Re: quantum hype

2003-09-22 Thread David Wagner
John S. Denker wrote:
>After the key exchange has taken place, Alice
>and Bob can use the key to set up a tunnel to
>keep their discussions private.  Probably one
>of the first things they will do is exchange
>authentication messages through the newly
>created tunnel.  Thereby Alice can decide
>whether this Bob is the Bob she wanted to
>talk to, as opposed to an impersonator.
>Similarly Bob ought to check Alice's creds.

Exchanging authentication messages through the newly created channel is
not secure: It is vulnerable to man-in-the-middle attacks.

For instance, suppose I do a quantum key exchange to get a session key SK,
set up a channel encrypted using SK, and then do a challenge-response
authentication protocol to check whether the party on the other end of
this channel is the Bob I wanted to talk to.  The resulting protocol
looks like this:
  A<->B: [exchange session key SK using a quantum key exchange]
  A->B:  {N_A}_SK
  B->A:  {sig}_SK, where sig = {N_A}_{K_B^{-1}}

This protocol is insecure.  A man in the middle can relay messages.
  A<->M: [exchange session key SK using a quantum key exchange]
  M<->B: [exchange session key SK' using a quantum key exchange]
  A->M:  {N_A}_SK
  M->B:  {N_A}_SK'
  B->M:  {sig}_SK', where sig = {N_A}_{K_B^{-1}}
  M->A:  {sig}_SK
Now Alice thinks she is talking to Bob, when actually Mallet has
insinuated herself into the middle of their communication link.

The problem with doing authentication after creation of the channel is
that the authentication is not bound to the quantum key exchange itself.

The only fix I can see is to somehow authenticate the quantum link used
for the quantum key exchange.  For instance, the quantum key exchange
could be done over an authentic link -- a link where you *know* who is
on the other end, and you have confidence that no one can tamper with
the link or splice themselves in.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
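The relay above, run as a simulation. This is an added example, not code from the post or from any quantum key distribution product, and every primitive in it is a stand-in chosen to keep it stdlib-only: the quantum key exchange is modelled as an unauthenticated step that hands both ends of a link a fresh random key; the tunnel `{x}_SK` is XOR with a keystream derived from SK; Bob's signature `{N_A}_{K_B^{-1}}` is an HMAC under a secret only Bob holds, and Alice's "copy of Bob's public key" is the ability to recompute that HMAC. The `bound=True` variant, which puts SK itself under the signature, is added to show what "bound to the key exchange" means in the last paragraph's sense (a classical channel-binding idea); it is not the fix the post proposes, which is to authenticate the quantum link itself.

```python
"""Relay simulation: post-hoc challenge-response over a QKD-derived tunnel.
All primitives are stand-ins (assumptions), see the lead-in."""
import hashlib
import hmac
import os

BOB_SECRET = os.urandom(32)   # stands in for Bob's private key K_B^{-1}


def qkd():
    """Quantum key exchange as used in the post: both endpoints of the link
    obtain the same fresh key, but nothing establishes WHO the endpoints are."""
    return os.urandom(32)


def seal(sk, direction, msg):
    """{msg}_SK: XOR with a keystream derived from SK and the message direction.
    Applying it twice with the same arguments decrypts."""
    ks = hashlib.shake_256(b"tunnel" + direction + sk).digest(len(msg))
    return bytes(a ^ b for a, b in zip(msg, ks))


def sign(secret, data):
    """Stand-in for a public-key signature (HMAC under Bob's secret)."""
    return hmac.new(secret, data, hashlib.sha256).digest()


class Bob:
    """Honest responder: decrypts N_A, signs it, returns {sig}_SK."""
    def __init__(self):
        self.sk = None

    def respond(self, enc_nonce, bound):
        n_a = seal(self.sk, b"A->B", enc_nonce)
        sig = sign(BOB_SECRET, n_a + (self.sk if bound else b""))
        return seal(self.sk, b"B->A", sig)


class Mallet:
    """Relay: one key SK negotiated with Alice, another SK' negotiated with Bob."""
    def __init__(self, bob):
        self.bob, self.sk_a, self.sk_b = bob, None, None

    def respond(self, enc_nonce, bound):
        n_a = seal(self.sk_a, b"A->B", enc_nonce)                         # A->M: {N_A}_SK
        enc_sig = self.bob.respond(seal(self.sk_b, b"A->B", n_a), bound)  # M->B, B->M
        sig = seal(self.sk_b, b"B->A", enc_sig)                           # recover sig
        return seal(self.sk_a, b"B->A", sig)                              # M->A: {sig}_SK


def alice_checks(sk, far_end, bound=False):
    """Alice's side of the challenge-response.  bound=False is the post's
    protocol (signature over N_A only).  bound=True also covers SK, so a
    signature made over a different session key no longer verifies."""
    n_a = os.urandom(16)
    enc_sig = far_end.respond(seal(sk, b"A->B", n_a), bound)
    sig = seal(sk, b"B->A", enc_sig)
    expected = sign(BOB_SECRET, n_a + (sk if bound else b""))
    return hmac.compare_digest(sig, expected)


def honest_run(bound=False):
    """A<->B share SK directly; Alice's check should pass."""
    bob = Bob()
    bob.sk = sk = qkd()
    return alice_checks(sk, bob, bound)


def mitm_run(bound=False):
    """A<->M share SK, M<->B share SK'; returns whether Alice accepts 'Bob'."""
    bob = Bob()
    mallet = Mallet(bob)
    mallet.sk_a = qkd()
    mallet.sk_b = bob.sk = qkd()
    return alice_checks(mallet.sk_a, mallet, bound)
```

`mitm_run()` returns `True`: Alice's check passes even though Mallet holds SK and reads everything, which is the point of the post. `mitm_run(bound=True)` returns `False`, because Bob signed `N_A || SK'` while Alice verifies against `N_A || SK`; the same simulation with `honest_run(bound=True)` still passes.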


Re: quantum hype

2003-09-22 Thread Peter Fairbrother
Matt Crawford wrote:

>> BTW, you can decrease the wavelength of a photon by bouncing it off
>> moving
>> mirrors.
> 
> Sure.  To double the energy (halve the wavelength), move the mirror at
> 70% of the speed of light.  And since you don't know exactly when the
> photon is coming, keep it moving at that speed ...
> 
 
I never suggested it was very practical, but:

Trap it in a cavity between two parallel mirrors, and shrink the cavity. It
doesn't matter (within reason) how fast you shrink it, just how much.

:)


-- 
Peter Fairbrother



Re: Who is this Mallory guy anyway?

2003-09-22 Thread Matt Crawford
> Well, that's the question - is Eve allowed to
> forward packets, in the act of listening, or
> is that Mallory's job?  I don't know.

You can't measure a single-particle state without at least some chance 
of destroying the state.  (Even quantum non-demolition methods affect 
the measured system a bit.)  So you can't have a purely passive Eve.  
Perhaps "Quentin" is the Quantum Eavesdropper who makes his optimal 
tradeoff between gathering the most information and being the least 
detectable.



Baltimore sells 'crown jewels'

2003-09-22 Thread R. A. Hettinga


The Register

  22 September 2003 
  Updated: 13:23 GMT 

Baltimore sells 'crown jewels' 
By John Leyden 
Posted: 22/09/2003 at 13:18 GMT 


 
Security company Baltimore Technologies today announced a "conditional agreement" to 
sell its core public key infrastructure (PKI) business to US firm beTRUSTed for $5 
million in cash. 

The sale of Baltimore's 'crown jewels' to BeTRUSTed (which is owned by Bank One's One 
Equity Partners) effectively winds up the company, analysts say. 

In a statement, Baltimore said the planned sale of its PKI business completes its 
disposal programme. The sale involves the transfer of staff to BeTRUSTed and is 
subject to shareholder approval - but that is likely to be a formality. 

Baltimore recently sold off its SelectAccess authentication, OmniRoot and managed 
services operations. These, together with the earlier sale of content filtering 
technologies to Clearswift and other businesses, have left Baltimore as a ghost of its 
former self. 

Baltimore is today valued at around £22 million compared to its peak valuation at the 
height of the dotcom bubble of £5.5 billion. 

Unrestrained optimism that Baltimore's security technologies would become the 
foundation of an ecommerce boom propelled Dublin-based Baltimore into the FTSE 100 
index in the late 1990s. But sales never met expectations and Baltimore's stock price 
plummeted as its cash reserves dwindled. 

So the company was forced into a fire sale. 

Baltimore secured a much needed cash lifeline with the sale of its content security 
business to UK software firm Clearswift Corporation for £20.5 million in January 2001. 
But the deal represents only a tiny fraction of the £692 million Baltimore paid for 
Content Technologies at the height of the stock market boom in 2000. 

With hindsight, Baltimore's idea to combine encryption with content filtering 
technology appears fundamentally misconceived. The company would have done better to 
concentrate on making its core PKI technology easier to deploy, a shortcoming that 
became a key reason Baltimore's UniCERT PKI technology never went mainstream. 

Strategic mistakes alongside the bursting of the dotcom bubble resulted in Baltimore's 
inexorable decline. Baltimore employed 1,400 workers at its peak but now only has 255 
people on its books. The disposal of its core PKI business is seen by some as the 
final chapter in the Baltimore story. 

"This is kind of the final disposal... this is the end, really," analyst Barry Dixon 
of Davy Stockbrokers in Dublin, told Reuters. ® 


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: quantum hype

2003-09-22 Thread Matt Crawford
> BTW, you can decrease the wavelength of a photon by bouncing it off moving
> mirrors.

Sure.  To double the energy (halve the wavelength), move the mirror at 
70% of the speed of light.  And since you don't know exactly when the 
photon is coming, keep it moving at that speed ...



"Cyrillic Projector" cracked.

2003-09-22 Thread Perry E. Metzger

 "The Cyrillic Projector is an encrypted sculpture at the
 University of North Carolina in Charlotte, that was created by
 Washington DC artist James Sanborn in the early 1990s.  It was
 inspired by the encrypted Kryptos sculpture that Sanborn created
 two years earlier for CIA Headquarters."

http://www.elonka.com/kryptos/CyrillicProjectorAnnouncement.html

-- 
Perry E. Metzger  [EMAIL PROTECTED]



Re: Who is this Mallory guy anyway?

2003-09-22 Thread Ian Grigg
> someone wrote:
> 
> Hiya.
> 
> Dumb question. Why is the bad guy called Mallory in
> this thread? I always thought that traditionally the
> two correspondents were called Alice and Bob and that
> the bad guy was called Eve. (As in, short for eavesdropper?).
> Intercepting the bits and sending them is precisely
> the sort of thing that Eve does all the time.


Mallory is the Man-in-the-Middle.  He is the one
that inserts himself into a connection, in an
active attack, and sends packets to both Alice
and Bob.  He can send one thing to Alice, and
send another thing to Bob.  In this way, he
can insert himself into a Diffie-Hellman key
exchange, and send completely separate numbers
to both parties.

Eve is indeed the eavesdropper.  She can only
listen.

(As a further point, there are other personas,
being Trent, the trusted third party.  Also,
Victor, a verifier.  In financial cryptography
we use Ivan as an Issuer and sometimes Matilda
as a merchant.  Carol and Dave can assist
Alice and Bob in more complex protocols.)


> I would have said "Mallory is acting as Eve", not
> "Eve is acting as Mallory". But then, I'm surprisingly
> ignorant about all sorts of "obvious" things. Maybe
> you could clear this up for me?

Well, that's the question - is Eve allowed to
forward packets, in the act of listening, or
is that Mallory's job?  I don't know.

Given the silence on the issue, and the differing
usages, I'd say we've reached an uncertainty in
the definition.

The question revolves around whether Eve's name
derives from her eavesdropping, or whether she
is passive, and can only do stuff that can be
done by observation.  If she is allowed to resend
because she is eavesdropping then that's ok.  But,
if she must only passively listen - measure - and
cannot resend, then what this Quantum stuff does
is eliminate her from consideration because she
will always give herself away.  Hence, only
Mallory, the MITM, can do the job.  In effect,
it is very close to Anon-DH - in that Eve cannot
crack the crypto, but Mallory can.

It's a minor point, it doesn't really change the
crypto at all, but it can evoke different images
in different people if they don't agree on which
it is.  So one has to be careful, as the essence
of naming is, after all, efficient communication.

iang



Re: quantum hype

2003-09-22 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote:

>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
>> 
>> Peter Fairbrother may well be in possession of a break for the QC hard
>> problem - his last post stated there was a way to "clone" photons with
>> high accuracy in retention of their polarization
>> [SNIP]
>> 
> Not a break at all. The physical limit for cloning is 5/6ths of the bits will
> clone true. Alice need only send 6 bits for every one bit desired to assure
> Eve has zero information. For a 256-bit key negotiation, Alice sends 1536 bits
> and hashes it down to 256 bits for the key.

Agreed. It's not a break, though it does make it harder. Many people think
the no-cloning theorem says you can't clone photons at all. Most COTS QC
gear only "works" under that false assumption.

Then there's the noise/error rates - in practice it's very hard to get > 60%
single photon detection rates, even under the most favourable conditions,
and low error rates are hard to get too.

I tend to the opinion, without sufficient justification and knowledge to
make it more than an opinion, that most COTS QC products are probably secure
today in practice, but claims for theoretical security are overblown.




There may be yet another problem which I should mention. First, I'd like to
state that I'm not a quantum mechanic, and I find the math and theory quite
hard, so don't rely too much on this.

I'm not certain that the 5/6 figure is a universal physical limit. It may
just be an artifact of the particular unitary transform used in that
specific cloning process.

It _may_ be possible for the cloner to get some information about which
photons were cloned incorrectly. This is tricky, and I don't know if it's
right - it involves non-interactive measurement of virtual states, kind of.

Another possibility is to imperfectly clone the photon more than once.

The no-cloning theorem per se doesn't disallow these, it only disallows
perfect cloning, but other physics might.

QC's unbreakability isn't based on a "hard problem", it's based on the
physical impossibility of perfect cloning. But exactly what that
impossibility means in practice, I wouldn't like to say. You can't clone
every photon. Can you only clone 5/6 of photons? Or 99.9...% of them? It
may be the latter.




BTW, you can decrease the wavelength of a photon by bouncing it off moving
mirrors.


-- 
Peter Fairbrother



Linux's answer to MS-PPTP

2003-09-22 Thread Peter Gutmann
A friend of mine recently pointed me at CIPE, a Linux VPN tool that he claimed
was widely used but that no-one else I know seems to have heard of.  Anyway, I
had a quick look at it while I was at his place.  It has some problems.

CIPE led me to another program, vtun, which is even worse.  Someone else then
told me about another one, tinc, which apparently was just as bad as CIPE and
vtun, but has been partially fixed after flaws were pointed out (it still has
some problems, see below).  The following writeup covers some of the problems,
with conclusions drawn at the end.  As you'll note from reading this, as I
went down the list of VPN software I got less and less interested in writing
up lengthy analyses, so CIPE (the first one I looked at) has the most detail.

CIPE


The following comments on CIPE apply to the protocol described at
http://sites.inka.de/sites/bigred/devel/CIPE-Protocol.txt (the CIPE home
page).

Section 2, Packet Encryption:

- CIPE uses a CRC-32 for integrity-protection.  The use of a weak checksum
  under CFB or CBC has been known to be insecure for quite some time,
  providing no (or at least inadequate) integrity protection for the encrypted
  data.  This first gained widespread attention in 1998 with the Core SDI
  paper "An attack on CRC-32 integrity checks of encrypted channels using CBC
  and CFB modes" by Ariel Futoransky, Emiliano Kargieman, and Ariel M. Pacetti
  of CORE SDI S.A, which led to the SSHv1 insertion attacks and the more or
  less complete abandonment of SSHv1.  To quote the Core SDI work:

   The use of these algorithms in CBC (Cipher Block Chaining) or CFB (Cipher
   Feedback 64 bits) modes with the CRC-32 integrity check allows to perform a
   known plaintext attack (with as few as 16 bytes of known plaintext) that
   permits the insertion of encrypted packets with any chosen plaintext in
   the client to server stream that will subvert the integrity checks on the
   server and decrypt to the given plaintext, thus allowing an attacker to
   execute arbitrary commands on the server.

  In other words this provides no real integrity protection for data.
  Although it first gained widespread publicity in the SSHv1 attacks, the fact
  that this mechanism is insecure and shouldn't be used goes back to (at
  least) Kerberos v4 dating from the 1980s (the des-cbc-crc mechanism was
  deprecated in Kerberos v5, the now ten-year-old RFC 1510).

- The padding length is limited to 3 bits, making it unusable with any recent
  128-bit block cipher.  In particular, AES can't be used.  In addition, the
  inability to pad to more than one (64-bit) cipher block length makes it
  impossible to disguise message lengths by padding messages to a fixed size
  (there are further SSHv1 attacks that arose from similar problems there).
  This weakness is particularly problematic when applied to section 3.

- There is no protection against message insertion or deletion.  In particular
  an attacker can delete or replay any message, and in combination with the
  weak checksum problem can replay modified messages.  Consider for example
  what would happen if an attacker can replay database transactions where
  money is involved.  This issue is also particularly problematic when applied
  to section 3.

Recommendation to fix:

This portion of the protocol has a number of flaws, but can be fixed with a
more or less complete overhaul of the message format:

- Replace the weak checksum with a MAC like HMAC-SHA1.  If size is a concern,
  use a truncated HMAC (but not to a mere 32 bits, which is unconvincing).
  IPsec cargo-cult protocol design practice would seem to require a MAC size
  of at least 96 bits (IPsec truncated the MAC to 96 bits because that makes
  the AH header a nice size, with a payload length of exactly 128 bits (4 32-
  bit words); everyone else assumed that the number 96 had some magic
  significance and copied it into their own designs).

- Replace the padding with standard PKCS #5 padding, allowing both the use of
  ciphers with block sizes > 64 bits and padding of messages to hide plaintext
  size.

- Either provide protection against insertion/deletion via message sequence
  numbers, or make it very explicit in the documentation that CIPE should not
  be used where insertion/deletion can be a problem, i.e. in situations where
  the higher-level protocol being tunneled doesn't provide its own mechanism
  for detecting missing, inserted, or out-of-sequence messages.

A quick fix would be to take the SSL (or SSH) format, strip out the SSL
headers and encapsulation, and use what's left (the padding, MAC'ing, etc
etc).  SSL/SSH also provides message-sequence handling if you want this.

Section 3, Key exchange:

- The lack of integrity protection means that it's possible to modify keys in
  transit.  As an extreme example, if 3DES keys were used it'd be possible to
  flip the necessary bits to force the use of weak keys, so that both sides
  would end up sending plaintext
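A packet format built along the lines of the "Recommendation to fix" list for section 2, as an added example (not CIPE's code and not from the post): encrypt-then-MAC with HMAC-SHA1 truncated to 96 bits, PKCS #5 padding to a 128-bit block, and a sequence number carried under the MAC so that replayed, missing, out-of-order or modified packets are rejected. One assumption: the Python standard library has no AES, so a keystream derived from HMAC-SHA256 in counter mode stands in for the block cipher; the PKCS #5 padding is kept as it would be for a real 128-bit block cipher. The receiver's strict "next sequence number" rule detects deletion as well as insertion; a VPN over a lossy datagram transport would relax it to a replay window.

```python
"""Encrypt-then-MAC packet format with sequence numbers (added example).
The keystream function is a stand-in for a 128-bit block cipher."""
import hashlib
import hmac
import os
import struct

BLOCK = 16      # 128-bit block, so AES-sized ciphers fit the padding
MAC_LEN = 12    # HMAC-SHA1 truncated to 96 bits


def pkcs5_pad(data):
    n = BLOCK - len(data) % BLOCK          # always 1..BLOCK bytes of padding
    return data + bytes([n]) * n


def pkcs5_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def keystream(enc_key, seq, length):
    """Stand-in for the cipher: CTR-style keystream keyed by enc_key and
    unique per (seq, counter), so it never repeats within a session."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(enc_key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
    return out[:length]


def seal(enc_key, mac_key, seq, plaintext):
    """seq (8 bytes) || ciphertext || HMAC-SHA1-96 over both."""
    padded = pkcs5_pad(plaintext)
    ks = keystream(enc_key, seq, len(padded))
    body = struct.pack(">Q", seq) + bytes(a ^ b for a, b in zip(padded, ks))
    tag = hmac.new(mac_key, body, hashlib.sha1).digest()[:MAC_LEN]
    return body + tag


class Receiver:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = -1

    def open(self, packet):
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        # 1. Integrity first, with a MAC rather than a CRC: any modification
        #    of the ciphertext fails here, before anything is decrypted.
        expect = hmac.new(self.mac_key, body, hashlib.sha1).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("MAC check failed")
        # 2. The sequence number is under the MAC, so it cannot be altered;
        #    requiring exactly last+1 catches replay, reordering and deletion.
        seq = struct.unpack(">Q", body[:8])[0]
        if seq != self.last_seq + 1:
            raise ValueError("missing, replayed or out-of-order packet")
        self.last_seq = seq
        ct = body[8:]
        ks = keystream(self.enc_key, seq, len(ct))
        return pkcs5_unpad(bytes(a ^ b for a, b in zip(ct, ks)))


def _rejects(rx, packet):
    try:
        rx.open(packet)
        return False
    except ValueError:
        return True


def demo():
    """Constructed session showing which packets are accepted or rejected."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    rx = Receiver(enc_key, mac_key)
    p0 = seal(enc_key, mac_key, 0, b"transfer 100")
    p1 = seal(enc_key, mac_key, 1, b"transfer 5")
    results = {"p0_ok": rx.open(p0) == b"transfer 100"}
    results["p1_ok"] = rx.open(p1) == b"transfer 5"
    results["replay_rejected"] = _rejects(rx, p1)            # p1 again
    tampered = bytearray(seal(enc_key, mac_key, 2, b"transfer 5"))
    tampered[12] ^= 0x01                                      # flip one ciphertext bit
    results["tamper_rejected"] = _rejects(rx, bytes(tampered))
    results["gap_rejected"] = _rejects(rx, seal(enc_key, mac_key, 3, b"x"))  # seq 2 missing
    return results
```

`demo()` returns every entry `True`: the two genuine packets decrypt, the replay and the bit-flipped packet are refused by the sequence check and the MAC respectively, and the packet with sequence number 3 is refused because number 2 never arrived.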

Music's Struggle With Technology

2003-09-22 Thread R. A. Hettinga


The New York Times


September 22, 2003
NEW ECONOMY

Music's Struggle With Technology
By JOHN SCHWARTZ


LIFE, like television, is full of reruns. And long-time watchers of
technology trends say the entertainment industry's attack on peer-to-peer
software - the technology at the heart of the song-swapping mania - follows
a familiar pattern.

Every technology can, of course, be used for evil or good purposes. Cars
can be used in bank robberies, and radiation can cure cancer. But many new
technologies go through a stage of demonization, and communications
technologies come in for an especially tough hit from people who feel
threatened by them.

Long before girding against the Internet, for example, the entertainment
industry objected to cassettes and videotapes because they would allow
people to copy music and programming without making additional payments.
Even FM radio was opposed by the record companies at the outset because the
high fidelity broadcasts were free. The early defenders of the industry did
not understand the ways that the power of the new communications tool would
help them market their goods to a broader audience.

The current fight over peer-to-peer technology closely resembles a grand
battle in the 1990's over encryption technology, which secures the contents
of communications from prying eyes. In that case, the opponent was not the
entertainment industry, but the Clinton administration and its law
enforcement and intelligence agencies, which tried to restrict the use and
spread of strong encryption ("crypto," in geekspeak). The technology was an
essential tool for businesses and consumers who wanted to protect privacy;
because of their resistance to the government crackdown, many encryption
restrictions have been lifted.

But, at the time, government officials argued that crypto, if unrestricted,
would bring disaster upon disaster. The Clinton administration encouraged
the adoption of encryption products with a "backdoor" that government could
unlock. "Uncrackable encryption will allow drug lords, terrorists and even
violent gangs to communicate with impunity," Louis J. Freeh, then director
of the F.B.I., testified before a Senate committee in 1997.

Similar accusations have been lodged against peer-to-peer - or P2P, as it
is commonly known - which also has the potential to become a powerful tool
for network communications and pooling computer resources. The
entertainment industry has tried to portray the networks as hotbeds of
crime and havens for child pornography. Yet many in the tech world say
there are so many possible uses for P2P that "it's impossible to imagine
them not being developed," said Lance Cottrell, the president and founder
of a company that provides tools for enhancing privacy online. "Music was
just the first killer app, but I think it will be the first of many."

Mr. Cottrell said that efforts to restrict access to P2P technology will
not deter bad people but the efforts will hinder honest users. "People who
really desire to steal will find ways of doing it," he said. But as with
encryption, "restricting it means it is only available to the real bad
guys."

The potential public benefits - like new computer networks that make worker
collaboration easier, à la the entrepreneur Ray Ozzie's Groove Networks, or
clusters of PC's linked to pool their power and resources - could be
delayed in the P2P fight, just as the tug of war over cryptography hindered
the ability of business to protect communications and databases from
intruders, said Bruce Schneier, a security expert and author of "Beyond
Fear: Thinking Sensibly About Security in an Uncertain World." "In both
cases, a large well-funded organization is fighting the little guy."

The similarities do not stop there, Mr. Schneier said, because in both
cases legal remedies have been sought "to solve an inherently technological
problem." Those seeking to restrict the new technology are using "legal
intimidation" to fight their battles, he said. And, he predicted, the
ultimate outcome will be similar: "Strong crypto would inevitably be used.
Digital files are inevitably copyable." The real goal of the pushback in
both cases, he said, is to delay change.

A former government official who fought on the opposite side of the crypto
battle from Mr. Schneier says the similarities between that fight and the
battle over file sharing are striking - but so are the differences. Stewart
Baker, former general counsel for the National Security Agency, said, "The
N.S.A. had a lot of clout, but it didn't have political action committees."
The entertainment industry's political influence has already manifested
itself in such laws as the Digital Millennium Copyright Act of 1998, which
made it easier to go after digital pirates.

But file trading has things going for it that encryption neve

RE: quantum hype

2003-09-22 Thread Michael_Heyman
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
> 
> Peter Fairbrother may well be in possession of a break for the QC hard
> problem - his last post stated there was a way to "clone" photons with
> high accuracy in retention of their polarization
> [SNIP]
>
Not a break at all. The physical limit for cloning is 5/6ths of the bits will clone 
true. Alice need only send 6 bits for every one bit desired to assure Eve has zero 
information. For a 256-bit key negotiation, Alice sends 1536 bits and hashes it down 
to 256 bits for the key.

-Michael Heyman



Re: quantum hype

2003-09-22 Thread Jaap-Henk Hoepman

I always understood that QKD is based on a hard problem of which the theory of
physics says it is impossible to find a solution (if not, then I'd like to
know). Then if QKD breaks, the current theory of physics was wrong.

On the other hand, if DH or RSA breaks, factoring or the discrete log turn out
to be polynomial. This is earthshattering, but doesn't imply our theory of
computing was wrong.

Whether one is a stronger foundation than the other is really a philosophical
question (and an interesting one too... ;-)

Jaap-Henk

On Sun, 21 Sep 2003 16:39:17 +0200 martin f krafft <[EMAIL PROTECTED]> writes:
>> > Has anyone *proven* that there is no way to read
>> > a quantum bit without altering it?
>> no. It's the "underlying hard problem" for QC. If there is
>> a solution to any of the Hard Problems, nobody knows about them.
>
> right, so it's no better than the arguable hard problem of factoring
> a 2048 bit number.


-- 
Jaap-Henk Hoepman   |  I've got sunshine in my pockets
Dept. of Computer Science   |  Brought it back to spray the day
University of Nijmegen  |Gry "Rocket"
(w) www.cs.kun.nl/~jhh  |  (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532  |  (f) +31 24 3653137
