MagiQ Readies Quantum Key Distribution System

2003-11-12 Thread R. A. Hettinga

--- begin forwarded text


Date: Sun, 2 Nov 2003 13:51:57 -0500
To: "Philodox Clips" <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: MagiQ Readies Quantum Key Distribution System
Reply-To: "Philodox Clips" <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>



EWeek




MagiQ Readies Quantum Key Distribution System


October 31, 2003
By Dennis Fisher




MagiQ Technologies Inc. on Monday plans to release the first version of its
much talked-about quantum key distribution product, known as Navajo. The
system is to be unveiled at next week's Computer Security Institute show in
Washington and is among the first commercially available quantum
cryptography products.


In theory and practice, Navajo is not much different from most existing
public key cryptosystems. It encodes the encryption keys, performs the key
exchange, encrypts the message and then sends it to the recipient. The
difference is in the manner in which the key is encoded and distributed to
the recipient.

Navajo encodes each key by placing several bits of information on a series
of individual photons, which are then transmitted to the recipient over a
dedicated fiber optic line. When they're reassembled by the recipient, the
bits on the photons form the encryption key.

During transmission, the key is protected elegantly by the laws of physics.
The nature of quantum mechanics is such that if someone was able to
eavesdrop on the key exchange process, the simple act of reading the bits
on one photon would irreversibly change that photon. This, in turn, would
alert the recipient that the key had been compromised and should be thrown
away.

The system can handle both triple-DES and AES encryption and its
transmission rate is about 1Gbps, company officials said.

One other key difference in Navajo is its key regeneration rate. In
practice, many commercial cryptosystems are set to generate new keys
infrequently, if ever. This can lead to a situation where an attacker can
read supposedly secure communications ad infinitum if he or she is able to
compromise the encryption key. Instead, MagiQ's system refreshes its keys
continuously.

"The issue is flipping keys in a secure way. Most people don't change them
very often," said Michael LaGasse, vice president of engineering at MagiQ,
based in New York. "And it's pretty easy to tap a fiber link with a couple
of hundred dollars in equipment."

Meanwhile, the nature of the Navajo system presents a couple of unique
challenges for potential customers. Because the system relies on photons of
light for transmission of the keys, customers must have fiber optic lines
available. This isn't much of a barrier for most large enterprises, which
typically have such lines in place already. However, the system is limited
by a range of about 62 miles right now, although the transmission can be
sent through repeaters to increase the range, LaGasse said.

Much of the early interest in the system has come from telecoms that are
looking to put some of their extra fiber capacity to work. "These carriers
have between 50 and 70 percent of their fiber lying unused, depending on
the company, and they want to find ways to generate more revenue from it.
Security is one of the obvious ways," said Bob Gelfond, CEO of MagiQ.

Pricing for Navajo starts at $50,000 per endpoint.

Also next week MagiQ will release a separate box that does key distribution
only and is meant for use by researchers looking into quantum cryptography.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
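
The disturbance-detection property the article describes, as an added toy simulation that is not MagiQ's code: it assumes the BB84 protocol (the article does not name the protocol Navajo uses) and models an intercept-resend eavesdropper, so the error rate Bob measures on the disclosed part of the sifted key is what tells him to throw the key away.

```python
# Added example, not MagiQ's code: a classical simulation of BB84 key
# distribution with an intercept-resend eavesdropper. A photon is modelled as
# (bit, basis); measuring in the wrong basis yields a random bit and leaves the
# photon in the measuring basis, which is what lets the recipient detect Eve.
import secrets


def _randbit():
    return secrets.randbelow(2)


def random_bits(n, randbit=_randbit):
    return [randbit() for _ in range(n)]


def measure(photon, basis, randbit=_randbit):
    """Measure (bit, prep_basis) in `basis`; a wrong basis gives a random outcome."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else randbit()


def run_bb84(n, eavesdrop=False, randbit=_randbit):
    alice_bits = random_bits(n, randbit)
    alice_bases = random_bits(n, randbit)
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and
        # forwards a fresh photon carrying her result in that basis.
        eve_bases = random_bits(n, randbit)
        photons = [(measure(p, b, randbit), b) for p, b in zip(photons, eve_bases)]

    bob_bases = random_bits(n, randbit)
    bob_bits = [measure(p, b, randbit) for p, b in zip(photons, bob_bases)]

    # Sifting: bases (never bits) are compared publicly; positions where
    # Alice and Bob chose the same basis form the raw key.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Error estimate: half the sifted positions are disclosed, compared and
    # discarded; the remaining positions become the key.
    disclosed, kept = sifted[::2], sifted[1::2]
    errors = sum(alice_bits[i] != bob_bits[i] for i in disclosed)
    qber = errors / len(disclosed) if disclosed else 0.0
    return {
        "qber": qber,
        "key_alice": [alice_bits[i] for i in kept],
        "key_bob": [bob_bits[i] for i in kept],
    }


# Without Eve the disclosed bits agree exactly; intercept-resend on every
# photon disturbs about a quarter of them, far above this commonly cited
# abort threshold.
QBER_ABORT = 0.11


def key_accepted(result, threshold=QBER_ABORT):
    """Keep the key only if the observed error rate is at or below the threshold."""
    return result["qber"] <= threshold
```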


New info on Palladium

2003-11-12 Thread Anonymous
For some updated news about NGSCB, aka Palladium, go to the Microsoft
NGSCB newsgroup page at
http://communities.microsoft.com/newsgroups/default.asp?icp=ngscb&slcid=us.
This might be a good forum for cypherpunks to ask questions about
Palladium.

There was a particularly informative posting by Ellen Cram of Microsoft on
October 15.  Among other things she reveals that the Longhorn pre-release
to be distributed at the Microsoft PDC (conference) will include NGSCB
technology.  It's not clear how this will work without the specialized
hardware features, though.

Also getting attention is a bizarre attempt at guerrilla marketing,
where Microsoft employees are running blogs to promote Longhorn.
http://longhornblogs.com/scobleizer/ provides a good example.  In "How
to Hate Microsoft", Robert Scoble, Longhorn technology evangelist,
wants you to tell him everything you don't like about Longhorn.  Pull no
punches, he begs.  So far there are a few comments about DRM but not
much specifically about Palladium/NGSCB.

On another front, John Walker of AutoCAD fame, who supported
a number of quixotic projects through the 80s and 90s, like the
ill-fated Xanadu, has a new publication out.  The Digital Imprimatur,
http://www.fourmilab.ch/documents/digital-imprimatur/, presents a
dystopian future for the Internet that is heavily based on the potential
negative consequences of Trusted Computing technologies like Palladium.

In Walker's view, Palladium will spawn a net where you need a certificate
to participate, and this will naturally lead to a "fully trusted"
network where not only people, but all their transactions and documents
will be certified, hence traceable and accountable.  An "imprimatur"
is a government license to run a printing press, and we will experience
the same effect in the Trusted Internet of the future.

Although Walker's story is meant to be a cautionary tale, the list of
properties of the Trusted Net is so attractive that many readers are
questioning why we should oppose these developments: an end to copyright
violation, (unauthorized) eavesdropping, scams, security fraud, SPAM,
worms and viruses.  Walker's architecture also supports search engines
that are 100% accurate, with low maintenance.  The Trusted Net limits
child pornography (and children's access to adult porn), hate speech,
employee internet abuse, and tax evasion.  It inherently supports DRM,
satisfying the concerns of content providers and providing a foundation
for wide-scale distribution of copyrighted content.

Walker has put an intentionally favorable slant on his presentation in
order to demonstrate how plausible it is that people will accept the
restrictions of Palladium in exchange for all these benefits.  The spam
menace is already leading to calls for an Internet Drivers License even
from some circles within the pro-freedom crowd, and a Trusted Net would
be only a small additional step.

While Walker's description of "how to put the Internet genie back in
the bottle" is sobering, his track record as a prognosticator is not
promising.  He was wrong about the net before, and he's probably wrong
about it now.  A rather dull discussion forum for the essay is running
at http://www.fourmilab.ch/wb/digital-imprimatur.pl.



Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption]

2003-11-12 Thread R. A. Hettinga

--- begin forwarded text


To: [EMAIL PROTECTED]
Date: Mon, 27 Oct 2003 16:37:55 +0100 (CET)
From: [EMAIL PROTECTED] (Dr. Robert J. Harley)
Subject: Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For
Encryption]
List-Id: Friends of Rohit Khare 
Sender: [EMAIL PROTECTED]


RAH wrote:
> > FWIW, this is about going rate for RSA too, BTW.
> Was. RSA's patent has expired.

And ECC never has been and never can be patented.  Some protocols and
implementation methods are (just as they are for RSA etc.)


>BTW, the only decent *software* ECC, FEE, is patented, by Apple.

Are you serious?  So many holes... so little time...

Let's see.  Are you talking about software or about technology?

Re: Software; I have never seen FEE software lauded.  Apple uses an
implementation of it in MacOS... other than that... uh...???

Re: Technology; Apple uses it as a minor PR opportunity to claim
that they are doing crypto research.  The patent is an abusive one on
trivia (see below).  One day Crandall thought of using simple primes
in ECC (like about 1000 other people) and patented it.  NeXT used this
as a PR opportunity to claim that they had developed it on purpose to
avoid licensing RSA.  They also said anybody could use FEE without
licensing it.

Then Apple bought NeXT.  Dunno what their position is but it is
irrelevant.  FEE is bog standard ECC over prime fields, using primes
of the form p = 2^d-c with small c such as 2^233-3.  This makes
reduction simpler and speeds up operations a bit.  It is absolutely
trivial to pick other simple primes not covered by the patent, such as
p = 2^248-2^100-1.  All of the NIST curves over prime fields are of
this form, such as p = 2^224-2^96+1.

Personally, I would avoid such special cases anyway.

Regards,
  Rob.
___
FoRK mailing list
http://xent.com/mailman/listinfo/fork

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



'Smart stamps' next in war on terrorism

2003-11-12 Thread R. A. Hettinga


The Washington Times
www.washingtontimes.com

'Smart stamps' next in war on terrorism
By Audrey Hudson
Published October 26, 2003


Sending an anonymous love letter or an angry note to your congressman?
The U.S. Postal Service will soon know who you are.
Beginning with bulk or commercial mail, the Postal Service will require
"enhanced sender identification" for all discount-rate mailings, according
to the notice published in the Oct. 21 Federal Register. The purpose of
identifying senders is to provide a more efficient tracking system, but
more importantly, to "facilitate investigations into the origin of
suspicious mail."
The Postal Service began to look into updating mailing procedures after
the anthrax scares in October 2001 when an unknown person or persons sent
several U.S. senators and news organizations envelopes filled with the
deadly toxin. Two post office workers died from handling envelopes laced
with anthrax.
"This is a first step to make the mail more secure," said Joel Walker,
customer service support analyst for the mailing-standards office.
But what has privacy advocates concerned is a report by a presidential
commission that recommends the post office develop technology to identify
all individual senders, which is directly referenced in the Federal
Register notice. The proposed regulations are open for public comment
through Nov. 20 to the Postal Service.
"The President's Commission on the United States Postal Service
recently recommended the use of sender identification for every piece of
mail," the Federal Register stated. "Requiring sender-identification for
discount-rate mail is an initial step on the road to intelligent mail."
Also cited in the notice are two congressional committee
recommendations urging the Postal Service to explore the concept of sender
identification, including the "feasibility of using unique, traceable
identifiers applied by the creator of the mailpiece."
"We're not ready to go there yet, but we are trying to make an initial
step to make all mail, including discount mail, easily identified as to who
the sender is," Mr. Walker said.
"Smart stamps" or personalized stamps with an embedded digital code
would identify the sender, destination and class.
In October 2001, a letter was sent to then-Senate Majority Leader Tom
Daschle, South Dakota Democrat, from a bogus New Jersey address. In theory,
smart stamps would allow authorities to better identify would-be assailants.
"The postal notice itself says this is the first step to identify all
senders, so this is not a matter of paranoia, this is reality. The post
office is moving towards identification requirements for everyone," said
Chris Hoofnagle, associate director of the Electronic Privacy Information
Center.
Mr. Hoofnagle scoffed at the notion identification could prevent crimes
such as the anthrax attacks on members of Congress and news media two years
ago.
"Anyone resourceful enough to obtain anthrax can get a stamp" without
going through the new channels, Mr. Hoofnagle said.
A Treasury Department report from the Mailing Industry Task Force also
recommended that "the industry promote development of the 'intelligent'
mail piece by collaborating with the Postal Service to implement standards
and systems to make every mail piece - including packages - unique and
trackable."
"What happens if I buy stamps and you need one, is it legal for me to
give it to you?" Mr. Hoofnagle said.
Ari Schwartz, associate director for the Center for Democracy and
Technology, said intelligent mail can play an important role and improve
the mail system.
However, privacy issues must be seriously addressed, and moving forward
with the rules on bulk mail could alleviate some concerns, he said.
"There is a right to anonymity in the mail. If you look back in the
history of this country, the mail has played an important role in free
expression and political speech and anonymous mail has provided that," Mr.
Schwartz said.
Capitol Hill staffers dismissed the potential for abuse by politicians
who might use the system to track anonymous critics.
"A petty staff member, maybe, but I doubt a member of Congress would do
that," said one Senate aide.
Added a senior House staffer: "A politician getting even with someone?
Nah, it just saves us the trouble of having to reply to the letter."

Copyright © 2003 News World Communications, Inc. All
rights reserved.

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


Gresham's Law?

2003-11-12 Thread Russell Nelson
I wonder if the DMCA (why do those initials bring to mind a song by
The Village People?) isn't invoking Gresham's Law?  Gresham's Law says
"bad money drives out good", but it only applies when there is a legal
tender law.  Such a law requires that all money be treated equally --
as legal tender for all debts.  Gresham's Law predicts that people
will hoard good money and spend bad money, since it's all the same to
them.

The DMCA requires that all copyright protection systems be treated
equally, since it says nothing about the efficacy of a copyright
protection system.  In that regard it is identical to a legal tender
law because it does not distinguish between good and bad copyright
protection.  Any kind of cryptography, effective or not, seems to be
presumptively copyright protection.  Marketplace competition in the
realm of DMCA-protected products will give people an interest in
putting the least amount of resources into copyright protection.

The DMCA is a recipe for ineffective copyright protection.

`Sec. 1201. Circumvention of copyright protection systems

`(2) No person shall manufacture, import, offer to the public,
provide, or otherwise traffic in any technology, product, service,
device, component, or part thereof, that--

-- 
--My blog is at angry-economist.russnelson.com  | Can I recommend python?
Crynwr sells support for free software  | PGPok | Just a thought.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | -Dr. Jamey Hicks
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 



Certicom Sells Licensing Rights to NSA

2003-11-12 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 24 Oct 2003 11:44:39 -0400
To: "Philodox Clips" <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: Certicom Sells Licensing Rights to NSA
Reply-To: "Philodox Clips" <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>



Canada NewsWire

CERTICOM CORP.


Attention Business Editors:

Certicom Sells Licensing Rights to NSA
MISSISSAUGA, ON, Oct. 24 /CNW/ - Certicom Corp. (TSX: CIC), a leading
provider of wireless security solutions, today announced that the National
Security Agency (NSA) in Maryland has purchased extensive licensing rights to
Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property.
ECC is becoming a crucial technology for protecting national security
information.
This agreement will give the NSA a nonexclusive, worldwide license with
the right to grant sublicenses of MQV-based ECC covered by many of Certicom's
US patents and applications and corresponding foreign rights in a limited
field of use. The field of use is restricted to implementations of ECC that
are over GF(p), where p is a prime greater than 2^256. Outside the field of
use, Certicom will retain all rights to the technology for other industries
that require the same levels of security, including state and local government
agencies. Certicom will continue its policy of making its intellectual
property available to implementers of ECC under normal commercial terms on a
non discriminatory basis.
Researchers have been studying ECC for almost 20 years as the next
generation of public-key technology. ECC is a computationally efficient form
of cryptography that offers equivalent security to other competing
technologies but with much smaller key sizes. This results in faster
computations, lower power consumption, as well as memory and bandwidth
savings.
"Certicom is a pioneer in researching and developing ECC," says Scott
Vanstone, founder and executive vice-president, strategic technology at
Certicom. "Over 15 years ago, Certicom was founded to research and develop the
strongest security possible. This makes us ideally positioned to provide
manufacturers, that build government communications equipment and
applications, with the tools they need to deliver ECC-based security solutions
to the government market. Certicom is committed to work with the commercial
sector in making our intellectual property and technology available to the
security industry at large."
In 1997, Certicom developed the industry's first toolkit to include ECC
which has since been adopted by over 300 organizations. Security Builder
Crypto, a cross-platform cryptographic toolkit, includes standards-based ECC
implementations that are optimized for size and performance on over 30
platforms.
"Certicom is committed to providing technology that meets the U.S.
Government's highest standards to secure and protect its most sensitive
information," said Ian McKinnon, president and CEO of Certicom. "With NSA's
decision to purchase a license from Certicom for MQV-based ECC, Certicom is
well-positioned to drive the adoption of our technologies and intellectual
property in new markets that need strong security. This contract, valued at
US$25 million, has been facilitated through the CCC (Canadian Commercial
Corporation), Canada's export contracting agency."
Companies and Government Departments or Agencies wishing to develop
security products implementing ECC to protect national security related
systems and/or information or other mission critical information related to
national security under this licensing agreement should submit the details of
their requirements to the Director, National Security Agency (Attn: IA
Directorate, V1). NSA will employ established development programs (e.g. NSA
sponsored developments, the Commercial COMSEC Endorsement Program (CCEP), or
User Partnership Programs) to develop and certify ECC for these requirements.

About Certicom
Certicom is a leading provider of wireless security solutions, enabling
developers, governments and enterprises to add strong security to their
devices, networks and applications. Designed for constrained devices,
Certicom's patented technologies are unsurpassed in delivering the strongest
cryptography with the smallest impact on performance and usability. Certicom
products are currently licensed to more than 300 customers including Texas
Instruments, Palm, Research In Motion, Cisco Systems, Oracle and Motorola.
Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with
offices in Ottawa, ON; Herndon, VA; San Mateo, CA; and London, England. Visit
www.certicom.com.

About CCC
CCC (Canadian Commercial Corporation) is a Crown Corporation mandated to
facilitate international trade, particularly in government markets. CCC's
approach is based on 'three Cs': credi

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
> I'm not sure how you come to that conclusion.  Simply
> use TLS with self-signed certs.  Save the cost of the
> cert, and save the cost of the re-evaluation.
> 
> If we could do that on a widespread basis, then it
> would be worth going to the next step, which is caching
> the self-signed certs, and we'd get our MITM protection
> back!  Albeit with a bootstrap weakness, but at real
> zero cost.

I know of some environments where this is done.  For example
to protect the connection to a corporate mail server, so that 
employees can read their mail from outside of work.  The caching 
problem is easily solved in this case by having the administrator 
distribute the self-signed cert to all employees and having them 
import it and trust it.  This costs no more than 1 man day per year.

This is near 0 cost however, and gives some weight to Perry's
argument.

> Any merchant who wants more, well, there *will* be
> ten offers in his mailbox to upgrade the self-signed
> cert to a better one.  Vendors of certs may not be
> the smartest cookies in the jar, but they aren't so
> dumb that they'll miss the financial benefit of self-
> signed certs once it's been explained to them.

I have a hard time believing that a merchant (who plans
to make $ by providing the possibility to purchase on-line)
cannot spend something like 1000$ [1] a year for an SSL 
certificate, and that the administrator is not capable of 
properly installing it within 1-2 man days.  If he can't install
it, just get a consultant to do it, you can probably get one
that does it within a day and charges no more than 1000$.

So that would make the total around 2000$ a year, let's 
generously round it up to 10K$ annum.
I think your 10-100 million $ annum estimate is a bit 
exaggerated...


[1] this is the price I saw at Verisign
http://www.verisign.com/products/site/commerce/index.html
I'm sure you can get it for cheaper. This was already 
discussed on this list I think...

--Anton



PGP Corporation Announces Release of PGP Desktop 8.0.3

2003-11-12 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 24 Oct 2003 11:35:52 -0400
To: "Philodox Clips" <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: PGP Corporation Announces Release of PGP Desktop 8.0.3
Reply-To: "Philodox Clips" <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>
October 24, 2003 08:31 AM US Eastern Timezone

PGP Corporation Announces Release of PGP Desktop 8.0.3; Support For the
Latest Windows and Mac Operating Systems and Popular Email Clients

PALO ALTO, Calif.--(BUSINESS WIRE)--Oct. 24, 2003--PGP Corporation, the
recognized leader in secure messaging and information storage, today
announced the immediate availability of PGP(R) Desktop 8.0.3. This version
adds support for Microsoft Office 2003, including Outlook 2003 and Windows
Server 2003; Novell GroupWise 6.5; and Mac OS X 10.3 (Panther).

"Although technology changes increasingly quickly, PGP products keep pace,"
said Jon Callas, PGP Corporation's CTO and Chief Security Officer. "This
release ensures customers continued access to the rich set of features in
PGP Desktop products, including digital signatures to automatically detect
email 'spoofing,' key management, and standards-based technology."

The release is available free to all customers who have purchased PGP
Desktop 8.0 products, including PGP Corporate Desktop, PGP Workgroup
Desktop, and PGP Personal Desktop as well as earlier versions of PGP
Enterprise, PGP Desktop, and PGP Personal. Licensed customers wishing to
upgrade to PGP Desktop 8.0.3 may download the update from www.pgp.com .

About PGP Corporation

The recognized worldwide leader in secure messaging and information
storage, PGP Corporation develops, markets, and supports products used by a
broad installed base of enterprises, businesses, governments, individuals,
and cryptography experts to secure proprietary and confidential information.

During the past ten years, PGP(R) technology has built a global reputation
for open and trusted security products. The PGP Corporation family of
products includes PGP Universal, an automatic, self-managing network-based
solution for enterprises, and individual desktop solutions. Venture funding
is provided by DCM-Doll Capital Management and Venrock Associates. Contact
PGP Corporation at www.pgp.com or 650-319-9000.

PGP is a registered trademark and the PGP logo is a trademark of PGP
Corporation. Product and brand names used in the document may be trademarks
or registered trademarks of their respective owners. Any such trademarks or
registered trademarks are the sole property of their respective owners.

Contacts

For PGP Corporation:
Jump Start Communications, LLC
Lori Curtis, 970-887-0044
[EMAIL PROTECTED]


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text





Digital certificate clearinghouse needs work

2003-11-12 Thread Anne & Lynn Wheeler
http://www.fcw.com/fcw/articles/2003/1020/web-fbca-10-22-03.asp

Digital certificate clearinghouse needs work

The mechanism that allows a digital certificate to be used across
government agencies must be upgraded before it will be available for the
entire government, a federal information technology official said today.

The Federal Bridge Certification Authority (FBCA) is the central
mechanism that handles digital certificates for transactions secured by
any participating agency's public-key infrastructure (PKI). Clients of
FBCA participants do not need certificates from every agency with which
they do business.

... snip ..

-- 
Anne & Lynn Wheeler -  http://www.garlic.com/~lynn/ 



Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread David Honig
At 07:11 PM 10/22/03 -0400, Perry E. Metzger wrote:
>
>Indeed. Imagine if we waited until airplanes exploded regularly to
>design them so they would not explode, or if we had designed our first
>suspension bridges by putting up some randomly selected amount of
>cabling and seeing if the bridge collapsed. That's not how good
>engineering works.

No.  But how quickly we forget how many planes *did* break up,
how many bridges *did* fall apart, because engineering sometimes
goes into new territory.

Even now.  You start using new composite materials in planes, and wonder why
they fall out of the sky when their tails snap off.  
Eventually (though not yet) Airbus et al
will get a clue how they fail differently from familiar metals.  
Even learning about now-mundane metal fatigue in planes involved
breakups and death.

(Safety) engineering *is* (unfortunately, but perhaps by practical necessity)
somewhat reactive.  It tries very hard not to be, but it is.

dh







Re: Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
>   for (int i=r; ; i=(i+1)%M)

That's assuming integers of sufficient precision to store M, obviously.
Jill




RE: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anne & Lynn Wheeler
Internet group starts anti-hacker initiative
http://www.computerweekly.com/articles/article.asp?liArticleID=125823&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

one of the threats discussed in the above is the domain name ip-address 
take-over mentioned previously
http://www.garlic.com/~lynn/aadsm15.htm#28

which was one of the primary justifications supposedly for SSL deployment 
(am i really talking to the server that I think i'm talking to).
--
Anne & Lynn Wheeler      http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
 



Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic

- Original Message - 
From: "Tom Otvos" <[EMAIL PROTECTED]>

> As far as I can glean, the general consensus in WYTM is that MITM attacks
> are very low (read: inconsequential) probability.

I'm not certain this was the consensus.

We should look at the scenarios in which this is possible, and the tools
that are available to accomplish the attack.  I would say that the attack is
more easily done inside a local network (outside the network you have to get
control of the ISP or some node, and this is more for the "elite").
But statistics show that most exploits are accomplished because of employees
within a company (either because they are not aware of basic security
principles, or because the malicious person was an employee within), so I find
this scenario (attack from inside the network) to be plausible.

Take for example a large corporation of 100 or more employees; there has
got to be a couple of people that do on-line purchasing from work, on-line
banking, etc.  I would say that it is possible that an employee (just
curious, or really malicious) would want to intercept these communications.

So how difficult is it to launch an MITM attack on https?  Very simple it
seems.  My hacker friends pointed out to me two softwares, ettercap and
Cain:
http://ettercap.sourceforge.net/
http://www.oxid.it/cain.html

Cain is the newest I think, and remarkably simple to use.  It has a very
nice
GUI and it doesn't take much hacking ability to use it.  I've been using it
recently for educational purposes and find it very easy to use, and I don't
consider myself a hacker.

Cain allows you to do MITM (in HTTPS, DNS and SSHv1) on a local
network.  It can generate certificates in real time with the same common
name as the original.  The only thing is that the certificate will probably
not
be signed by a trusted CA, but most users are not security aware and
will just continue despite the warning.

So given this information, I think MITM threats are real.  Are these attacks
being done in practice?  I don't know, but I don't think they would easily
be reported if they were, so you  can guess what my conclusion is...

--Anton





Intel announces DRM-enabled motherboard

2003-11-12 Thread Peter Gutmann
Intel has just announced a desktop motherboard with Wave's Embassy chip built
in at http://www.intel.com/design/motherbd/rh/index.htm.  Embassy is a DRM
chip that was more recently re-targeted slightly for, uhh, non-DRM
TCPA/TPM/whatever when they realised that DRM hardware was a bit of a hard
sell.

Peter.



Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Peter Gutmann
[EMAIL PROTECTED] (David Wagner) writes:

>When I establish a credit card with Visa, I generate a new client certificate
>for this purpose and register it with www.visa.com.  When I want to buy a
>fancy hat from www.amazon.com, Amazon re-directs me to
>https://ssl.visa.com/buy.cgi?payto=amazon&amount=$29.99&item=hat My web
>browser opens a SSL channel to Visa's web server, authenticating my presence
>using my client cert.  Visa presents me a description of the item Amazon
>claims I want to buy, and asks me to confirm the request over that
>authenticated channel.  If I confirm it, Visa forwards payment to Amazon and
>debits my account.  Visa can tell whose account to debit by looking at the
>mapping between my client certs and account numbers.  If Amazon wants to
>coordinate, it can establish a separate secure channel with Visa. (Key
>management for vendors is probably easier than for customers.)
>
>Does this work?

In theory, yes.  See "SET" :-).  It runs into a lot of the problems that SET
ran into as well, e.g. that half the merchants use the CC# (technically the
PAN) as the primary key for all their accounts so they want to process
everything themselves (the SET specs were changed at one point to make the PAN
visible to the merchant so they could continue this practice, completely
defeating one of the main benefits of the scheme), that no-one wants to pay to
build that sort of infrastructure, that [insert standard SET lament with
backing violins].

So in theory, yes, it would work.

Peter.



Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
Hi,

It's possible I may be reinventing the wheel here, so my apologies if 
that's so, but it occurs to me that there's a defence against an offline 
dictionary attack on an encrypted file. Here's what I mean: Say you have 
a file, and you want to keep it secret. What do you do? Obviously you 
either encrypt it directly, or you store it in an encrypted volume 
(thereby encrypting it indirectly). Problem? Maybe an attacker can 
somehow get hold of the encrypted file or volume ... maybe your laptop 
gets stolen ... maybe other people have access to your machine. In 
principle, you're protected by your passphrase, but if an attacker can 
get hold of the file, they can try an offline dictionary attack to guess 
your passphrase, so unless you're very good at inventing high entropy 
passphrases /and remembering them without writing them down/, there may 
still be a risk.

Here's the defence:

To encrypt a file:
   Generate a random number R between 0 and M-1 (for some fixed M, a power of 256)
   Type in your passphrase P
   Let S = R || P (where || stands for concatenation)
   Let K = hash(S)
K is now your encryption key. R is to be thrown away.

To decrypt the same file:
   Generate a random number r between 0 and M-1
   Type in your passphrase P
   for (int i=r; ; i=(i+1)%M)
   {
   Let S = i || P (i encoded with the same fixed width as R)
   Let K = hash(S)
   Try to decrypt using key K; if it succeeds, stop (i was R)
   }
This places a computational burden on your PC at decrypt-time. The 
larger you choose M, the more CPU time it will take to figure out K. So, 
you choose M such that it takes your PC about one second to find K, then 
your attacker will experience the same burden - but multiplied a 
squillionfold (a "squillion" being the entropy of your passphrase). This 
means that even if your passphrase consists of just two words from a 
dictionary, /and/ your attacker suspects this, it will still take him or 
her over a hundred and fifty years to decrypt (assuming your attacker 
has a PC of equivalent power). Even if your attacker has a faster PC 
than you, it will still be relatively easy to pick a 
strong-yet-memorable passphrase, since better tech can only ease the 
attacker's problem, not remove it. All of a sudden, weak passphrases 
turn into strong ones, and strong passphrases turn into computationally 
infeasible ones.

Is this useful?
Has anyone come up with it before? (Someone must have ... but I don't 
recall seeing the technique used in applications)

Jill

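The scheme above, as an added worked example (not code from the post): R is drawn, hashed into K with the passphrase and then discarded, and the decrypter scans all M candidates from a random offset. The stream cipher (SHA-256 in counter mode) and the HMAC tag that tells the decrypter when it has found K are constructed for this demo; the width of R is kept to one byte so the scan is instant.

```python
import hashlib
import hmac
import os

# Width of R in bytes; M = 256**WIDTH is the space the legitimate user must scan.
# One byte (M = 256) keeps the demo fast; the post would choose M for ~1 s of work.
WIDTH = 1
M = 256 ** WIDTH

def derive_key(i: int, passphrase: bytes) -> bytes:
    """K = hash(R || P), with R as a fixed-width big-endian integer."""
    return hashlib.sha256(i.to_bytes(WIDTH, "big") + passphrase).digest()

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter); constructed for this demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext: bytes, passphrase: bytes) -> bytes:
    """Pick R at random, derive K, encrypt, tag, and throw R away."""
    r = int.from_bytes(os.urandom(WIDTH), "big") % M
    key = derive_key(r, passphrase)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag          # R is deliberately not stored anywhere

def decrypt(blob: bytes, passphrase: bytes):
    """Scan every candidate for R starting at a random offset, as in the post.
    Returns (plaintext, candidates_tried), or None once all M have failed,
    which means the passphrase itself is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    r = int.from_bytes(os.urandom(WIDTH), "big") % M
    for tries in range(1, M + 1):
        i = (r + tries - 1) % M
        key = derive_key(i, passphrase)
        if hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
            pt = bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))
            return pt, tries
    return None

if __name__ == "__main__":
    blob = encrypt(b"constructed sample plaintext", b"correct horse")
    print(decrypt(blob, b"correct horse"))
```

An attacker guessing passphrases pays the full M-candidate scan for every wrong guess, since a wrong passphrase only fails after all M candidates have been tried.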


Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Peter Gutmann
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>TLS is just a pretty straightforward well analyzed protocol for protecting a
>channel -- full stop. It can be used in a wide variety of ways, for a wide
>variety of apps. It happens to allow you to use X.509 certs, but if you
>really hate X.509, define an extension to use SPKI or SSH style certs. TLS
>will accommodate such a thing easily. Indeed, I would encourage you to do
>such a thing.

Actually there's no need to even extend TLS, there's a standard and very
simple technique which is probably best-known from its use in SSH but has been
in use in various other places as well:

1. The first time your server fires up, generate a self-signed cert.

2. When the user connects, have them verify the cert out-of-band via its
   fingerprint.  Even a lower-security simple phrase or something derived from
   the fingerprint is better than nothing.

3. For subsequent connections, warn if the cert fingerprint has changed.

That's currently being used by a number of TLS-using apps, and works at least
as well as any other mechanism.  At a pinch, you can even omit (2) and just
warn if a key that doesn't match the one first encountered is used, that'll
catch everything but an extremely consistent MITM.  Using something like SSH
keys isn't going to give you any magical security that X.509 certs don't,
you'll just get something equivalent to the above mechanism.

Peter.

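The three steps above as an added example (not code from the post): a known-hosts style pin store that records a server's certificate fingerprint on first use, offers a short phrase derived from it for out-of-band comparison, and warns when the fingerprint later changes. A real client would feed in the DER bytes from the TLS handshake (ssl.SSLSocket.getpeercert(binary_form=True)); here the certificates are constructed byte strings so the demo runs offline.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form users compare out-of-band."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def short_phrase(cert_der: bytes, groups: int = 4) -> str:
    """Step 2's lower-security short form: the first `groups` blocks of four hex
    digits, easy to read over a phone. Less than the full fingerprint, but as
    the post says, better than nothing."""
    parts = fingerprint(cert_der).split(":")
    return " ".join("".join(parts[2 * k:2 * k + 2]) for k in range(groups))

def check_pin(store: dict, host: str, cert_der: bytes) -> str:
    """Trust-on-first-use check. Returns 'FIRST_USE', 'OK' or 'CHANGED'.
    `store` maps host -> pinned fingerprint and is written only on first use;
    a changed fingerprint is reported, never silently re-pinned."""
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp        # step 1/2: remember what was first seen
        return "FIRST_USE"
    if pinned == fp:
        return "OK"             # step 3: same certificate as before
    return "CHANGED"            # step 3: warn the user

if __name__ == "__main__":
    store = {}
    server_cert = b"constructed DER bytes of the server's self-signed cert"
    other_cert = b"constructed DER bytes of some other certificate"
    print(check_pin(store, "example.test", server_cert), short_phrase(server_cert))
    print(check_pin(store, "example.test", server_cert))
    print(check_pin(store, "example.test", other_cert))
```

The store itself must be protected from tampering; whoever can edit the pinned fingerprint can make a substituted certificate look like the one first seen.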


Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Ian Grigg
Tom Weinstein wrote:

> The economic view might be a reasonable view for an end-user to take,
> but it's not a good one for a protocol designer. The protocol designer
> doesn't have an economic model for how end-users will end up using the
> protocol, and it's dangerous to assume one. This is especially true for
> a protocol like TLS that is intended to be used as a general solution
> for a wide range of applications.


I agree with this.  Especially, I think we are
all coming to the view that TLS/SSL is in fact
a general purpose channel security protocol,
and should not be viewed as being designed to
protect credit cards or e-commerce especially.

Given this, it is unreasonable to talk about
threat models at all, when discussing just the
protocol.  I'm coming to the view that protocols
don't have threat models, they only have
characteristics.  They meet requirements, and
they get deployed according to the demands of
higher layers.

Applications have threat models, and in this is
seen the mistake that was made with the ITM.
Each application has to develop its own threat
model, and from there, its security model.

Once so developed, a set of requirements can
be passed on to the protocol.  Does SSL/TLS
meet the requirements passed on from on high?
That of course depends on the application and
what requirements are set.

So, yes, it is not really fair for a protocol
designer to have to undertake an economic
analysis, as much as they don't get involved
in threat models and security models.  It's
up to the application team to do that.

Where we get into trouble a lot in the crypto
world is that crypto has an exaggerated
importance, an almost magical property of
appearing to make everything safe.  Designers
expect a lot from cryptographers for these
reasons.  Too much, really.  Managers demand
some special sprinkling of crypto fairy dust
because it seems to make the brochure look
good.

This will always be a problem.  Which is why
it's important for the crypto guy to ask the
question - what's *your* threat model?  Stick
to his scientific guns, as it were.


> In some ways, I think this is something that all standards face. For any
> particular application, the standard might be less cost effective than a
> custom solution. But it's much cheaper to design something once that
> works for everyone off the shelf than it would be to custom design a new
> one each and every time.


Right.  It is however the case that secure
browsing is facing a bit of a crisis in
security.  So, there may have to be some
changes, one way or another.

iang
