PORTIA workshop on sensitive data, July 8-9, 2004, Stanford Univ.
Date: Mon, 5 Jul 2004 13:29:39 -0400 (EDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PORTIA workshop on sensitive data, July 8-9, 2004, Stanford Univ.

The final workshop program is available at http://crypto.stanford.edu/portia/workshops/2004_7_prog.html

Some potential topics for breakout sessions are available at http://crypto.stanford.edu/portia/workshops/2004_7_breakout.html

Directions to the workshop venue and parking instructions are at http://www.stanfordalumni.org/aboutsaa/saamap.html?content_instance_id=106281

All interested parties are welcome to attend. If you have any questions, please contact the workshop organizers (Joan Feigenbaum, Vitaly Shmatikov, and Vicky Weissman) at [EMAIL PROTECTED]

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
The Ricardian Contract - using mundane cryptography to achieve powerful governance
Original Message
Subject: Financial Cryptography Update: The Ricardian Contract
Date: Wed, 7 Jul 2004 11:17:46 +0100
From: [EMAIL PROTECTED]

( Financial Cryptography Update: The Ricardian Contract )
July 07, 2004
http://www.financialcryptography.com/mt/archives/000175.html

Presented yesterday at the IEEE's first Workshop on Electronic Contracting, a new paper entitled "The Ricardian Contract" covers the background and essential structure of Systemics' innovation in digital contracts. It is with much sadness that I am writing this blog instead of presenting, but also with much gladness that Mark Miller, of E and capabilities fame, was able to step in at only a few hours' notice.

http://iang.org/papers/ricardian_contract.html

That which I invented (with help from Gary Howland, my co-architect of the Ricardo system for secure assets transfer) was a fairly mundane document, digitised mundanely, and wrapped in some equally mundane crypto. If anything, it's a wonderful example of how to use very basic crypto and software tools in a very basic fashion to achieve something much bigger than its parts. In fact, we thought it so basic that we ignored it, thinking that people would just copy it. But no-one else did, so nearly a decade after the fact, I've finally admitted defeat and gone back to documenting why the concept was so important.

The Ricardian Contract worked to the extent that when people got it, they got it big. In a religious sense, which meant that its audience was those who'd already issued, and intuitively felt the need. Hasan coined the phrase that the contract is the keystone of issuance, and now Mark points out that a major element of the innovation was in the bringing together of the requirements from the real business across to the tech. They are both right.

Much stuff didn't make it into the paper - it had hit 20 pages by the time I was told I was allowed 8. Slashing mercilessly reduced it, but I had to drop the requirements section, something I now regret. Mark's comment on business requirements matches the central message of FC7 - that financial cryptography is a cross-discipline game. Hide yourself in your small box, at your peril. But no person can appreciate all the apposite components within FC7, so we are forced to build powerful, cross-discipline tools that ease that burden. The Ricardian Contract is one such - a tool for bringing the technical world and the legal world together in issuance of robust financial value.
RE: authentication and authorization (was: Question on the state of the security industry)
At 07:23 AM 7/5/2004, Anton Stiglic wrote:

> Identity has many meanings. In a typical dictionary you will find several definitions for the word identity. When we are talking about information systems, we usually talk about a digital identity, which has other meanings as well. If you are in the field of psychology, philosophy, or computer science, identity won't mean the same thing. One definition that relates to computer science that I like is the following: the individual characteristics by which a thing or person is recognized or known.

another way of looking at it in an authentication/authorization infrastructure is that some set of privileges are asserted ... this is typically done by having some sort of identification associated with those privileges (like an account number or userid). There can be some confusion whether what is being asserted is a tag, identity or identification. if the tag being asserted is something like a person's name, the institution is likely just using it as a tag to look up the set of privileges associated with that name (they may not actually care who you are ... they want to know what privileges are associated with the name/tag).

then there is some sort of authentication as to the binding to that set of privileges, aka the 3-factor authentication taxonomy:

* something you know
* something you have
* something you are

note, in some scenarios it is possible that knowing the account number provides both the privilege assertion as well as the something you know authentication (aka knowing the account number is sufficient to make withdrawals).

in any case there are frequently used institutional processes that can be characterized by assertion of privileges and authentication. The taxonomy of those processes can be considered independent of the terms used to label the processes (is a guard really interested in who you are or just finding out what privileges and permissions you have).

so we have an environment with institutions and CSOs and an attitude that the institution and the institution's integrity must be protected from outsiders (and criminal insiders). however, with the prevalent use of static data and something you know authentication paradigms ... there are huge amounts of static data lying around, ripe for the harvesting ... where the criminal impersonates an individual.

so one view is that the vulnerability is the extensive use by institutions of static data and something you know authentication, where the individual may have little or no ability to protect the majority of the information. The crime appears to be against the individual, and the source of the information may be totally unrelated to where the crime actually occurs. Assuming that the source of the vulnerability is the institutional infrastructures, some laws have been passed to try and hold the institutions responsible for the protection of individual information. in some scenarios, institutions are charged with protecting individual information from the institution itself (which sort of inverts a security officer's job of protecting the institution from others).

However, in some scenarios http://www.garlic.com/~lynn/2001h.html#61 the common use of static data is so pervasive that an individual's information is found at thousands of institutions. The value of the information to the criminal is that the same information can be used to perpetrate fraud across all institutions, and so the criminal value is enormous. However the value to each individual institution may be minimal. As a result there can be situations where an individual institution hasn't the infrastructure or the funding to provide the countermeasures necessary to keep the criminals away from the information (they simply don't have the resources to provide security proportional to the risk).

The value of the static data authentication information to a criminal is far greater than the value of the information to the institution ... or the cost to the criminal to acquire the information is possibly orders of magnitude less than the value of the information (for criminal purposes). Given such a situation the infrastructures simply don't have the resources to provide the countermeasures adequate to meet the attacks they are going to experience (there is such a huge mismatch between the value of the information to the individual institutions and the value of the information to the criminal). Which results in my assertion that there has to be a drastic move away from the existing static data authentication paradigm, because there is such a mismatch between the value to secure the information versus the value of attacks to obtain the information. It isn't that theory can't provide mechanisms to protect the information; it is that the information is spread far and wide and is in constant use by thousands of business processes, and that protection problem is analogous to the problem of having people memorize a hundred different 8+character passwords that change every month (which is also a shortcoming of the static data authentication paradigm).
Re: Question on the state of the security industry (second half not necessarily on topic)
In message [EMAIL PROTECTED], Jason Holt writes:

> [...] I had the same question about the NSA when some friends were interviewing there. Apparently investigators will just show up at your house and want to know all sorts of things about your friends, who you may or may not know to be in the process of looking for work there. As I understand it, the investigators don't even carry NSA badges; they're DSS or private investigators. In all seriousness, background investigations have been outsourced...

I had a similar experience a few years ago. I was supposed to visit the --- agency. Someone I had *not* been dealing with called to ask for my social security number and birthdate. I declined, on the grounds that I had no idea who he was. "But if I'm not legitimate, how do I know you're going to visit tomorrow?" My reply was "you're from --- and you don't think people can learn things they're not supposed to know?" He was livid -- "if you don't tell me, you can't visit." I told him that that was fine with me, and he should get my usual contact to call me. "But he's unavailable today!" I indicated that I was still unconcerned -- and 10 minutes later, this unavailable person called me...

On the other hand, when my broker called last week and asked for some confidential info, he was very understanding and co-operative when I declined to give out that information over the phone when he had called me. So it's not completely hopeless.

--Steve Bellovin, http://www.research.att.com/~smb
Re: Using crypto against Phishing, Spoofing and Spamming...
Florian Weimer wrote:

> * Amir Herzberg:
>> # Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF
>
> The trusted credentials area is an interesting concept.

Thanks.

> However, experience suggests that given the current business models, we cannot build the required logotype registry. All registries which are used on the Internet (for IP address assignments, BGP prefixes, DNS names, and even X.509 certificates) are known to fail under stress.

I'm not sure what you mean by `logotype registry`. Such a registry already exists (off-web), i.e. national trademark offices, e.g. www.uspto.gov. These bodies could issue logo certificates. Or, private companies, e.g. Verisign, can issue logo certificates, based on the official trademark registers; that shouldn't be hard. As to a registry to hold these certificates - the site (e.g. bank) would probably keep it... and many other places (this is signed, i.e. not risky to keep).

Finally, of course, until such certificates are available, we simply use the manual binding of logos/icons/names to public keys, on the first time you enter a secure site using a browser with our enhancement. It works great... very convenient, and very clear (see screen shots in paper).

--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography security)
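The "manual binding on first visit" fallback described above, modelled as a small trusted-credentials store; this is an added example, not Herzberg's code, and the site names, keys and the choice of a SHA-256 key fingerprint as the binding target are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    display_name: str   # the name the user chose to see, e.g. "My Bank"
    logo: str           # stands in for the user-chosen icon; a text label here
    fingerprint: str    # SHA-256 of the site's public key, hex


def fingerprint(public_key: bytes) -> str:
    """Assumed: the binding is to a hash of the site's public key."""
    return hashlib.sha256(public_key).hexdigest()


class TrustedCredentialsArea:
    """Per-site store. First visit: bind the user's chosen name/logo to the key.
    Later visits: show the credential only on an exact key match."""

    def __init__(self) -> None:
        self._store: Dict[str, Credential] = {}

    def visit(self, site: str, public_key: bytes,
              user_binding: Optional[Tuple[str, str]] = None) -> dict:
        fp = fingerprint(public_key)
        known = self._store.get(site)
        if known is None:
            # never seen this site: nothing is displayed unless the user
            # explicitly binds a credential right now
            if user_binding is None:
                return {"status": "unbound", "credential": None}
            cred = Credential(user_binding[0], user_binding[1], fp)
            self._store[site] = cred
            return {"status": "bound", "credential": cred}
        if known.fingerprint == fp:
            return {"status": "trusted", "credential": known}
        # key changed: possibly a legitimate rotation, but the remembered logo
        # must not be shown for a key the user never bound
        return {"status": "key-mismatch", "credential": None}


def demo() -> list:
    """Constructed sample: a bank bound on first visit, then revisited, then
    seen with a different key, then a look-alike site that was never bound."""
    area = TrustedCredentialsArea()
    bank_key, other_key = b"constructed-bank-public-key", b"constructed-other-key"
    steps = [
        area.visit("bank.example", bank_key, ("My Bank", "[bank logo]")),
        area.visit("bank.example", bank_key),
        area.visit("bank.example", other_key),
        area.visit("bank-login.example", bank_key),   # look-alike site, no binding
    ]
    return [s["status"] for s in steps]


if __name__ == "__main__":
    print(demo())   # ['bound', 'trusted', 'key-mismatch', 'unbound']
```

The last step is the point of the scheme: a site the user never bound gets no logo in the area, however closely its name resembles the bank's.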
Re: Using crypto against Phishing, Spoofing and Spamming...
There was an early attempt to use cryptography to authenticate online credit card transactions, the SET protocol pushed by Visa and Mastercard in the late 1990s. SET would require PC users to download a digital wallet application which would hold cryptographic credentials that would be used to authorize a transaction. The wallet software would then issue a digital signature when the user approved a purchase.

SET failed due to the complexity of distributing the software and setting up the credentials. I think another reason was the go-fast atmosphere of the late 90s, where no one wanted to slow down the growth of ecommerce. The path of least resistance was simply to bring across the old way of authorizing transactions by card number. Only now are we belatedly beginning to pay the price for that decision. If anything, it's surprising that it has taken this long. If phishing scams had sprung up five years ago it's possible that SET would have had a fighting chance to survive.

I predict that we will eventually move to a SET-like system; not necessarily that exact protocol, but something based on cryptographic authorizations for online purchases rather than the card number based systems in use today.

In considering such solutions, it is important to distinguish threat models. Phishing is so harmful because it succeeds without even breaking into users' computers. A SET-like system can protect against such scams. Defending against break-in attacks is a harder problem, but that doesn't mean that solving the easier problem is useless. Contrary perhaps to the conventional wisdom, I am optimistic that we will see increases in computer security over the next several years and that break-ins, although not eliminated, will be greatly reduced. This model makes it even more important to move towards cryptographic assurance for payment systems.

Hal Finney
identification + Re: authentication and authorization
I believe that a significant part of the problems discussed here is that the three concepts named in the subject line are not well-defined. This is not a question of semantics, it's a question of logical conditions that are at present overlapping and inconsistent.

For example, much of what is called identity theft is actually authentication theft -- the stolen credentials (SSN, driver's license number, address, etc) are used to falsely *authenticate* a fraudster (much like a stolen password), not to identify. Once we understand this, a solution, thus, to what is called identity theft is to improve the *authentication mechanisms*, for example by using two-factor authentication. Which has nothing to do with identification, impersonation, or even the security of identification data.

In further clarifying the issue, it seems that what we need first is a non-circular definition for identity. And, of course, we need a definition that can be applied on the Internet. Another important goal is to permit a safe automatic processing of identification, authentication and authorization [1].

Let me share with you my conclusion on this, in revisiting the concept of identification some time ago. I found it useful to ask the meta question -- what is identification, that we can identify it? In short, a useful definition of identification should also work reflexively and self-consistently [2].

In this context, what is to identify? I think that to identify is to look for connections. Thus, in identification we should look for logical and/or natural connections. For example:

- between a fingerprint and the person that has it,
- between a name and the person that answers by that name,
- between an Internet host and a URL that connects to it,
- between an idea and the way we can represent it in words,
- conversely, between words and the ideas they represent,
- etc.

Do you, the reader, agree? If you agree you have just identified. If you do not agree, likewise you have identified!

The essence of identification is thus to find connections -- where absence of connections also counts. Identification can thus be understood not only in the sense of an identity connection, but in the wider sense of any connection. Which one to use is just a matter of protocol expression, need, cost and (very importantly) privacy concerns.

The word coherence is useful here, meaning any natural or logical connection. To identify is to look for coherence. Coherence with and between a photo, a SSN, an email address, a public-key and other attributes: *Identification is a measure of coherence*.

The same ideas can be applied to define authentication and authorization in a self-consistent way, without overlapping with each other.

Comments?

Cheers,
Ed Gerck

[1] The effort should also aim to safely automate the process of reliance by a relying-party. This requires path processing and any algorithm to eliminate any violations of those policies (i.e., vulnerabilities) that might be hard to recognize or difficult to foresee, which would interfere with the goal of specifying a wholly automated process of handling identification, authentication and authorization.

[2] This answer should be useful to the engineering development of all Internet protocols, to all human communication modes, to all information transfer models and anywhere one needs to reach beyond one's own point in space and time.
EZ Pass and the fast lane ....
--- begin forwarded text

Date: Fri, 2 Jul 2004 21:34:20 -0400
From: Dave Emery [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: EZ Pass and the fast lane
User-Agent: Mutt/1.4.1i
Sender: [EMAIL PROTECTED]

Having been inspired by some subversive comments on cypherpunks, I actually looked up the signaling format on the EZ-Pass toll transponders used throughout the Northeast. (On the Mass Pike, and most roads and bridges in NYC and a number of other places around here). They are the little square white plastic devices that one attaches to the center of one's windshield near the mirror and which exchange messages with an interrogator in the FAST LANE that debits the tolls from an account refreshed by a credit card (or other forms of payment). They allow one to sail through the toll booths at about 15-20 mph without stopping and avoid the horrible nuisance of digging out the right change while rolling along at 70 mph in heavy traffic.

Turns out they use Manchester encoded on-off keying (e.g. old fashioned pulsed RF modulation) at 500 kilobits/second on a carrier frequency of 915 MHz at a power a little under 1 mW (0 dBm). The 915 MHz is time shared - the units are interrogated by being exposed to enough 915 MHz pulsed energy to activate a broadband video detector looking at energy after a 915 MHz SAW filter (presumably around -20 dBm or so). They are triggered to respond by a 20 us pulse and will chirp in response to between a 10 and 30 us pulse. Anything longer or shorter and they will not respond. The response comes about 100-150 us after the pulse and consists of a burst of 256 bits followed by a 16 bit CRC. No present idea what preamble or postamble is present, but I guess finding this out merely requires playing with a transponder and DSO/spectrum analyzer. Following the response but before the next interrogation the interrogator can optionally send a write burst which also presumably consists of 256 bits and CRC.

Both the interrogators and transponders collect two valid (correct) CRC bursts on multiple interrogations and compare bit for bit before they decide they have seen a valid message. Apparently an EEPROM in the thing determines the partition between fixed bits set at the factory (e.g. the unit ESN) and bits that can get written into the unit by the interrogators. This is intended to allow interrogators at on ramps to write into the unit the ramp ID for units at off ramps to use to compute the toll... (possibilities for hacking here are obvious for the criminally inclined - one hopes the system designers were thoughtful and used some kind of keyed hash). No mention is made of encryption or challenge response authentication but I guess that may or may not be part of the design (one would think it had better be, as picking off the ESN should be duck soup with suitable gear if not encrypted).

But what I have concluded is that it should be quite simple to detect a response from one's transponder and activate a LED or beeper, and hardly difficult to decode the traffic and display it if it isn't encrypted. A PIC and some simple RF hardware ought to do the trick; even one of those LED flashers that detect cellphone energy might prove to work. Perhaps someone more paranoid (or subversive) than I am will follow up and actually build such a monitor and report whether there are any interrogations at OTHER than the expected places...

--
Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493

--- end forwarded text

--
R. A. Hettinga mailto:[EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
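A model of the message format the forwarded post describes (256-bit burst plus 16-bit CRC, accepted only after two CRC-valid bursts agree bit for bit), with the "keyed hash" over the interrogator-written field that the post hopes the designers used; this is an added example, not code from the post or from the toll system, and the CRC polynomial, the field layout inside the 256 bits, the per-device key and the sample values are all assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

PAYLOAD_BYTES = 32     # 256 bits, as described in the post
CRC_BYTES = 2          # 16-bit CRC, as described in the post


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE. The post gives only the CRC width; the polynomial
    and initial value here are assumptions."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_payload(esn: bytes, ramp_id: bytes, key: bytes) -> bytes:
    """Assumed layout of the 256-bit payload: 8-byte factory ESN, 8-byte
    interrogator-written ramp ID, 16-byte truncated HMAC-SHA256 over both."""
    assert len(esn) == 8 and len(ramp_id) == 8
    tag = hmac.new(key, esn + ramp_id, hashlib.sha256).digest()[:16]
    return esn + ramp_id + tag


def build_burst(payload: bytes) -> bytes:
    """What goes on the air: payload followed by its 16-bit CRC, big-endian."""
    assert len(payload) == PAYLOAD_BYTES
    return payload + crc16(payload).to_bytes(CRC_BYTES, "big")


def crc_valid(burst: bytes) -> bool:
    if len(burst) != PAYLOAD_BYTES + CRC_BYTES:
        return False
    return crc16(burst[:-CRC_BYTES]) == int.from_bytes(burst[-CRC_BYTES:], "big")


def accept(bursts: List[bytes]) -> Optional[bytes]:
    """Receiver rule from the post: two CRC-valid bursts must agree bit for
    bit before a message counts; returns the agreed payload or None."""
    good = [b for b in bursts if crc_valid(b)]
    for i, b in enumerate(good):
        if b in good[i + 1:]:
            return b[:-CRC_BYTES]
    return None


def mac_valid(payload: bytes, key: bytes) -> bool:
    """The integrity check a CRC cannot provide: recompute the keyed tag."""
    esn, ramp_id, tag = payload[:8], payload[8:16], payload[16:32]
    expected = hmac.new(key, esn + ramp_id, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, expected)


def rewrite_ramp_id(burst: bytes, new_ramp_id: bytes) -> bytes:
    """A write from a device that does not hold the key: it can fix up the
    CRC, so the CRC alone cannot tell this from a genuine write."""
    return build_burst(burst[:8] + new_ramp_id + burst[16:PAYLOAD_BYTES])


def demo() -> dict:
    key = os.urandom(32)   # per-device key, assumed provisioned at the factory
    genuine = build_burst(build_payload(b"ESN-0001", b"RAMP-017", key))  # constructed
    noisy = bytes([genuine[0] ^ 0x01]) + genuine[1:]   # one bit flipped in transit
    unkeyed_write = rewrite_ramp_id(genuine, b"RAMP-001")
    return {
        "noisy_crc_ok": crc_valid(noisy),                       # False: CRC catches noise
        "agreed_payload_is_genuine":
            accept([noisy, genuine, genuine]) == genuine[:-CRC_BYTES],
        "unkeyed_write_crc_ok": crc_valid(unkeyed_write),       # True: CRC is not integrity
        "unkeyed_write_mac_ok": mac_valid(unkeyed_write[:-CRC_BYTES], key),   # False
        "genuine_mac_ok": mac_valid(genuine[:-CRC_BYTES], key),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The two-burst comparison and the CRC only filter RF noise; the keyed tag is what makes a ramp ID written by an unauthorised device detectable at the off ramp.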
RE: authentication and authorization (was: Question on the state of the security industry)
> However, in some scenarios http://www.garlic.com/~lynn/2001h.html#61 the common use of static data is so pervasive that an individual's information is found at thousands of institutions. The value of the information to the criminal is that the same information can be used to perpetrate fraud across all institutions and so the criminal value is enormous. However the value to each individual institution may be minimal. As a result there can be situations where an individual institution hasn't the infrastructure or the funding to provide the countermeasures necessary to keep the criminals away from the information (they simply don't have the resources to provide security proportional to the risk). The value of the static data authentication information to a criminal is far greater than the value of the information to the institution ... or the cost to the criminal to acquire the information is possibly orders of magnitude less than the value of the information (for criminal purposes).

Agreed. This is where federated identity management becomes a tricky problem to solve. It is important to get something like the Liberty Alliance right. A solution that I like can be found here (there is also a ppt presentation that can be found on the site): http://middleware.internet2.edu/pki04/proceedings/cross_domain_identity.pdf

> Given such a situation the infrastructures simply don't have the resources to provide the countermeasures adequate to meet the attacks they are going to experience (there is such a huge mismatch between the value of the information to the individual institutions and the value of the information to the criminal). Which results in my assertion that there has to be a drastic move away from the existing static data authentication paradigm because there is such a mismatch between the value to secure the information versus the value of attacks to obtain the information. It isn't that theory can't provide mechanisms to protect the information; it is that the information is spread far and wide and is in constant use by thousands of business processes, and that protection problem is analogous to the problem of having people memorize a hundred different 8+character passwords that change every month (which is also a shortcoming of the static data authentication paradigm).

Yes, theory is far more advanced than what is used in practice. With zero-knowledge proofs and attribute authentication, based on secrets stored on smart cards held by the proper owners, and the possibility to delegate part of the computation to a server (so clients can authenticate on low-powered devices), without revealing information about the secret, etc...

I agree that what you call the static data authentication paradigm is the cause of many problems, including identity theft. It is one reason why Identity Management is a hot topic these days; businesses are losing control of all the static data associated with the various systems they have, and when an employee leaves a company he often has an active account on some system even months after his departure. This is the de-provisioning problem.

Not too sure about the wording, however; if you take a zero-knowledge proof to authenticate possession of an attribute, the prover will hold some static data (some sort of secret). The only difference is that the verifier doesn't need to know the secret, and in fact you can't learn anything from looking at the communication link when the proof is executed. You can't learn anything either by modifying the protocol from the verifier's point (malicious verifier). But if you can steal the secret that the prover possesses, then you can impersonate her.

--Anton
FUJITSU DEVELOPS ENCRYPTION TECH THAT TAKES 20 MILLION YEARS TO BREAK
http://www.antaranews.net/en/index.php?id=s6384

Tokyo, July 8 (ANTARA/AFP) - Japanese IT giant Fujitsu Ltd. said Wednesday it has developed credit card encryption technology which is impossible to break with existing means

... snip ...