Re: AES Modes

2004-10-11 Thread Brian Gladman
Ian Grigg wrote:
> Has anyone kept up to date with AES modes?
> http://csrc.nist.gov/CryptoToolkit/modes
> http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
> I'm looking for a basic mode to encrypt blocks (using AES)
> of about 1k in length, +/- an order of magnitude.  Looking
> at the above table (2nd link) there are oodles of proposed
> ones.
> It would be nice to have a mode that didn't also require
> a separate MAC operation - I get the impression that
> this is behind some of the proposals?
I provide some code and some speed comparison data for some of the AES 
modes here:

  http://fp.gladman.plus.com/AES/index.htm
I focus mainly on the combined encryption/authentication modes but I 
only cover those that I believe are free of licensing costs.

Brian Gladman
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: AES Modes

2004-10-11 Thread Ian Grigg
Zooko provided a bunch of useful comments in private mail,
which I've edited and forward for list consumption.
Zooko Wilcox-O'Hearn wrote:
> EAX is in the same class as CCM.  I think it's slightly better.  Also 
> there is GCM mode, which is perhaps a tiny bit faster, although maybe 
> not if you have to re-key every datagram.  Not sure about the 
> key-agility of these.
> 
> ... I guess the IPv6 sec project has already specified such a thing in 
> detail.  I'm not familiar with their solution.
> 
> If you really want interop and wide adoption, then the obvious thing to 
> do is backport IPsec to IPv4.  Nobody can resist the authority of IETF!
> 
> Alternately, if you don't use a combined mode like EAX, then you 
> should follow the generic composition cookbook from Bellare and 
> Rogaway [1, 2].
> 
> Next time I do something like this for fun, I'll abandon AES entirely 
> (whee!  how exciting) and try Helix [3].  Also, I printed out this 
> intriguing document yesterday [4].  Haven't read it yet.  It focusses on 
> higher-layer stuff -- freshness and sequencing.
> 
> Feel free to post to metzcrypt and give me credit for bringing the 
> following four URLs to your attention.
> 
> [1] http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#alternatives
> [2] http://www.cs.ucsd.edu/users/mihir/papers/oem.html
> [3] http://citeseer.ist.psu.edu/561058.html
> [4] http://citeseer.ist.psu.edu/661955.html



Cash, Credit -- or Prints?

2004-10-11 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB109744462285841431,00.html

The Wall Street Journal
October 11, 2004

Cash, Credit -- or Prints?
Fingerprints May Replace Money, Passwords and Keys;
One Downside: Gummi Fakes

By WILLIAM M. BULKELEY
Staff Reporter of THE WALL STREET JOURNAL
October 11, 2004; Page B1

Fingerprints aren't just for criminals anymore. Increasingly, they are for
customers.

Fingerprint identification is being used to speed up checkouts at Piggly
Wiggly supermarkets in South Carolina, and to open storage lockers at the
Statue of Liberty. Fingerprints are also being used as password substitutes
in cellphones and laptop computers, and in place of combinations to open up
safes.

But these aren't the fingerprints of yore, in which the person placed his
hand on an ink pad, then on paper. Instead, the user sets his hand on a
computerized device topped with a plate of glass, and an optical reader and
special software and chips identify the ridges and valleys of the
fingertips.

Fingerprint technology seems to be reaching critical mass and is spreading
faster than other widely promoted biometric identification methods, such
as eyeball scanning, handprint-geometry reading and facial recognition.
Interest in these and other new security systems was heightened by the
September 2001 terror attacks.

"Fingerprints will be dominant for the foreseeable future," says Don
McKeon, the product manager for biometric security at International
Business Machines Corp.

One reason fingerprint-security is spreading is that technological advances
are bringing the cost down. Microsoft Corp. recently introduced a
stand-alone fingerprint reader for $54, and a keyboard and a mouse with
fingerprint readers. Last week, IBM said it would start selling laptop
computers with fingerprint readers built in. These products reduce the need
for personal-computer users to remember passwords.

[Photo caption: A customer uses a fingerprint reader to pay at a Piggly Wiggly store, cutting his checkout time.]

Earlier this year, American Power Conversion Corp., a Rhode Island company
that makes backup computer batteries, started selling a fingerprint reader
for PCs with a street price of $45 -- less than half the price of
competitors at the time. American Power says it has sold tens of thousands
of the devices since.

Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip
at its base that requires the owner's finger to be swiped across its
surface before the phone can be used. This summer, NTT DoCoMo Inc. started
selling a similar phone reader that is being used on Japanese trains as an
electronic wallet to pay fares or to activate withdrawals from on-board
cash machines.

Proponents have never had trouble explaining the benefits of fingerprints
as payment-and-password alternatives: Each person has a unique set, and
their use is established in the legal system as an authoritative means of
identification. But some people are uneasy about registering their
fingerprints because of the association with criminality and the potential
that such a universal identifier linked to all personal information would
reduce privacy.

Moreover, numerous businesses and governments have tested fingerprint
systems in the past only to rip them out when the hype failed to match
reality. That's partly because the optical readers have had problems with
certain people's fingers. Elderly people with dry skin, children who
pressed down too hard, even women with smaller fingers -- including many
Asians -- were often rejected as unreadable.

Security experts also have successfully fooled some systems by making
plaster molds of fingers and then creating fake fingers by filling the
molds with Silly-Putty-type plasticizers or gelatin similar to that used in
candy Gummi Bears.

But advocates say the rate of false rejections of legitimate users has been
greatly reduced by improved software. "I'd say 99% of people can register
their fingers," says Brad Hill, who installed fingerprint-controlled lockers
at his souvenir store at the Statue of Liberty this summer when the
National Park Service forbade tourists from entering the statue while
carrying packages. Mr. Hill was worried that tourists would lose locker
keys when security screeners forced them to empty their pockets.

Some makers of readers also say their technology can solve the fake-finger
problem by taking readings from below the surface skin layer. Or they
suggest combining four-digit ID codes with fingerprint scanning to
virtually eliminate false readings.

Makers of fingerprint readers acknowledge the privacy concerns. But they
maintain that the threat of personal invasion is minimized because most
systems don't store the actual print, but instead use it to generate a
unique series of numbers that can't be reverse-engineered to re-create the
print. And public willingness to submit to fingerprint readers has soared
since the 2001 terrorist attacks, as the need for security overcomes
worries about 

Certificate serial number generation algorithms

2004-10-11 Thread Eric Rescorla
Does anyone know the details of the certificate generation algorithms
used by various CAs? 

In particular, Verisign's is very long and I seem to remember someone telling
me it was a hash but I don't recall the details...

Thanks,
-Ekr



Re: Certificate serial number generation algorithms

2004-10-11 Thread Peter Gutmann
Eric Rescorla [EMAIL PROTECTED] writes:

> In particular, Verisign's is very long and I seem to remember someone telling
> me it was a hash but I don't recall the details...

It's just a SHA-1 hash.  Many CAs use this to make traffic analysis of how
many (or few) certificates they're issuing impossible.  An additional
motivation for use by Verisign was to avoid certs with low serial numbers
having special significance.  While there are a few CAs that follow the
monotonically-increasing-integers scheme that certs were originally intended
to have (and all manner of other weirdness, 32-bit integer IDs of unknown
origin seem to be popular in the other category), most seem to use a binary
blob of varying length.

Peter.



Re: Certificate serial number generation algorithms

2004-10-11 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Sun, 10 Oct 2004 18:16:21 -0700, Eric Rescorla 
[EMAIL PROTECTED] said:

ekr> Does anyone know the details of the certificate generation
ekr> algorithms used by various CAs?

Variants I've heard of are:

 - A simple counter starting at 0 (well, actually, I know this one, as
   that's what OpenSSL does :-))
 - A simple counter starting with a random value (OpenSSL has an
   option for this).
 - A time-based value (I don't recall who did that)
 - A hash of some sort (I believe Verisign does that, among others)

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

-
A: Because it fouls the order in which people normally read text. 
Q: Why is top-posting such a bad thing? 
A: Top-posting. 
Q: What is the most annoying thing on usenet and in e-mail?
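
The four variants Richard lists, with Peter's point about the hash, side by side in Go. This is an added example, not OpenSSL's or any CA's code: what goes into the hash is my assumption (the thread only says it is a SHA-1 hash), and validSerial applies the RFC 5280 4.1.2.2 limits (positive INTEGER, at most 20 DER octets), which is why the digest's top bit is cleared.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"math/big"
	"time"
)

// counterSerial: the plain monotonically increasing integer. The gap between two
// observed serials tells an observer how many certificates were issued in between.
func counterSerial(last *big.Int) *big.Int {
	return new(big.Int).Add(last, big.NewInt(1))
}

// randomStartCounter: counter started at a random 64-bit value (Richard's second
// variant). Hides the absolute count, not the gap between two observed serials.
func randomStartCounter() (*big.Int, error) {
	buf := make([]byte, 8)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(buf), nil
}

// timeSerial: the issuance time as serial; unique only if no two certs share a tick, and it leaks that time.
func timeSerial(t time.Time) *big.Int {
	return big.NewInt(t.UnixNano())
}

// hashSerial: SHA-1 over per-certificate material, as Peter describes for Verisign; the input
// is an assumption (the thread does not say). The top bit is cleared so 160 bits fit 20 DER octets.
func hashSerial(material []byte) *big.Int {
	sum := sha1.Sum(material)
	sum[0] &= 0x7f
	return new(big.Int).SetBytes(sum[:])
}

// validSerial applies RFC 5280 4.1.2.2: positive, at most 20 DER octets. A positive
// DER INTEGER whose top bit is set needs a leading 0x00, so 20 octets hold 159 value bits.
func validSerial(s *big.Int) error {
	if s.Sign() <= 0 {
		return errors.New("serial must be a positive integer")
	}
	if s.BitLen() > 159 {
		return errors.New("serial would need more than 20 DER octets")
	}
	return nil
}
```

A counter that starts at 0 fails the positivity check on its very first value, and a raw 160-bit digest with its top bit set would need 21 DER octets; validSerial catches both.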
