World-Renowned Cryptographer Arjen Lenstra Joins Bell Labs

2005-02-02 Thread R.A. Hettinga
http://www.mysan.de/international/article32397.html

mysan.de/international -


World-Renowned Cryptographer Arjen Lenstra Joins Bell Labs


 Adds Valuable Talent to Lucent Technologies#039; Network Security Research

 MURRAY HILL, N.J., Feb. 1 /PRNewswire-FirstCall/ -- Lucent Technologies
(NYSE:LU) today announced that Arjen Lenstra, a world-renowned expert in
evaluating, designing and developing the cryptographic algorithms and
protocols that protect sensitive information as it is communicated
electronically, has joined Bell Labs#039; Computing Sciences Research
Center.
Prior to joining Bell Labs, Lenstra was vice president of Information
Security Services at Citigroup. Lenstra specializes in the security of
systems that are widely used in e-commerce applications, such as key size
selection, an important factor in how electronic transactions are secured,
and the evaluation of cryptosystems such as RSA and ElGamal, encryption
systems used in e-commerce protocols.
quot;Arjen is a significant addition to an already world-class group of
researchers at Bell Labs who are developing the algorithms, architectures
and systems necessary to ensure the security and reliability of
networks,quot; said Jeff Jaffe, president, Bell Labs Research and Advanced
Technologies. quot;His expertise will have a profound impact not just on
Lucent#039;s business, but on the business of our customers as well.
We#039;re thrilled to have him on board.quot;
Lenstra focuses on how academic cryptologic research and computational
number theory impact practical security applications and practices. This is
important because the vast majority of the crypto work happening today in
research labs and universities around the world, while important and
useful, is often too costly for practical implementation. Lenstra believes
that bridging the gap between what#039;s theoretically possible and
what#039;s practical is a major research challenge; it is the area he will
concentrate on at Bell Labs.
quot;I joined Bell Labs because I wanted to go back to designing
algorithms and tackling hard problems in computational number theory in a
way that will make a difference to people outside of academia,quot; said
Lenstra. quot;What I found compelling about the Labs was that everyone I
spoke with here knew exactly how the research they were doing helped the
company or its customers in some meaningful way.quot;
quot;Arjen#039;s network security expertise will further enhance Bell
Labs#039; capability in this critical area and will enable Lucent to
continue improving the security of the solutions we offer to our
customers,quot; said Linda Bramblett, director of Lucent Worldwide
Services#039; Security Practice. quot;We are pleased that Arjen
recognized the company#039;s commitment to stay at the forefront of
developing the next generation of security solutions and services, and that
he will be part of the Bell Labs team helping us do just that.quot;
One recent example of Lenstra#039;s expertise came after a recent
cryptography conference where it was shown that some widely used hash
functions -- cryptographic quot;fingerprintsquot; used in network
protocols in such industries as banking to create secure digital signatures
-- are weaker than expected, leaving online transactions potentially
vulnerable to attack. Lenstra assessed these theories and demonstrated that
their real-life impact was minimal. This kind of analysis helps
Lucent#039;s customers avoid needless spending by evaluating the actual
risk of developments advertised as quot;cryptographic disastersquot; to
assess whether they have any significant real- life impact.
Lenstra#039;s formal training is in computational number theory, a field
concerned with finding and implementing efficient computer algorithms for
solving various problems rooted in number theory. Lenstra was a key
contributor to the team that successfully factored RSA-155, a 512-bit
number, which at the time was the default key size used to secure
e-commerce transactions on the Internet. This was a significant
accomplishment because the RSA public-key cryptosystem relies on the
inability to factor such a number, and Lenstra#039;s team was able to do
so in less than seven months, suggesting this approach was not as secure as
had been believed.
Lenstra invented a number of widely used algorithms, cryptographic systems
and software packages including FreeLIP, software used for efficient
development and implementation of cryptographic protocols. In addition,
Lenstra co-authored the influential paper quot;Selecting Cryptographic Key
Sizes,quot; which offered guidelines for determining key sizes for
cryptosystems based on a set of explicitly formulated hypotheses and data
points about the cryptosystems.
Lenstra has a bachelor#039;s degree in mathematics and physics, a
master#039;s degree in mathematics, and a doctorate in mathematics and
computer science from the University of Amsterdam. He has spent his career
working, teaching or consulting 

FSTC Announces Availability of FSTC Counter-Phishing Project Whitepaper and Supporting Documents

2005-02-02 Thread R.A. Hettinga

--- begin forwarded text


Date: Tue, 01 Feb 2005 14:38:24 -0500
From: Zachary Tumin [EMAIL PROTECTED]
Subject: FSTC Announces Availability of FSTC Counter-Phishing Project
 Whitepaper and Supporting Documents
To: 'Members' members@ls.fstc.org
Reply-To: [EMAIL PROTECTED]
Thread-Index: AcUIlZgU2CHR/ELITdGfx45tInzmrg==

To: All FSTC Members and Friends
From:   Zach Tumin, Executive Director

I am pleased to announce the availability of FSTC's Understanding and
Countering the Phishing Threat, the summary whitepaper of findings and
recommendations of the FSTC Counter-Phishing Project. The whitepaper
contains valuable data, published here for the first time, including FSTC's
Phishing Attack Life Cycle and FSTC's Taxonomy of Phishing Attacks. This
and all other project deliverables are located at

http://fstc.org/projects/counter-phishing-phase-1/

In addition to the whitepaper, the following deliverables are being made
available on the site, as follows:

TO ALL: Results Summary: FSTC Counter-Phishing Solutions Survey: An
overview of the 60+ solutions currently offered on the marketplace, broken
down by where they map against the FSTC Phishing Attack Life Cycle

TO ALL: Vocabulary of Phishing Terms: A glossary of terms used throughout
the project. The project team used these to speak the same language when
talking about the problem and potential solutions, whether internally, or
with vendors, or with customers

TO FSTC MEMBERS ONLY: Results Summarized By Solution: identifies solutions
by company and product name as they map against the different phases of the
FSTC Phishing Attack Life Cycle

TO FSTC MEMBERS ONLY: Directory of Survey Respondents: contact information
for each company/solution provider that responded to the survey

FOR PURCHASE: Cost/Impact Spreadsheet Tool: a tool that provides a means
to estimate the direct and indirect costs/impacts of phishing to a financial
institution

FSTC extends its gratitude to its member organizations for their efforts and
contributions in completing this important industry research, and to the
project's talented management team for helping our members realize their
goals.




To subscribe or unsubscribe from this elist use the subscription
manager: http://ls.fstc.org/subscriber

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Dell to Add Security Chip to PCs

2005-02-02 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB110727370814142368,00.html

The Wall Street Journal

  February 1, 2005 11:04 a.m. EST

Dell to Add Security Chip to PCs

By GARY MCWILLIAMS
Staff Reporter of THE WALL STREET JOURNAL
February 1, 2005 11:04 a.m.


HOUSTON -- Dell Inc. today is expected to add its support to an industry
effort to beef up desktop and notebook PC security by installing a
dedicated chip that adds security and privacy-specific features, according
to people familiar with its plans.

Dell will disclose plans to add the security features known as the Trusted
Computing Module on all its personal computers. Its support comes in the
wake of similar endorsements by PC industry giants Advanced Micro Devices
Inc., Hewlett-Packard Co., Intel Corp. and International Business Machines
Corp. The technology has been promoted by an industry organization called
the Trusted Computing Group.

The company is also expected to unveil new network PCs.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is 3DES Broken?

2005-02-02 Thread Daniel Carosone
On Mon, Jan 31, 2005 at 10:38:53PM -0500, Steven M. Bellovin wrote:
 When using CBC mode, one should not encrypt more than 2^32 64-bit 
 blocks under a given key.  That comes to ~275G bits, which means that 
 on a GigE link running flat out you need to rekey at least every 5 
 minutes, which is often impractical. 

Notably for those encrypting data at rest, it's also rather smaller
than current hard disk sizes, which are much harder to re-key.

(Even for those only encrypting data in flight, it has practical
implications regarding the feasibility of capturing that data for later
analysis)

--
Dan.


pgpeucg0rdznT.pgp
Description: PGP signature


Call For Papers : HITB Security Conference Bahrain 2005

2005-02-02 Thread alpha
Hack In The Box Security Conference 2005 : Bahrain
--

Greetings,

We are inviting individuals or groups who are
interested in computer and network security, challenges and
practices to send in their papers for inclusion in HITBSecConf2005 Bahrain.
This deep knowledge network security event will take place from April 10th - 
13th in the city of Manama, Bahrain.

Topics of interest include, but are not limited to the following:

 Analysis of network and security vulnerabilities
 Firewall technologies
 Intrusion detection / prevention
 Data Recovery and Incident Response
 GPRS and CDMA Security
 Identification and Entity Authentication
 Network Protocol and Analysis
 Smart Card Security
 Virus and Worms
 WLAN and Bluetooth Security.
 Analysis of malicious code
 Applications of cryptographic techniques
 Analysis of attacks against networks and machines
 Denial-of-service attacks and countermeasures
 File system security
 Security in heterogeneous and large-scale environments
 Espionage and Counter Intelligence
 Techniques for developing secure systems
 Military Security / Technology


Summaries not exceeding 250 words should be submitted (in plain text format) to 
cfp -at- hackinthebox.org for review and possible inclusion in the program. All 
flights and hotel accomodation will be provided should your paper be accepted.

## Note: We do not accept product or vendor related pitches. If your talk 
involves an advertisement for a new product or service your company is 
offering, please do not submit.


For event sponsorship details please contact Jorge Sebastiao 
(jorge[at]esgulf.com)


For further details regarding what we have planned, please take a look at our 
official conference website:
 http://conference.hackinthebox.org/hitbsecconf2005/index.php?cat=1


Thank you,

alphademon[at]hackinthebox.org
-
HackInTheBox Security Conference 2005
Bahrain
Apr 10 - 13 2005
-

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is 3DES Broken?

2005-02-02 Thread james hughes
On Jan 31, 2005, at 10:38 PM, Steven M. Bellovin wrote:
When using CBC mode, one should not encrypt more than 2^32 64-bit
blocks under a given key.  That comes to ~275G bits, which means that
on a GigE link running flat out you need to rekey at least every 5
minutes, which is often impractical.  Since I've seen Gigabit Ethernet
cards for US$25, this bears thinking about -- and while 10GigE is
still too expensive for most people, its prices are dropping rapidly.
With 10GigE, you'd have to rekey every 27.5 seconds...
For reference purposes, with AES you'd be safe for 2^64*128 bits.
That's a Big Number of seconds.
		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I would also like to reinforce Prof. Bellovin's comment that the 3DES 
block size is too small.

In bulk storage system encryption, 3DES will require rekey every 
~~65GBytes. Most PC's have more than this.

With AES the number is ~250 Exabytes (which is 250 billion gigabytes).
Thanks!
jim
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: how to tell if decryption was successfull?

2005-02-02 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Andreas writes:
[newbie here]

I was wondering how can one tell if some data was successfully 
decrypted. Isn't there an assumption going on about what the cleartext 
data should be? Text? Image? ZIP file? Ziped jpeg? Another cyphertext? 
rot-13?

There are a lot of ways to tell, but you generally have to have some 
idea what you're looking for.  For two examples of how to do it, see
http://www1.cs.columbia.edu/~smb/papers/probtxt.ps (or .pdf) and
http://www1.cs.columbia.edu/~smb/papers/recog.ps (or .pdf)

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Dell to Add Security Chip to PCs

2005-02-02 Thread Trei, Peter
Seeing as it comes out of the TCG, this is almost certainly
the enabling hardware for Palladium/NGSCB. Its a part of
your computer which you may not have full control over.

Peter Trei


Tyler Durden
 ANyone familiar with computer architectures and chips able to 
 answer this 
 question:
 
 That chip...is it likely to be an ASIC or is there already 
 such a thing as 
 a security network processor? (ie, a cheaper network 
 processor that only 
 handles security apps, etc...)

 
 -TD
 
 From: R.A. Hettinga [EMAIL PROTECTED]
 HOUSTON -- Dell Inc. today is expected to add its support to 
 an industry
 effort to beef up desktop and notebook PC security by installing a
 dedicated chip that adds security and privacy-specific 
 features, according
 to people familiar with its plans.
 
 Dell will disclose plans to add the security features known 
 as the Trusted
 Computing Module on all its personal computers. Its support 
 comes in the
 wake of similar endorsements by PC industry giants Advanced 
 Micro Devices
 Inc., Hewlett-Packard Co., Intel Corp. and International 
 Business Machines
 Corp. The technology has been promoted by an industry 
 organization called
 the Trusted Computing Group.
 
 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: how to tell if decryption was successfull?

2005-02-02 Thread Matt Crawford
On Feb 1, 2005, at 13:29, Andreas wrote:
I was wondering how can one tell if some data was successfully 
decrypted. Isn't there an assumption going on about what the cleartext 
data should be? Text? Image? ZIP file? Ziped jpeg? Another cyphertext? 
rot-13?
Embedded checksums or hash codes added before encryption.  The types of 
those checks must not interact badly with the encryption.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Call For Papers : HITB Security Conference Bahrain 2005

2005-02-02 Thread Adam Shostack
Posting to Dave Aitel's DailyDave list, HD Moore complained that he
had not been reimbursed for 2003.  The organizers responded that
payment is forthcoming.  Richard Thieme suggested that the correct
response is to ensure you put forth no money to speak at this event.



On Tue, Feb 01, 2005 at 06:58:18PM -0800, alpha wrote:
| Hack In The Box Security Conference 2005 : Bahrain
| --
| 
| Greetings,
| 
| We are inviting individuals or groups who are
| interested in computer and network security, challenges and
| practices to send in their papers for inclusion in HITBSecConf2005 Bahrain.
| This deep knowledge network security event will take place from April 10th - 
13th in the city of Manama, Bahrain.
| 
| Topics of interest include, but are not limited to the following:
| 
| · Analysis of network and security vulnerabilities
| · Firewall technologies
| · Intrusion detection / prevention
| · Data Recovery and Incident Response
| · GPRS and CDMA Security
| · Identification and Entity Authentication
| · Network Protocol and Analysis
| · Smart Card Security
| · Virus and Worms
| · WLAN and Bluetooth Security.
| · Analysis of malicious code
| · Applications of cryptographic techniques
| · Analysis of attacks against networks and machines
| · Denial-of-service attacks and countermeasures
| · File system security
| · Security in heterogeneous and large-scale environments
| · Espionage and Counter Intelligence
| · Techniques for developing secure systems
| · Military Security / Technology
| 
| 
| Summaries not exceeding 250 words should be submitted (in plain text format) 
to cfp -at- hackinthebox.org for review and possible inclusion in the program. 
All flights and hotel accomodation will be provided should your paper be 
accepted.
| 
| ## Note: We do not accept product or vendor related pitches. If your talk 
involves an advertisement for a new product or service your company is 
offering, please do not submit.
| 
| 
| For event sponsorship details please contact Jorge Sebastiao 
(jorge[at]esgulf.com)
| 
| 
| For further details regarding what we have planned, please take a look at our 
official conference website:
|  http://conference.hackinthebox.org/hitbsecconf2005/index.php?cat=1
| 
| 
| Thank you,
| 
| alphademon[at]hackinthebox.org
| -
| HackInTheBox Security Conference 2005
| Bahrain
| Apr 10 - 13 2005
| -
| 
| -
| The Cryptography Mailing List
| Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Dell to Add Security Chip to PCs

2005-02-02 Thread Erwann ABALEA
On Wed, 2 Feb 2005, Trei, Peter wrote:

 Seeing as it comes out of the TCG, this is almost certainly
 the enabling hardware for Palladium/NGSCB. Its a part of
 your computer which you may not have full control over.

Please stop relaying FUD. You have full control over your PC, even if this
one is equiped with a TCPA chip. See the TCPA chip as a hardware security
module integrated into your PC. An API exists to use it, and one if the
functions of this API is 'take ownership', which has the effect of
erasing it and regenerating new internal keys.

-- 
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


MSN Belgium to use eID cards for online checking

2005-02-02 Thread R.A. Hettinga
http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/print.html

The Register


 Biting the hand that feeds IT

The Register » Internet and Law » Digital Rights/Digital Wrongs »

 Original URL: http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/

MSN Belgium to use eID cards for online checking
By Jan Libbenga (libbenga at yahoo.com)
Published Tuesday 1st February 2005 14:34 GMT

Microsoft will integrate the Belgian eID Card with MSN Messenger.
Microsoft's Bill Gates and Belgian State Secretary for e-government Peter
Vanvelthoven announced the alliance today in Brussels. We're working to
ensure that our technologies support e-ID, to help make online transactions
and communications more secure, Gates said. eID stands for Electronic
Identity Card. The card contains an electronic chip and gradually will
replace the existing ID card system in Belgium. By end-2005, over 3 million
eID cards will be distributed in the country.

Microsoft believes that combined with the eID Card MSN Messenger chatrooms
will be much safer. Users would have a trustworthy way of identifying
themselves online. The Belgian Federal Computer Crime Unit (FCCU) could
even refuse young children access to certain chatrooms based on their
electronic identity.

We're not sure yet when we will be able to deliver this integration, Bill
Gates said. But developers here in Belgium and the US have proven the
concept and are working already on the actual solution.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Peppercoin Small Payments Processing Suite Available to First Data Channels

2005-02-02 Thread R.A. Hettinga
http://biz.yahoo.com/prnews/050202/new005_1.html

Yahoo! Finance


Press Release
Source: Peppercoin

Peppercoin Small Payments Processing Suite Available to First Data Channels
Wednesday February 2, 9:03 am ET

Small Transaction Suite Certified for Sale Through Processor's Merchant
Acquiring Partners

WALTHAM, Mass., Feb. 2 /PRNewswire/ -- Peppercoin, a payments company that
enables profitable, new business models for low-priced digital content and
physical goods, today announced its Small Transaction Suite is authorized
for sale by First Data's merchant acquiring partners, to satisfy the small
payment needs of the 3.5 million merchant clients they serve.

Peppercoin offers merchants a hosted small-payment service, based on credit
and debit card usage, which enables merchants to optimize revenue and
profitability. Peppercoin is the only small-payment vendor that addresses
the digital, mobile and physical point-of-sale (POS) markets.

Our agreement with First Data Merchant Services validates Peppercoin's
ability to deliver a desired and profitable small payment solution to the
financial services market, as well as the growing need for small payment
credit and debit card payments solutions, said Mark Friedman, president of
Peppercoin. FDMS will enable a small payment business model that enhances
merchant and acquirer revenue with one complete payment application.

Significant Market Opportunity:

Consumers are demonstrating a clear and growing preference to use their
credit and debit cards for all sizes and types of purchases. In a 2004
study, Ipsos-Insight estimated that roughly 37.5 million US consumers would
choose to use their credit and debit cards for transactions below $5.

Each year, more than 354 billion cash transactions occur in the U.S. for
less than $5 at the physical point-of-sale, representing $1.32 trillion in
aggregate revenue. Leading markets include vending ($18 billion), parking
($10 billion), coin-op ($6 billion) and quick-serve-restaurants ($110
billion).

The online and mobile small payment opportunities are substantial as well;
fueled by music, games, video, publishing and services. TowerGroup
estimates the digital micropayments opportunity reached more than $3
billion in 2004. And a September 2004 Ipsos-Insight study revealed that, in
just one year, the number of US consumers who have made small online
purchases grew 250%, from 4 million to 14 million.

About Peppercoin, Inc.

Peppercoin enables profitable new business models for low-priced digital
content and physical goods. Peppercoin's small payment products help
merchants, banks, and other payments companies build market adoption
quickly through a flexible, consumer-friendly approach. Peppercoin
integrates easily with existing business models and systems to accelerate
revenues and increase profits while dramatically lowering transaction and
customer service costs. For more information visit
http://www.peppercoin.com.
All trademarks are the property of their respective owners.

Contact:   Mark McClennan or Scott Love
   Schwartz Communications
   781-684-0770
   [EMAIL PROTECTED]




 Source: Peppercoin

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is 3DES Broken?

2005-02-02 Thread bear


On Mon, 31 Jan 2005, Steven M. Bellovin wrote:
snip re: 3des broken?

[Moderator's note: The quick answer is no. The person who claims
 otherwise is seriously misinformed. I'm sure others will chime
 in. --Perry]

I'll be happy to second Perry's comment -- I've seen no evidence
whatsoever to suggest that it's been broken.  But there are some
applications where it's a bad choice for cryptographic reasons.

When using CBC mode, one should not encrypt more than 2^32 64-bit
blocks under a given key.

I think you meant ECB mode?

whichever it is, as you point out there are other and more secure
modes available for using 3DES if you have a fat pipe to encrypt.

Bear

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Can you help develop crypto anti-spoofing/phishing tool ?

2005-02-02 Thread Amir Herzberg
We develop TrustBar, a simple extension to FireFox ( Mozilla), that 
displays the name and logo of SSL protected sites, as well as of the CA 
(so users can notice the use of untrusted CA). I think it is fair to say 
that this extension fixes some glitches in the deployment of SSL/TLS, 
i.e. in the most important practical cryptographic solution.

TrustBar works pretty well for several alpha users. The solution 
benefited a lot from discussions on this list, including substantial 
input by Ian. You can download it from http://trustbar.mozdev.org (and 
it is completely script so what you download is also the source code).

I am hoping some of you may be able to help improve, evaluate and deploy 
this solution. In particular, we need implementations for other browsers 
(e.g. IE...); we can also use help in continuing our development as 
several pretty cool ideas are not done yet, due to other commitments of 
us (Ahamd Gbara and me). For example, we designed a simple mechanism to 
allow sites to protect (cryptographically) also pages where SSL is too 
expensive, but it is waiting for implementation for a while...  And of 
course we need evaluations, code reviews, testing... In fact, I wouldn't 
object if some serious open-code developer assumed responsibility...

If people are interested, and want to discuss face to face, I'll be in 
RSA on 15-18/February...

Best, Amir Herzberg
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dell to Add Security Chip to PCs

2005-02-02 Thread Ian G
Erwann ABALEA wrote:
On Wed, 2 Feb 2005, Trei, Peter wrote:
 

Seeing as it comes out of the TCG, this is almost certainly
the enabling hardware for Palladium/NGSCB. Its a part of
your computer which you may not have full control over.
   

Please stop relaying FUD. You have full control over your PC, even if this
one is equiped with a TCPA chip. See the TCPA chip as a hardware security
module integrated into your PC. An API exists to use it, and one if the
functions of this API is 'take ownership', which has the effect of
erasing it and regenerating new internal keys.
 

So .. the way this works is that Dell  Microsoft
ship you a computer with lots of nice multimedia
stuff on it.  You take control of your chip by erasing
it and regenerating keys, and then the multimedia
software that you paid for no longer works?
I'm just curious on this point.  I haven't seen much
to indicate that Microsoft and others are ready
for a nymous, tradeable software assets world.
iang
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dell to Add Security Chip to PCs

2005-02-02 Thread Dan Kaminsky
Uh, you *really* have no idea how much the black hat community is 
looking forward to TCPA.  For example, Office is going to have core 
components running inside a protected environment totally immune to 
antivirus.  Since these components are going to be managing 
cryptographic operations, the well defined API exposed from within the 
sandbox will have arbitrary content going in, and opaque content coming 
out.  Malware goes in (there's not a executable environment created that 
can't be exploited), sets up shop, has no need to be stealthy due to the 
complete blockage of AV monitors and cleaners, and does what it wants to 
the plaintext and ciphertext (alters content, changes keys) before 
emitting it back out the opaque outbound interface.

So, no FUD, you lose :)
--Dan

Erwann ABALEA wrote:
On Wed, 2 Feb 2005, Trei, Peter wrote:
 

Seeing as it comes out of the TCG, this is almost certainly
the enabling hardware for Palladium/NGSCB. Its a part of
your computer which you may not have full control over.
   

Please stop relaying FUD. You have full control over your PC, even if this
one is equiped with a TCPA chip. See the TCPA chip as a hardware security
module integrated into your PC. An API exists to use it, and one if the
functions of this API is 'take ownership', which has the effect of
erasing it and regenerating new internal keys.
 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Researchers Combat Terrorists by Rooting Out Hidden Messages

2005-02-02 Thread J.A. Terranson

On Wed, 2 Feb 2005, Alan wrote:

 If you really want to send secret messages, just send it in the chaff in
 spam.  Everyone is programmed to ignore it or filter it out.

Yeah, but it doesn't make for great story copy or funding proposals ;-)

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

 Civilization is in a tailspin - everything is backwards, everything is
upside down- doctors destroy health, psychiatrists destroy minds, lawyers
destroy justice, the major media destroy information, governments destroy
freedom and religions destroy spirituality - yet it is claimed to be
healthy, just, informed, free and spiritual. We live in a social system
whose community, wealth, love and life is derived from alienation,
poverty, self-hate and medical murder - yet we tell ourselves that it is
biologically and ecologically sustainable.

The Bush plan to screen whole US population for mental illness clearly
indicates that mental illness starts at the top.

Rev Dr Michael Ellner

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Researchers Combat Terrorists by Rooting Out Hidden Messages

2005-02-02 Thread AW
Just herd of this  http://www.spammimic.com/
AW
Alan wrote:
On Tue, 2005-02-01 at 23:21 -0800, Steve Schear wrote:
If you really want to send secret messages, just send it in the chaff in
spam.  Everyone is programmed to ignore it or filter it out.
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]