Re: Crack in Computer Security Code Raises Red Flag

2005-03-20 Thread J.A. Terranson


On Tue, 15 Mar 2005, The Wall Street Journal Wrote:

> SHA-1 is a federal standard promulgated by the National
> Institute of Standards and Technology and used by the government and
> private sector for handling sensitive information. It is thought to be the
> most widely used hash function, and it is regarded as the state of the art.
  ^^
NEXT!

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."

http://www.tshirthell.com/


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government

2005-03-20 Thread Ben Laurie
Ian G wrote:
> NSA names ECC as the exclusive technology for key agreement and digital
> signature standards for the U.S. government
>
> Certicom's ECC-based solutions enable government contractors to add
> security that meets NSA guidelines

I should note that OpenSSL also supports ECC.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
> Why not help us make Jabber/XMPP more secure, rather than overloading
> AIM? With AIM/MSN/Yahoo your account will always exist at the will of

Unfortunately, I already have a large network of people who use AIM,
and >they< all each have large networks of people who use AIM. Many of
them still use the AIM client. Getting them to switch to gaim is
feasible. Getting them to switch to Jabber is not. However, getting
them to switch to gaim first, and then ultimately Jabber might be an
option. Frankly, the former is more important to me in the short
term.

> AOL, whereas with XMPP you can run your own server etc. Unfortunately

Does "can" == "have to"? From what I remember of trying to run Jabber
a few years ago, it did.

> the original Jabber developers did not build encryption in from the
> beginning and the existing methods have not been implemented widely
> (OpenPGP over Jabber) or are not very Jabberish (RFC 3923), so we need
> to improve what we have. Contributions welcome. See here for pointers:
> 
> http://www.saint-andre.com/blog/2005-03.html#2005-03-15T11:23



Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote:
> > this is actually a very good solution for
> > me. The only thing I don't like about it is that it stores the private
> > key on your machine. I understand why that is, but it also means that
> > if you switch machines with the same login (home/work), you have to
> > reverify the fingerprint out of band (assuming you care enough to do
> > that in the first place).
> 
> You can also just copy your otr.private_key file around.  See, for
> example, http://chris.milbert.com/AIM_Encryption/

It would be helpful if you could specify the location of the private
key file, so then it could be on a thumb drive or something similar.



Re: Do You Need a Digital ID?

2005-03-20 Thread Anne & Lynn Wheeler
R.A. Hettinga wrote:

 
i've been asked to flesh out my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote
to highlight the distinction between identity theft and account theft.
typically identity theft is that enough information is obtained to
fraudulently be able to open new accounts in the victim's name (among
other things) while account theft is that the thief has enough information
to perform fraudulent transactions against an existing account of the
victim.

account theft tends to be attacks on poor authentication procedures by 
account institutions and/or use of social engineering or phishing to 
obtain the victim's account authentication information (which shares a 
lot in common with straight identity theft).

a common exploit is the use of skimming/sniffing of static
authentication verification data that enables creating counterfeit
tokens/cards that enable fraudulent transactions.

given 3-factor authentication:
* something you have
* something you know
* something you are
there can be a great deal of confusion whether a token/card represents
"something you have" or not. If a token/card contains valid
authentication information and if that token/card is lost/stolen and a
new account has to be created, then it is likely the token/card
represents "something you have" authentication.

however, some infrastructures just utilize a token/card to provide the
equivalent of a userid (say an account number which isn't required to be
secret) and the actual authentication is in the form of a password/PIN
... i.e. "something you know" authentication. just because a token/card
is involved along with a PIN/password doesn't automatically imply that
two-factor authentication is involved.

if a re-issued token/card (to replace a lost/stolen token/card) is
identical to the lost/stolen token/card ... then it is likely that there
is no "something you have" authentication involved (even though a
token/card is involved in the process) ... and therefore the
infrastructure is just single factor authentication.

at the basics, a digital signature is an indirect indication of
"something you have" authentication, aka the existence of a digital
signature implies that the originator accessed and utilized a private
key in the generation of the digital signature. a digital signature by
itself says nothing about the integrity of that "something you have"
authentication ... since the digital signature doesn't carry any
indication of the integrity measures used to secure and access the
associated private key.

there is some temptation to claim that a lot of the problems with
establishment of digital signature technology is that the basic trust
building blocks haven't been established. numerous institutions have
spent a lot of time focusing on the trust infrastructures associated
with certification authority operation and digital certificates,
which have nothing directly to do with any form of 3 factor authentication.

the basic building block is that financial (or other) institutions
have ongoing relationships represented by established accounts and that
the entities associated with those accounts have established
authentication material. In the case of digital signatures, that would
be public keys. The degree to which a relying party institution
(financial or other) can trust what is represented by a digital
signature is the integrity level of the environment that protects the
access and use of the associated private key; w/o additional
knowledge, the relying party only knows that some entity accessed and
utilized a specific private key ... as in a simple, single factor,
"something you have" authentication.

A digital signature by itself has no indication of the security and
integrity level associated with the private key protection, access and
use ... and/or if there is anything more than simple, single factor,
"something you have" authentication.

Furthermore, in the great majority of the transactions involving
established relationships, there is no need for digital certificates to
establish identification information; straight-forward authentication
tends to be sufficient.

misc. past 3-factor authentication posts
http://www.garlic.com/~lynn/subpubkey.html#3factor




Re: Encryption plugins for gaim

2005-03-20 Thread Ian G
Ian Goldberg wrote:
> > ...Unfortunately
> > the original Jabber developers did not build encryption in from the
> > beginning and the existing methods have not been implemented widely
> > (OpenPGP over Jabber) or are not very Jabberish (RFC 3923), so we need
> > to improve what we have. Contributions welcome. See here for pointers:
> > http://www.saint-andre.com/blog/2005-03.html#2005-03-15T11:23
>
> OTR works over Jabber today.  Granted, it's not very "Jabberish" (as far
> as I understand the term; I don't know the Jabber protocol very well):
> it just replaces the text of the message with ciphertext.  [gaim, at
> least, doesn't seem to have a way to construct a more "Jabberish"
> message, as far as I could tell.]
My thoughts are similar.  When I first got into the
design, I thought that the privacy aspects of the
protocol would be integral with the messaging system,
but that proved to be not the case.
For several reasons, I think the privacy layer is
going to end up being totally divorced from the messaging
layer.  As a stab at these:
   *  there are many messaging systems, and there are
      efforts at integrating these, so any decent
      privacy layer has to think about hops,
   *  we desperately want to preserve many messaging
      systems in violent competition,
   *  any privacy layer that involves a "decrypt at
      server and then re-encrypt" is not a privacy
      layer, as the threat is 99.9% at the node
      (all three - alice, bob, server) and not on
      the wire,
   *  involving the server in any identity and privacy
      concerns brings up conflicts such as asking the
      server to know who the user is, escrow, liability,...,
   *  messaging systems move at different paces and
      incorporating crypto into them may result in
      yoyo behaviour for safe chat - there today,
      gone tomorrow on the new alpha,
   *  the final authentication - alice of bob and v.v.
      - is something that is best done divorced from the
      lowtech as much as possible, so that means some
      sort of plugin and leveraging off pgp-style WoT.
      Integrating that step into the messaging system
      gives you "S/MIME authentication" which doesn't
      scale.
That was scratched off without pause...
Hence, my own efforts will probably go in these two
parallel directions:
*  opportunistic key exchange followed by chat
   in SDP1 over SOX.  (Note that SOX is also
   encrypted client-to-server so for much of
   the journey packets will be doubly encrypted,
   but end-to-end is the target).  This method
   will be integrated and fast but lack user
   authentication.  This is uninteresting to
   anyone outside the SOX world.
*  OpenPGP packets without any interference,
   and a sort of plugin ability to bootstrap
   a fast key exchange, with fingerprint display.
   Key signing to follow later...  Now this is
   much more interesting as conceivably the same
   protocol would (once designed!) work over
   email, Jabber, AIM, etc.  At least, that would
   be the intention.

> I'd be more than happy to help Jabber-ify the OTR protocol.  The reason
> we designed OTR was exactly that the GPG-over-IM solutions have
> semantics that don't match those of a private conversation: you have
> long-term encryption keys, as well as digital signatures on messages.

I'm not sure what this obsession with digital signatures
over messages is.  That probably wants to be unwound.  If
people are "signing a contract" over chat or indeed email,
then they probably need a lot more support in the tech and
a lot more warning, training, and legal support as to the
ramifications.  C.f.,
http://www.financialcryptography.com/mt/archives/000250.html
I agree that encrypting a chat message straight GPG/OpenPGP-
over-IM would probably be clunky.  I was more envisaging
using OpenPGP to handle the clunky key exchange and then
go fast from there.

> You don't *want* Bob to be able to prove to Charlie that Alice said what
> she did.  [Yet you want Bob to be himself assured of Alice's
> authorship.]  And a compromise of Bob's computer tomorrow should not
> expose today's messages.
>
> OTR also adds a couple of extra features (malleable encryption,
> publishing of the MAC keys, a toolkit for forging transcripts) to help
> Alice claim that someone's putting words in her mouth.

(Note however that my efforts are towards integrating
two separate disparate systems - payments and IM - and
I am less concerned with the privacy aspects as Ian
Goldberg is.  This is one area where I'm adopting a
wait and see attitude because I'm not convinced that
this is an entirely tech issue.  But whichever, when
we get to that stage there is nothing wrong with doing
several possibilities.)
iang (the other other one)
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
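A toy model of the OTR properties Ian Goldberg lists above (MAC key derived by hashing the encryption key, malleable stream encryption, publication of old MAC keys), added here as an example; it is not code from the thread, from OTR or from gaim-otr. It assumes a constructed session key and a SHA-256 based keystream standing in for OTR's AES-CTR; the HMAC-SHA1 tag and the SHA-1 derivation of the MAC key follow the OTR design.

```python
import hashlib
import hmac

# Constructed toy session key. In OTR it comes out of the Diffie-Hellman
# exchange; that exchange is not modelled here.
ENC_KEY = hashlib.sha256(b"constructed toy session key").digest()[:16]
# As in OTR, the MAC key is a hash of the encryption key. Publishing it later
# reveals nothing about ENC_KEY (the hash is one-way), so old plaintext stays
# confidential while the MACs lose all evidentiary value.
MAC_KEY = hashlib.sha1(ENC_KEY).digest()


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy counter-mode keystream (hash based; OTR uses AES-128 in CTR mode)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_keystream(data: bytes, counter: int) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Stream encryption is
    malleable: flipping a ciphertext bit flips the same plaintext bit, so the
    ciphertext alone binds nobody to anything."""
    return bytes(d ^ k for d, k in zip(data, keystream(ENC_KEY, counter, len(data))))


def tag(mac_key: bytes, counter: int, ciphertext: bytes) -> bytes:
    """HMAC over counter and ciphertext (OTR's original spec uses HMAC-SHA1)."""
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha1).digest()


def alice_send(plaintext: bytes, counter: int) -> tuple:
    ct = xor_keystream(plaintext, counter)
    return counter, ct, tag(MAC_KEY, counter, ct)


def bob_receive(message: tuple, mac_key: bytes = MAC_KEY):
    """Bob accepts a message only if the tag verifies. While the session is
    live only Alice and Bob hold MAC_KEY, so a valid tag assures Bob that
    Alice sent it. Returns the plaintext, or None on a bad tag."""
    counter, ct, t = message
    if not hmac.compare_digest(t, tag(mac_key, counter, ct)):
        return None
    return xor_keystream(ct, counter)


def rewrite_with_published_key(published_mac_key: bytes, message: tuple,
                               known_plaintext: bytes, new_plaintext: bytes) -> tuple:
    """What anyone can do once the MAC key has been published: because the
    cipher is malleable, a ciphertext whose plaintext is known can be re-targeted
    to any other plaintext of the same length, and the published key gives the
    result a valid tag. A transcript therefore proves nothing to Charlie: it is
    equally consistent with anybody having produced it. That is the deniability
    OTR is after."""
    if len(known_plaintext) != len(new_plaintext):
        raise ValueError("same-length plaintexts only")
    counter, ct, _ = message
    new_ct = bytes(c ^ a ^ b for c, a, b in zip(ct, known_plaintext, new_plaintext))
    return counter, new_ct, tag(published_mac_key, counter, new_ct)


def demo() -> bytes:
    """Walk through the three properties on one constructed message."""
    original = alice_send(b"meet at noon", 1)
    assert bob_receive(original) == b"meet at noon"          # Bob is assured
    counter, ct, t = original
    tampered = (counter, bytes([ct[0] ^ 1]) + ct[1:], t)
    assert bob_receive(tampered) is None                     # without the key, tampering is caught
    # After publication the record no longer proves authorship.
    altered = rewrite_with_published_key(MAC_KEY, original, b"meet at noon", b"meet at dusk")
    return bob_receive(altered)


if __name__ == "__main__":
    print(demo())
```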

Re: Encryption plugins for gaim

2005-03-20 Thread Peter Saint-Andre
On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
> On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
> > Why not help us make Jabber/XMPP more secure, rather than overloading
> > AIM? With AIM/MSN/Yahoo your account will always exist at the will of
> 
> Unfortunately, I already have a large network of people who use AIM,
> and >they< all each have large networks of people who use AIM. Many of
> them still use the AIM client. Getting them to switch to gaim is
> feasible. Getting them to switch to Jabber is not. However, getting
> them to switch to gaim first, and then ultimately Jabber might be an
> option. Frankly, the former is more important to me in the short
> term.

Yep, the same old story. :-)

> > AOL, whereas with XMPP you can run your own server etc. Unfortunately
> 
> Does "can" == "have to"? From what I remember of trying to run Jabber
> a few years ago, it did.

No, we have 200k registered users on the jabber.org server and some
servers have even more. You can run your own server, though, and accept
connections only from other servers you trust, etc.

/psa




Re: Encryption plugins for gaim

2005-03-20 Thread Peter Saint-Andre
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote:

> OTR works over Jabber today.  Granted, it's not very "Jabberish" (as far
> as I understand the term; I don't know the Jabber protocol very well):
> it just replaces the text of the message with ciphertext.  [gaim, at
> least, doesn't seem to have a way to construct a more "Jabberish"
> message, as far as I could tell.]
> 
> I'd be more than happy to help Jabber-ify the OTR protocol.  The reason
> we designed OTR was exactly that the GPG-over-IM solutions have
> semantics that don't match those of a private conversation: you have
> long-term encryption keys, as well as digital signatures on messages.
> You don't *want* Bob to be able to prove to Charlie that Alice said what
> she did.  [Yet you want Bob to be himself assured of Alice's
> authorship.]  And a compromise of Bob's computer tomorrow should not
> expose today's messages.
> 
> OTR also adds a couple of extra features (malleable encryption,
> publishing of the MAC keys, a toolkit for forging transcripts) to help
> Alice claim that someone's putting words in her mouth.

Obviously I need to read up more on OTR, but thanks for the offer of
assistance -- I'll reply further when my level of ignorance is not quite
so high as it is now.

/psa




Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Ralf Senderek
Bruce Schneier wrote: (in Cryptogram)

> SHA-1 has been broken.  Not a reduced-round version. Not a simplified version.
> The real thing.
> 
> "One-way hash functions are supposed to have two properties.  One, they're one
> way.  This means that it is easy to take a message and compute the hash value,
> but it's impossible to take a hash value and recreate the original message.
> (By 'impossible' I mean 'can't be done in any reasonable amount of time.')
> Two, they're collision free.  This means that it is impossible to find two
> messages that hash to the same hash value.  The cryptographic reasoning behind
> these two properties is subtle, and I invite curious readers to learn more in
> my book Applied Cryptography.
> 
> "Breaking a hash function means showing that either -- or both -- of those
> properties are not true."
> 
> Last month, three Chinese cryptographers showed that SHA-1 is not
> collision-free.  That is, they developed an algorithm for finding collisions
> faster than brute force.

[ ... ]

> Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the
> fire exits.  You don't see smoke, but the fire alarms have gone off."  That's
> basically what I said last August.
> 
> "It's time for us all to migrate away from SHA-1.

[ ... ]

> 
> "Most of the hash functions we have, and all the ones in widespread use, are
> based on the general principles of MD4.  Clearly we've learned a lot about
> hash functions in the past decade, and I think we can start applying that
> knowledge to create something even more secure."

And that is why I ask to give the Shamir Discrete Logarithm Hash Function a
second thought. At least we have a proof of collision resistance under the
assumption that factoring is infeasible for the modulus used.

And that is more than we ever had regarding the MD4 series.

BTW, choosing the next generation hash function should - as I think - not be
dominated by terms of performance (i.e. done in the olde fashion).

Ralf Senderek



*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <[EMAIL PROTECTED]> http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960   *  without  *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448
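The reduction Senderek is relying on, as an added example (not code from the post or from any SDLH implementation): Shamir's hash h(x) = g^x mod n on a constructed toy modulus, a brute-force collision that is only possible because the modulus is tiny, and the step that turns that collision into the factorization of n. It assumes g is chosen with maximal order lambda(n), which is the setup under which a collision yields a multiple of lambda(n) and hence the factors.

```python
from math import gcd

# Constructed toy parameters: two small primes so that brute-force collision
# search is feasible for the demonstration. A real SDLH modulus would be
# RSA-sized, with p and q discarded after g has been chosen.
P, Q = 101, 103
N = P * Q
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael's lambda(N)


def sdlh(x: int, g: int, n: int) -> int:
    """Shamir's discrete-log hash: the message, read as an integer, is the exponent."""
    return pow(g, x, n)


def prime_factors(m: int) -> list:
    """Distinct prime factors by trial division; fine for the toy lambda(N)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def pick_generator(n: int, lam: int) -> int:
    """Smallest g whose multiplicative order is exactly lambda(n): g has order
    lam iff g^(lam/r) != 1 (mod n) for every prime r dividing lam."""
    for g in range(2, n):
        if gcd(g, n) == 1 and all(pow(g, lam // r, n) != 1 for r in prime_factors(lam)):
            return g
    raise ValueError("no element of maximal order")


G = pick_generator(N, LAMBDA)


def find_collision(g: int, n: int) -> tuple:
    """Brute force, possible only because the toy modulus is tiny.
    Returns x1 < x2 with sdlh(x1) == sdlh(x2)."""
    seen = {}
    for x in range(n):
        h = sdlh(x, g, n)
        if h in seen:
            return seen[h], x
        seen[h] = x
    raise RuntimeError("unreachable: pigeonhole guarantees a repeat")


def factor_from_collision(x1: int, x2: int, g: int, n: int) -> tuple:
    """The collision-to-factoring step. g^x1 == g^x2 (mod n) means ord(g) =
    lambda(n) divides k = |x1 - x2|, and a multiple of lambda(n) splits n:
    write k = 2^s * t; for some base a the chain a^t, a^(2t), ... reaches a
    square root of 1 other than +-1, and gcd(root - 1, n) is a proper factor."""
    if x1 == x2 or sdlh(x1, g, n) != sdlh(x2, g, n):
        raise ValueError("not a collision")
    t = abs(x1 - x2)
    while t % 2 == 0:
        t //= 2
    for a in range(2, n):
        d = gcd(a, n)
        if d != 1:                        # lucky base sharing a factor with n
            return tuple(sorted((d, n // d)))
        y = pow(a, t, n)
        if y in (1, n - 1):               # chain starts at a trivial root; next base
            continue
        while True:                       # a^k == 1, so the chain ends within s squarings
            y2 = pow(y, 2, n)
            if y2 == 1:                   # y is a nontrivial square root of 1
                d = gcd(y - 1, n)
                return tuple(sorted((d, n // d)))
            if y2 == n - 1:               # reached -1 first: trivial root, next base
                break
            y = y2
    raise RuntimeError("k was not a multiple of lambda(n)")


def demo() -> tuple:
    """Find a collision on the toy instance and recover (P, Q) from it."""
    x1, x2 = find_collision(G, N)
    return factor_from_collision(x1, x2, G, N)


if __name__ == "__main__":
    print("g =", G, "collision:", find_collision(G, N), "factors:", demo())
```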




Re: PK -> OTP?

2005-03-20 Thread Amir Herzberg
Matt Crawford wrote:
> My educated-layman's opinion is that the following is not feasible, but
> I'd be happy to be shown wrong ...
>
> Given a closed public-key device such as a typical smart card with its
> limited set of operations (chiefly "sign"), is it possible to implement
> a challenge/response function such that
>
> * Both the challenge and the response are short enough for an average
> user to be willing to type them when needed.
>
> * The challenge can be generated, and the response verified using the
> cardholder's public key and a reasonable amount of computation.

What's wrong with sending the device the encryption of a random number
(using the public key of the device), and the device sending back the
number as proof of possession of the corresponding secret key?

Best, Amir Herzberg


Re: Encryption plugins for gaim

2005-03-20 Thread Jim Cheesman
Ian G wrote:
> Adam Fields wrote:
> > Given what may or may not be recent ToS changes to the AIM service,
> > I've recently been looking into encryption plugins for gaim.
> > Specifically, I note gaim-otr, authored by Ian G, who's on this list.
>
> Just a quick note of clarification, there is a collision
> in the name Ian G.  4 letters does not a message digest
> make.

Perhaps if you were to prepend a random serial number to your name this 
problem would be alleviated?

Best wishes,
Jim Cheesman



Re: Security is the bits you disable before you ship

2005-03-20 Thread Florian Weimer
* Peter Gutmann quotes CNET:

>   GCC 4.0 also introduces a security feature called Mudflap,  [...]

> So you have an interesting definition of a security feature as "the
> bit you disable before the product goes into the environment where
> it'll be subject to attack".

Actually, mudflap is not a security feature (and I'd be surprised if
Mark claimed it was).  It's a debugging tool, not a silver bullet.
mudflap simply wasn't designed to stop buffer overflow exploits (or to
make them at least somewhat harder), but to find memory management
bugs.



Reuters -- British Firm Breaks Ground in Surveillance Science

2005-03-20 Thread David Chessler
http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=7892255


British Firm Breaks Ground in Surveillance Science
Mon Mar 14, 2005 08:08 AM ET
By Mark Trevelyan, Security Correspondent
MALVERN, England (Reuters) - The "suicide bomber" clips a shrapnel-filled 
belt around his waist and buttons up his jacket to conceal it.

As he turns back and forth in front of a semi-circular white panel, about 
the size of a shower cubicle, a computer monitor shows the metal-packed 
cylinders standing out clearly in white against his body.

This is no real security alarm: it's a demonstration at the British 
technology group QinetiQ of a scanning device that sees under people's 
clothes to spot not just metal but other potential threats like ceramic 
knives or hidden drugs.

The electromagnetic technology, known as Millimeter Wave (MMW), is just one 
aspect of a potential revolution in security screening being pioneered at 
QinetiQ, formerly part of the research arm of the British defense ministry.

"Actually, detecting a suicide bomber in the lobby of an airport is not a 
great thing to happen," Simon Stringer, new managing director of QinetiQ's 
security business, says with British understatement.

"It's slightly better than having him do it in the departure lounge or
perhaps on the plane, but you're still going to have to deal with a
significant problem."

That's why, he says, the trend for the future will be to move the scanners 
outside the terminal building and operate them in "stand-off mode" -- 
checking people from a distance before they even set foot inside.

The advantage is obvious: to spot potential attackers without alerting them 
to the fact, and gain precious seconds for security forces to prevent an 
attack.

ARE YOU SWEATING TOO MUCH?
Another prospect in store for air travelers is "hyperspectral sensing" that 
will check for chemicals called pheromones, secreted by the human body, 
which may indicate agitation or stress.

"People under stress tend to exude slightly different pheromones, and you 
can pick this up ... There are sensing techniques we're working on," 
Stringer said.

The stress may have an innocent cause, such as fear of flying, but could 
also betray the nervousness of a potential attacker. The point is to alert 
security staff to something unusual that may need further investigation.

As with MMW, the technology could function at a distance and without the 
need for people to wait in line. By conducting such checks while people are 
approaching the airport and moving through it, authorities could avoid 
bottlenecks and queues.

SUSPICIOUS MOVEMENTS
As the passenger proceeds through the terminal, the next layer of 
surveillance could be carried out through "cognitive software" which 
monitors his or her movements and sounds a silent alarm if it picks up an 
unusual pattern.

"Someone who's been back in and out of the same place three times or keeps 
bumping into the same people might be something that's worthy of further 
investigation ... I think that's really the sort of capabilities we're 
going to be looking at," Stringer said in an interview.

While many of these technologies are still under development, others have 
already been rolled out to clients by QinetiQ, which made group operating 
profit of 28 million pounds ($53.9 million) in the six months to last 
September.

Millimeter wave, for example, has been tested at airports and, in a 
different application, is being used by British immigration authorities and 
Channel Tunnel operator Eurotunnel to detect illegal immigrants trying to 
enter the country as stowaways in the back of trucks.

Stringer says the potential market for MMW runs into the hundreds of 
millions of dollars and goes well beyond the transport sector.

"We're spending quite a lot of time talking to multinationals who want to 
establish perimeter security systems around plant, installations and 
buildings," he said.

QinetiQ -- owned 30 percent by private equity group Carlyle and 56 percent 
by the British government -- expects rapid growth for its security business 
as it gears up for a stock market launch.

BIG BROTHER?
But how will ordinary people embrace the prospect of surveillance 
technology that sees through their clothes, checks how much they're 
sweating and tracks their airport wanderings between the tax-free shops and 
the toilets?

Stringer acknowledges that some might see this as George Orwell's Big 
Brother come true. "There are always going to be issues of privacy here and 
they're not to be belittled, they're important."

But he says smarter technology will actually make the checks less intrusive 
than those now in standard practice, such as being searched head to foot 
after setting off a metal detector alarm.

"Personally I find that more irritating than the idea of someone just 
scanning me as I walk through," he said.

"You're under surveillance in airpor

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Ng Pheng Siong
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote:
> On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
> > Certainly with UIXC it's not worth anything.
> 
> What is UIXC?

lemme guess: universal & indiscriminate cross certification

oh wait, peter did define it: "implicit" not "indiscriminate"

-- 
Ng Pheng Siong <[EMAIL PROTECTED]> 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption



Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Amir Herzberg
John, thanks for this fascinating report!
Conclusion? `Not all CAs/certs are created equal`... therefore we should 
NOT automatically trust the contents of every certificate whose CA 
appears in the `root CA` list of the browser. Instead, browsers should 
allow users to select which CAs they trust sufficiently to identify 
sites, and to _know_ which CA is identifying the (protected) site they use.

This is easy to do, and of course you can add this to your 
Mozilla/FireFox browser by installing our TrustBar (from 
http://TrustBar.mozdev.org).

Best, Amir Herzberg
John Levine wrote:
> Does anyone have a view on what "low" and "high" means in this
> context?  Indeed, what does "assurance" mean?
>
> Just last week I was trying to figure out what the difference was
> between a StarterSSL certificate for $35 (lists at $49 but you might
> as well sign up for the no-commitment reseller price) and a QuickSSL
> cert for $169.  If you look at the bits in the cert, they're nearly
> identical, both signed by Geotrust's root.
>
> As far as the verification they do, QuickSSL sends an e-mail to the
> domain's contact address (WHOIS or one of the standard domain
> addresses like webmaster), and if someone clicks through the URL, it's
> verified.  StarterSSL even though it costs less has a previous
> telephone step where you give them a phone number, they call you, and
> you have to punch in a code they show you and then record your name.
> Score so far: QuickSSL 0.001, StarterSSL 0.0015.
>
> Both have various documents available with impressive certifications
> from well-paid accountants, none of which mean anything I can tell.
> Under some circumstances they might pay back some amount to someone
> defrauded by a spoofed cert, but if anyone's figured out how to take
> advantage of this, I'd be amazed.
>
> Comodo, who sell an inferior variety of cert with a chained signature
> (inferior because less software supports it, not because it's any less
> secure) is slightly more demanding, although I stumped them with
> abuse.net which isn't incorporated, isn't a DBA, and isn't anything
> else other than me.  I invented some abuse.net stationery and faxed
> them a letter assuring that I was in fact me, which satisfied them.
> Back when I had a cert from Thawte, they wanted DUNS numbers which I
> didn't have, not being incorporated nor doing enough business to get a
> business credit rating, so they were satisfied with a fax of my county
> business license, a document which, if I didn't have one, costs $25 to
> get a real one, or maybe 15 minutes in Photoshop to make a fake one
> good enough to fool a fax machine.
>
> I gather that the fancier certs do more intrusive checking, but I
> never heard of any that did anything that might make any actual
> difference, like getting business documents and then checking with the
> purported issuer to see if they were real or, perish forbid, visiting
> the nominal location of the business to see if anything is there.
>
> So the short answer to what's the difference between a ten dollar cert
> and a $350 cert is:   $340.
>
> Next question?
>
> Regards,
> John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for
> Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
> "I shook hands with Senators Dole and Inouye," said Tom, disarmingly.


Re: Encryption plugins for gaim

2005-03-20 Thread Bill Stewart
At 10:19 PM 3/13/2005, Adam Fields wrote:
> Given what may or may not be recent ToS changes to the AIM service,
> I've recently been looking into encryption plugins for gaim.

AOL says that the ToS bits are only for things like chatrooms;
user-to-user AIM traffic doesn't even go through their servers.
That doesn't mean they can't eavesdrop on it if they want to,
or that they don't have mechanisms for automating MITM,
so you may very well want to use encryption,
but at least in the normal case your traffic is relatively private.


Re: PK -> OTP?

2005-03-20 Thread Matt Crawford
> > My educated-layman's opinion is that the following is not feasible,
> > but I'd be happy to be shown wrong ...
> >
> > Given a closed public-key device such as a typical smart card with
> > its limited set of operations (chiefly "sign"), is it possible to
> > implement a challenge/response function such that
> >
> > * Both the challenge and the response are short enough for an average
> > user to be willing to type them when needed.
> >
> > * The challenge can be generated, and the response verified using the
> > cardholder's public key and a reasonable amount of computation.
>
> What's wrong with sending the device the encryption of a random number
> (using the public key of the device), and the device sending back the
> number as proof of possession of the corresponding secret key?

Would it not be the case that the challenge would be as long as the
key, and hence too long to reasonably expect a user to type into a
keypad?



Re: Security is the bits you disable before you ship

2005-03-20 Thread Russell Nelson
Steven M. Bellovin writes:
 > That's not new, either.  I believe it was Tony Hoare who likened this 
 > to sailors doing shore drills with life preservers, but leaving them 
 > home when they went to sea.  I think he said that in the 1970s; he said 
 > this in his Turing Award lecture:
 > 
 >  The first principle was security...  A consequence of this
 >  principle is that every occurrence of every subscript of
 >  every subscripted variable was on every occasion checked
 >  at run time...  I note with fear and horror that even in
 >  1980, language designers and users have not learned this
 >  lesson.

This is true; however, I've seen Dan Bernstein (and you don't get much
more careful or paranoid about security than Dan) write code like
this:

#include "fmt.h"   /* djb's fmt_ulong()/fmt_str(): each returns the number of
                      bytes it wrote (or would write, if the buffer is NULL) */

static char line[999];

/* enclosing function added here for context; the original is a fragment */
void format_line(unsigned long rp, unsigned long lp)
{
  unsigned int len;

  len = 0;
  len += fmt_ulong(line + len,rp);
  len += fmt_str(line + len," , ");
  len += fmt_ulong(line + len,lp);
  len += fmt_str(line + len,"\r\n");
}
 

Of course, the number of characters that fmt_ulong will insert is
limited by the number of bits in an unsigned long, and both strings
are of constant length.

-- 
--My blog is at blog.russnelson.com | The laws of physics cannot
Crynwr sells support for free software  | PGPok | be legislated.  Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell  | the laws of countries.
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP  | 



how to phase in new hash algorithms?

2005-03-20 Thread Steven M. Bellovin
We all understand the need to move to better hash algorithms than SHA1. 
At a minimum, people should be switching to SHA256/384/512; arguably, 
Whirlpool is the right way to go.  The problem is how to get there from 
here.

OpenSSL 0.9.7 doesn't even include anything stronger than SHA1.  As a 
practical matter, this means that no one can use anything stronger in 
certificates, especially root certificates.  Worse yet, people can't 
use anything stronger for public consumption for at least five years 
after a stronger hash algorithm is available -- we have to wait until
most older software has died off, since most machines are never
upgraded.  This means that appearance of the code in client machines is 
on the critical path.  I've heard that OpenSSL 0.9.8 will include 
stronger hashes, but there's no work in progress to backport the code 
to 0.9.7.  

So -- what should we as a community be doing now?  There's no emergency 
on SHA1, but we do need to start, and soon.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



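
One transition mechanism for the problem above, as an added example that is not from Steve's message or from OpenSSL: publish the digest under several hash algorithms side by side, let a client verify with the strongest one it supports, and retire SHA-1 later by policy rather than by a code change. The algorithm names, the manifest layout and the two client profiles are assumptions for illustration.

```python
"""Added example, not code from Bellovin's message or from OpenSSL: a
multi-digest manifest so that clients whose libraries only know SHA-1 keep
working while newer clients verify with the strongest digest they support,
plus a policy switch that retires SHA-1.  Algorithm names, manifest layout
and the two client profiles are assumptions for illustration."""
import hashlib
import hmac

# Strongest-first preference lists for two client generations (assumed).
NEW_CLIENT = ("sha512", "sha256", "sha1")
OLD_CLIENT = ("sha1",)          # e.g. built on a library with nothing stronger


def make_manifest(data: bytes, algorithms=NEW_CLIENT) -> dict:
    """One digest per algorithm, keyed by algorithm name, over the same data."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify(data: bytes, manifest: dict, supported, retired=frozenset()) -> str:
    """Verify with the strongest algorithm this client supports that the
    manifest offers and policy still allows.  Returns the algorithm used.
    A mismatch on that algorithm is fatal: the verifier never falls back
    to a weaker digest once a stronger one is present."""
    for alg in supported:
        if alg in retired or alg not in manifest:
            continue
        expected = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(expected, manifest[alg]):
            raise ValueError(f"{alg} digest mismatch")
        return alg
    raise ValueError("manifest offers no digest this client accepts")


def demo() -> dict:
    """Walk through the transition on constructed sample data."""
    data = b"root certificate bytes (constructed sample)"
    manifest = make_manifest(data)
    legacy_manifest = make_manifest(data, OLD_CLIENT)   # what an old signer emits today
    tampered = data + b"x"
    results = {}
    # Phase 1: both client generations verify the same manifest.
    results["old_client_uses"] = verify(data, manifest, OLD_CLIENT)
    results["new_client_uses"] = verify(data, manifest, NEW_CLIENT)
    # Tampering is caught by whichever digest the client checks.
    try:
        verify(tampered, manifest, NEW_CLIENT)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Phase 2: SHA-1 retired on new clients.  Multi-digest manifests still
    # verify; a SHA-1-only manifest is now rejected.
    results["after_retirement_uses"] = verify(data, manifest, NEW_CLIENT, retired={"sha1"})
    try:
        verify(data, legacy_manifest, NEW_CLIENT, retired={"sha1"})
        results["sha1_only_rejected"] = False
    except ValueError:
        results["sha1_only_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

This does not help where the hash is fixed inside a signature, as it is in a certificate; it applies where the digest list itself is protected some other way (a signature over the manifest, or an out-of-band channel). The part worth keeping is the verifier rule: use the strongest algorithm you support, fail hard if it mismatches rather than trying a weaker one, and make "retired" a policy value so the day SHA-1 is switched off needs no new client code.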


Re: Encryption plugins for gaim

2005-03-20 Thread Really jbash at velvet.com
> If you want encryption with authentication, there's the gaim-encryption
> plugin. I get the feeling gaim-otr is for more specific circumstances.

Actually, the only "specific circumstance" that OTR is really aimed at
is the IM environment. That is, it's an encryption scheme specifically
designed for the mode of use you'd most expect to see in IM, and it's
intended to be a complete answer for general-purpose one-to-one IM
communication.

The forward deniability is a special feature, but all the other features
you'd want are in there... including authentication between the parties
at the time the message is sent. From the point of view of the two
communicating parties, OTR has basically the same privacy and
authenticity guarantees as gaim-encryption, with forward deniability
added in.

The OTR project is trying to get OTR included in as many IM clients
as possible, with the idea of making it the de facto standard for
IM encryption.

I'd say it's ready for real use, although it's by no means static; there
are things that are known to still need to be added to the protocol.

-- jbash

PS: Sorry about the weird "From" address... I read the list through a
news gateway, and this is the only way to get a post accepted.




Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread John Levine
>John, thanks for this fascinating report!

>Conclusion? `Not all CAs/certs are created equal`... therefore we
>should NOT automatically trust the contents of every certificate
>whose CA appears in the `root CA` list of the browser.

Although some certs make more intrusive checks, it all strikes me as
security theater.  In particular, although some of them make some
effort to verify that I am who I say I am, I don't see any of them
making any effort to verify that my web sites are what they say they
are.  It would be an interesting experiment to register, say,
PAYPAL-VERIFICATION.COM (which is available) with my own info in
WHOIS, then apply for a cert from Verisign saying that it's me, and
see if they ask if I'm Paypal.  My guess is that they wouldn't.

Treating CAs differently would be a fine idea if there were a real
difference, but $300 or $1000 still isn't anywhere close to what it
would cost to do a meaningful investigation of someone's identity.

I've been proposing for a while that we try industry-specific branded
certs.  The branding would put a logo in the signing cert (there's
already a field for it) and adjust browsers to display the signing
cert's logo in a place where users can't put anything else, e.g., the
corner that usually displays the IE "e" or Firefox bat.  Industry
specific means that the certs would be issued by a regulator or
industry association who already knows who the legitimate entities
are, such as the FDIC for banks in the US, so there's no extra step of
introducing the certified parties to the certifier.

The point of branding the signer is that you then have a single brand
that you want to tell people to look for, e.g. "Would you bank at an
office without the FDIC logo in the window?  Look for the same logo
on your bank's web site."

There remain some issues, notably how you keep fake signing certs out
of computers of people who will click the OK box in a window that says
"Harvest all your account numbers and steal all your money?"  But it
seems to me a reasonable approach to more credible online identity for
often-faked targets.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for 
Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.




Proposed Law Against 'Phishing' Would Be Difficult to Enforce

2005-03-20 Thread R.A. Hettinga


The Wall Street Journal



Proposed Law Against 'Phishing'
 Would Be Difficult to Enforce

By DAVID KESMODEL
THE WALL STREET JOURNAL ONLINE
March 16, 2005 6:59 p.m.


A proposed measure in Congress to crack down on "phishing" scams -- a type
of online identity theft -- probably would do little to curtail the
activity because it is nearly impossible to catch many of the perpetrators,
security experts say.

U.S. Sen. Patrick Leahy, a Vermont Democrat, introduced a bill last month
that would impose jail sentences of up to five years and fines of up to
$250,000 against people convicted of phishing. Several Democrats have filed
a companion bill in the House. Republicans have yet to take a position on
the legislation, called the Antiphishing Act of 2005, but there is growing
concern on Capitol Hill about identity theft.

In a phishing scheme, impostors use e-mails and Web sites to trick
consumers into releasing key personal information such as bank-account
numbers. In a common attack, consumers will get an e-mail that looks as if
it came from a bank or retailer. The e-mail points to a phony Web site,
where consumers are asked to enter vital information. Criminals have gotten
very good at mimicking legitimate e-mails and Web sites, making their
attacks more effective.

Unfortunately, criminals have also grown more savvy when it comes to
covering their tracks. The biggest challenge for the proposed legislation
is that many of the offenders reside overseas, and they use byzantine crime
networks to keep their own identities concealed. What's more, the average
phishing site exists for less than six days, estimates the Antiphishing
Working Group, an industry trade organization that supports Sen. Leahy's
bill. "It is difficult, if not impossible," to find the offenders and
prosecute them, said Gary Steele, chief executive of Proofpoint Inc., an
e-mail security provider. He said the main strength of Sen. Leahy's bill
would be to make the public more aware of phishing threats.

'Unusual Activity'

Prosecutors have thus far used traditional laws against wire fraud and
identity theft to fight phishing, but Sen. Leahy argues the legislation
would make it easier to prosecute a person suspected of engaging in such a
scheme. It would criminalize the act of setting up a phishing site,
enabling prosecutors to go after someone before any financial fraud occurs.
The law also would criminalize "pharming," a related type of fraud in which
hackers manipulate settings on users' computers so that they will go to a
counterfeit Web site when they try to visit a legitimate Web site for a
bank or other service.

Research firm Gartner Inc. estimates that 130 million U.S. Internet users
have been targets of a phishing scheme through e-mail. The Antiphishing
Working Group said it received reports of 2,560 active phishing Web sites
in January, up from 1,740 in December. The group, whose members include
banks, Internet service providers and security firms, says that in some
phishing ploys, up to 5% of the targets take the bait.

Major U.S. banks, as well as online auction site eBay Inc. and its PayPal
online payment unit, have been among the frequent targets of phishing
attacks. Recently, Washington Mutual Inc.'s customers received
legitimate-looking e-mails that told them that the bank's account review
team had "identified some unusual activity in your account." It pointed
customers to a Web site and asked them to enter their name, account number
and other data, and to review account transactions to make sure the account
"has not been compromised." Last year, Wells Fargo & Co. said customers
were being asked to provide their name, social security number, account
number and ATM pin for the alleged purpose of updating them on changes in
bank policy.

These days, a prevalent phishing scam is to send consumers e-mails
declaring that the recipient has won a lottery. The messages ask for a bank
account number so winnings can be delivered, said Avivah Litan, a vice
president with Gartner. "The lottery trick is really the biggest thing
now," she said. It plays "on people's imaginations that they won a lottery
or are eligible for an award."

Jody Westby, a managing director for PricewaterhouseCoopers LLP
specializing in cybercrime, said far more cooperation among countries is
needed to combat phishing. In February, online-security firm VeriSign Inc.
said 58% of the phishing sites it examined in last year's fourth quarter
were located outside the U.S., in countries including China, Germany and
Taiwan. "I applaud [Sen. Leahy] for his efforts and certainly think it is a
step in the right direction, but I think it butts against technological and
jurisdictional realities," Ms. Westby said.

Skeptics of the proposed federal legislation point to the 2003 Can-Spam
Act, a federal law designed to stanch the deluge of spam in Americans'
inboxes

Westlaw agrees to restrict access to Social Security numbers

2005-03-20 Thread R.A. Hettinga


The San Jose Mercury News

Posted on Thu, Mar. 17, 2005

Westlaw agrees to restrict access to Social Security numbers


WASHINGTON (AP) - A legal research company said Thursday it will greatly
restrict customer access to Social Security numbers in response to
complaints from Congress that its previous policy of limited sales of the
numbers invited identity theft.

Westlaw, a Minnesota-based legal research firm, said private companies and
many government offices no longer will be able to obtain such information
from the company.

``The events of the past months illustrate the importance of tougher
controls, and we're pleased to be a part of a broader and ongoing effort
that supports both individual privacy and homeland security concerns,''
said Peter Warwick, CEO of Thomson West, which operates the online Westlaw
service.

The company's practices came under fire from lawmakers after another data
company, ChoicePoint, announced some 145,000 customers had been exposed to
identity theft.

Westlaw, which is owned by The Thomson Corp., has not suffered a similar
breach, but Sen. Charles Schumer, D-N.Y., called on the company to tighten
restrictions on the information available to customers in the wake of the
ChoicePoint problem.

Under the new policy, about 85 percent of Westlaw customers who previously
had access to the Social Security number search will no longer have such
access.

All private companies, and many government offices, including the U.S.
Senate, will no longer have access to Social Security numbers through
Westlaw. Access will remain for some law enforcement agencies.

Congress has stepped up pressure on data companies that collect huge
amounts of private information.

On Tuesday, ChoicePoint Inc. CEO Derek Smith appeared before a House Energy
and Commerce Committee panel to publicly apologize to customers whose
information may have been obtained surreptitiously.

Appearing beside him was LexisNexis CEO Kurt Sanford, whose company also
had a breach involving information on about 32,000 people. LexisNexis is
owned by Reed Elsevier PLC.

The two executives said they would support some proposals to toughen laws
governing consumer privacy.

They did not support a more sweeping prohibition on the sale of Social
Security numbers, arguing such sales may be necessary for law enforcement
or debt collection.

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Cyber cops foil £220m Sumitomo bank raid

2005-03-20 Thread R.A. Hettinga


The Register


 Original URL:
http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/

Cyber cops foil £220m Sumitomo bank raid
By John Leyden (john.leyden at theregister.co.uk)
Published Thursday 17th March 2005 11:51 GMT

A hi-tech bid to steal £220m ($423m) from the London offices of the
Japanese bank Sumitomo Mitsui has been foiled by police. A gang of cyber
crooks compromised Sumitomo's computer systems in October 2004 prior to an
unsuccessful attempt to transfer money to a series of 10 accounts overseas,
the FT reports.

Yeron Bolondi, 32, was arrested by Israeli police on Wednesday after an
attempt to transfer £13.9m to a bank account in the country. He has been
charged with money laundering and deception. The plan was thwarted before
any cash was transferred, the BBC reports
(http://news.bbc.co.uk/1/hi/uk/4356661.stm).

Takashi Morita, head of communications at Sumitomo in Tokyo, told
(http://news.independent.co.uk/uk/crime/story.jsp?story=620980) the Press
Association that the bank had not suffered any losses as a result of the
attempted heist. "We have undertaken various measures in terms of security
and we have not suffered any financial damage," he said. Details of how the
bank's systems were compromised remain sketchy though several reports
implicate the use of key logging software as part of the plot.

A spokeswoman for the National High-Tech Crime Unit declined to comment on
its ongoing investigation into the attempted robbery of Sumitomo.

A spokesman for the bank in London declined to say anything, other than the
attempted raid was "a complete failure".



Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread Steven M. Bellovin
A few days ago, I posted this:
>
>WASHINGTON (AP) -- The National Security Agency warned President
>Bush in 2001 that monitoring U.S. adversaries would require a
>``permanent presence'' on networks that also carry Americans'
>messages that are protected from government eavesdropping.
>
>...
>
>
>``Make no mistake, NSA can and will perform its missions consistent
>with the Fourth Amendment and all applicable laws,'' the document
>says.
>

Today, I happened to learn the URL for the document itself:
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf .  There's 
little that strikes me as sensitive in it, other than the (redacted) 
budget numbers.  What's someplace between amusing and appalling is some 
of the other things that NSA had considered sensitive.  For example, 
consider this paragraph, from page 5:

The National Security Agency has a proud tradition of serving the
nation.  NSA has been credited with preventing or significantly
shortening military conflicts, thereby saving lives of U.S.
military and civilian personnel.  NSA gives the nation a decisive
edge in policy interactions with other nations, in countering
terrorism, and in helping stem the flow of narcotics into our
country.  NSA has been the premier information agency of the
industrial age, and through ongoing modernization and cutting edge
research, will continue to be the premiere knowledge agency of the
information age.

That paragraph, believe it or not, was classified Secret.  For what
it's worth, the official definition of "Secret", from Executive Order
12958 (http://www.dss.mil/seclib/eo12958.htm), is:

 "Secret" shall be applied to information, the unauthorized
 disclosure of which reasonably could be expected to cause serious
 damage to the national security that the original classification
 authority is able to identify or describe.

What in that paragraph could cause "serious damage"?  The notion that
NSA gives the U.S. government an edge in policy interactions, i.e.,
it may spy on foreign governments?  I'm shocked, shocked to hear that.

Then there are the paragraphs on pages 16 and 17 that describe
NSA's legislative lobbying on crypto legislation.  Those were marked
FOUO -- For Official Use Only.  DD Form 254 says

The "For Official Use Only" (FOUO) marking is assigned to
information at the time of its creation in a DoD User
Agency. It is not authorized as a substitute for a security
classification marking but it is used on official government
information that may be withheld from the public under
exemptions 2 through 9 of the Freedom of Information Act.

Why is that information eligible to be withheld?  Because it tells
the public that NSA is interested in legislation about crypto and
exports?

I could go on, but the topic of overclassification is well-worn.



Off-the-Record Messaging

2005-03-20 Thread R.A. Hettinga


Off-the-Record Messaging


Off-the-Record (OTR) Messaging allows you to have private conversations
over instant messaging by providing:
 Encryption
No one else can read your instant messages.
 Authentication
You are assured the correspondent is who you think it is.
 Deniability
The messages you send do not have digital signatures that are checkable by
a third party. Anyone can forge messages after a conversation to make them
look like they came from you. However, during a conversation, your
correspondent is assured the messages he sees are authentic and unmodified.
 Perfect forward secrecy
If you lose control of your private keys, no previous conversation is
compromised.

 News
24 Feb 2005
otrproxy-0.2.0 released. Changes from 0.1.x:
*There's now a GUI! See the README for more details.
 23 Feb 2005
gaim-otr 2.0.1 released. Changes from 2.0.0:
*Removed people without fingerprints from the Known Fingerprints list.
*The column heads in the Known Fingerprints list cause sorting to
happen in the expected way.
 22 Feb 2005
Nikita made a 0.1.2 version of otrproxy for OSX. Changes from 0.1.1:
*AIM screen names should be compared case- and space-insensitively.
 16 Feb 2005
Version 2.0.1 of libotr released. Changes from 2.0.0:
*Don't send encrypted messages to a buddy who has disconnected
his private connection with us.
*Don't show the user the "the last message was resent" notice if
the message has never actually been sent before.
*Fix a crash bug that happened when messages were retransmitted
under certain circumstances.

 More News...

Downloads

OTR library and toolkit

This is the portable OTR Messaging Library, as well as the toolkit to help
you forge messages. You need this library in order to use the other OTR
software on this page. [Note that some binary packages, particularly
Windows, do not have a separate library package, but just include the
library and toolkit in the packages below.] The current version is 2.0.1.

 README
Source code (2.0.1)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
[Note that if you're compiling from source on win32, you may need to make
this patch to libgcrypt-1.2.1.]
 Linux/x86 (2.0.1)
 Debian testing/unstable
Debian testing/unstable dev package
Fedora Core 3 RPM
Fedora Core 3 dev RPM
Linux/x86_64 (2.0.1)
 Fedora Core 3 RPM
Fedora Core 3 dev RPM

OTR plugin for gaim

This is a plugin for gaim 1.x which implements Off-the-Record Messaging
over any IM network gaim supports. The current version is 2.0.1. You may
need the above library packages.

 README
Source code (2.0.1)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
Linux/x86 (2.0.1)
 Debian testing/unstable (Debian stable does not have the required 1.x
version of gaim)
 Fedora Core 3 RPM
Linux/x86_64 (2.0.1)
 Fedora Core 3 RPM
Windows (2.0.1)
 Win32 installer (sig)

 OTR localhost AIM proxy

This is a localhost proxy you can use with almost any AIM client in order
to participate in Off-the-Record conversations. The current version is
0.2.0, which means it's still a long way from done. Read the README file
carefully. Some things it's still missing:
*Username/password authentication to the proxy
*Having the proxy be able to use outgoing proxies itself
*Support for protocols other than AIM/ICQ
*Configurability of the proxy types and ports it uses
 But it should work for most people. Please send feedback to the otr-users
mailing list, or to the dev team. You may need the above library packages.

 README
Source code (0.2.0)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
Linux/x86 (0.2.0)
 Debian testing/unstable
Fedora Core 3 RPM
Windows (0.2.0)
 Win32 installer (sig)
 OSX (0.2.0)
 OSX package

Mailing Lists

If you use OTR software, you should join at least the otr-announce mailing
list, and possibly otr-users (for users of OTR software) or otr-dev (for
developers of OTR software) as well.

 Documentation

Here are some documents and papers describing OTR. The WPES presentation is
quite useful to get started.
*Protocol description
*   The WPES 2004 version of our paper
*   Our WPES presentation (Powerpoint)
*   Our WPES presentation (PDF)

Frequently Asked Questions
What implementations of Off-the-Record Messaging are there?
Right now, there's the plugin for gaim, which is supported on Linux and
Windows. There's also the OTR proxy, which is supported on Linux, Windows,
and OSX. The OTR functionality is separated into the Off-the-Record
Messaging Library (libotr), which is an LGPL-licensed library that can be
used to (hopefully) easily produce OTR plugins for other IM software, or
for other applications entirely.
 What is the license for the OTR software?
The Off-the-Record Messaging L
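
The two OTR properties that jbash's reply and the project page above both lean on, deniable authentication and per-session keys, as an added toy example that is not code from the OTR project. It assumes a 127-bit Mersenne prime as the Diffie-Hellman group and a SHA-256 counter keystream in place of the real protocol's large MODP group and AES in counter mode, and it leaves out the signed initial exchange that authenticates the DH values.

```python
"""Added example, not code from the OTR project: a toy of deniable
authentication (messages carry MACs under a key both parties share, and the
key is published once it is no longer needed) and per-session ephemeral keys.
Assumptions: a 127-bit Mersenne prime as the DH group and a SHA-256 counter
keystream, standing in for the real protocol's large MODP group and AES-CTR;
the signed initial key exchange that authenticates the DH values is omitted."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # 2^127 - 1 is prime; a toy group, far too small for real use
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_keys(peer_pub: int, my_priv: int):
    """Derive (enc_key, mac_key) from the DH shared secret.  The caller drops
    my_priv afterwards; with it gone, nothing kept on disk can reproduce the
    keys, which is what makes earlier conversations unrecoverable later."""
    shared = pow(peer_pub, my_priv, P).to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())


def keystream_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """Counter-mode XOR; the counter must be unique per message under a key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + counter.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(keys, counter: int, plaintext: bytes):
    enc_key, mac_key = keys
    ct = keystream_xor(enc_key, counter, plaintext)
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct, tag


def open_(keys, counter: int, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = keys
    expect = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad MAC")
    return keystream_xor(enc_key, counter, ct)


def forge_with_published_key(mac_key: bytes, counter: int, known_ct: bytes,
                             known_pt: bytes, new_pt: bytes):
    """A third party holding the transcript, a guess at one plaintext and the
    MAC key published after the session: the stream cipher is malleable, so
    XOR turns the known ciphertext into one for new_pt, and the published key
    yields a valid tag.  A tagged transcript therefore proves nothing about
    who wrote it, which is the deniability the page describes."""
    assert len(new_pt) == len(known_pt)
    new_ct = bytes(c ^ a ^ b for c, a, b in zip(known_ct, known_pt, new_pt))
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + new_ct, hashlib.sha256).digest()
    return new_ct, tag


def demo() -> dict:
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice, bob = session_keys(b_pub, a_priv), session_keys(a_pub, b_priv)
    del a_priv, b_priv                           # ephemeral exponents are not kept
    ct, tag = seal(alice, 1, b"meet at noon")     # constructed sample message
    got = open_(bob, 1, ct, tag)
    # During the conversation, a modified ciphertext is rejected.
    try:
        open_(bob, 1, ct[:-1] + bytes([ct[-1] ^ 1]), tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Afterwards the MAC key is published; anyone can now rewrite the record.
    published_mac_key = alice[1]
    fake_ct, fake_tag = forge_with_published_key(published_mac_key, 1, ct,
                                                 b"meet at noon", b"meet at dusk")
    forged_reads = open_(bob, 1, fake_ct, fake_tag)
    # The next session agrees fresh keys; losing them says nothing about these.
    c_priv, c_pub = dh_keypair()
    d_priv, d_pub = dh_keypair()
    next_session = session_keys(d_pub, c_priv)
    return {"bob_reads": got, "tamper_detected": tamper_detected,
            "forged_reads": forged_reads, "keys_rotate": next_session != alice}
```

Two design points carry the properties. The MAC, not a signature, is what gives the recipient assurance while the session is live, and because the recipient holds the same key nothing in a transcript singles out the sender. The malleable cipher plus the published MAC key is what lets an outsider produce a plausible alternative transcript later, the "forge" the toolkit on the page exists for. Forward secrecy is entirely in what is thrown away: the exponents in dh_keypair never outlive session_keys.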

Non-repudiation

2005-03-20 Thread Jerrold Leichter
With all the discussion we've seen on this topic, I'm surprised no one has 
mentioned "Non-Repudiation in Electronic Commerce", by Jianying Zhou.

I haven't read this book, but Rob Slade gave it a good review in a year-old 
RISKS that I happened to stumble across.  Any comments from list members?

-- Jerry


Re: Encryption plugins for gaim

2005-03-20 Thread Adam Shostack
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote:
| Ian G wrote:
| 
| >Adam Fields wrote:
| >
| >>Given what may or may not be recent ToS changes to the AIM service,
| >>I've recently been looking into encryption plugins for gaim.
| >>Specifically, I note gaim-otr, authored by Ian G, who's on this list.
| >
| >
| >Just a quick note of clarification, there is a collision
| >in the name Ian G.  4 letters does not a message digest
| >make.
| 
| 
| Perhaps if you were to prepend a random serial number to your name this 
| problem would be alleviated?

They'd both randomly choose pi.





Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread James A. Donald
--
On 18 Mar 2005 at 22:52, Steven M. Bellovin wrote:
> That paragraph, believe it or not, was classified Secret.
> For what it's worth, the official definition of "Secret",
> from Executive Order 12958
> (http://www.dss.mil/seclib/eo12958.htm), is:
>
>   "Secret" shall be applied to information, the unauthorized 
>   disclosure of which reasonably could be expected to cause
>   serious damage to the national security that the original
>   classification authority is able to identify or describe.

Obviously any bureaucrat with the authority to categorize
something as secret will more or less automatically so stamp
any information that passes through his hands, to inflate his
importance, and thus his job security and prospects for
promotion.  Similarly, he will spend any money he has authority
to spend, thus the never ending conflict between congress and
the SSSI bureaucracy, who if they had their way would put every
single American, plus the dead and the pets, on SSSI.

This results in "top secret" information being treated as not
very secret at all, as documented by Richard Feynman, which in
turn results in ever higher secrecy classifications, more top
than top, a process of classification inflation and debasement. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 R4I4vh9JdcWBUfeQFXQ+i/TlFSVcljg/Og6KRDDj
 4qwXmonSAX1xgyPdaB5TsB80yC66PjeWY5mzIpBuo




Re: how to phase in new hash algorithms?

2005-03-20 Thread Ian G
Steven M. Bellovin wrote:
So -- what should we as a community be doing now?  There's no emergency 
on SHA1, but we do need to start, and soon.
The wider question is how to get moving on new hash
algorithms.  That's a bit tricky.
Normally we'd look to see NIST or the NESSIE guys
lead a competition.  But NESSIE just finished a
comp, and may not have the appetite for another.
NIST likewise just came out with SHA256 et al, and
they seem to have a full work load as it is trying
to get DSS-2 out.
How about the IACR?  Would they be up to leading
a competition?  I don't know them at all myself,
but if the Shandong results are heard at IACR
conferences, then maybe it's time to take on a
larger role.
Most of the effort could be volunteer, and it would
also be easy enough to schedule everything aligned
with the conference circuit.
Just a thought.  Anyone know anyone at the IACR?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/


Re: Encryption plugins for gaim

2005-03-20 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Peter Saint-Andre writes:
>On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
>> On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
>> > Why not help us make Jabber/XMPP more secure, rather than overloading
>> > AIM? With AIM/MSN/Yahoo your account will always exist at the will of
>> 
>> Unfortunately, I already have a large network of people who use AIM,
>> and >they< all each have large networks of people who use AIM. Many of
>> them still use the AIM client. Getting them to switch to gaim is
>> feasible. Getting them to switch to Jabber is not. However, getting
>> them to switch to gaim first, and then ultimately Jabber might be an
>> option. Frankly, the former is more important to me in the short
>> term.
>
>Yep, the same old story. :-)
>
>> > AOL, whereas with XMPP you can run your own server etc. Unfortunately
>> 
>> Does "can" == "have to"? From what I remember of trying to run Jabber
>> a few years ago, it did.
>
>No, we have 200k registered users on the jabber.org server and some
>servers have even more. You can run your own server, though, and accept
>connections only from other servers you trust, etc.
>

Let me second the recommendation for jabber (though I wish the code 
quality of some of the components were better).  The protocol itself 
supports TLS for client-to-server encryption; you can also have AIM (or 
other IM) gateways on that server.  In many situations (i.e., 
wireless), it protects the most vulnerable link from eavesdropping.  
While clearly not as good as end-to-end encryption, it's far better 
than nothing, especially in high-threat environments such as the 
IETF...  (Of course, I only know of one open source client -- psi -- 
that checks the server certificate.)  In theory, server-to-server 
communications can also be TLS-protected, though I don't know if any 
platforms support that.

On top of any other encryption, many implementations support PGP 
encryption between correspondents.  I don't know of any support for 
e2e-encrypted chat rooms.

I haven't played with OTR, nor am I convinced of the threat model.  
That said, what you really need to watch out for is the transcript 
files on your own machine...

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ralf Senderek writes:

>
>And that is why I ask to give the Shamir Discrete Logarithm Hash Function a
>second thought. At least we have a proof of collision resistance under the
>assumption that factoring is infeasible for the modulus used.
>
>And that is more than we ever had regarding the MD4 series.
>
>BTW, choosing the next generation hash function should - as I think - not be
>dominated by terms of performance. (i.e. done in the olde fashion)
>

"Dominated"?  No, of course not.  But a hash function based on discrete 
log will be slow enough that no one will use it.  

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb


