Re: Crack in Computer Security Code Raises Red Flag

2005-03-20 Thread J.A. Terranson


On Tue, 15 Mar 2005, The Wall Street Journal Wrote:

 SHA-1 is a federal standard promulgated by the National
 Institute of Standards and Technology and used by the government and
 private sector for handling sensitive information. It is thought to be the
 most widely used hash function, and it is regarded as the state of the art.
  ^^
NEXT!

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses.

http://www.tshirthell.com/


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government

2005-03-20 Thread Ben Laurie
Ian G wrote:
NSA names ECC as the exclusive technology for key agreement and digital
signature standards for the U.S. government
Certicom's ECC-based solutions enable government contractors to add security
that meets NSA guidelines
I should note that OpenSSL also supports ECC.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff


Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
 Why not help us make Jabber/XMPP more secure, rather than overloading
 AIM? With AIM/MSN/Yahoo your account will always exist at the will of

Unfortunately, I already have a large network of people who use AIM,
and they all each have large networks of people who use AIM. Many of
them still use the AIM client. Getting them to switch to gaim is
feasible. Getting them to switch to Jabber is not. However, getting
them to switch to gaim first, and then ultimately Jabber might be an
option. Frankly, the former is more important to me in the short
term.

 AOL, whereas with XMPP you can run your own server etc. Unfortunately

Does can == have to? From what I remember of trying to run Jabber
a few years ago, it did.

 the original Jabber developers did not build encryption in from the
 beginning and the existing methods have not been implemented widely
 (OpenPGP over Jabber) or are not very Jabberish (RFC 3923), so we need
 to improve what we have. Contributions welcome. See here for pointers:
 
 http://www.saint-andre.com/blog/2005-03.html#2005-03-15T11:23



Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote:
  this is actually a very good solution for
  me. The only thing I don't like about it is that it stores the private
  key on your machine. I understand why that is, but it also means that
  if you switch machines with the same login (home/work), you have to
  reverify the fingerprint out of band (assuming you care enough to do
  that in the first place).
 
 You can also just copy your otr.private_key file around.  See, for
 example, http://chris.milbert.com/AIM_Encryption/

It would be helpful if you could specify the location of the private
key file, so then it could be on a thumb drive or something similar.



Re: Do You Need a Digital ID?

2005-03-20 Thread Anne Lynn Wheeler
R.A. Hettinga wrote:
http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp
 
i've been asked to flush out my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote
to  highlight the distinction between identity theft and account theft. 
 typically identity theft is that enuf information is obtained to 
fraudulently be able to open new accounts in the victim's name (among 
other things) while account theft is that the thief has enuf information 
to perform fraudulent transactions against an existing account of the 
victim.

account theft tends to be attacks on poor authentication procedures by 
account institutions and/or use of social engineering or phishing to 
obtain the victim's account authentication information (which shares a 
lot in common with straight identity theft).

a common exploit is the use of skimming/sniffing of static 
authentication verification data that enables creating counterfeit 
tokens/cards that enables fraudulent transactions.

given 3-factor authentication:
* something you have
* something you know
* something you are
there can be a great deal of confusion whether a token/card represents 
something you have or not. If a token/card contains valid 
authentication information and if that token/card is lost/stolen and a 
new account has to be created  then it is likely the token/card 
represents something you have authentication.

however, some infrastructure just utilize a token/card to provide the 
equivalent of userid (say an account number which isn't required to be 
secret) and the actual authentication is in the form of a password/PIN 
... i.e. something you know authentication. just because a token/card 
is involved along with a PIN/password doesn't automatically imply that 
two-factor authentication is involved.

if a re-issued a new token/card (to replace a lost/stolen token/card) is 
identical to the lost/stolen token/card ... then it is likely that there 
is no something you have authentication involved (even tho a 
token/card is involved in the process) ... and therefore the 
infrastructure is just single factor authentication.

at the basics, a digital signature is an indirect indication of 
something you have authentication  aka the existence of a digital 
signature implies that the originator accessed and utilized a private 
key in the generation of the digital signature. a digital signature by 
itself says nothing about the integrity of that something you have 
authentication ... since the digital signature doesn't carry any 
indication of the integrity measures used to secure and access the 
associated private key.

there is some temptation to claim that the a lot of the problems with 
establishment of digital signature technology is that the basic trust 
building blocks haven't been established. numerous institutions have 
spent a lot of time focusing on the trust infrastructures associated 
with certification authority operation and digital certificates  
which have nothing directly to do with any form of 3 factor authentication.

the basic building block is that a financial (or other) institutions 
have ongoing relationships represented by established accounts and that 
the entities associated with those accounts have established 
authentication material. In the case of digital signatures, that would 
be public keys. To the degree that a relying party institution 
(financial or other) can trust what is represented by a digital 
signature is the integrity level of the environment that protects the 
access and use of the associated private key  w/o additional 
knowledge, the relying party only knows that some entity accessed and 
utilized a specific private key ... as in a simple, single factor, 
something you have authentication.

A digital signature by itself has no indication of the security and 
integrity level associated with the private key protection, access and 
use ... and/or if there is anything more than simple, single factor, 
something you have authentication.

Furthermore, in the great majority of the transactions involving 
established relationships, there is no need for digital certificates to 
establish identification information  straight-forward authentication 
tends to be sufficient.

misc. past 3-factor authentication posts
http://www.garlic.com/~lynn/subpubkey.html#3factor




Re: Encryption plugins for gaim

2005-03-20 Thread Peter Saint-Andre
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote:

 OTR works over Jabber today.  Granted, it's not very Jabberish (as far
 as I understand the term; I don't know the Jabber protocol very well):
 it just replaces the text of the message with ciphertext.  [gaim, at
 least, doesn't seem to have a way to construct a more Jabberish
 message, as far as I could tell.]
 
 I'd be more than happy to help Jabber-ify the OTR protocol.  The reason
 we designed OTR was exactly that the GPG-over-IM solutions have
 semantics that don't match those of a private conversation: you have
 long-term encryption keys, as well as digital signatures on messages.
 You don't *want* Bob to be able to prove to Charlie that Alice said what
 she did.  [Yet you want Bob to be himself assured of Alice's
 authorship.]  And a compromise of Bob's computer tomorrow should not
 expose today's messages.
 
 OTR also adds a couple of extra features (malleable encryption,
 publishing of the MAC keys, a toolkit for forging transcripts) to help
 Alice claim that someone's putting words in her mouth.

Obviously I need to read up more on OTR, but thanks for the offer of
assistance -- I'll reply further when my level of ignorance is not quite
so high as it is now.

/psa
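Ian Goldberg's description above (a MAC that assures Bob during the conversation, MAC keys published afterwards, and malleable encryption so that transcripts can be re-written) can be made concrete with a small model. The following is an added example, not code from the OTR project or from anyone on the list; it uses a toy SHA-256 counter-mode keystream and HMAC-SHA256 standing in for OTR's actual primitives, and the session keys are constructed constants rather than the output of a key exchange:

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (constructed for this demo;
    it is not OTR's cipher). Any stream cipher has the XOR malleability
    shown below, which is the property that matters here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Per-message MAC over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def send(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Alice's side: returns (ciphertext, tag)."""
    ct = stream_xor(enc_key, plaintext)
    return ct, tag(mac_key, ct)


def receive(enc_key: bytes, mac_key: bytes, ct: bytes, t: bytes):
    """Bob's side: None if the tag does not verify, else the plaintext."""
    if not hmac.compare_digest(tag(mac_key, ct), t):
        return None
    return stream_xor(enc_key, ct)


def remould(ct: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Malleability: whoever knows what a ciphertext says (Bob does) can XOR
    in the difference so it decrypts to other text of the same length,
    without ever knowing the encryption key."""
    if not len(ct) == len(known_plaintext) == len(wanted_plaintext):
        raise ValueError("remoulding only works for equal lengths")
    return bytes(c ^ k ^ w for c, k, w in zip(ct, known_plaintext, wanted_plaintext))


def forge_after_key_release(published_mac_key: bytes, ct: bytes,
                            known_plaintext: bytes, wanted_plaintext: bytes):
    """Deniability: once the MAC key is published, anyone can attach a valid
    tag to a remoulded ciphertext, so a tagged transcript is no proof to a
    third party of who wrote what."""
    forged_ct = remould(ct, known_plaintext, wanted_plaintext)
    return forged_ct, tag(published_mac_key, forged_ct)


def demo():
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32   # constructed session keys
    original, altered = b"meet at noon", b"meet at 5 pm"
    ct, t = send(enc_key, mac_key, original)
    results = {"bob_reads": receive(enc_key, mac_key, ct, t)}
    # During the conversation the MAC still protects Bob: a remoulded
    # ciphertext under the old tag is rejected.
    results["tamper_rejected"] = receive(enc_key, mac_key, remould(ct, original, altered), t) is None
    # After the MAC key is released, the same edit plus a fresh tag verifies.
    forged_ct, forged_t = forge_after_key_release(mac_key, ct, original, altered)
    results["forgery_verifies_as"] = receive(enc_key, mac_key, forged_ct, forged_t)
    return results


if __name__ == "__main__":
    print(demo())
```

The two halves of `demo()` are the whole argument: while the MAC key is secret, only Alice and Bob can produce a tag, so Bob is assured of authorship; once it is public, a valid tag is meaningless to Charlie, which is exactly what a digital signature would fail to provide.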




Re: PK - OTP?

2005-03-20 Thread Amir Herzberg
Matt Crawford wrote:
My educated-layman's opinion is that the following is not feasible, but 
I'd be happy to be shown wrong ...

Given a closed public-key device such as a typical smart card with its 
limited set of operations (chiefly sign), is it possible to implement 
a challenge/response function such that

* Both the challenge and the response are short enough for an average 
user to be willing to type them when needed.

* The challenge can be generated, and the response verified using the 
cardholder's public key and a reasonable amount of computation.
What's wrong with sending the device encryption of a random number 
(using the public key of the device), and the device sending back the 
number as proof of possession of the corresponding secret key?

Best, Amir Herzberg


Re: Encryption plugins for gaim

2005-03-20 Thread Jim Cheesman
Ian G wrote:
Adam Fields wrote:
Given what may or may not be recent ToS changes to the AIM service,
I've recently been looking into encryption plugins for gaim.
Specifically, I note gaim-otr, authored by Ian G, who's on this list.

Just a quick note of clarification, there is a collision
in the name Ian G.  4 letters does not a message digest
make.

Perhaps if you were to prepend a random serial number to your name this 
problem would be alleviated?

Best wishes,
Jim Cheesman



Reuters -- British Firm Breaks Ground in Surveillance Science

2005-03-20 Thread David Chessler
http://www.reuters.com/newsArticle.jhtml?type=topNewsstoryID=7892255
http://www.reuters.com/printerFriendlyPopup.jhtml?type=topNewsstoryID=7892255

British Firm Breaks Ground in Surveillance Science
Mon Mar 14, 2005 08:08 AM ET
By Mark Trevelyan, Security Correspondent
MALVERN, England (Reuters) - The suicide bomber clips a shrapnel-filled 
belt around his waist and buttons up his jacket to conceal it.

As he turns back and forth in front of a semi-circular white panel, about 
the size of a shower cubicle, a computer monitor shows the metal-packed 
cylinders standing out clearly in white against his body.

This is no real security alarm: it's a demonstration at the British 
technology group QinetiQ of a scanning device that sees under people's 
clothes to spot not just metal but other potential threats like ceramic 
knives or hidden drugs.

The electromagnetic technology, known as Millimeter Wave (MMW), is just one 
aspect of a potential revolution in security screening being pioneered at 
QinetiQ, formerly part of the research arm of the British defense ministry.

Actually, detecting a suicide bomber in the lobby of an airport is not a 
great thing to happen, Simon Stringer, new managing director of QinetiQ's 
security business, says with British understatement.

It's slightly better than having him do it in the departure lounge or 
perhaps on the plane, but you're still going to have to deal with a 
significant problem.

That's why, he says, the trend for the future will be to move the scanners 
outside the terminal building and operate them in stand-off mode -- 
checking people from a distance before they even set foot inside.

The advantage is obvious: to spot potential attackers without alerting them 
to the fact, and gain precious seconds for security forces to prevent an 
attack.

ARE YOU SWEATING TOO MUCH?
Another prospect in store for air travelers is hyperspectral sensing that 
will check for chemicals called pheromones, secreted by the human body, 
which may indicate agitation or stress.

People under stress tend to exude slightly different pheromones, and you 
can pick this up ... There are sensing techniques we're working on, 
Stringer said.

The stress may have an innocent cause, such as fear of flying, but could 
also betray the nervousness of a potential attacker. The point is to alert 
security staff to something unusual that may need further investigation.

As with MMW, the technology could function at a distance and without the 
need for people to wait in line. By conducting such checks while people are 
approaching the airport and moving through it, authorities could avoid 
bottlenecks and queues.

SUSPICIOUS MOVEMENTS
As the passenger proceeds through the terminal, the next layer of 
surveillance could be carried out through cognitive software which 
monitors his or her movements and sounds a silent alarm if it picks up an 
unusual pattern.

Someone who's been back in and out of the same place three times or keeps 
bumping into the same people might be something that's worthy of further 
investigation ... I think that's really the sort of capabilities we're 
going to be looking at, Stringer said in an interview.

While many of these technologies are still under development, others have 
already been rolled out to clients by QinetiQ, which made group operating 
profit of 28 million pounds ($53.9 million) in the six months to last 
September.

Millimeter wave, for example, has been tested at airports and, in a 
different application, is being used by British immigration authorities and 
Channel Tunnel operator Eurotunnel to detect illegal immigrants trying to 
enter the country as stowaways in the back of trucks.

Stringer says the potential market for MMW runs into the hundreds of 
millions of dollars and goes well beyond the transport sector.

We're spending quite a lot of time talking to multinationals who want to 
establish perimeter security systems around plant, installations and 
buildings, he said.

QinetiQ -- owned 30 percent by private equity group Carlyle and 56 percent 
by the British government -- expects rapid growth for its security business 
as it gears up for a stock market launch.

BIG BROTHER?
But how will ordinary people embrace the prospect of surveillance 
technology that sees through their clothes, checks how much they're 
sweating and tracks their airport wanderings between the tax-free shops and 
the toilets?

Stringer acknowledges that some might see this as George Orwell's Big 
Brother come true. There are always going to be issues of privacy here and 
they're not to be belittled, they're important.

But he says smarter technology will actually make the checks less intrusive 
than those now in standard practice, such as being searched head to foot 
after setting off a metal detector alarm.

Personally I find that more irritating than the idea of someone just 
scanning me as I walk through, he said.

You're under surveillance in airports anyway. What you're 

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Ng Pheng Siong
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote:
 On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
  Certainly with UIXC it's not worth anything.
 
 What is UIXC?

lemme guess: universal indiscriminate cross certification

oh wait, peter did define it: implicit not indiscriminate

-- 
Ng Pheng Siong [EMAIL PROTECTED] 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption



Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Amir Herzberg
John, thanks for this fascinating report!
Conclusion? `Not all CAs/certs are created equal`... therefore we should 
NOT automatically trust the contents of every certificate whose CA 
appears in the `root CA` list of the browser. Instead, browsers should 
allow users to select which CAs they trust sufficiently to identify 
sites, and to _know_ which CA is identifying the (protected) site they use.

This is easy to do, and of course you can add this to your 
Mozilla/FireFox browser by installing our TrustBar (from 
http://TrustBar.mozdev.org).

Best, Amir Herzberg
John Levine wrote:
Does anyone have a view on what low and high means in this
context?  Indeed, what does assurance mean?

Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price) and a QuickSSL
cert for $169.  If you look at the bits in the cert, they're nearly
identical, both signed by Geotrust's root.
As far as the verification they do, QuickSSL sends an e-mail to the
domain's contact address (WHOIS or one of the standard domain
addresses like webmaster), and if someone clicks through the URL, it's
verified.  StarterSSL even though it costs less has a previous
telephone step where you give them a phone number, they call you, and
you have to punch in a code they show you and then record your name.
Score so far: QuickSSL 0.001, StarterSSL 0.0015.
Both have various documents available with impressive certifications
from well-paid accountants, none of which mean anything I can tell.
Under some circumstances they might pay back some amount to someone
defrauded by a spoofed cert, but if anyone's figured out how to take
advantage of this, I'd be amazed.
Comodo, who sell an inferior variety of cert with a chained signature
(inferior because less software supports it, not because it's any less
secure) is slightly more demanding, although I stumped them with
abuse.net which isn't incorporated, isn't a DBA, and isn't anything
else other than me.  I invented some abuse.net stationery and faxed
them a letter assuring that I was in fact me, which satisfied them.
Back when I had a cert from Thawte, they wanted DUNS numbers which I
didn't have, not being incorporated nor doing enough business to get a
business credit rating, so they were satisfied with a fax of my county
business license, a document which, if I didn't have one, costs $25 to
get a real one, or maybe 15 minutes in Photoshop to make a fake one
good enough to fool a fax machine.  

I gather that the fancier certs do more intrusive checking, but I
never heard of any that did anything that might make any actual
difference, like getting business documents and then checking with the
purported issuer to see if they were real or, perish forbid, visiting
the nominal location of the business to see if anything is there.
So the short answer to what's the difference between a ten dollar cert
and a $350 cert is:   $340.
Next question?
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
I shook hands with Senators Dole and Inouye, said Tom, disarmingly.


Re: Encryption plugins for gaim

2005-03-20 Thread Bill Stewart
At 10:19 PM 3/13/2005, Adam Fields wrote:
Given what may or may not be recent ToS changes to the AIM service,
I've recently been looking into encryption plugins for gaim.
AOL says that the ToS bits are only for things like chatrooms;
user-to-user AIM traffic doesn't even go through their servers.
That doesn't mean they can't eavesdrop on it if they want to,
or that they don't have mechanisms for automating MITM,
so you may very well want to use encryption,
but at least in the normal case your traffic is relatively private.


Re: PK - OTP?

2005-03-20 Thread Matt Crawford
My educated-layman's opinion is that the following is not feasible, 
but I'd be happy to be shown wrong ...
Given a closed public-key device such as a typical smart card with 
its limited set of operations (chiefly sign), is it possible to 
implement a challenge/response function such that
* Both the challenge and the response are short enough for an average 
user to be willing to type them when needed.
* The challenge can be generated, and the response verified using the 
cardholder's public key and a reasonable amount of computation.
What's wrong with sending the device encryption of a random number 
(using the public key of the device), and the device sending back the 
number as proof of possession of the corresponding secret key?
Would it not be the case that the challenge would be as long as the 
key, and hence too long to reasonably expect a user to type into a 
keypad?
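Amir Herzberg's proposal (encrypt a random number to the card's public key, have the card decrypt it) and Matt Crawford's objection (the challenge is as long as the modulus) can both be checked by running the exchange. The following is an added example, not code from either poster; it uses textbook RSA with a toy key generated in Python (assumed to stand in for the smart card's key, with `d` playing the card's private operation), and measures how much the user would have to type on each side:

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if is_probable_prime(cand):
            return cand


def make_toy_keypair(bits: int = 512):
    """Textbook RSA keypair (no padding, toy size). (n, e) is the public key
    the verifier holds; d is the private exponent that never leaves the card."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1.
        if p == q or (p - 1) % e == 0 or (q - 1) % e == 0:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        return (n, e), pow(e, -1, phi)


def make_challenge(pub, nonce_bits: int = 20):
    """Verifier side: a short random number r, sent as its encryption c."""
    n, e = pub
    r = secrets.randbits(nonce_bits)
    return r, pow(r, e, n)


def card_respond(pub, d, challenge: int) -> int:
    """Card side: the only operation needed is the private-key exponentiation."""
    n, _ = pub
    return pow(challenge, d, n)


def digits(x: int) -> int:
    """Decimal digits the user would have to type for this value."""
    return len(str(x))


def run_round(bits: int = 512, nonce_bits: int = 20):
    pub, d = make_toy_keypair(bits)
    r, c = make_challenge(pub, nonce_bits)
    answer = card_respond(pub, d, c)
    return {
        "verified": answer == r,
        "modulus_bits": pub[0].bit_length(),
        "challenge_bits": c.bit_length(),        # tracks the modulus, not r
        "challenge_digits": digits(c),
        "response_digits": digits(answer),       # tracks the short nonce
    }


if __name__ == "__main__":
    for key_bits in (512, 1024):
        print(key_bits, run_round(key_bits))
```

The response is short because it is the nonce itself, but the challenge is an element of Z_n and so is as wide as the modulus: with a 1024-bit key that is roughly 309 decimal digits, which is Matt Crawford's point. A real deployment would also not return raw decryptions of arbitrary ciphertexts; padding such as OAEP and a bound on what the card will decrypt are the standard design choices there.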



Re: Security is the bits you disable before you ship

2005-03-20 Thread Russell Nelson
Steven M. Bellovin writes:
  That's not new, either.  I believe it was Tony Hoare who likened this 
  to sailors doing shore drills with life preservers, but leaving them 
  home when they went to sea.  I think he said that in the 1970s; he said 
  this in his Turing Award lecture:
  
   The first principle was security...  A consequence of this
   principle is that every occurrence of every subscript of
   every subscripted variable was on every occasion checked
   at run time...  I note with fear and horror that even in
   1980, language designers and users have not learned this
   lesson.

This is true, however, I've seen Dan Bernstein (and you don't get much
more careful or paranoid about security than Dan) write code like
this:

static char line[999];

  /* worst case written: two unsigned longs (at most 20 digits each on a
     64-bit long), plus the constant " , " and "\r\n" strings */
  len = 0;
  len += fmt_ulong(line + len,rp);
  len += fmt_str(line + len," , ");
  len += fmt_ulong(line + len,lp);
  len += fmt_str(line + len,"\r\n");
 

Of course, the number of characters that fmt_ulong will insert is
limited by the number of bits in an unsigned long, and both strings
are of constant length.

-- 
--My blog is at blog.russnelson.com | The laws of physics cannot
Crynwr sells support for free software  | PGPok | be legislated.  Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell  | the laws of countries.
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP  | 



how to phase in new hash algorithms?

2005-03-20 Thread Steven M. Bellovin
We all understand the need to move to better hash algorithms than SHA1. 
At a minimum, people should be switching to SHA256/384/512; arguably, 
Whirlpool is the right way to go.  The problem is how to get there from 
here.

OpenSSL 0.9.7 doesn't even include anything stronger than SHA1.  As a 
practical matter, this means that no one can use anything stronger in 
certificates, especially root certificates.  Worse yet, people can't 
use anything stronger for public consumption for at least five years 
after a stronger hash algorithm is available -- we have to wait until
most older software has died off, since most machines are never
upgraded.  This means that appearance of the code in client machines is 
on the critical path.  I've heard that OpenSSL 0.9.8 will include 
stronger hashes, but there's no work in progress to backport the code 
to 0.9.7.  

So -- what should we as a community be doing now?  There's no emergency 
on SHA1, but we do need to start, and soon.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
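One practical answer to "how to get there from here" is hash agility in the data you store: tag every digest with the algorithm that produced it, keep verifying the old algorithm during the transition, and create only with the new one, so the old entries can be refreshed as they are touched. The following is an added example, not from this post or any library; the `algorithm:hexdigest` record format and the acceptance policy are constructed for the illustration:

```python
import hashlib
import hmac

# Transition policy (constructed for this example): algorithms we still
# accept on verification, weakest first, and the one new records are made with.
ACCEPTED = ("sha1", "sha256", "sha384", "sha512")
PREFERRED = "sha512"


def digest_record(data: bytes, algorithm: str = PREFERRED) -> str:
    """Self-describing digest, e.g. 'sha512:ab12...'. Rejects anything outside the policy."""
    if algorithm not in ACCEPTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def parse_record(record: str):
    algorithm, sep, hexdigest = record.partition(":")
    if not sep or algorithm not in ACCEPTED:
        raise ValueError(f"unrecognised digest record: {record!r}")
    return algorithm, hexdigest


def verify_record(data: bytes, record: str) -> bool:
    """Verify with whatever algorithm the record names (constant-time compare)."""
    algorithm, hexdigest = parse_record(record)
    expected = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(expected, hexdigest)


def needs_upgrade(record: str) -> bool:
    """True when the record was made with something weaker than PREFERRED."""
    algorithm, _ = parse_record(record)
    return ACCEPTED.index(algorithm) < ACCEPTED.index(PREFERRED)


def verify_and_migrate(data: bytes, record: str):
    """Opportunistic migration: after a successful check with an older
    algorithm, hand back a refreshed record for the caller to store in
    place of the old one. A failed check never triggers a rewrite."""
    if not verify_record(data, record):
        return False, record
    return True, (digest_record(data) if needs_upgrade(record) else record)


if __name__ == "__main__":
    doc = b"example document"                    # constructed input
    legacy = digest_record(doc, "sha1")          # what an old system stored
    print(legacy, needs_upgrade(legacy))
    print(verify_and_migrate(doc, legacy))
```

Because the record names its algorithm, an old client that only knows SHA-1 can keep verifying its own entries while a new client creates and refreshes with SHA-512; when the population of old clients has died off, dropping `"sha1"` from `ACCEPTED` is the only change needed.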





Westlaw agrees to restrict access to Social Security numbers

2005-03-20 Thread R.A. Hettinga
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/11162869.htm?template=contentModules/printstory.jsp

The San Jose Mercury News

Posted on Thu, Mar. 17, 2005

Westlaw agrees to restrict access to Social Security numbers


WASHINGTON (AP) - A legal research company said Thursday it will greatly
restrict customer access to Social Security numbers in response to
complaints from Congress that its previous policy of limited sales of the
numbers invited identity theft.

Westlaw, a Minnesota-based legal research firm, said private companies and
many government offices no longer will be able to obtain such information
from the company.

``The events of the past months illustrate the importance of tougher
controls, and we're pleased to be a part of a broader and ongoing effort
that supports both individual privacy and homeland security concerns,''
said Peter Warwick, CEO of Thomson West, which operates the online Westlaw
service.

The company's practices came under fire from lawmakers after another data
company, ChoicePoint, announced some 145,000 customers had been exposed to
identity theft.

Westlaw, which is owned by The Thomson Corp., has not suffered a similar
breach, but Sen. Charles Schumer, D-N.Y., called on the company to tighten
restrictions on the information available to customers in the wake of the
ChoicePoint problem.

Under the new policy, about 85 percent of Westlaw customers who previously
had access to the Social Security number search will no longer have such
access.

All private companies, and many government offices, including the U.S.
Senate, will no longer have access to Social Security numbers through
Westlaw. Access will remain for some law enforcement agencies.

Congress has stepped up pressure on data companies that collect huge
amounts of private information.

On Tuesday, ChoicePoint Inc. CEO Derek Smith appeared before a House Energy
and Commerce Committee panel to publicly apologize to customers whose
information may have been obtained surreptitiously.

Appearing beside him was LexisNexis CEO Kurt Sanford, whose company also
had a breach involving information on about 32,000 people. LexisNexis is
owned by Reed Elsevier PLC.

The two executives said they would support some proposals to toughen laws
governing consumer privacy.

They did not support a more sweeping prohibition on the sale of Social
Security numbers, arguing such sales may be necessary for law enforcement
or debt collection.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Cyber cops foil £220m Sumitomo bank raid

2005-03-20 Thread R.A. Hettinga
http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/print.html

The Register



 Original URL:
http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/

Cyber cops foil £220m Sumitomo bank raid
By John Leyden (john.leyden at theregister.co.uk)
Published Thursday 17th March 2005 11:51 GMT

A hi-tech bid to steal £220m ($423m) from the London offices of the
Japanese bank Sumitomo Mitsui has been foiled by police. A gang of cyber
crooks compromised Sumitomo's computer systems in October 2004 prior to an
unsuccessful attempt to transfer money to a series of 10 accounts overseas,
the FT reports.

Yeron Bolondi, 32, was arrested by Israeli police on Wednesday after an
attempt to transfer £13.9m to a bank account in the country. He has been
charged with money laundering and deception. The plan was thwarted before
any cash was transferred, the BBC reports
(http://news.bbc.co.uk/1/hi/uk/4356661.stm).

Takashi Morita, head of communications at Sumitomo in Tokyo, told
(http://news.independent.co.uk/uk/crime/story.jsp?story=620980) the Press
Association that the bank had not suffered any losses as a result of the
attempted heist. We have undertaken various measures in terms of security
and we have not suffered any financial damage, he said. Details of how the
bank's systems were compromised remain sketchy though several reports
implicate the use of key logging software as part of the plot.

A spokeswoman for the National High-Tech Crime Unit declined to comment on
its ongoing investigation into the attempted robbery of Sumitomo.

A spokesman for the bank in London declined to say anything, other than the
attempted raid was a complete failure.
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread Steven M. Bellovin
A few days ago, I posted this:

WASHINGTON (AP) -- The National Security Agency warned President
Bush in 2001 that monitoring U.S. adversaries would require a
``permanent presence'' on networks that also carry Americans'
messages that are protected from government eavesdropping.

...


``Make no mistake, NSA can and will perform its missions consistent
with the Fourth Amendment and all applicable laws,'' the document
says.


Today, I happened to learn the URL for the document itself:
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf .  There's 
little that strikes me as sensitive in it, other than the (redacted) 
budget numbers.  What's someplace between amusing and appalling is some 
of the other things that NSA had considered sensitive.  For example, 
consider this paragraph, from page 5:

The National Security Agency has a proud tradition of serving the
nation.  NSA has been credited with preventing or significantly
shortening military conflicts, thereby saving lives of U.S.
military and civilian personnel.  NSA gives the nation a decisive
edge in policy interactions with other nations, in countering
terrorism, and in helping stem the flow of narcotics into our
country.  NSA has been the premier information agency of the
industrial age, and through ongoing modernization and cutting edge
research, will continue to be the premiere knowledge agency of the
information age.

That paragraph, believe it or not, was classified Secret.  For what
it's worth, the official definition of Secret, from Executive Order
12958 (http://www.dss.mil/seclib/eo12958.htm), is:

 Secret shall be applied to information, the unauthorized
 disclosure of which reasonably could be expected to cause serious
 damage to the national security that the original classification
 authority is able to identify or describe.

What in that paragraph could cause serious damage?  The notion that
NSA gives the U.S. government an edge in policy interactions, i.e.,
it may spy on foreign governments?  I'm shocked, shocked to hear that.

Then there are the paragraphs on pages 16 and 17 that describe
NSA's legislative lobbying on crypto legislation.  Those were marked
FUOO -- For Official Use Only.  DD Form 254 says

The For Official Use Only (FOUO) marking is assigned to
information at the time of its creation in a DoD User
Agency. It is not authorized as a substitute for a security
classification marking but it is used on official government
information that may be withheld from the public under
exemptions 2 through 9 of the Freedom of Information Act.

Why is that information eligible to be withheld?  Because it tells
the public that NSA is interested in legislation about crypto and
exports?

I could go on, but the topic of overclassification is well-worn.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Off-the-Record Messaging

2005-03-20 Thread R.A. Hettinga
http://www.cypherpunks.ca/otr/

Off-the-Record Messaging

News - Downloads - Mailing Lists - Documentation - Frequently Asked
Questions - Press

Off-the-Record (OTR) Messaging allows you to have private conversations
over instant messaging by providing:
 Encryption
No one else can read your instant messages.
 Authentication
You are assured the correspondent is who you think it is.
 Deniability
The messages you send do not have digital signatures that are checkable by
a third party. Anyone can forge messages after a conversation to make them
look like they came from you. However, during a conversation, your
correspondent is assured the messages he sees are authentic and unmodified.
 Perfect forward secrecy
If you lose control of your private keys, no previous conversation is
compromised.

 News
24 Feb 2005
otrproxy-0.2.0 released. Changes from 0.1.x:
*There's now a GUI! See the README for more details.
 23 Feb 2005
gaim-otr 2.0.1 released. Changes from 2.0.0:
*Removed people without fingerprints from the Known Fingerprints
list.
*The column heads in the Known Fingerprints list cause sorting to
happen in the expected way.
 22 Feb 2005
Nikita made a 0.1.2 version of otrproxy for OSX. Changes from 0.1.1:
*AIM screen names should be compared case- and space-insensitively.
 16 Feb 2005
Version 2.0.1 of libotr released. Changes from 2.0.0:
*Don't send encrypted messages to a buddy who has disconnected
his private connection with us.
*Don't show the user the the last message was resent notice if
the message has never actually been sent before.
*Fix a crash bug that happened when messages were retransmitted
under certain circumstances.

 More News...

Downloads

OTR library and toolkit

This is the portable OTR Messaging Library, as well as the toolkit to help
you forge messages. You need this library in order to use the other OTR
software on this page. [Note that some binary packages, particularly
Windows, do not have a separate library package, but just include the
library and toolkit in the packages below.] The current version is 2.0.1.

 README
Source code (2.0.1)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
[Note that if you're compiling from source on win32, you may need to make
this patch to libgcrypt-1.2.1.]
 Linux/x86 (2.0.1)
 Debian testing/unstable
Debian testing/unstable dev package
Fedora Core 3 RPM
Fedora Core 3 dev RPM
Linux/x86_64 (2.0.1)
 Fedora Core 3 RPM
Fedora Core 3 dev RPM

OTR plugin for gaim

This is a plugin for gaim 1.x which implements Off-the-Record Messaging
over any IM network gaim supports. The current version is 2.0.1. You may
need the above library packages.

 README
Source code (2.0.1)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
Linux/x86 (2.0.1)
 Debian testing/unstable (Debian stable does not have the required 1.x
version of gaim)
 Fedora Core 3 RPM
Linux/x86_64 (2.0.1)
 Fedora Core 3 RPM
Windows (2.0.1)
 Win32 installer (sig)

 OTR localhost AIM proxy

This is a localhost proxy you can use with almost any AIM client in order
to participate in Off-the-Record conversations. The current version is
0.2.0, which means it's still a long way from done. Read the README file
carefully. Some things it's still missing:
*Username/password authentication to the proxy
*Having the proxy be able to use outgoing proxies itself
*Support for protocols other than AIM/ICQ
*Configurability of the proxy types and ports it uses
 But it should work for most people. Please send feedback to the otr-users
mailing list, or to the dev team. You may need the above library packages.

 README
Source code (0.2.0)
 Compressed tarball (sig)
 Fedora Core 3 SRPM
Linux/x86 (0.2.0)
 Debian testing/unstable
Fedora Core 3 RPM
Windows (0.2.0)
 Win32 installer (sig)
 OSX (0.2.0)
 OSX package

Mailing Lists

If you use OTR software, you should join at least the otr-announce mailing
list, and possibly otr-users (for users of OTR software) or otr-dev (for
developers of OTR software) as well.

 Documentation

Here are some documents and papers describing OTR. The WPES presentation is
quite useful to get started.
*Protocol description
*   The WPES 2004 version of our paper
*   Our WPES presentation (Powerpoint)
*   Our WPES presentation (PDF)

Frequently Asked Questions
What implementations of Off-the-Record Messaging are there?
Right now, there's the plugin for gaim, which is supported on Linux and
Windows. There's also the OTR proxy, which is supported on Linux, Windows,
and OSX. The OTR functionality is separated into the Off-the-Record
Messaging Library (libotr), which is an LGPL-licensed library that can be
used to (hopefully) easily produce OTR plugins for other IM software, or
for other applications entirely.
 What is the license for the OTR software?
The Off-the-Record Messaging 
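
The four properties listed on the OTR page above (encryption, authentication, deniability, perfect forward secrecy), worked through in an added Python example. This is not code from the OTR project or libotr: the 127-bit Diffie-Hellman group is a toy, the SHA-256 key derivation and SHA-256 counter-mode keystream are stand-ins for OTR's real KDF and AES-CTR, the nonce is my own addition, and the step where OTR signs the DH values with long-term keys (so each side knows whom it is talking to) is omitted. What it does show is the mechanism behind each property: ephemeral DH exponents thrown away after key derivation, a MAC that only the two key holders can produce while the conversation is live, and the effect of publishing that MAC key once the message has been acknowledged, which is how OTR makes the transcript forgeable after the fact.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demo: p = 2^127 - 1 (a Mersenne prime), g = 3.
# Far too small for real use; OTR itself uses a 1536-bit MODP group.
P = (1 << 127) - 1
G = 3
SS_LEN = 16  # bytes needed to encode a value < P


def dh_keypair():
    """Ephemeral DH key: a fresh random exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared):
    """Session keys from the shared secret (hypothetical KDF, not OTR's own)."""
    ss = shared.to_bytes(SS_LEN, "big")
    enc_key = hashlib.sha256(b"enc" + ss).digest()
    mac_key = hashlib.sha256(b"mac" + ss).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream from SHA-256 (stand-in for OTR's AES-CTR).
    Like AES-CTR it is malleable: flipping a ciphertext bit flips the plaintext bit."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt with the stream cipher, then MAC nonce || ciphertext."""
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unseal(enc_key, mac_key, nonce, ct, tag):
    """Verify the MAC in constant time, then decrypt; raises on tampering."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def run_session(message, forged_message):
    """One OTR-style exchange; returns what each property looks like in practice."""
    if len(message) != len(forged_message):
        raise ValueError("the forgery below only swaps plaintexts of equal length")

    # Ephemeral DH: both exponents are discarded once the keys are derived, so no
    # long-term secret can later reproduce them (perfect forward secrecy).
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    enc_key, mac_key = derive_keys(pow(b_pub, a_priv, P))
    assert derive_keys(pow(a_pub, b_priv, P)) == (enc_key, mac_key)
    del a_priv, b_priv

    nonce = secrets.token_bytes(8)  # constructed per message for the demo
    ct, tag = seal(enc_key, mac_key, nonce, message)

    # Authentication during the conversation: only a holder of mac_key could have
    # produced the tag, and any change to the ciphertext is rejected.
    received = unseal(enc_key, mac_key, nonce, ct, tag)
    try:
        unseal(enc_key, mac_key, nonce, xor(ct, b"\x01" + b"\x00" * (len(ct) - 1)), tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Deniability: once the message is acknowledged, the MAC key is published.
    # A third party who saw the ciphertext and knows (or guesses) the plaintext can
    # now flip it to any other plaintext of the same length and attach a tag that
    # verifies, without ever holding enc_key. The tag therefore proves nothing about
    # authorship to anyone after the fact; only the live correspondent could rely on it.
    published_mac_key = mac_key
    forged_ct = xor(ct, xor(message, forged_message))
    forged_tag = hmac.new(published_mac_key, nonce + forged_ct, hashlib.sha256).digest()
    forgery_verifies = hmac.compare_digest(
        hmac.new(mac_key, nonce + forged_ct, hashlib.sha256).digest(), forged_tag)
    forged_plaintext = unseal(enc_key, mac_key, nonce, forged_ct, forged_tag)

    return {
        "received": received,
        "tamper_detected": tamper_detected,
        "forgery_verifies": forgery_verifies,
        "forged_plaintext": forged_plaintext,
    }


if __name__ == "__main__":
    print(run_session(b"meet at noon", b"meet at five"))
```

The design choice worth noticing is that the cipher is deliberately malleable: a non-malleable (authenticated) cipher would stop the after-the-fact forger from choosing a plaintext, and the published MAC key alone would then prove far less. OTR accepts that trade because integrity during the conversation comes from the MAC, not from the cipher.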

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Shostack
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote:
| Ian G wrote:
| 
| Adam Fields wrote:
| 
| Given what may or may not be recent ToS changes to the AIM service,
| I've recently been looking into encryption plugins for gaim.
| Specifically, I note gaim-otr, authored by Ian G, who's on this list.
| 
| 
| Just a quick note of clarification, there is a collision
| in the name Ian G.  4 letters does not a message digest
| make.
| 
| 
| Perhaps if you were to prepend a random serial number to your name this 
| problem would be alleviated?

They'd both randomly choose pi.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread James A. Donald
--
On 18 Mar 2005 at 22:52, Steven M. Bellovin wrote:
 That paragraph, believe it or not, was classified Secret.
 For what it's worth, the official definition of Secret,
 from Executive Order 12958
 (http://www.dss.mil/seclib/eo12958.htm), is:

   Secret shall be applied to information, the unauthorized 
   disclosure of which reasonably could be expected to cause
   serious damage to the national security that the original
   classification authority is able to identify or describe.

Obviously any bureaucrat with the authority to categorize
something as secret will more or less automatically so stamp
any information that passes through his hands, to inflate his
importance, and thus his job security and prospects for
promotion.  Similarly, he will spend any money he has authority
to spend, thus the never ending conflict between congress and
the SSSI bureaucracy, who if they had their way would put every
single American, plus the dead and the pets, on SSSI

This results in top secret information being treated as not
very secret at all, as documented by Richard Feynman, which in
turn results in ever higher secrecy classifications, more top
than top, a process of classification inflation and debasement. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 R4I4vh9JdcWBUfeQFXQ+i/TlFSVcljg/Og6KRDDj
 4qwXmonSAX1xgyPdaB5TsB80yC66PjeWY5mzIpBuo


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: how to phase in new hash algorithms?

2005-03-20 Thread Ian G
Steven M. Bellovin wrote:
So -- what should we as a community be doing now?  There's no emergency 
on SHA1, but we do need to start, and soon.
The wider question is how to get moving on new hash
algorithms.  That's a bit tricky.
Normally we'd look to see NIST or the NESSIE guys
lead a competition.  But NESSIE just finished a
comp, and may not have the appetite for another.
NIST likewise just came out with SHA256 et al, and
they seem to have a full work load as it is trying
to get DSS-2 out.
How about the IACR?  Would they be up to leading
a competition?  I don't know them at all myself,
but if the Shandong results are heard at IACR
conferences, then maybe it's time to take on a
larger role.
Most of the effort could be volunteer, and it would
also be easy enough to schedule everything aligned
with the conference circuit.
Just a thought.  Anyone know anyone at the IACR?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Encryption plugins for gaim

2005-03-20 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Peter Saint-Andre writes:
On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
 On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
  Why not help us make Jabber/XMPP more secure, rather than overloading
  AIM? With AIM/MSN/Yahoo your account will always exist at the will of
 
 Unfortunately, I already have a large network of people who use AIM,
 and they all each have large networks of people who use AIM. Many of
 them still use the AIM client. Getting them to switch to gaim is
 feasible. Getting them to switch to Jabber is not. However, getting
 them to switch to gaim first, and then ultimately Jabber might be an
 option. Frankly, the former is more important to me in the short
 term.

Yep, the same old story. :-)

  AOL, whereas with XMPP you can run your own server etc. Unfortunately
 
 Does can == have to? From what I remember of trying to run Jabber
 a few years ago, it did.

No, we have 200k registered users on the jabber.org server and some
servers have even more. You can run your own server, though, and accept
connections only from other servers you trust, etc.


Let me second the recommendation for jabber (though I wish the code 
quality of some of the components were better).  The protocol itself 
supports TLS for client-to-server encryption; you can also have AIM (or 
other IM) gateways on that server.  In many situations (i.e., 
wireless), it protects the most vulnerable link from eavesdropping.  
While clearly not as good as end-to-end encryption, it's far better 
than nothing, especially in high-threat environments such as the 
IETF...  (Of course, I only know of one open source client -- psi -- 
that checks the server certificate.)  In theory, server-to-server 
communications can also be TLS-protected, though I don't know if any 
platforms support that.

On top of any other encryption, many implementations support PGP 
encryption between correspondents.  I don't know of any support for 
e2e-encrypted chat rooms.

I haven't played with OTR, nor am I convinced of the threat model.  
That said, what you really need to watch out for is the transcript 
files on your own machine...

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ralf Senderek writes:


And that is why I ask to give the Shamir Discrete Logarithm Hash Function a second
thought. At least we have a proof of collision resistance under the assumption
that factoring is infeasible for the modulus used.

And that is more than we ever had regarding the MD4 series.

BTW, choosing the next generation hash function should - as I think - not be
dominated by terms of performance. (i.e. done in the olde fashion)


Dominated?  No, of course not.  But a hash function based on discrete 
log will be slow enough that no one will use it.  

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]