[Clips] Bypassing the Password Prompt

2005-10-18 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 17 Oct 2005 20:02:26 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Bypassing the Password Prompt
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/15/AR2005101500178_pf.html

 The Washington Post

 washingtonpost.com
 Bypassing the Password Prompt

 By Mike Musgrove
 Washington Post Staff Writer
 Sunday, October 16, 2005; F07

 So many passwords, so little memory. In a digital era where everybody can
 access everything from bank information to vacation photos online,
 passwords are everywhere and many folks in the plugged-in world are finding
 they have more than they can remember.

 Password-management software, designed to give people a safe place to stash
 all those secret codes, has become a mini-industry unto itself. For Mac
 users, Apple has even built a password-stashing program, called Keychain,
 into the operating system.

 Security expert Bruce Schneier, the author of a free program for Windows
 users, got so tired of having to keep a lot of seldom-used passwords in his
 head that he designed a digital-locker program that he gives away at his
 security-focused blog, http://www.schneier.com/ .

 Schneier says his program, which is basically a notepad locked under its
 own password, uses military-level encryption. "Basically, the idea is
 that you could hand this file to your worst enemy, and he still couldn't
 get to your passwords," he said.

 Just don't come complaining to him if you forget the password that you use
 to open the program because he has no way to access it.

 Schneier's program requires users to copy and paste their password from his
 program to any password-protected application or Web site. For users
 looking to reclaim a few more precious seconds from their daily Web
 routine, there's another program that makes things even a little easier.

 A security widget from Siber Systems Inc., a small software company in
 Fairfax, automates the process of logging on to password-protected Web
 sites. Click on your Hotmail entry in the program, for example, and
 RoboForm will automatically enter your information and log you in to the
 Web-based e-mail program. If you like, the program will even randomly
 generate a password for you, all the better for protecting that valuable
 info locked up at your online stock account.

 Siber Systems marketing executive Bill Carey says that the program, which
 will also stash your credit card information and fill it out when you make
 purchases online, has been downloaded 6 million times since its launch in
 2001. The company offers a free trial version of the software at
 http://www.roboform.com/ ; the full version costs $29.95.

 Sometimes Web users can circumvent the process of having to use a password
 at all. For Web surfers who don't want to register at pesky news sites that
 want your e-mail address and demographic information, one site,
 http://www.bugmenot.com , is a clearinghouse for bogus accounts. It'll set
 you up with cheeky fake names and passwords -- like [EMAIL PROTECTED]
 and death_to_logons -- that already work on the site you're trying to
 access.

 Though Bugmenot.com is primarily a handy way to avoid registering at a news
 site -- the site lists washingtonpost.com as an offender -- it also pitches
 itself as a social movement for those who find it annoying that such Web
 sites ask for personal information. The site has a petition online, a
 protest to demonstrate the pointless nature of forced Web site
 registration schemes and the dubious demographic data they collect.

 By signing the petition, Bugmenot.com users vow to create a fake account at
 one of the top ten offending sites on Nov. 13, which the site dubs
 Internet Advertiser Wakeup Day.

 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[Clips] Estonians vote in world's first nationwide Internet election

2005-10-18 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 17 Oct 2005 20:11:31 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Estonians vote in world's first nationwide Internet election
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/12903730.htm?template=contentModules/printstory.jsp

 The San Jose Mercury News

 Posted on Fri, Oct. 14, 2005

 Estonians vote in world's first nationwide Internet election




 TALLINN, Estonia (AP) - This tiny former Soviet republic nicknamed
 ``e-Stonia'' because of its tech-savvy population is breaking new ground in
 digital democracy.

 This week, Estonia became the first country in the world to hold an
 election allowing voters nationwide to cast ballots over the Internet.

 Fewer than 10,000 people, or 1 percent of registered voters, participated
 online in elections for mayors and city councils across the country, but
 officials hailed the experiment conducted Monday to Wednesday as a success.

 Election officials in the country of 1.4 million said they had received no
 reports of flaws in the online voting system or hacking attempts.

 But critics say the fact that no problems emerged shouldn't give people
 comfort that Internet voting is safe from hacks, identity fraud and vote
 count manipulation. Potential attackers, they say, may simply wait until
 Internet voting is more widely used -- by which time it would be harder to
 stop.

 In the United States, the Pentagon canceled an Internet voting plan for
 military and overseas citizens in 2004 because of security concerns. Plans
 for large-scale voting in Britain have also been dropped.

 ``The benefits don't come anywhere near the risks,'' said Jason Kitcat, an
 online consultant and researcher at the University of Sussex, England.
 ``It's a waste of money and a waste of government energy.''

 He acknowledged that Estonia's system was the most secure to date, but said
 no system was ``good enough for a politically binding election.''

 Thousands of people voted online in Democratic primaries in Arizona in 2000
 and Michigan in 2004. The city of Geneva, Switzerland, has held several
 online referendums, the first in January 2003.

 But Estonia is the first to extend it to voters nationwide, experts said.

 ``They have the perfect population size to do something like this,'' said
 Thad Hall, a University of Utah political scientist and co-author of a book
 on Internet voting. ``As they have success, people will start to copy their
 success.''

 Estonia has the most advanced information infrastructure of any formerly
 communist eastern European state.

 It gave the Linux-based voting system a trial run in January, when about
 600 people voted online in a referendum in the capital, Tallinn. The plan
 is to allow online voting in the next parliamentary elections in 2007.

 ``I believe this is the future,'' said Mait Sooaru, director of an Estonian
 information logistics company who cast his electronic ballot Monday. ``It
 was easy and pretty straightforward.''

 To cast an online ballot, voters need a special ID card, a $24 device that
 reads the card and a computer with Internet access. Some 80 percent of
 Estonian voters have the ID cards, which have been used since 2002 for
 online access to bank accounts and tax records.

 Election committee officials said the ID card system had proven effective
 and reliable and dismissed any security concerns with using it for the
 online ballot.

 Arne Koitmae, of Parliament's elections department, said Internet voting
 would make it easier for people in remote rural locations to vote.

 Election officials said only 9,317 people out of 1.06 million registered
 voters opted to vote online. Estonians were also given the option of voting
 by mail and in person on Sunday.

 Koitmae said many ID card users still lack the reading device, which
 explains the low turnout of online voting.



--- end forwarded text




Re: EDP (entropy distribution protocol), userland PRNG design

2005-10-18 Thread Travis H.
> I can't say I'm a fan of the idea of having multiple ways of mixing entropy into
> the system. In particular, the idea of producing output by XORing your PRNG's
> output with the output of a semi-public RNG seems like a bad idea to me,
> because an attacker can easily control those values by taking over the web
> server or modifying packets in the network, and if they can somehow predict
> your PRNG outputs then they will be able to actually control the final output.

Ah yes, leveraging a known output into a controlled output would be bad indeed.

> I prefer a multi-stage design, as described by various people smarter than I
> am:
>
>  source(s) --> mixer --> pool --> extractor --> X9.31

Where can I find out more about the design choices for these stages?

> I believe most common hardware RNGs produce data at fairly high rates, often
> over 100 kbytes per second.

Some do, some don't.  Depends on the random source they are tapping.

Mine, the Atom Age HWRNG, produces them at 9600bps:
http://atom_age.tripod.com

Here are two others:

The Intel Random Number Generator
http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf
The Via C3 Nehemiah RNG
http://www.cryptography.com/resources/whitepapers/VIA_rng.pdf

The actual output rate depends on things like whitening and von
Neumann correctors, and so may vary.  In any case, the source has some
limit on the entropy rate, and oversampling won't help you generate
random bits any faster; you will get more bits but no more randomness.

With HWRNGs based on radioactive decay, going fast means using some
very unsafe substances.

There are some very fast RNGs, such as the quantis:

http://www.idquantique.com/products/quantis.htm

However, that's a sealed opaque package, so I don't fully trust it. 
I've been wondering if there's a way I could use it such that I didn't
have to fully trust it.  For example, if I could combine several, so
that an effective attack would require collusion of several parties.

> Instead of treating the two entropy sources as somehow different in your mixing
> strategy, just use the HWRNG for most of the inputs, but every tenth sample (or
> whatever), instead use the hash of all the random-looking system data you can
> get ahold of. Only doing it occasionally means there is a reasonable chance
> that sufficient changes have happened to the system since the sample worthwhile
> in terms of entropy gained, and doing a large block of it all at once prevents
> iterative guessing attacks if an attacker can control your HWRNG outputs but
> not your system statistics.

That seems like a very ad-hoc system that treats the HWRNG and
random-looking system data as somehow different (one is used for 90%
of the samples, one for 10%).

> Encrypting the output using keys generated by the PRNG is a good idea, but you
> presented it in a somewhat confusing way, in that it sounded almost like you
> were doing message transfer. [...]
> At no point do the two sides actually exchange messages,

I don't follow.  I'm transmitting entropy from the source to where it
is needed; surely this is a message of some kind?

I think I see what you mean, though, in that you don't need to think
of the encryption as part of the network protocol, but rather as
processing of the already-transmitted data.

> If you want to try to keep the entropy values sent from the box with the HWRNG to
> the client a secret from people on the network, just open up a TLS session.

TLS is SSL, right?

Transmitting over SSL would limit the strength to the minimum of the
strength of the asymmetric and symmetric ciphers.  Using my method
alone would not involve PK, so would be faster, need less entropy to
start with, and also the upper bound on strength is the same or
higher.  What I'm saying is that a chain is only as strong as its
weakest link, and my protocol has one less link.

> at little or no extra cost. You can buy a PCI board with a low-end Hifn crypto
> chip on it for less than $80 online.


For anyone who is interested, here is a link:
http://www.hifn.com/info/candp/Boardpartners.html
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
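
An added illustration of the point above about von Neumann correctors and oversampling; it is not code from the post. The raw source is simulated with Python's random module (constructed data, not a cryptographic generator), and the bias of 0.8, the oversampling factor and all function names are assumptions.

```python
import random

def biased_source(n, p_one, seed):
    """Constructed stand-in for a raw hardware source: n independent bits
    with P(1) = p_one. random.Random only simulates the source here."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def von_neumann(bits):
    """Read non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 are dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def oversample(bits, factor):
    """Simplified model of reading the source `factor` times faster than it
    produces new values: every read in between repeats the previous value."""
    return [b for b in bits for _ in range(factor)]

def summarize(raw):
    """Compare the raw stream with what survives the corrector."""
    out = von_neumann(raw)
    return {
        "raw_bits": len(raw),
        "raw_ones": sum(raw) / len(raw),
        "out_bits": len(out),
        "out_ones": sum(out) / len(out) if out else None,
    }

if __name__ == "__main__":
    raw = biased_source(200_000, 0.8, seed=1)
    # Biased input: about p*(1-p) = 16% of the input bits come out, unbiased.
    print("sampled at source rate:", summarize(raw))
    # Four times as many raw bits, but each aligned pair is a repeat, so the
    # corrector emits nothing extra (here: nothing at all).
    print("oversampled 4x:        ", summarize(oversample(raw, 4)))
```

The output rate after correction depends on the bias of the raw bits, which is why the usable rate of a hardware generator can be well below its raw sampling rate.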



SecurID and garage door openers

2005-10-18 Thread Travis H.
Speaking of two-factor authentication, can anyone explain how servers
validate the code from a SecurID token in the presence of clock skew?
Does it look backwards and forwards in time a few minutes?

Similarly, how do those garage door openers with rolling codes work,
given that the user may have pressed the button many times
accidentally while out of range of the receiver?

Is there any interest in reviewing the security of consumer-level
devices?  I ran across this when trying to pick a fairly secure
cordless telephone; there's precious little information on the
algorithms and keys used in the sales brochures.  I've heard horror
stories such as a DSSS phone that actually uses a normal analog
transmission in one of the directions.  Same issue with garage door
openers, alarm systems with remote controls, etc.

PS: How many cypherpunks does it take to open a garage door?
http://www.cap-lore.com/Garage/
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: SecurID and garage door openers

2005-10-18 Thread maf
On 18 Oct, Greg Rose wrote:
>> Similarly, how do those garage door openers with rolling codes work,
>> given that the user may have pressed the button many times
>> accidentally while out of range of the receiver?
>
> Ahh, one of the dirty little secrets. If the base receives two
> sequential outputs from a registered token, even if they are a long
> way away from the currently expected output, it will resynchronize to
> that.

I guess this varies. At least my former car had a warning in the manual,
regarding the remote, that it could get out of sync if I pressed the
buttons too many times while out of range. So I guess at least some
manufacturers did something a little bit better.

/MaF



Re: SecurID and garage door openers

2005-10-18 Thread Joseph Ashwood
----- Original Message -----
From: Travis H. [EMAIL PROTECTED]
Subject: SecurID and garage door openers

> Similarly, how do those garage door openers with rolling codes work,
> given that the user may have pressed the button many times
> accidentally while out of range of the receiver?

My understanding is that since it is a purely monotonic counter it is plenty
possible to do one of two things:

send {counter, data} instead of {data}, receiver stores last counter to
avoid replays

have the receiver just keep counting forward for a while (not a good idea

> Is there any interest in reviewing the security of consumer-level
> devices?

I'd be willing to take a look at the protocol, but dissection is not my
specialty.

> PS: How many cypherpunks does it take to open a garage door?
> http://www.cap-lore.com/Garage/

Currently, not very many, with proper designs openly published, not very
many because not very many companies will use it. However, it could be a
useful way for some cipherpunks to make some extra money. Anyone else up for
it? and how about the car alarm?
   Joe
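
The receiver behaviours discussed in the two replies above (a counter that only moves forward so old codes fail, a short look-ahead for presses made out of range, and resynchronising on two sequential codes far ahead of the expected one), as an added example that is not part of any post and not any vendor's algorithm. The HMAC-SHA256 code generator, the WINDOW and RESYNC sizes and all names are assumptions.

```python
import hashlib
import hmac

WINDOW = 16      # assumed look-ahead that opens on a single press
RESYNC = 4096    # assumed wider range searched only for resynchronisation

def code_for(key, counter):
    """Code the token sends for press number `counter` (HMAC stand-in)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:8].hex()

class Receiver:
    def __init__(self, key, counter=0):
        self.key = key
        self.last = counter    # highest counter accepted so far
        self.pending = None    # far-ahead counter waiting for its successor

    def _find(self, code, lo, hi):
        for c in range(lo, hi + 1):
            if hmac.compare_digest(code_for(self.key, c), code):
                return c
        return None

    def receive(self, code):
        # Second half of a resync: only the direct successor completes it.
        if self.pending is not None:
            expected, self.pending = self.pending + 1, None
            if hmac.compare_digest(code_for(self.key, expected), code):
                self.last = expected
                return "open (resynchronised)"
        # Normal case: a code slightly ahead of the last accepted counter.
        c = self._find(code, self.last + 1, self.last + WINDOW)
        if c is not None:
            self.last = c      # everything at or below c is now a replay
            return "open"
        # Far ahead: remember it, but do not open on one code alone.
        c = self._find(code, self.last + WINDOW + 1, self.last + RESYNC)
        if c is not None:
            self.pending = c
            return "ignored (press again)"
        return "rejected"

def demo():
    key = b"constructed-demo-key"   # constructed sample key
    rx = Receiver(key)
    # press 1, replay of 1, press 5, far-ahead 300, successor 301, old 300
    return [rx.receive(code_for(key, n)) for n in (1, 1, 5, 300, 301, 300)]

if __name__ == "__main__":
    print(demo())
```

Every counter value inside WINDOW or RESYNC is a code the receiver will act on, so widening either range for convenience also widens what it accepts.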



