Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Victor Duchovni
On Thu, Dec 08, 2005 at 05:10:20PM -0800, Ed Gerck wrote:

 PGP is public-key email without PKI.

This is true for use in geodesic networks, but not true for
inter-organization email: one ends up introducing gateway systems that
create an ad-hoc PKI of gateways that have exchanged keys, and of users
that have authenticated to the gateways when one of the sides has no
such gateway. Key management does not go away.

 So is IBE.

I disagree here: with IBE there still needs to be a way to securely obtain
the site public key for each site. Granted, you don't need a per-user
key, but this does not make the problem of key management go away.

My *personal* view is that patent encumbered technologies don't have a
major role to play in anything quite as ubiquitous as email.


Victor Duchovni
IT Security, Morgan Stanley

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Anne Lynn Wheeler
Ed Gerck wrote:
 I believe that's what I wrote above. This rather old point (known to the
 X.509 authors, as one can read in their documents) is why X.509 simplifies
 what it provides to the least possible _to_automate_ and puts all the local 
 human-based security decisions in the CPS.
 (The fact that the CPS is declared to be out of scope of X.509 is both a
 solution and a BIG problem as I mentioned previously.)

i like the explanation that some attempted to give at the acm sigmod
conference in san jose (circa 1992) of what was going on in the
x.5xx standards activities; ... a bunch of network engineers trying to
re-invent 1960s database technology ...

the x.509 digital certificates being a stale, static cacheable entry of
something in an x.500 ldap database ... that was armored for survival in a
potentially hostile environment and for relying parties that didn't have
the ability to access the real database entry.

cps was something that was needed for trusted third party certification
authority operation ... not for the x.509 identity certificate itself. the
issue is when you effectively have these stale, static, cacheable,
armored database entries that aren't part of the organization and
business processes that the relying parties belong to. in traditional access to
database entries (whether you are directly accessing the entry or a
stale, static cached copy of the database entry) ... the business
processes accessing the data and the businesses responsible for the data
are part of the same operation and/or belong to organizations that have
binding contractual relationships.

it is only when you have parties responsible for the information
(trusted third party certification authorities) that are 1) totally
different from the parties relying on the information  and/or 2) the
different parties have no contractual relationships.

one could hypothesize that the creation of CPS was to provide some sort
of substitute for a contractual relationship between different
organizations/parties where the relying party has no means of directly
accessing the information and must rely on a stale, static digital
certificate representation (of that information), provided by an
organization with which the relying party has no contractual relationship
(just claiming to be a trusted third party certification authority
possibly wasn't enough of a sense of security for some relying parties,
and so CPS were invented to provide relying parties a higher sense of
comfort in lieu of having something like an actual contractual

that makes CPSs a substitute for contractual relationships when x.509
digital certificates are used for trusted third party certification
authorities where the relying parties and the TTP/CAs are different


Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Anne Lynn Wheeler
Ed Gerck wrote:
 PGP is public-key email without PKI. So is IBE. And yet neither of them has
 all the identical, same basic components that PKI also needs. Now, when you
 look at the paper on email security at
 you see that the issue of what components PKI needs (or not) is not
 relevant to the analysis.

usually when you are doing baseline ... you start with the simplest,
evaluate that and then incrementally add complexity. in that sense
PGP is much closer to the simplest baseline ... and PKI becomes added
complexity ... inverting your classification; email PKI is PGP with
digital certificates added.

you then could add various layers of public key operation where the
relying parties have direct access to the information in one way or
another and therefore don't require stale, static, armored cached copies
(digital certificates) of the real information.

then you can go thru numerous layers of PKI ... are the relying parties
and the digital certificate creators part of the same business
organizations ... and therefore require neither a contractual relationship
nor a CPS as a substitute for a contractual relationship.

then add trusted third party certification authority PKI ... where the
relying parties and the certification authorities have a direct
contractual relationship and therefore don't require a CPS as a substitute
for a contractual relationship.

it is when you get to trusted third party certification authority PKI
... where the relying parties and the ttp/ca are part of totally
different business operations and have no contractual relationship that
you then get into the issue of how a relying party actually knows
that it should be trusting a ttp/ca.


Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Anne Lynn Wheeler
James A. Donald wrote:
 However, the main point of attack is phishing, when an
 outsider attempts to interpose himself, the man in the
 middle, into an existing relationship between two people
 that know and trust each other. 

in the public key model ... whether it involves pgp, pki, digital
certificates, what-ever; the local user (relying party) has to have a
local trusted repository for public keys. in the pki model, this tends
to be restricted to public keys of certification authorities ... so that
the relying party can verify the digital signature on these
message/document constructs called digital certificates.

in the traditional, ongoing relationship scenario, relying parties
directly record authentication information of the parties they are
dealing with. if a relying party were to directly record the public key
of the people they are communicating with ... it is the trusting of that
public key and the validating of associated public key operations that
provide for the countermeasure for man-in-the-middle attacks and
phishing attacks.

the issue that has been repeatedly discussed is that supposedly the
existing SSL domain name digital certificates were to prevent
impersonation and mitm-attacks. however, because of various
infrastructure shortcomings ... an attacker can still operate with
perfectly valid SSL domain name digital certificates ... and it doesn't
stop the MITM-attack and/or phishing.


Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Ed Gerck

Anne Lynn Wheeler wrote:

usually when you are doing baseline ... you start with the simplest,
evaluate that and then incrementally add complexity. 

I think that's where PKI got it wrong in several parts and not
just the CPS. It started with the simplest (because it was meant to
work for a global RA -- remember X.500?) and then complexity was
added. Today, in the most recent PKIX dialogues, even RFC authors
often disagree on what is meant in the RFCs. Not to mention the

As another example, at least one IBE offer does not talk about
key lifetime at all -- in fact, the documentation online talks
about using the same key for _all_ future communications. When this,
of course, fails and key expiration is introduced, it will be
over an existing baseline... a patch. Key revocation will be
even harder to introduce in IBE.

As new capabilities conflict with the old, the end result of this
approach seems to be a lot of patched-in complexity and vulnerabilities.

It seems better to start with a performance specification for the full
system. The code can follow the specs as closely as possible for
each version, the specs can change too, but at least the grand
picture should exist beforehand. This is what this thread's subject
paper is about, the grand picture for secure email and why we aren't
there yet (Phil's PGP is almost 15 years old) -- what's missing.

BTW, there's a new version out for the X.509 / PKI, PGP, and IBE
Secure Email Technologies paper and Blog comments in the site as well,

Ed Gerck


Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Bill Stewart

At 09:40 AM 12/8/2005, Aram Perez wrote:

On Dec 7, 2005, at 10:24 PM, James A. Donald wrote:

Software is cheaper than boats - the poorest man can
afford the strongest encryption, but he cannot afford
the strongest boat.

If it is that cheap, then why are we having this discussion? Why
isn't there a cheap security solution that even my mother can use?

Usability is a hard problem, and security is a really broad field.
PGP, for instance, did a pretty good job of security a decade ago,
given Phil's threat models, (ignoring a few algorithm problems
that were mostly related to trying to skimp on bits
and the subsequent weaknesses in MD5),
but the usability was pretty rough back then,
and version compatibility has gotten enough worse that
Hugh Daniel and I can no longer reliably communicate with PGP.

But even if we both drop back to GPG on text files,
and use remailers run by friends on Tor nodes run by random strangers,
KGB-proof security would require protection against
black-bag jobs on Hugh's keyboards and duping employees
at my company's IT department into weakening my Windows XP configuration.
(For cost-effectiveness and avoidance of detection,
I'd recommend the latter strategy, probably by selling them
some new nifty administration tool or Instant Messaging client :-)

The real security issue for your mother is threat models.
If your mom isn't using a Mac or administering her own Linux box,
then her biggest security threat is that she's computing
on a box made of Swiss cheese (though XP does seem to be
noticeably better than Win95/98/ME) and probably using a browser
that's happy to accept random software installed by spammers
and phishers, and if she's not using webmail,
she's probably running a mail client that happily displays
clickable links to phishing sites purporting to be eBay or her bank.
And that's mostly independent of whether she can trustably
send email to other members of the Ladies' Sewing Circle and
Terrorist Society without the Feds reading it,
which is the kind of problem PGP was trying to solve,
because her bank and eBay don't cryptographically sign their mail.

Popularity of a product is critical to its security;
you don't gain anonymity if the Feds can recognize that
you're one of the dozen users of a given application.
Your mom can use Skype, but nobody she knows uses Crypto Kong,
and I only know a few people who use PGP to email their mom.
But some of the Instant Messaging systems use crypto;
too bad that they're continually trying to be incompatible
with each other to gain market share.


secure links using classical (i.e., non-quantum) physics

2005-12-10 Thread Steven M. Bellovin

Totally Secure Classical Communication Utilizing Johnson (-like) Noise 
and Kirchhoff's Law
Authors: Laszlo B. Kish
Comments: 14 pages; Google search terms: +totally +secure +communication
Subj-class: General Physics
Journal-ref: Manuscript featured by Science, vol. 309, p. 2148 (2005, 
September 30)

An absolutely secure, fast, inexpensive, robust, maintenance-free 
and low-power-consumption communication is proposed. The states of the 
information bit are represented by two resistance values. The sender 
and the receiver have such resistors available and they randomly select 
and connect one of them to the channel at the beginning of each clock 
period. The thermal noise voltage and current can be observed but 
Kirchhoff's law provides only a second-order equation. A secure bit is 
communicated when the actual resistance values at the sender's side and 
the receiver's side differ. Then the second-order equation yields the 
two resistance values but the eavesdropper is unable to determine the 
actual locations of the resistors and to find out the state of the 
sender's bit. The receiver knows that the sender has the inverse of his 
bit, similarly to quantum entanglement. The eavesdropper can decode the 
message if, for each bit, she injects current into the wire and measures 
the voltage change and the current changes in the two directions. 
However, in this way she gets discovered by the very first bit she 
decodes. Instead of thermal noise, proper external noise generators 
should be used when the communication is not intended to be stealthy.

--Steven M. Bellovin,
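The resistor-noise exchange the abstract describes, simulated as an added example (not the post's or the paper's code): two constructed resistance values stand for the bit states, the wiretapper's passive measurement is modelled by the Johnson-noise voltage and current spectral densities of the loop, and the operating temperature and random seed are assumptions. It shows why the passive observables are symmetric in the two ends and how the kept periods give both ends the same key.

```python
import random

K_B = 1.380649e-23  # Boltzmann constant, J/K
T = 300.0           # constructed: operating temperature in kelvin
R_LOW, R_HIGH = 1.0e3, 1.0e4  # constructed: resistance values for bit 0 / bit 1


def resistor(bit):
    """Map an information bit to the resistor an end connects to the wire."""
    return R_HIGH if bit else R_LOW


def eve_observables(r_sender, r_receiver):
    """What a passive wiretapper can measure during one clock period: the
    Johnson-noise power spectral densities of loop voltage and loop current.
    By Kirchhoff's law both are symmetric in the two resistances."""
    s_u = 4 * K_B * T * (r_sender * r_receiver) / (r_sender + r_receiver)
    s_i = 4 * K_B * T / (r_sender + r_receiver)
    return s_u, s_i


def eve_infers_pair(s_u, s_i):
    """Solve the second-order equation: sum and product give the unordered
    set of resistances, but nothing about which end holds which."""
    r_sum = 4 * K_B * T / s_i
    r_prod = s_u * r_sum / (4 * K_B * T)
    disc = max(0.0, r_sum ** 2 - 4 * r_prod) ** 0.5   # |R1 - R2|
    return frozenset(round(x) for x in ((r_sum - disc) / 2, (r_sum + disc) / 2))


def run_period(sender_bit, receiver_bit):
    """One clock period. Returns (secure bit or None, Eve's inferred pair).
    A bit counts only when the ends chose different resistors; in that case
    the receiver knows the sender holds the inverse of its own bit."""
    s_u, s_i = eve_observables(resistor(sender_bit), resistor(receiver_bit))
    pair = eve_infers_pair(s_u, s_i)
    if len(pair) == 1:  # same resistor at both ends: no information, discard
        return None, pair
    receiver_view = 1 - receiver_bit  # receiver deduces the sender's bit
    assert receiver_view == sender_bit
    return sender_bit, pair


def agree_key(n_periods, seed=0):
    """Both ends flip a fair coin each period; kept periods form a shared key."""
    rng = random.Random(seed)
    sender_key, receiver_key = [], []
    for _ in range(n_periods):
        sb, rb = rng.randrange(2), rng.randrange(2)
        bit, _pair = run_period(sb, rb)
        if bit is not None:
            sender_key.append(sb)
            receiver_key.append(1 - rb)
    return sender_key, receiver_key
```

Roughly half the periods are discarded because both ends drew the same resistor; the active current-injection attack and its detection from the abstract are not modelled here.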


[Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh

2005-12-10 Thread R. A. Hettinga
Same story, different malleable substance...

--- begin forwarded text

 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 10 Dec 2005 11:08:14 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Engineer Outwits Fingerprint Recognition Devices with

 LinuxElectrons

 Engineer Outwits Fingerprint Recognition Devices with Play-Doh

  Friday, December 09 2005 @ 05:50 PM CST
  Contributed by: ByteEnable
 Potsdam, New York - Eyeballs, a severed hand, or fingers carried in ziplock
 bags. Back alley eye replacement surgery. These are scenarios used in
 recent blockbuster movies like Steven Spielberg's Minority Report and
 Tomorrow Never Dies to illustrate how unsavory characters in high-tech
 worlds beat sophisticated security and identification systems.

 Sound fantastic? Maybe not. Biometrics is the science of using biological
 properties, such as fingerprints, an iris scan, or voice recognition, to
 identify individuals. And in a world of growing terrorism concerns and
 increasing security measures, the field of biometrics is rapidly expanding.

  "Biometric systems automatically measure the unique physiological or
 behavioral 'signature' of an individual, from which a decision can be made
 to either authenticate or determine that individual's identity," explained
 Stephanie C. Schuckers, an associate professor of electrical and computer
 engineering at Clarkson University. Today, biometric systems are popping
 up everywhere - in places like hospitals, banks, even college residence
 halls - to authorize or deny access to medical files, financial accounts,
 or restricted or private areas.

  And as with any identification or security system, Schuckers adds,
 biometric devices are prone to 'spoofing' or attacks designed to defeat

  "Spoofing is the process by which individuals overcome a system through an
 introduction of a fake sample. Digits from cadavers and fake fingers
 molded from plastic, or even something as simple as Play-Doh or gelatin,
 can potentially be misread as authentic," she explains. "My research
 addresses these deficiencies and investigates ways to design effective
 safeguards and vulnerability countermeasures. The goal is to make the
 authentication process as accurate and reliable as possible."

  Schuckers' biometric research is funded by the National Science Foundation
 (NSF), the Office of Homeland Security and the Department of Defense. She
 is currently assessing spoofing vulnerability in fingerprint scanners and
 designing methods to correct for these as part of a $3.1 million
 interdisciplinary research project funded through the NSF. The project,
 ITR: Biometrics: Performance, Security and Societal Impact, investigates
 the technical, legal and privacy issues raised from broader applications of
 biometric system technology in airport security, computer access, or
 immigration. It is a joint initiative among researchers from Clarkson, West
 Virginia University, Michigan State University, St. Lawrence University,
 and the University of Pittsburgh.

  Fingerprint scanning devices often use basic technology, such as an
 optical camera that takes pictures of fingerprints, which are then read by
 a computer. In order to assess how vulnerable the scanners are to spoofing,
 Schuckers and her research team made casts from live fingers using dental
 materials and used Play-Doh to create molds. They also assembled a
 collection of cadaver fingers.

 [Photo caption] Clarkson University Associate Professor of Electrical and Computer
 Engineering Stephanie C. Schuckers, with imitation fingers. Simple casts
 made from a mold and material such as Play-Doh, clay or gelatin can be used
 to fool most fingerprint recognition devices. Schuckers, an expert in
 biometrics, the science of using biological properties, such as
 fingerprints or voice recognition, to identify individuals, is a partner in
 a $3.1 million interdisciplinary biometrics research project funded by the
 National Science Foundation with support from the Department of Homeland

  In the laboratory, the researchers then systematically tested more than 60
 of the faked samples. The results were a 90 percent false verification rate.

  "The machines could not distinguish between a live sample and a fake one,"
 Schuckers explained. "Since liveness detection is based on the recognition
 of physiological activities as signs of life, we hypothesized that
 fingerprint images from live fingers would show a specific changing
 moisture pattern due to perspiration but cadaver and spoof fingerprint
 images would not."

  In live fingers, perspiration starts around the pore, and spreads along
 the ridges, creating a distinct signature of the process. Schuckers and her
 research team designed a computer algorithm that would detect this pattern