mailer certificate retrieval via LDAP?

2006-06-09 Thread Steven M. Bellovin
Are there any common mailers -- open source preferred but not mandatory --
that can query LDAP directories to retrieve X.509 certificates for use in
S/MIME messages?  Evolution and Thunderbird are both able to send S/MIME,
but don't seem to have any easy certificate retrieval mechanisms.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: UK Detects Chip-And-PIN Security Flaw

2006-06-09 Thread Anne Lynn Wheeler

Anne & Lynn Wheeler wrote:
> for even more drift ... a news item from later yesterday
>
> UK Detects Chip-And-PIN Security Flaw
> http://www.cardtechnology.com/article.html?id=20060606I2K75YSX
>
> APACS says the security lapse came to light in a recent study of the
> authentication technology used in the UK's new chip-and-PIN card
> system.
>
> ... snip ...
>
> and some comment
> http://www.garlic.com/~lynn/aadsm23.htm#55 UK Detects Chip-And-PIN
> Security Flaw
>
> not too long after the exploit (from earlier deployments) being
> documented in 2002 ... it was explained to a group from the ATM
> industry ... leading somebody in the audience to quip "do you mean
> that they managed to spend a couple billion dollars to prove that
> chips are less secure than magstripes".

the above from discussion on the subject in a different context
http://www.garlic.com/~lynn/2006l.html#33

the above reference goes into a little more detail of where the label
"yes card" came from for the counterfeit cards used in the SDA exploit.


as mentioned in earlier posting in this thread:
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN 
Security Flaw


part of the aads chip strawman
http://www.garlic.com/~lynn/x959.html#aads

requirements in the 90s was to be able to do dynamic data authentication
with higher security than the DDA chips (using the chip&pin
terminology) with a chip that cost less than the SDA chips (and also
could meet the contactless transit power and timing profile requirements).


the x9a10 working group had already examined replay attack threat models
(based on static data authentication) especially in light of the common
skimming attacks being used to harvest magstripes and PINs
that were starting to become common at the time.

for a little more drift, there are assumptions about multi-factor
authentication being more secure ... i.e. magstripes and PINs represent
different factors. However, skimming attacks appearing by at least the
mid-90s were capturing magstripes and PINs as part of the same
operation (invalidating a basic multi-factor security assumption).


also previously mentioned, x9a10 was specifying transaction 
authentication as opposed to session-like authentication ... because 
transaction authentication reduced several kinds of vulnerabilities that 
were frequently related to session operation (end-point threats, mitm 
threats, insider threats).


there were a number of chip&pin SDA deployments in the 90s ... a
partial reference here:

http://www.garlic.com/~lynn/2006l.html#33

... which had provided opportunities for the "yes card" type attacks to
evolve. by the time of the 2002 article about "yes cards" ... the
article also mentioned that information about building counterfeit "yes
cards" was widely available on the internet.


however, the information about "yes card" kind of attacks (skimming
SDA data for replay attacks against terminals) was relatively readily
available by 2000. In late fall of 2000, there was a small conference in
London with principals of the lloyd's of london syndicates involved in
insuring (brick & mortar) point-of-sale retail payment fraud discussing
numerous threat models and countermeasures.


however, a lot of chip&pin deployments have been by people that are
extremely chip centric ... interpreting everything from the context of
the produced chips. there were some chip&pin deployments in 2001 that
interpreted the "yes card" vulnerability from the standpoint that valid
cards could do offline transactions. their "yes card" countermeasure was
to produce valid cards that always did online transactions.


Some of the chip&pin aficionados, when various of the "yes card" details
were explained in more detail ... tended to have trouble coming to
grips with it being an attack on terminals and the rest of the
infrastructure ... not attacks on valid chips ... and also thought that
the crooks were not playing fair in how they programmed the counterfeit
chips.


one of the references in the 2002 article was to "yes cards" never going
away. this also was somewhat behind the cited comment from ATM industry
in conference not too long after the 2002 article about proving chips
are less secure than magstripe.


a cornerstone countermeasure to attacks on valid chips (like lost/stolen
vulnerabilities) was infrastructure feature that when a card did an
online transaction (as opposed to offline), the online infrastructure
could instruct the card to self-destruct. the infrastructure allowed
valid cards to instruct chip&pin terminals that they were doing offline
transactions ... but valid cards were programmed to sporadically do
online transactions. if a valid chip was reported as compromised, the
account could be flagged (as happens with all magstripe transactions)
and the chip also be scheduled for self-destruct command, the next time
it went online.


since a counterfeit yes card could be programmed to never go online, 
flagging an account (as works with magstripe 

UK Banks Expected To Move To DDA EMV Cards

2006-06-09 Thread Anne Lynn Wheeler

UK Banks Expected To Move To DDA EMV Cards
http://www.epaynews.com/index.cgi?survey=ref=browsef=viewid=11497625028614136145block=

... from above ...

Of the 6.2 billion card transactions in the UK each year, one in five 
occurs offline, which increases the risk of cloned cards being used at a 
retailer’s POS terminal. In short, a cloned credit or debit card may go 
unidentified if a transaction is not sent to a bank for approval.


... snip ...

re:
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN 
Security Flaw


note that the counterfeit "yes card" attack (from the late 90s) isn't on
valid cards programmed to do offline (or online) transactions; the
counterfeit "yes card" attack (built from skimmed SDA data) is on
chip&pin terminals programmed to do what any authenticated card tells it
to do (part of the chip&pin terminal standard):

http://www.garlic.com/~lynn/2006l.html#33

the countermeasure to counterfeit "yes card" attacks on chip&pin
terminals is to program the terminal to ignore what the card tells it to
do, and always do an online transaction. this makes chip&pin deployments
subject to the same account flagging countermeasure that has been long
used for magstripe cards. The counterfeit "yes card" exploit always
doing offline transactions (making it immune to account flagging
countermeasures) was somewhat what prompted somebody several years ago to
make the comment about spending several billion dollars to prove that
chips were less secure than magstripe.


part of what had prompted the aads chip strawman effort
http://www.garlic.com/~lynn/x959.html#aads

in the 90s was the frequent comment about deployments being forced into 
doing SDA chip deployments because technology cost for DDA chip 
deployments was too uneconomical. Part of the aads chip strawman was to 
demonstrate technology doing dynamic data authentication (as 
countermeasure to skimming, harvesting and replay attacks) at the 
highest possible integrity ... for less cost than any SDA technology
(as well as being able to meet transit contactless power and timing 
profile requirements).
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN 
Security Flaw
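An added illustration of the two countermeasures discussed in the posts above, always-online terminals and dynamic data authentication (this is not code from the thread or from any card specification): a toy Python model of a terminal handling a copy built from skimmed SDA data. The RSA keys made from small Mersenne primes, the single shared card key, the `Card` class, the result strings and all function names are assumptions made for the sketch.

```python
import hashlib
import secrets

E = 65537

def keypair(p, q):
    """Toy textbook RSA from known Mersenne primes; far too small for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, n, d):
    return pow(digest(data, n), d, n)
def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

ISSUER_N, ISSUER_D = keypair(2**31 - 1, 2**61 - 1)   # issuer key, checked by every terminal
CARD_N, CARD_D = keypair(2**17 - 1, 2**19 - 1)       # card key (assumed), used only for DDA

class Card:
    def __init__(self, pan, sda_sig, card_cert, card_d=None):
        self.pan, self.sda_sig, self.card_cert, self.card_d = pan, sda_sig, card_cert, card_d
        self.wants_offline = True                    # what the card asks the terminal to do
    def sign_challenge(self, nonce):
        # A copy built from skimmed data has no private key and cannot answer.
        return sign(nonce, CARD_N, self.card_d) if self.card_d else 0

def issue(pan):
    cert = sign(pan + CARD_N.to_bytes(8, "big"), ISSUER_N, ISSUER_D)
    return Card(pan, sign(pan, ISSUER_N, ISSUER_D), cert, CARD_D)

def skim(card):   # everything a card sends in the clear; the private key stays on the chip
    return Card(card.pan, card.sda_sig, card.card_cert)

def sda_terminal(card, flagged, force_online=False):
    if not verify(card.pan, card.sda_sig, ISSUER_N):
        return "declined: bad static data"
    if card.wants_offline and not force_online:
        return "approved offline"                    # issuer's account flag is never consulted
    return "declined: account flagged" if card.pan in flagged else "approved online"

def dda_terminal(card):
    if not verify(card.pan + CARD_N.to_bytes(8, "big"), card.card_cert, ISSUER_N):
        return "declined: bad card certificate"
    nonce = secrets.token_bytes(8)                   # fresh per transaction, so replay fails
    if not verify(nonce, card.sign_challenge(nonce), CARD_N):
        return "declined: dynamic signature failed"
    return "approved offline"
```

With a flagged account, `sda_terminal(skim(card), flagged)` still approves offline, while `force_online=True` or `dda_terminal` declines the copy.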




Re: Status of attacks on AES?

2006-06-09 Thread Max

On 6/8/06, Steven M. Bellovin [EMAIL PROTECTED] wrote:

> You say you have a method to evaluate ciphers.  Without full details, no
> one can form their own judgment if it's valid or not.  (My proposal
> clearly isn't valid.)  You say you've evaluated AES and other ciphers.
> Without full details, we don't know if your evaluation is correct.

I think they can prove their evaluation without publishing all the details.
What they need is just to provide access to their distinguisher in
the form of a black box.
To prove its meaningfulness, the distinguisher must show consistent
results in distinguishing AES-encrypted data (say, for a fixed
plaintext without repeating blocks of their choice) from random data.

Max
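The black-box test proposed in the message above, sketched as an added example (not part of the thread): a blind challenge harness plus the binomial tail that says how often pure guessing would score as well. Python's standard library has no AES, so `toy_encrypt` is a deliberately weak stand-in cipher; it, both sample "boxes", `evaluate` and the 200-trial default are assumptions, and the harness accepts any `encrypt` callable.

```python
import math
import secrets

def challenge(distinguisher, encrypt, plaintext, trials=200):
    """Blind trial: each round the black box sees either encrypt(fresh key, plaintext)
    or random bytes of the same length, and must say which. Returns correct answers."""
    correct = 0
    for _ in range(trials):
        is_cipher = secrets.randbits(1) == 1
        sample = (encrypt(secrets.token_bytes(16), plaintext) if is_cipher
                  else secrets.token_bytes(len(plaintext)))
        correct += distinguisher(sample) == is_cipher
    return correct

def p_value(correct, trials):
    """P[X >= correct] for X ~ Binomial(trials, 1/2): how often guessing does as well."""
    return sum(math.comb(trials, k) for k in range(correct, trials + 1)) / 2**trials

# Fixed plaintext with no repeated 16-byte block, as the post specifies.
PLAINTEXT = bytes(range(64))

def toy_encrypt(key, plaintext):
    """Stand-in cipher, deliberately weak: XORs every 16-byte block with the same key."""
    return bytes(b ^ key[i % 16] for i, b in enumerate(plaintext))

def working_box(sample):
    """Real distinguisher for toy_encrypt: sample XOR plaintext repeats with period 16."""
    x = bytes(a ^ b for a, b in zip(sample, PLAINTEXT))
    return all(x[i] == x[i % 16] for i in range(len(x)))

def bluffing_box(sample):
    """A claimed distinguisher with no real signal: it always answers 'cipher'."""
    return True

def evaluate(box, trials=200):
    correct = challenge(box, toy_encrypt, PLAINTEXT, trials)
    return correct, p_value(correct, trials)

if __name__ == "__main__":
    for box in (working_box, bluffing_box):
        print(box.__name__, "correct=%d p=%.3g" % evaluate(box))
```

A box with a real signal scores far above what guessing can reach, run after run; a bluffing one stays near half correct with an unremarkable p-value.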



Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread John R. Black
Oops, I forgot about Neal!  :embarrassed:

He's a top-notch mathematician, has a couple of books on crypto (or 
crypto-related topics) and even wrote a controversial article with Menezes
recently that was discussed on this mailing list.

But I don't think he teaches a crypto class at UW?!


On Tue, Jun 06, 2006 at 09:28:41PM -0700, Andrew Tucker wrote:
> No cryptographers at UW?  I think Neal Koblitz would disagree with that:
> http://www.math.washington.edu/~koblitz/



Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread John R. Black

>> It is taught by good people, but I find it a bit strange they are all
>> Microsoft employees.  This is perhaps because U. Wash doesn't have any
>> cryptographers.
>
> I hardly think that you can discount the skills of Josh Benaloh and
> Brian LaMacchia.

Who is discounting?  I said they are good people but that they work
for Microsoft and not for the University of Washington.

>> That changes in the fall: they hired an excellent young cryptographer
>> named Yoshi Kohno.
>
> Damn, I was trying to hire Yoshi...

So were we (here at the University of Colorado).  So was everyone! :)

john//



Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread Greg Rose

At 16:29  -0600 2006/06/08, John R. Black wrote:

>>> It is taught by good people, but I find it a bit strange they are all
>>> Microsoft employees.  This is perhaps because U. Wash doesn't have any
>>> cryptographers.
>>
>> I hardly think that you can discount the skills of Josh Benaloh and
>> Brian LaMacchia.
>
> Who is discounting?  I said they are good people but that they work
> for Microsoft and not for the University of Washington.

Yes, my apologies, I misparsed your statement.

Greg.



Re: mailer certificate retrieval via LDAP?

2006-06-09 Thread Victor Duchovni
On Thu, Jun 08, 2006 at 02:32:01PM -0400, Steven M. Bellovin wrote:

> Are there any common mailers -- open source preferred but not mandatory --
> that can query LDAP directories to retrieve X.509 certificates for use in
> S/MIME messages?  Evolution and Thunderbird are both able to send S/MIME,
> but don't seem to have any easy certificate retrieval mechanisms.

Thunderbird supports PKCS#11 plugin modules, so all you need is a PKCS#11
plugin for LDAP. So the question looks like a question about availability
of plugins, rather than MUAs...

-- 

 /\  ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X  AGAINST      IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.



Re: mailer certificate retrieval via LDAP?

2006-06-09 Thread Jeff . Hodges
You should consider also posting your query to ldap@umich.edu


JeffH





whole load of new RFCs announced yesterday on LDAP and SASL

2006-06-09 Thread Anne Lynn Wheeler

possibly fastest way of getting sense of all the new rfcs is to go to
http://www.garlic.com/~lynn/rfcietff.htm

and click on Date in the RFCs listed by section. Clicking on each 
individual RFC number (in the june section) will bring up that RFC 
summary in the lower frame. Clicking on the .txt= field will 
retrieve the actual RFC.


another approach is to click on Term (term-RFC#) in the RFCs listed
by section and then click on either LDAP (or SASL) in the Acronym
fastpath.




Re: mailer certificate retrieval via LDAP?

2006-06-09 Thread Alex Iliev
On Thu, Jun 08, 2006 at 02:32:01PM -0400, Steven M. Bellovin wrote:
> Are there any common mailers -- open source preferred but not mandatory --
> that can query LDAP directories to retrieve X.509 certificates for use in
> S/MIME messages?  Evolution and Thunderbird are both able to send S/MIME,

This works for me in a vanilla (well, debian) Thunderbird, using our
university LDAP directory (at Dartmouth). The certificates are present under
key userCertificate;binary in the LDAP, in base64.

Alex
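For the directory layout described in the message above, an added example (not from the thread or from any mailer's code) that pulls `userCertificate;binary` values out of an LDIF export, where binary values appear base64-encoded after `::`, checks that each is a complete DER SEQUENCE, and wraps it as PEM for S/MIME tooling. The function names, the sample entry and its `example.edu` names are assumptions, and the sample blob is a DER-shaped placeholder, not a real certificate.

```python
import base64
import textwrap

def unfold(ldif):
    """RFC 2849 folding: a line that starts with one space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def der_length_ok(der):
    """True if the blob is one SEQUENCE whose declared length covers it exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length in one byte
        header, body = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def certs_from_ldif(ldif):
    """Return the DER blobs stored under userCertificate;binary, rejecting damaged ones."""
    found = []
    for line in unfold(ldif):
        attr, sep, value = line.partition("::")   # "::" marks a base64-encoded value
        if sep and attr.strip().lower() == "usercertificate;binary":
            der = base64.b64decode(value.strip(), validate=True)
            if not der_length_ok(der):
                raise ValueError("userCertificate;binary is not a complete DER SEQUENCE")
            found.append(der)
    return found

def to_pem(der):
    """Wrap DER in the PEM armour that S/MIME tooling accepts."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: a DER-shaped placeholder (not a real certificate) in a folded entry.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
_line = "userCertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = ("dn: uid=alice,ou=people,dc=example,dc=edu\nmail: alice@example.edu\n"
               + "\n ".join(_line[i:i + 70] for i in range(0, len(_line), 70)) + "\n")

if __name__ == "__main__":
    print(to_pem(certs_from_ldif(SAMPLE_LDIF)[0]))
```

The length check only catches truncated or non-DER values; the certificate chain and the address it binds still have to be validated before a key retrieved this way is used for encryption.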
