RSA SecurID SID800 Token vulnerable by design

2006-09-08 Thread Hadmut Danisch 
Hi,

I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf


The token is bundled with some windows software designed to make
user's life easier. Interestingly, this software provides a function
which directly copies the current token code into the cut-and-paste
buffer, when the token is plugged in into USB. This is weak by design.

The security of these tokens is based on what RSA calls "two-factor
user authentication": It takes both a secret (PIN) and the
time-dependend Token-Code to authenticate. The security of the
Token-Code depends on the assumption that the token is resistant
against malware or intruders on the computer used for communication
(web browser, VPN client,...).

However, if the Token Code can be read over the USB bus, this
assumption does not hold. A single attack on the PC where the token is
plugged in would compromise both the PIN (e.g. with a keylogger) and
the token itself (e.g. writing a daemon which continuously polls the
token and forwards the token in real time to a remote attacker.

Ironically this could make an attack even easier: If some malware
simultaneously monitors the token and the keyboard, it is much easier
to detect that the keystrokes are actually related to some login
procedure:

Whenever the 6-digit token code appears in the keyboard or
cut-and-paste input stream, you can be pretty sure that in a sliding
window of about the last 100-200 keystrokes both the PIN and the
address of the server to login is contained. Makes it really easy to
automatically detect secrets in the input stream.

Thus, two different authentication methods are together weaker than
each single one.

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Raw RSA

2006-09-08 Thread Leichter, Jerry 
| > | If an attacker is given access to a raw RSA decryption oracle (the
| > | oracle calculates c^d mod n for any c) is it possible to extract the
| > | key (d)?
| > If I hand you my public key, I have in effect handed you an oracle that
| > will compute c^d mod n for any c.  What you are asking is whether you
| > can then extract my private key e - which is exactly what the security
| > claims for RSA say you cannot do.  (Note that I chose to call my
| > public key d and by private key e - but since the two keys are
| > completely equivalent in RSA, that's just naming.)
| 
| I want to extract the exponent that is used by the oracle: this is the
| difference between the chosen-plaintext attack (it does not require an
| oracle, since it is a public key scheme) and the chosen-ciphertext
| attack (CCA1).
I don't follow.  For RSA, the only difference between encryption and
decryption, and public and private key, and hence between chosen
plaintext and chosen ciphertext, is the arbitrary naming of one of
a pair of mutually-inverse values as the "private" key and the other
as the "public" key.
-- Jerry
 
| -- 
| Regards,
| ASK
| 
| -
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
| 

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Enigma cracking machines reconstructed

2006-09-08 Thread Perry E. Metzger 

  LONDON (Reuters) - A code-cracking machine that enabled Britain to
  read Nazi military ciphers during World War Two has been rebuilt by
  enthusiasts after a 10-year project.

http://news.scotsman.com/latest.cfm?id=1318542006&format=print

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

secure key storage APIs

2006-09-08 Thread Travis H. 

Hey,

Does anyone know of any OSS OS facilities for managing keys?

With ssh-agent and gpg-agent providing access to key storage
by inherited processes, and the keys themselves being vulnerable
as stored on-disk, I wonder if there isn't any more general facility
for doing key management and access control, and I was wondering
if there were any useful papers on this kind of facility.

As I see it, there are a couple of seperate issues:

1) Persistent key storage; how does it look on-disk?  Obviously
we will want confidentiality, and probably have integrity.   But
what kind of algorithm do we use?  When designing key storage
for a given system, one can usually use that system to access
the persistent form.  This has the neat property that a break
in the storage security would imply that the given system itself
could have been broken, so no harm done; the "attack surface"
is not increased by the key store subsystem.

2) Non-persistent key store; there are data remanence issues
with DRAM and other supposedly non-persistent storage.  I
have heard a story about a homebrew computer that stored
the "clean shutdown" or "dirty" bit in the same memory location,
and after a reboot it would read this location to decide if it
needed to check the disks.  Apparently it stayed "dirty" so
long the value was burned-in.  Maybe not a big deal for
key store in a complex environment, but would be really
important in embedded devices with fairly static memory
layouts, e.g. VPN concentrators.  Solve by secret-sharing
between two locations, or by inverting every bit periodically.

3) Access control policy; who should get access to the keys?

4) OS support; should keys be stored as immutable quantities,
like a process's real UID value?  If so, can they be transferred,
and under what conditions?  Can they be inherited?

Any considerations that I'm missing?
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Any opinions on Kryptor...?

2006-09-08 Thread Leandro Meiners 

Dear list,

Has anybody heard about Kryptor? Any opinions?
(Link: http://www.rosiello.org/modules/smartsection/visit.php?fileid=1)

Regards,

Leandro Meiners.-
--
Leandro Federico Meiners

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

link fest on fingerprint biometrics

2006-09-08 Thread Travis H. 

Found at doxpara.com:

fingerprints: http://chris.fornax.net/biometrics.html
faceprints: 
http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf

More on fingerprints:
http://onin.com/fp/cyanoho.html

At home I have an excellent page on making fake fingerprints, but I
cannot find it
right now.  It used gelatin (like jello) and was successful at fooling a sensor.

I did find this, which reports success with gummi bears:
http://msn.pcworld.com/article/id,116573-page,5/article.html

This says play-doh works on Walmart and Target sensors:
http://digg.com/security/Play-Doh_Beats_Wal*Mart_s_and_Target_s_Fingerprint_Scanners?cshow=927041

Or more generally:
http://www.linuxelectrons.com/article.php/20051209175034721

More about fingerprints:
http://www.latent-prints.com/

If anyone can give me any fingerprint-related links, particularly
about spoofing/breaking
them, I would be grateful.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Raw RSA

2006-09-08 Thread "Hal Finney" 
Alexander Klimov asks:
> If an attacker is given access to a raw RSA decryption oracle (the
> oracle calculates c^d mod n for any c) is it possible to extract the
> key (d)?

This is equivalent to asking whether factoring reduces to RSA inversion.
That is, given access to an RSA inversion oracle, can you factor the
modulus?  (Factoring the modulus is equivalent to finding d.)

Then see "Breaking RSA May Not Be Equivalent to Factoring" by Boneh and
Venkatesan, Eurocrypt 98.  Abstract (with my added emphasis):

"We provide evidence that breaking low-exponent RSA cannot be equivalent
to factoring integers. We show that an algebraic reduction from factoring
to breaking low-exponent RSA can be converted into an efficient factoring
algorithm. THUS, IN EFFECT AN ORACLE FOR BREAKING RSA DOES NOT HELP In
FACTORING INTEGERS. Our result suggests an explanation for the lack of
progress in proving that breaking RSA is equivalent to factoring. We
emphasize that our results do not expose any specific weakness in the
RSA System."

So the answer would appear to be no, an oracle for RSA does not help in
factoring and therefore will not reveal d.

See also http://citeseer.ist.psu.edu/bellare01onemorersainversion.html
"The One-More-RSA-Inversion Problems and the Security of Chaum's Blind
Signature Scheme" by Bellare et al for some discussion of this issue.

Hal Finney

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: signing all outbound email

2006-09-08 Thread James A. Donald 

--
Paul Hoffman wrote:
> At 11:40 AM +0200 9/5/06, Massimiliano Pala wrote:
>> Jon Callas wrote:
>>>
>>> On 4 Sep 2006, at 4:13 AM, Travis H. wrote:
>>>
 Has anyone created hooks in MTAs so that they
 automagically [sign email]
>> [...]
>>> Go look at  for many more
>>> details.
>>
>> This approach is MTA-to-MTA...
>
> No, it's not. The receiving MTA *and/or* MUA can
> verify signatures. That is clearly covered in the
> protocol document.

I do not seem to be able to use DKIM to for spam
filtering.  I would like to whitelist all validly signed
DKIM from well known domains.

One way of doing this would be for the MTA to insist on
a valid signature when talking to certain well known
MTAs, and then my MUA could whitelist mail sent from
those well known MTAs

In short, I am not able to get any advantage out of
using this protocol, which means that there is no
advantage in sending me signed mail.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 htNnuqbJ9fv6n64IRfD1zA7lLKKr2izEKeU8gcTj
 4VIaWftcnkDyBJkkmq5thq8hruA/YIkpnczdJ3kzD

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

2006-09-08 Thread je 


Check
http://www.matasano.com/log/178/recover-a-private-key-from-process-memory/

or if you want to find the algorithms

http://www.hexblog.com/2006/01/findcrypt.html

On Mon, 4 Sep 2006, Douglas F. Calvert wrote:


Hello,
I remember seeing a paper about identifying private keys in RAM. I
thought it was by Rivest but I can not locate it for the life of me.
Does anyone remember reading something like this? The basic operation
was to identify areas in RAM that had certain characteristics such as
random bits and identifiable key headers...
Any help would be greatly appreciated...


--
--dfc
[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: A lack of US cryptanalytic security before Midway?

2006-09-08 Thread Steven M. Bellovin 
On 7 Sep 2006 15:33:15 -, John Levine <[EMAIL PROTECTED]> wrote:

> >The conventional wisdom is that the successful US cryptanalytic efforts
> >against Japanese naval codes was a closely-held secret.
> 
> Has the conventional wisdom forgotten that it was reported in the
> Chicago Tribune in 1942?
> 
> See, for example, http://www.newseum.org/warstories/essay/secrecy.htm
> 
> Fortunately, the Navy Department had enough sense not to make a public
> stink, and the Japanese evidently didn't read the Chicago paper.
> 
The URL you cite does not support your claim.  It speaks of the successful
cryptanalysis of JN-25 as "one of the closest kept secrets of World War
II".  It also notes that the reporter learned of some data just from
seeing a piece of paper in a senior officer's quarters, rather than
knowning about the real source of the data, and that the Trib's headline --
"NAVY HAD WORD OF JAP PLAN TO STRIKE AT SEA" -- was not in fact justified
by what the reporter had seen and written. In other words, there was not a
factual leak of the real secret, though admittedly Japanese
counter-intelligence would likely have drawn the proper conclusion had they
seen the story.

I should note that if Kernan's account is correct, the danger to American
SIGINT efforts were far greater than were realized.  Three downed American
airmen were rescued by Japanese ships; they were then interrogated and
executed.  None of them (again, according to Kernan) had had proper
training on what they should or should not disclose.  If, indeed, the fact
of cryptanalysis was common knowledge, it was lucky indeed that the proper
questions weren't asked -- or if they were asked, they weren't answered,
even though at least one of them did give away more information than he
should have.


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: A lack of US cryptanalytic security before Midway?

2006-09-08 Thread John Levine 
>The conventional wisdom is that the successful US cryptanalytic efforts
>against Japanese naval codes was a closely-held secret.

Has the conventional wisdom forgotten that it was reported in the
Chicago Tribune in 1942?

See, for example, http://www.newseum.org/warstories/essay/secrecy.htm

Fortunately, the Navy Department had enough sense not to make a public
stink, and the Japanese evidently didn't read the Chicago paper.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Raw RSA

2006-09-08 Thread Alexander Klimov 
On Thu, 7 Sep 2006, Leichter, Jerry wrote:
> | If an attacker is given access to a raw RSA decryption oracle (the
> | oracle calculates c^d mod n for any c) is it possible to extract the
> | key (d)?
> If I hand you my public key, I have in effect handed you an oracle that
> will compute c^d mod n for any c.  What you are asking is whether you
> can then extract my private key e - which is exactly what the security
> claims for RSA say you cannot do.  (Note that I chose to call my
> public key d and by private key e - but since the two keys are
> completely equivalent in RSA, that's just naming.)

I want to extract the exponent that is used by the oracle: this is the
difference between the chosen-plaintext attack (it does not require an
oracle, since it is a public key scheme) and the chosen-ciphertext
attack (CCA1).

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: DNS/DNSSEC as an inbound mail signature public key distribution mechanism (was: signing all outbound email)

2006-09-08 Thread Thierry Moreau 



Jon Callas wrote:



[... about DKIM ...] The signature travels  with the message and 
the signing key is in the network. As long as  you have both, you can 
verify the signatures.




"the signing key is in the network" --> Indeed. The public signature key 
is stored in the DNS.


DKIM might be the first widely deployed application to use the DNS as 
the preferred means of distributing public keys.


*Authenticated* public key distribution would need an upgrade of the DNS 
with DNSSEC deployment.


Perhaps it is time for discussion groups like this one to take a look at 
DNSSEC (RFC4033 / RFC4034 / RFC4035) and review its security principles, 
trust model, deployment challenges, HMI (Human Machine Interaction) 
aspects, etc.


Look at 
http://www.circleid.com/posts/dnssec_deployment_and_dns_security_extensions/ 
or query your favorite web search engine with "DNSSEC".


Good reading.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Raw RSA

2006-09-08 Thread Leichter, Jerry 
| Hi.
| 
| If an attacker is given access to a raw RSA decryption oracle (the
| oracle calculates c^d mod n for any c) is it possible to extract the
| key (d)?
If I hand you my public key, I have in effect handed you an oracle that
will compute c^d mod n for any c.  What you are asking is whether you
can then extract my private key e - which is exactly what the security
claims for RSA say you cannot do.  (Note that I chose to call my
public key d and by private key e - but since the two keys are
completely equivalent in RSA, that's just naming.)
 
| It is known, that given such an oracle, the attacker can ask for
| "decryption"  of all primes less than B, and then he will be able to
| sign PKCS-1 encoded messages if the representative number is B-smooth,
| but is there any way to actually recover d itself?
RSA is multiplicative, so, yes, this follows easily unless the encoding
used prevents it.
-- Jerry

| -- 
| Regards,
| ASK
| 
| -
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
| 

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]