Potential Hazards of the Protect America Act

2008-01-25 Thread Perry E. Metzger

Matt Blaze blogs about a paper he, Steve Bellovin, Whit Diffie, Susan
Landau, Peter Neumann and Jennifer Rexford have written on the hazards
of surveillance technologies:

http://www.crypto.com/blog/wiretap_risks/

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lack of fraud reporting paths considered harmful.

2008-01-25 Thread Perry E. Metzger

[EMAIL PROTECTED] writes:
 His firm routinely discovers attempted credit card fraud. However,
 since there is no way for them to report attempted fraud to the credit
 card network (the protocol literally does not allow for it), all they
 can do is refuse the transaction -- they literally have no mechanism
 to let the issuing bank know that the card number was likely stolen.

 A former boss has become Head of Fraud Technology (I asked him who
 was Head of Anti-Fraud Technology) and he answers like this.

   I am not really a cards man but I would have said the good
   old telephone, a call to the acquirer, would be the way. The
   acquirer would then pass that on to the issuer. Granted the
   merchant may not know for certain that had happened, but he
   has done his duty at that point.

That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over the
phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.


-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread ji
The per-card cost need not be such a big problem.  Singapore has a 
proximity-card-based system.  They use the same card both for the 
long-term cards and for the single-use cards.  There is a S$ 2 (IIRC) 
deposit on the card, which is refunded after the card is used.  Waste 
not want not!


/ji

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


more terrorist crypto hype

2008-01-25 Thread Perry E. Metzger

There has been more hype about Jihadist crypto software lately. For
example:

http://www.eetimes.com/rss/showArticle.jhtml?articleID=205918680

I'll note that the presumed users would probably be better off
with a well vetted program like GPG. I'll also note that there is
literally no way to prevent people from writing such software, since
they are non-US nationals living outside the US. (As much as we would
like US law to apply to all foreigners living abroad, that's not how
the world works.)

None the less, I'll predict that this news, which has been hyped in
several places of late, will be brought up by some as a reason why we
must restrict crypto exports, never mind that this solution would in
no way alter the availability of cryptographic software to terrorists,
any more than New York City gun control regulations would prevent
AK-47s from reaching fighters in Congo.

Perry
-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


BSF/DIMACS/DyDAn Workshop on Data Privacy

2008-01-25 Thread Linda Casals
*

BSF/DIMACS/DyDAn Workshop on Data Privacy

  February 4 - 7, 2008
  DIMACS/DyDAn Center, CoRE Building, Rutgers University

Organizers:
  Kobbi Nissim, Ben Gurion University, kobbi at cs.bgu.ac.il 
  Benny Pinkas, University of Haifa, benny at cs.haifa.ac.il 
  Rebecca Wright, Rutgers University, rebecca.wright at rutgers.edu 

Presented under the auspices of the DIMACS Special Focus on 
Communication Security and Information Privacy and 
the Center for Dynamic Data Analysis (DyDAn).



An ever-increasing amount of data is available in digital form, often
accessible via a network. Not surprisingly, this trend is accompanied
by an increase in public awareness of privacy issues and by
legislation of privacy laws. The interest in privacy, and the tension
between privacy and utility of data, is amplified by our growing
ability to collect and store large amounts of data, and our ability to
mine meaningful information from it. This workshop will view privacy
in a broad sense in order to facilitate interaction and discussion
between privacy-oriented researchers in different communities.

The study of privacy is inherently interdisciplinary, spanning a
range of applications and scenarios, such as analysis of census data,
detection and prevention of terrorist activity, and biomedical
research. There is a fundamental interplay between privacy and law,
security, economics, and the social sciences. This workshop will
foster interactions between researchers in these fields with those in
statistics and computer science, toward the goal of developing problem
formulations that can be translated into a technical mathematical
language that lends itself to a more rigorous study of privacy. The
workshop will contrast these formal definitions with more intuitive
notions of privacy from the social sciences, economics, philosophy and
law to determine the extent to which they capture the perceived
meaning of privacy in different settings.

Privacy-preserving technologies may soon become an integral part of
the basic infrastructure for the collection and dissemination of
official statistics, as well as for research in business, economics,
medical sciences, and social sciences. Functional solutions for
preserving privacy would therefore serve as a central part of the
infrastructure for those disciplines. This workshop will address a
variety of questions on algorithms for privacy-preserving analysis
such as:

  * To what extent can such techniques be applied to 
 statistical data?
  * What are the consequences to privacy and confidentiality 
 if such techniques are not used?
  * Are changes in statistical tools needed to make them 
 compatible with such techniques?
  * Can the techniques be modified to allow use of standard 
 statistical tools and practices? 

**
Program:

Monday, February 4, 2008

 8:00 -  8:50  Breakfast and Registration

 8:50 -  9:00  Welcome and Opening remarks
   Rebecca Wright, DIMACS Deputy Director

 9:00 - 10:00  Tutorial: Differential Privacy
   Adam Smith, Penn State University

10:00 - 10:30  PINQ 
   Frank McSherry

10:30 - 11:00  Break

11:00 - 12:00  Tutorial: Smooth Sensitivity and Sampling
   Sofya Raskhodnikova, Penn State University

12:00 - 12:30  Tutorial: Exponential Mechanism 
   Kunal Talwar

12:30 -  2:00  Lunch

 2:00 -  3:00  Tutorial: Statistical Methods 
   Alexandra Slavkovic

 3:00 -  3:30  Break

 3:30 -  4:30  Tutorial: Synthetic Data 
   John Abowd

Tuesday, February 5, 2008

 8:30 -  9:00  Breakfast and Registration

 9:00 - 10:30  Tutorial: Secure Multiparty Computation and 
   Privacy-Preserving Data Mining 
   Yehuda Lindell, Bar Ilan University

10:30 - 11:00  Break

11:00 - 11:35  The Difficulty of Preventing Disclosure
   Moni Naor

11:35 - 12:05  E Gov, Online Citizen Scrutiny and Participation -
   The Joint Challenges for Cryptologists and Policy Makers 
   Tal Zarsky, University of Haifa

12:05 - 12:30  Robust De-anonymization of Multi-dimensional Databases 
   Vitaly Shmatikov, The University of Texas at Austin 

12:30 -  2:00  Lunch

Statistics:
 2:00 -  2:25  Privacy: Theory Meets Practice on the Map
   John Abowd

 2:25 -  2:50  A Hybrid Perturbation/Swapping Approach for Masking Numerical 
Data
   Rathindra Sarathy, Oklahoma State University 

 2:50 -  3:20  Break

 3:20 -  3:45  Deterministic History-Independent Strategies for Storing 
   Information on Write-Once Memories
   Gil Segev, Weizmann Institute of Science

 3:45 -  4:10  Cell Suppressions Leak Information
   Shubha Nabar, Stanford University 

 4:10 -  4:35  A Learning Theory Perspective on Data 

Re: Dutch Transport Card Broken

2008-01-25 Thread Henryk Plötz
Moin,

Am Thu, 24 Jan 2008 20:58:38 -0800 schrieb Aram Perez:

 Not to defend the designers in any way or fashion, but I'd like to  
 ask, How much security can you put into a plastic card, the size of
 a credit card, that has to perform its function in a secure manner,
 all in under 2 seconds (in under 1 second in parts of Asia)? And it
 has to do this while receiving its power via the electromagnetic
 field being generated by the reader.

Hmm, how about Triple-DES for starters? :-) There are cards using 3DES
(called Mifare DESfire) available from the same manufacturer (NXP) as
the Mifare Classic cards with the proprietary algorithm that we looked
at. Apparently the main difference is that DESfire cards cost 1.50 EUR
per piece while Classic cards are at 0.50 EUR per piece. Other public
transport systems, such as Madrid, did the sensible thing and chose
DESfire:
http://www.nxp.com/news/identification/articles/otm81/madrid/

-- 
Henryk Plötz
Grüße aus Berlin
~~ Help Microsoft fight software piracy: Give Linux to a friend today! ~


pgpsmBWu8tOGO.pgp
Description: PGP signature


Re: Dutch Transport Card Broken

2008-01-25 Thread sbg
 How much security can you put into a plastic card, the size of a
 credit card, that has to perform its function in a secure manner, all
 in under 2 seconds (in under 1 second in parts of Asia)? And it has to
 do this while receiving its power via the electromagnetic field being
 generated by the reader.

The 24C3 presenters to their credit made this exact point. But mixing the
16-bit nonce with the card identifier was an optimization too far.  That
said, it's a hard problem.  Inside Picopass is one of many examples that
progress is possible.

IMHO as always.

Cheers, Scott


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread Aram Perez

Hi Folks,


Ed Felten has an interesting post on his blog about a Dutch smartcard
based transportation payment system that has been broken. Among other
foolishness, the designers used a custom cryptosystem and 48 bit keys.


Not to defend the designers in any way or fashion, but I'd like to  
ask, How much security can you put into a plastic card, the size of a  
credit card, that has to perform its function in a secure manner, all  
in under 2 seconds (in under 1 second in parts of Asia)? And it has to  
do this while receiving its power via the electromagnetic field being  
generated by the reader.


Regards,
Aram Perez

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread James A. Donald

Perry E. Metzger wrote:

Ed Felten has an interesting post on his blog about a Dutch smartcard
based transportation payment system that has been broken. Among other
foolishness, the designers used a custom cryptosystem and 48 bit keys.

http://www.freedom-to-tinker.com/?p=1250


The Dutch government paid two billion dollars for stupidity, for 
foolishness that almost anyone on this list could have told them was 
foolish.  Secret algorithm!



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread Anne Lynn Wheeler

Aram Perez wrote:
Not to defend the designers in any way or fashion, but I'd like to 
ask, How much security can you put into a plastic card, the size of a 
credit card, that has to perform its function in a secure manner, all 
in under 2 seconds (in under 1 second in parts of Asia)? And it has to 
do this while receiving its power via the electromagnetic field being 
generated by the reader.
we sort of saw that in the mid-90s when we were doing the x9.59 
financial standard

http://www.garlic.com/~lynn/x959.html#x959

and getting comments that it wasn't possible to have both low cost and 
high security at
the same time. we looked at it and made the semi-facetious statements 
that we
would take a $500 milspec part and aggresively cost reduce it by 2-3 
orders of magnitude

will improving the security. along the way we got tapped by some in the
transit industry to also be able to meet the (then) transit gate 
requirements

(well under 1 second and do it within iso 14443 power profile).

part of it was having to walk the whole end-to-end process ... all the 
way back

to chip design and fab manufacturing process ... little drift about walking
fab in a bunny suit
http://www.garlic.com/~lynn/2008b.html#13

we effectively did get it on close to the RFID chip (i.e. the one that they
are targeting for UPC) technology curve ... i.e. chip fabrication cost 
is roughly
constant per wafer ... wafer size and circuit size have been leading to 
higher
number of chips per wafer (significantly reducing cost/chip). As circuit 
size

shrank with a corresponding shrinkage in the size of chips (that didn't have
corresponding increase in number of circuits) there was a blip on the
cost/chip curve as the area of the cuts (to separate chips in the wafer)
exceeded the (decreasing) chip size.  Earlier this decade there was
a new cutting process that significantly reduced the cut area ... allowing
yield of (small) chips per wafer to continue to significantly increase
(allowing pushing close to four orders of magnitude reduction ... rather
than 3-4 orders of magnitude reduction).

aads chip strawman references
http://www.garlic.com/~lynn/x959.html#x959




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread Anne Lynn Wheeler

my impression has been that with lack of takeup of various kinds of security
solutions that were extensively marketed in the 90s ... that the current
situation has many of those same organizations heavily involved in behind
the scenes lobbying

saw some of that nearly a decade ago when we were brought in to
help wordsmith the cal. state electronic signature legislation which
led to also be brought in on federal electronic signature legislation
... some past posts
http://www.garlic.com/~lynn/subpubkey.html#signature

some other references ...

Hackers break into transport smart card
http://www.dutchnews.nl/news/archives/2008/01/german_hackers_break_transport.php
Transport smart card hacked again (update)
http://www.dutchnews.nl/news/archives/2008/01/transport_smart_card_hacked_ag.php

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread Perry E. Metzger

Aram Perez [EMAIL PROTECTED] writes:
 Ed Felten has an interesting post on his blog about a Dutch smartcard
 based transportation payment system that has been broken. Among other
 foolishness, the designers used a custom cryptosystem and 48 bit keys.

 Not to defend the designers in any way or fashion, but I'd like to
 ask, How much security can you put into a plastic card, the size of a
 credit card, that has to perform its function in a secure manner, all
 in under 2 seconds (in under 1 second in parts of Asia)?

Several other transit systems have payment cards that have proven
remarkably resilient to attack. For example, the NYC Metrocard
system has been attacked repeatedly without significant breaks (but it
does not rely on its cards being tamperproof -- it is an online system
using magstripes.)

The authors of the paper on the Dutch break claim that it would have
been possible to use far more secure means even given the basic
design, such as a non-proprietary crypto algorithm and longer keys. I
see no real reason to disbelieve this. In any case, if it was not
possible to do this with smartcards, existing, well proven mechanisms
that are in use in other transit systems could have been adopted. It
is not necessary to use an unimplementable architecture when
implementable and proven architectures exist.

Often we hear of a false need for engineering tradeoffs in such
circumstances. Engineering tradeoffs do indeed sometimes become
critical in security design. However, you should be very skeptical
when someone claims that they need to use a home grown crypto
algorithm or that they need to use a home grown protocol instead of
a well proven one. Generally these are not engineering tradeoffs but
reflections of ignorance on the part of the designers.

Perry
-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lack of fraud reporting paths considered harmful.

2008-01-25 Thread lists
Perry wrote:

 His firm routinely discovers attempted credit card fraud. However,
 since there is no way for them to report attempted fraud to the credit
 card network (the protocol literally does not allow for it), all they
 can do is refuse the transaction -- they literally have no mechanism
 to let the issuing bank know that the card number was likely stolen.

A former boss has become Head of Fraud Technology (I asked him who
was Head of Anti-Fraud Technology) and he answers like this.

  I am not really a cards man but I would have said the good
  old telephone, a call to the acquirer, would be the way. The
  acquirer would then pass that on to the issuer. Granted the
  merchant may not know for certain that had happened, but he
  has done his duty at that point.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]