Re: RIM to give in to GAK in India
Even if RIM does not have the device keys, in order to share encrypted data with applications on the RIM server, the device must share a session key with the server; must it not?. Isn't RIM (their software, actually) now in a position to decrypt content sent between Blackberry users? Or, does the Blackberry encryption protocol work like S/MIME? Arshad Noor StrongAuth, Inc. - Original Message - From: Derek Atkins [EMAIL PROTECTED] To: Perry E. Metzger [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Sent: Tuesday, May 27, 2008 8:54:12 AM (GMT-0800) America/Los_Angeles Subject: Re: RIM to give in to GAK in India Quoting Derek Atkins Wow, and April 1st was almost two months ago. This is just a bunch of FUD. If someone actually talked to RIM they would find out that it's technically impossible for them to do this because THEY DONT HAVE THE DEVICE KEYS. http://news.yahoo.com/s/afp/20080527/tc_afp/indiacanadacompanyrimblackberrytelecomsecurity - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: The perils of security tools
On Wed, 28 May 2008 10:34, [EMAIL PROTECTED] said: Yes. Still, some people are using fopen/fread to access /dev/random, which does pre-fetching on most implementations I saw, so using open/read is preferred for using /dev/random. It is not an implementaion issue but a requirement of the C standard. To avoid buffering use setvbuf (fp, NULL, _IONBF, 0); right after the fopen. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Fwd: [P1619-3] Last reminder: Call for Speakers and Sponsors for the 2008 Key Management Summit Ends This Friday
FYI. - Forwarded Message - From: Matt Ball [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, May 28, 2008 1:37:18 PM (GMT-0800) America/Los_Angeles Subject: [P1619-3] Last reminder: Call for Speakers and Sponsors for the 2008 Key Management Summit Ends This Friday (Please forward this message as needed to other related groups) KMS 2008 has now filled-up all 8 vendor slots. However, we will still consider accepting additional sponsors if there is enough room on the agenda. Please send a message to [EMAIL PROTECTED] if you would like to be added to the list of alternate sponsors. The sponsor agreement form is now available on the 'Sponsors' page. If you are interested in speaking at KMS 2008, please submit an abstract (and preferably a speaker bio) to [EMAIL PROTECTED] by this Friday , May 30th . Slots are filling up fast! MSST has hotel and transportation information available as well. Hotel rooms are $219 per night, a significant discount from the usual $300+/night rates. Registration fees will be set in June and will likely be in the $300-$400 range for two days at KMS (food included), depending on final sponsorship contributions. Thanks! Matt Ball Chair, KMS 2008 On Mon, May 12, 2008 at 8:32 AM, Matt Ball wrote: Details: The IEEE Key Management Summit brings together the top companies that develop cryptographic key management for storage devices with the standards organizations that make interoperability possible. With recent legislation, such as California's SB 1386 or Sarbanes-Oxley, companies now have to publicly disclose when they lose unencrypted personal data. To meet this new need for encryption, many companies have developed solutions that encrypt data on hard disks and tape cartridges. The problem is that these data storage vendors need a solution for managing the cryptographic keys that protect the encrypted data. This summit aims to provide clarity to the key management by showing how existing products and standards organizations address the problem of interoperability and security. KMS 2008 is co-located with the IEEE Mass Storage and Systems Technologies conference in Baltimore, Maryland on September 23 -24, 2008. See http://www.keymanagementsummit.com/2008/ for more details. -- Thanks! Matt Ball, IEEE P1619.x SISWG Chair M.V. Ball Technical Consulting, Inc. Phone: 303-469-2469 , Cell: 303-717-2717 http://www.mvballtech.com http://www.linkedin.com/in/matthewvball - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: RIM to give in to GAK in India
Arshad Noor [EMAIL PROTECTED] writes: Even if RIM does not have the device keys, in order to share encrypted data with applications on the RIM server, the device must share a session key with the server; must it not?. Isn't RIM (their software, actually) now in a position to decrypt content sent between Blackberry users? Or, does the Blackberry encryption protocol work like S/MIME? The enterprise solution does work something like S/MIME. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH [EMAIL PROTECTED]PGP key available - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Unpatented PAKE!
http://grouper.ieee.org/groups/1363/passwdPK/submissions/hao-ryan-2008.pdf At last. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: RIM to give in to GAK in India
On Thu, May 29, 2008 at 10:05:17AM -0400, Derek Atkins wrote: Arshad Noor [EMAIL PROTECTED] writes: Even if RIM does not have the device keys, in order to share encrypted data with applications on the RIM server, the device must share a session key with the server; must it not?. Isn't RIM (their software, actually) now in a position to decrypt content sent between Blackberry users? Or, does the Blackberry encryption protocol work like S/MIME? The enterprise solution does work something like S/MIME. The keys are symmetric 3DES, and encrypt message chunks (IIRC either 256 or 1K bytes) sent asynchronously to the enterprise messaging gateway. RIM does not have a secure session with the device. This is not like S/MIME except that as with S/MIME, this is not hop-by-hop encryption. -- Viktor. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Comcast DNS entries temporarily hijacked
Apparently some pranksters hijacked Comcast's DNS entries for a few hours: http://www.heise-online.co.uk/security/Comcast-domain-diverted-by-crackers--/news/110831 [Hat tip to Bill Squier for pointing the article out.] This is hardly the first time such a thing has happened. No great harm was done, but considerable harm could have been done. For example, one wonders what would happen if bank like Chase that foolishly trains their users to type passwords into non-https protected pages had their DNS hijacked for a while. (Indeed, given the fact that most users always ignore certificate warnings, even a pretty good bank that consistently used https would have serious trouble.) Perry -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Unpatented PAKE!
Ben Laurie [EMAIL PROTECTED] writes: http://grouper.ieee.org/groups/1363/passwdPK/submissions/hao-ryan-2008.pdf At last. See also: http://www.lightbluetouchpaper.org/2008/05/29/j-pake/ Looks quite interesting indeed. Perry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
