Re: The PKC-only application security model ...

2008-07-23 Thread Thierry Moreau 



Anne & Lynn Wheeler wrote about various flavors of certificateless 
public key operation in various standards, notably in the financial 
industry.


Thanks for reporting those.

No doubt that certificateless public key operation is neither new nor 
absence from today's scene.


The document I published on my web site today is focused on fielding 
certificateless public operations with the TLS protocol which does not 
support client public keys without certificates - hence the meaningless 
security certificate. Nothing fancy in this technique, just a small 
contribution with the hope to facilitate the use of client-side PKC.


- Thierry Moreau

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: The PKC-only application security model ...

2008-07-23 Thread Anne & Lynn Wheeler 

Thierry Moreau wrote:
A)The big picture refers to the "PKC-only application security 
scheme", in which client-server applications may be secured with 
client-side public key pairs, but *no trusted certification authority* 
is involved (server operators are expected to maintain a trusted 
database of their clients' public keys).
original PK-init (public key) draft for Kerberos was (only) 
certificateless public key operation ...
i.e. kerberos server operators maintaining trusted database of their 
clients' public keys (in
lieu of passwords) ... PKI/certificate mode of operation was eventually 
added to the specification.

lots of past posts about  certificateless public key kerberos
http://www.garlic.com/~lynn/subpubkey.html#kerberos

similar implementation was done for RADIUS
http://www.garlic.com/~lynn/subpubkey.html#radius

general posts about certificateless (sometimes "naked") public key
http://www.garlic.com/~lynn/subpubkey.html#certless

X9.59 is financial transaction standard also using certificateless 
public key operation

http://www.garlic.com/~lynn/x959.html#x959

part of the issue was that in the mid-90s, the x9a10 financial standard 
working group
had been given the requirement to preserve the integrity of the 
financial infrastructure
for all retail payments. One of the issues for x9.59 was that it had to 
be lightweight enough
to operate in existing infrastructures. Some of the certificate-oriented 
payment transaction
standards from the period resulted in factor of 100 times (two orders of 
magnitude) payload
(i.e. certificate payload overhead could be 100 times larger than basic 
payment transaction)
and processing (i.e. certificate processing overhead could be 100 times 
larger than basic

payment transaction) bloat
http://www.garlic.com/~lynn/subpubkey.html#bloat

general discussions of the "account authority public key" model (as 
contrast to

"certification authority public key" model)
http://www.garlic.com/~lynn/x959.html#aads

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

The PKC-only application security model ...

2008-07-23 Thread Thierry Moreau 

Dear all:

This is a two-fold announcement, big picture and specific document 
announcement. The whole thing is "for your information" as security experts.


A)	The big picture refers to the "PKC-only application security scheme", 
in which client-server applications may be secured with client-side 
public key pairs, but *no trusted certification authority* is involved 
(server operators are expected to maintain a trusted database of their 
clients' public keys).


B)	The specific document announcement refers to what is required to 
field the PKC-only application security scheme: explicit meaningless 
security certificates. The reference is "Explicit Meaningless X.509 
Security Certificates as a Specifications-Based Interoperability 
Mechanism", http://www.connotech.com/pkc-only-meaningless-certs.pdf


This post leaves it to your imagination and creativity about how a 
PKC-only security scheme may work in practical details, i.e. how the 
third party trust management may be replaced by first party trust 
management (first party = server operator as the relying party for 
client public keys). I have been doing some work in this area, but I 
have no results to report in a properly written document. Anyway, the 
PKC-only security scheme does not imply significant standardization for 
interoperability among independent service operators.


The document is open for discussion. It covers the minimal provisions 
for PKC-only deployment in the installed base of browsers supporting the 
TLS protocol.


Sometimes in the future, a very reduced version might be prepared as an 
Internet draft intended to the RFC editor publication route (RFC3932) 
with the experimental status (this is different from the individual RFC 
submission route in which the IESG is involved in the document 
publication process but no IETF working group is assigned an editorial 
role).


Good reading.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: how to check if your ISP's DNS servers are safe

2008-07-23 Thread John Denker 
On 07/23/2008 12:44 AM, Steven M. Bellovin wrote:
>> Niels Provos has a web page up with some javascript that automatically
>> checks if your DNS caching server has been properly patched or not.
>>
>> http://www.provos.org/index.php?/pages/dnstest.html
>>
>> It is worth telling people to try.
>>
> Those who prefer command lines can try 
> 
>   dig +short porttest.dns-oarc.net TXT

Thanks, that's helpful.

Note that the command-line version accepts the "@server" option,
which is useful if you have to deal with a mess of primaries, 
secondaries, forwarders, et cetera:

   dig @NS1 +short porttest.dns-oarc.net TXT
   dig @NS2 +short porttest.dns-oarc.net TXT
   dig @NS3 +short porttest.dns-oarc.net TXT

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: how to check if your ISP's DNS servers are safe

2008-07-23 Thread Steven M. Bellovin 
On Tue, 22 Jul 2008 10:21:14 -0400
"Perry E. Metzger" <[EMAIL PROTECTED]> wrote:

> 
> Niels Provos has a web page up with some javascript that automatically
> checks if your DNS caching server has been properly patched or not.
> 
> http://www.provos.org/index.php?/pages/dnstest.html
> 
> It is worth telling people to try.
> 
Those who prefer command lines can try 

dig +short porttest.dns-oarc.net TXT



--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Looking through a modulo operation

2008-07-23 Thread lists 

"Matt Ball"  wrote

> Here is a C implementation of __random32:
> 
> typedef unsigned long u32;
> struct rnd_state { u32 s1, s2, s3; };
> static u32 __random32(struct rnd_state *state)
> {
> #define TAUSWORTHE(s,a,b,c,d) ((s&c)<>b)
> 
> state->s1 = TAUSWORTHE(state->s1, 13, 19, 4294967294UL, 12);
> state->s2 = TAUSWORTHE(state->s2,  2, 25, 4294967288UL, 4);
> state->s3 = TAUSWORTHE(state->s3,  3, 11, 4294967280UL, 17);
> 
> return (state->s1 ^ state->s2 ^ state->s3);
> }

I see TAUSWORTHE (briefly tested with the above constants) isn't a
permutation of the 32-bit input state and is going to get very dull
when s is 0.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]