Re: Uncrackable beams of light

2003-09-11 Thread h1kari
At toorcon this year there will be a talk on quantum cryptography along  
with a demonstration of some experimental quantum crypto hardware on  
loan from a company in switzerland. Also, there's going to be a really  
good keynote talk by Bruce Schneier of Counterpane and quite a few  
others that look pretty promising (Robert X. Cringely, Cory Doctorow,  
Seth Hardy, etc..). Check out http://www.toorcon.org for more details  
;-).

-h1kari

On Tuesday, Sep 9, 2003, at 19:09 US/Pacific, R. A. Hettinga wrote:

http://www.economist.com/science/tq/ 
PrinterFriendly.cfm?Story_ID=2020013

The Economist





MONITOR

Uncrackable beams of light
Sep 4th 2003
From The Economist print edition


Quantum cryptographyhailed by theoreticians as the ultimate of  
uncrackable
codesis finally going commercial

IN THE 1992 film 14Sneakers12, the ostensible research topic of one  
of
the main characters was something called 14setec astronomy12. This  
was an
anagram of the words 14too many secrets12. The research was supposed  
to
be about developing a method for decoding all existing encryption  
codes.
Well, if that were ever the case, it certainly isn't any morethanks  
to a
start-up in Somerville, Massachusetts, called Magi Q.

Magi Qis in the final stages of testing a system for quantum  
cryptography,
which it plans to release commercially within the next few months.
Encryption engineers have long waxed lyrical about quantum  
cryptography,
but this is among the very first commercial implementations. The  
advantage
of quantum cryptography schemes is that the code they generate are  
simply
noteven in theorybreakable.

The scheme devised by Magi Q, called Navajo, does not use quantum  
effects
to transmit the secret data. Instead, it is the keys used to encrypt  
the
data that rely on quantum theory. If these keys are changed frequently  
(up
to 1,000 times a second in Navajo's case), the risk that an  
eavesdropper
without the key would be able to decrypt the data can be proved
mathematically to be zero. Of course, given the key, the task would  
become
a trivial one.

Navajo transmits the changing key sequence over a secure fibre-optic  
link
as a stream of polarised photons (indivisible particles of light).  
Because
the polarisation reflects the amount of electro-magnetic radiation  
allowed
to radiate at an angle to a light beam's direction, it can be  
considered to
be a measure of the angular dependence of the light.

Should an eavesdropper tap into the secure fibre-optic line, he would
disrupt this stream of polarised photons by the very act of observing
themand the tampering could be instantly detected. By changing the key
frequently, Navajo could turn an off-the-shelf encryption scheme such  
as
AES (Advanced Encryption System) into something that was essentially
uncrackable.

As in all good encryption schemes, Navajo employs an element of  
redundancy.
The sender has two random-number generators. The first is used to  
generate
a random stream of zeros and onespart of which will form the key. The
second random-number generator chooses which 14polarisation basis12  
the
sender will use to transmit a given bit of the key. The sender uses two
different polarisation bases, which are at right-angles to one another.
Only by measuring in the correct polarisation basis can a receiver see
which bit was sentotherwise the result is meaningless.

For each bit, the receiver arbitrarily chooses which polarisation  
basis to
use. The sender and receiver then talk over an open channel and find  
out
which bits they measured using the same basis. These bits (about half  
of
the total) then constitute the key. If someone has been eavesdropping,  
some
of these bits will have been disrupted. In that case the receiver will  
be
unable to decode the message, and will thus conclude that someone is
listening in.

This much is standard quantum cryptography. What is harder is building  
the
hardware that can do it quickly and cheaply enough to be commercially
viable. Magi Qis in a race with a Swiss company called ID Quantique to  
be
the first to do so, and currently appears to be in the lead.

Of course, if the quantum signal could be transmitted wirelessly, it  
would
liberate users from the cost and constraints of a fibre-optic line. Bob
Gelfond, Magi Q's founder and chief executive, is coy about the
possibility. He admits that his firm is working on the idea, but is not
saying anything at the moment.

For the time being, Navajo requires a dedicated fibre-optic link, which
only large corporations or governments are likely to have. And it  
currently
works only at distances of up to 50 kilometres. Any longer than that  
and
random interference degrades the stream of photons and makes them  
unusable.
But within these constraints, Navajo is fairly cheap. Magi Qplans to  
sell
it for $50,000 a set.

Given the glut of unused optical fibre buried beneath the streets of  
the
world, Magi Qis optimistic about Navajo's prospects. Andrew 

Re: Code breakers crack GSM cellphone encryption/GNU Radio

2003-09-11 Thread Barry Wels
Actually, patenting the method isn't nearly as silly as it sounds.
Produced in quantity, a device to break GSM using this attack is not going 
to cost much more than a cellphone (without subsidies). Patenting the 
attack prevents the production of the radio shack (tm) gsm scanner, so 
that it at least requires serious attackers, not idle retirees or jealous 
teenagers.

 Not if they can type GNURadio into Google.

Eric Blossom of GNU Radio visited Europe one month ago.
Some radio enthusiasts in the Netherlands where interested in the
GNU radio project. So I asked Eric if it was ok to make a video for them.

The resulting two video clips are online (in MPG / VCD quality).

GNU-radio_intro.mpg and
GNU-radio _Q_and_A.mpg

A zip containing these two video files can be found on :

http://diorella.boppelans.net/gnu-radio.zip (108 Mb)

Enjoy, and feel free to mirror / distribute them ...

With regards,

Barry Wels.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Rich Salz
 You propose to put a key into a physical device and give it
 to the public, and expect that they will never recover
 the key from it?  Seems unwise.

You think the public can crack FIPS devices?  This is mass-market, not
govt-level attackers.

Second, if the key's in hardware you *know* it's been stolen.  You don't
know that for software.
/r$
--
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes:

Second, if the key's in hardware you *know* it's been stolen.  You don't know
that for software.

Only for some definitions of stolen.  A key held in a smart card that does
absolutely everything the untrusted PC it's connected to tells it to is only
marginally more secure than a key held in software on said PC, even though you
can only steal one of the two without physical access.  To put it another way,
a lot of the time you don't need to actually steal a key to cause damage - it
doesn't matter whether a fraudulent withdrawal is signed on my PC with a
stolen key or on your PC with a smart card controlled by a trojan horse, all
that matters is that the transaction is signed somewhere.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Scott Guthery
There are roughly 1B GSM/3GPP/3GPP2 
SIMs in daily use and the number of 
keys extracted from them is diminishingly 
small.

-Original Message-
From: bear [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 3:43 AM
To: Sean Smith
Cc: [EMAIL PROTECTED]
Subject: Re: fyi: bear/enforcer open-source TCPA project 




On Wed, 10 Sep 2003, Sean Smith wrote:


 So this doesn't
 work unless you put a speed limit on CPU's, and that's ridiculous.

Go read about the 4758.  CPU speed won't help unless
you can crack 2048-bit RSA, or figure out a way around
the physical security, or find a flaw in the application.

You propose to put a key into a physical device and give it
to the public, and expect that they will never recover
the key from it?  Seems unwise.

Bear

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Damian Gerow
Thus spake Rich Salz ([EMAIL PROTECTED]) [11/09/03 08:51]:
  You propose to put a key into a physical device and give it
  to the public, and expect that they will never recover
  the key from it?  Seems unwise.
 
 You think the public can crack FIPS devices?  This is mass-market, not
 govt-level attackers.

And 'the public' doesn't include people like government level attackers?
People like cryptography experts?  People who like to play with things like
this?

'The public' only includes the sheeple, and nobody else?

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


is secure hardware worth it? (Was: Re: fyi: bear/enforcer open-source TCPA project)

2003-09-11 Thread Sean Smith

Just to clarify... 

I'm NOT saying that any particular piece of secure hardware can never be
broken.   Steve Weingart (the hw security guy for the 4758) used to insist that
there was no such thing as tamper-proof. On the HW level, all you can do is
talk about what defenses you tried, what attacks you anticipated, and what
tests you tried.

What I am saying is that using secure coprocessors---defined loosely, to
encompass this entire family of tokens---can be a useful tool.  Whether one
should use this tool in any given context depends on the context. Are there
better alternatives that don't require the assumption of physical security?
How much flexibility and efficiency do you sacrifice if you go with one of
these alternatives? How dedicated is the adversary?  What happens if a few
boxes get opened?  How much money do you want pay for a device?

Some cases in point: it's not too hard to find folks who've chosen
a fairly weak point on the physical security/cost tradeoff, but still
somehow manage to make a profit.  

Of course his all still leaves unaddressed the fun research questions of how to
build effective coprocessors, and how to design and build applications that
successfully exploit this security foundation.  (Which is some of what I've
been looking into the last few years.)


--Sean

-- 
Sean W. Smith, Ph.D. [EMAIL PROTECTED]   
http://www.cs.dartmouth.edu/~sws/   (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Rich Salz
And 'the public' doesn't include people like government level attackers?
People like cryptography experts?  People who like to play with things like
this?
No it doesn't.  *It's not in the threat model.*

	/r$

--
Rich Salz, Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


A precis of the new attacks against GSM encryption

2003-09-11 Thread R. A. Hettinga
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009856.html

[Full-Disclosure] A precis of the new attacks against GSM encryption (fwd) 
Lukasz Luzar [EMAIL PROTECTED] 
Thu, 11 Sep 2003 10:21:33 +0200 (CEST) 

Previous message: [Full-Disclosure] PTms03039.zip 
Next message: [Full-Disclosure] [SECURITY] [DSA 379-1] New sane-backends packages fix 
several vulnerabilities 
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] 
An interesting summary about recent attacks against GSM.

-- 
Lukasz Luzar http://Developers.of.PL/ Crede quod habes, et habes

[[ http://galeria.luzar.pl/ ]]

/* paran01a 1s a v1rtu3 */

-- Forwarded message --
Date: Thu, 11 Sep 2003 09:13:02 +1000
From: Greg Rose  [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Subject: A precis of the new attacks against GSM encryption

I wrote up a longer version of this for Qualcomm's internal use, but
thought this summary might be helpful to others.

regards,
Greg.

A precis of the new attacks on GSM encryption
=
Greg Rose, QUALCOMM Australia, 2003-09-10.

There's very little information in the various press releases about these
attacks, but at the same time probably too much information in the actual
paper. So I'm writing this to attempt a readable explanation of the attacks.

First, the paper itself: by Elad Barkan, Eli Biham and Nathan Keller of
Technion in Haifa, Israel, Instant Ciphertext-Only Cryptanalysis of GSM
Encrypted
Communications appeared at Crypto 2003 in Santa Barbara about three weeks
ago. It was another week or two before the press noticed it. The paper
finally became available on the Web yesterday (2003-09-09) at
 http://cryptome.org/gsm-crack-bbk.pdf  . Barkan is the principal author.


Background about GSM encryption
---

The GSM voice calls are encrypted using a family of algorithms collectively
called A5. A5/0 is no encryption. A5/1 is the standard encryption
algorithm, while A5/2 is the export (weakened) algorithm. A5/3 is a new
algorithm based on the UMTS/WCDMA algorithm Kasumi. While one of the
attacks below manages to walk around A5/3, there is no attack against it
directly.

GPRS encryption is done with a different family of algorithms: GEA0 (none),
GEA1 (export), GEA2 (normal strength) and GEA3 (new, and effectively the
same as A5/3). Note that the GEA1 and GEA2 algorithms do not have any
relationship to the A5/1 and A5/2 algorithms, and they are not publicly
known. There are no problems with any of these in the open literature.

All of these algorithms use a 64-bit key derived from a common mechanism:
the mobile receives a random challenge, then the SIM card (a smartcard used
to keep the subscriber's master key secret) calculates an authentication
signature and an encryption key. The key calculated does *not* depend on
what algorithm it is destined to be used with.

The encryption is done using a stream cipher, that is, the encryption
algorithm takes the secret key and a frame number, and generates a
pseudo-random stream of bits (keystream) that are XORed with the input to
encrypt it, or are XORed with the received bits to decrypt them. Thus, the
bits are effectively encrypted independently of one another.

The encryption is done *after* coding for error correction. The coding
introduces known linear relationships between the bits to be encrypted; so
even though the attacker might not know the values of particular input
bits, they know that certain groups of them XOR to 0. So, taking the same
groups of encrypted bits and XORing them reveals the corresponding XOR of
the keystream bits. This is the fundamental problem that allows the attacks
to work without any knowledge at all of what is being encrypted, which is
what they mean by ciphertext only. This is a very new result.


The attacks:


There are effectively three different attacks discussed in the paper.

The fundamental attack is against A5/2. By doing a one-time precomputation
and storing the results on a decent-sized disk, you can now intercept 4
frames of A5/2 encrypted voice, which yields enough known linear
relationships in the keystream to look up the key. The attack is almost
instantaneous, and requires only milliseconds of encrypted voice. This is a
passive attack, requiring only eavesdropping, and no-one can tell that it
has been done. Once the key has been recovered, it can be used to decrypt
the actual frames in both directions.

The second attack uses the fact that the first attack is so fast to
interfere with the GSM protocol. This is an active attack, meaning the
attacker has to be able to interfere with the communication. (More detail
about the active attacks below.) In practice, this means they would need
something pretending to be a base station, but such attacks have happened
in the past. Commercially available test equipment can do it, and really
it's not much more than two cellphones back-to-back. Basically, even though
the 

[Lucrative-L] ponderance of the day

2003-09-11 Thread R. A. Hettinga

--- begin forwarded text


Status:  U
From: Patrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Lucrative-L] ponderance of the day
Date: Thu, 11 Sep 2003 20:22:17 -0600
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]


Question: What kind of filter do you use in your Java pot?

Answer:   A Bloom filter.


Lucrative is in SourceForge, awaiting use by anyone clever enough to seize
it. In the meantime, I am putting a lot of effort into finding permanent
employment, so updates are coming quite slowly. Anyone who wants quicker
action on Lucrative--the source is out there.


Lucratively,

Patrick


The Lucrative Project: http://lucrative.thirdhost.com
..
To subscribe or unsubscribe from this discussion list,
write to [EMAIL PROTECTED]
with just the word unsubscribe in the message body
(or, of course, subscribe)

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]