Re: efficiency?? vs security with symmetric crypto? (Re: Tinc's response to Linux's answer to MS-PPTP)

2003-09-27 Thread Sandy Harris
Adam Back wrote:

What conceivable trade-offs could you have to make to get acceptable
performance out of symmetric crypto encrypted+authenticated tunnel?
All ciphers you should be using are like 50MB/sec on a 1Ghz machine!!
There's fairly detailed performance data for Linux FreeS/WAN IPsec
http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/performance.html
It's around 50 Mbit/second on a GHz machine with 3DES. You can
roughly double that with AES.
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Tinc's response to Linux's answer to MS-PPTP

2003-09-27 Thread Guus Sliepen
On Fri, Sep 26, 2003 at 06:26:16PM -0700, Joseph Ashwood wrote:

 I would have CC'd the author of the response page, but it fails to mention
 an author, in spite of the "Comments are welcome" statement at the
 beginning.

There is a Contact link left of it. You could've replied to me as
well.

  Truncated MAC
  tinc will continue to use only the first 32 bits by default.
 Simply put this is unacceptable from a security standpoint. The view taken
 is that the extra 128 bits represent a significant overhead in the
 communication. So I did the math, sending the extra 128 bits over a 52 kbps
 link would take 0.002 seconds, and over a T1 the time cost is an absolutely
 enormous 0.8 seconds.

It is not the delay that matters, it is the bandwidth that is reduced.
And by enlarging the packets, the chance that they will be fragmented is
greater, which is also bad for performance. Some people want less
overhead instead of more security, silly as that may sound to you.

 The other consideration is potentially the
 computation time argument, but SHA-1 is used regardless, so the computation
 time is identical. There is no justification in even a dialup environment
 for not using the full HMAC.

For those who can't even spare the computation time, tinc allows you to
disable HMAC completely.

  A message is sent which has the same length as the RSA key, and is
  completely filled . . . using real random data (OpenSSL's RAND_bytes()).
 
 I really wish people would actually read documentation *before* making
 stupid claims like this, in fact to quote the OpenSSL docs: "These functions
 implement a cryptographically secure pseudo-random number generator (PRNG)."
 Any claim that OpenSSL implements a real random number generator is
 completely false.

Ok, I guess you can read that sentence in that way. But what you cut out
was:

"with the output of a PRNG which is seeded"

And I meant that PRNG which is seeded using ... with RAND_bytes(). And
by seeding it with real random data I mean seeding using /dev/random.

[...]
 What you're missing is that the connection initiator sets all the keys and can
 determine all the keys (assuming the uncontested simplified message flow is
 correct). Mallet can very easily perform a complete man-in-the-middle attack

Your assumption that the connection initiator sets all the keys in tinc
is wrong.

[...]
  planned for tinc 2.0.
 
 My guess is that you will once again use it in an insecure method, use
 either signed ephemeral keys, or introduce randomness from both sides,
 otherwise you will have the same problems from slightly different angles.

Finally, some constructive arguments. We are indeed considering the
things you mention. We might even switch to TLS for the TCP connections.

[...]
- Don't act as an oracle for an attacker.
  Apart from possibly being susceptible to a timing attack, we don't believe,
  and Peter Gutmann has not convinced us, that tinc can be used as any other
  kind of oracle.
 You provide all the chosen ciphertext information Mallet could want. You act
 as an oracle.

You can only provide so much ciphertext as an attacker before the
connection is closed. I do not see how this is different from, say,
SSL. What information can be obtained from our alleged oracle (apart
from being a timing oracle)?

  Furthermore, SSL and SSH are
  reliable stream based protocols, unsuitable for VPNs
 
 Someone doesn't pay much attention to what they write. Both SSL and SSH
 _ARE_ VPN protocols; that you don't recognise them as such reflects a great
 deal of lack of knowledge in the area of security.
 
  [VPNs] work best with unreliable datagrams
 U, do you realize how dumb that sounds?

I'm afraid we have totally different views of a VPN here. Anyway,
tunneling traffic over SSH or an SSL connection would give us the awful
performance of TCP-over-TCP, which we want to avoid.

  Apart from that, there is no reason why people shouldn't create new
  protocols, which might in time become just as strong or even stronger. Even
  great names as Ron Rivest didn't get it right the first time.
 
 Yeah but the great names admit they are wrong, and fix things. You have
 instead taken every possible moment to insist that tinc is good, something
 that even the barest educated layperson can see is simply and completely
 false.

When our response says "Will be fixed in 2.0" multiple times, does that
sound like we don't think Peter Gutmann has valid points and that we won't
fix things?

 I think here Gutmann went a bit overboard in his recommendation, but
 regardless the idea that someone should replace SSH/SSL with something
 designed by an amateur without the knowledge necessary to make it correct is
 a bad idea. In fact I have several years of experience and I have a
 potential replacement protocol that I think may in some cases be better than
 SSL/SSH, even with my experience I have held off publishing it for about 4
 years now while I verify that it will in fact stand up to attack. How long
 was it 

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Victor . Duchovni
On Fri, 26 Sep 2003, Bill Frantz wrote:

 The real problem is that the viewer software, whether it is an editor, PDF
 viewer, or a computer language interpreter, runs with ALL the user's
 privileges.  If we ran these programs with a minimum of privilege, most of
 the problems would just go away.


And what privileges should the Perl interpreter run with when I click on a
.pl file? How would the graphical shell know what privileges to assign
to each file?

Also, security is not closed under composition: two individually secure
components can combine to produce an insecure system. I think that no
such secure *non-trivial* least privilege system exists for a
graphical general purpose computer either in theory, or in practice.

On the other hand a *trivial* privilege system: View (zero privs) vs.
Run (full privs) is viable, and is one of the pre-requisites for a more
secure UI, along with the previously discussed trusted path issues,
non-spoofing of the security interface, ...

-- 
Victor Duchovni
IT Security,
Morgan Stanley



Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Jeroen C . van Gelderen
On Saturday, Sep 27, 2003, at 11:12 US/Eastern, 
[EMAIL PROTECTED] wrote:

 On Fri, 26 Sep 2003, Bill Frantz wrote:

  The real problem is that the viewer software, whether it is an editor, PDF
  viewer, or a computer language interpreter, runs with ALL the user's
  privileges.  If we ran these programs with a minimum of privilege, most of
  the problems would just go away.

 And what privileges should the Perl interpreter run with when I click on a
 .pl file? How would the graphical shell know what privileges to assign
 to each file?

Could it not ask the user? My Apple regularly asks for decisions of
this sort, and remembers the results. So do (popular firewall) products
on the PC. Now, most of these questions are too technical in nature but
the point remains that asking a question and remembering the answer is
possible.

I continue to believe that few users would grant an email message
access to both the Internet and the Address Book when they are asked
those two questions, provided that the user had not been conditioned to
clicking YES in order to get any work done at all.

There is no way around asking the user because he is the ultimate
authority when it comes to making trust decisions. (Side-stepping the
issues in a (corporate) environment where the owner of the machine is
entitled to restrict its users in any way he sees fit. The point is
that the software agent cannot make trust decisions.)

 Also, security is not closed under composition: two individually secure
 components can combine to produce an insecure system. I think that no
 such secure *non-trivial* least privilege system exists for a
 graphical general purpose computer either in theory, or in practice.

Are you familiar with the KeyKOS and EROS operating systems and/or
Stiegler's CapDesk, a secure desktop in Java? They are all based on the
Principle Of Least Privilege (through capabilities) and they manage to
preserve security in the face of composition. Do you consider those
systems to be trivial, or broken? What is the reason these systems
cannot exist in theory or practice?

http://www.combex.com/tech/edesk.html

http://www.erights.org/talks/skynet/index.html
http://www.cis.upenn.edu/~KeyKOS/
http://www.eros-os.org/

 On the other hand a *trivial* privilege system: View (zero privs) vs.
 Run (full privs) is viable, and is one of the pre-requisites for a
 more secure UI, along with the previously discussed trusted path issues,
 non-spoofing of the security interface, ...

-J



Re: Tinc's response to Linux's answer to MS-PPTP

2003-09-27 Thread M Taylor
On Fri, Sep 26, 2003 at 06:26:16PM -0700, Joseph Ashwood wrote:
 
  Truncated MAC
  tinc will continue to use only the first 32 bits by default.
 Simply put this is unacceptable from a security standpoint. The view taken
 is that the extra 128 bits represent a significant overhead in the
 communication. So I did the math, sending the extra 128 bits over a 52 kbps

It appears Guus Sliepen (and/or Ivo Timmermans) are worried about the
tinc protocol overhead per packet. This reduces the size of the data
payload per packet, which could impact performance due to IP
fragmentation. Because the IP packet length is often restricted by the
Ethernet frame size (1500 bytes), it is more efficient to design
the protocol so each UDP datagram is a full IP packet (1500 bytes Ethernet
frame minus the 20 bytes for the IP header and 8 bytes for the UDP header) with a
payload of 1472 bytes.

Perhaps a HMAC per chunk, rather than per the payload of a single UDP
datagram. I suspect per every 5 UDP datagrams, roughly ~7000 bytes of 
payload may work. This will increase latency.

  Authentication protocol

This should be redone from scratch. I would look at either using
Diffie-Hellman key exchange combined with digital signatures or the updated
Needham-Schroeder public key protocol. Exchange two symmetric keys,
one used for bulk data encryption, the other used for the HMAC
authentication.


  [VPNs] work best with unreliable datagrams
 U, do you realize how dumb that sounds?

I expect this is a reference to "Why TCP Over TCP Is A Bad Idea":
http://sites.inka.de/~bigred/devel/tcp-tcp.html

  Both SSL and SSH have had their security
  problems . . , as perfect as Peter Gutmann would let us believe.
 They may not be perfect but in neither case can Mallet do as much damage as
 easily, even the recent break in OpenSSH did not allow a compromise as big
 as even the smallest of the problems briefly explored in tinc.

Oh, and they fixed their flaws. SSHv1 is not recommended for use at all,
and most systems use SSHv2 now which is based upon a draft IETF standard. 
SSL went through SSLv1, SSLv2, SSLv3, TLSv1.0, and TLSv1.1 is a draft IETF
standard.

If Guus Sliepen and Ivo Timmermans are willing to seriously rethink their
high tolerance for unnecessary weakness, I think tinc 2.0 could end up being
a secure piece of software. I hope Guus and Ivo circulate their version 2.0
protocol before they do any coding, so that any remaining flaws can be easily
fixed in the paper design without changing a single line of code, saving time
and effort.
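The bandwidth-versus-fragmentation trade-off that Guus Sliepen argues for above, and that M Taylor quantifies with the 1500 - 20 - 8 = 1472 arithmetic, worked through as an added example (not code from any poster or from tinc). The MTU and header sizes are the ones quoted in the thread; the IV-plus-padded-ciphertext framing, the default block and IV sizes, and all function names are assumptions of this model, not tinc's actual packet format.

```python
# Added example (not code from any poster or from tinc): a model of the
# per-datagram cost of a truncated vs. a full HMAC-SHA1 tag on a UDP-based
# VPN, and of when a tunnelled packet stops fitting one Ethernet frame.
# MTU and header sizes are the ones quoted in the thread; the framing
# (explicit IV + block-padded ciphertext + tag) and all function names are
# assumptions of this model, not tinc's real packet format.
import hashlib
import hmac

ETHERNET_MTU = 1500
IP_HEADER = 20
UDP_HEADER = 8
# Largest UDP payload that still fits one frame: 1500 - 20 - 8 = 1472
MAX_UDP_PAYLOAD = ETHERNET_MTU - IP_HEADER - UDP_HEADER
FULL_TAG = hashlib.sha1().digest_size   # 20 bytes = 160 bits
TINC_DEFAULT_TAG = 4                    # 32 bits, as discussed in the thread


def make_tag(key: bytes, msg: bytes, tag_len: int) -> bytes:
    """HMAC-SHA1 over msg, keeping only the first tag_len bytes."""
    if not 1 <= tag_len <= FULL_TAG:
        raise ValueError("tag_len must be between 1 and 20 bytes")
    return hmac.new(key, msg, hashlib.sha1).digest()[:tag_len]


def verify_tag(key: bytes, msg: bytes, received: bytes, tag_len: int) -> bool:
    """Recompute and compare in constant time, so the check itself does not
    leak how many leading bytes matched (the timing oracle Guus mentions)."""
    if len(received) != tag_len:
        return False
    return hmac.compare_digest(make_tag(key, msg, tag_len), received)


def forgery_probability(tag_len: int) -> float:
    """Chance that one random guess passes verify_tag(): 2^-(8*tag_len).
    A 32-bit tag accepts a blind guess with probability 2^-32, a 160-bit
    tag with probability 2^-160."""
    return 2.0 ** (-8 * tag_len)


def datagram_size(inner_len: int, tag_len: int, block: int = 8, iv: int = 8) -> int:
    """UDP payload bytes needed to tunnel an inner packet of inner_len bytes.
    Assumes a CBC-style cipher with `block`-byte blocks, an explicit IV, and
    PKCS-style padding (always at least one pad byte)."""
    padded = (inner_len // block + 1) * block
    return iv + padded + tag_len


def fragments(inner_len: int, tag_len: int, **framing) -> bool:
    """True if the tunnelled datagram exceeds one Ethernet frame and the IP
    layer would have to fragment it (the cost Guus Sliepen is worried about)."""
    return datagram_size(inner_len, tag_len, **framing) > MAX_UDP_PAYLOAD


def largest_unfragmented_inner(tag_len: int, **framing) -> int:
    """Largest inner packet that still fits one frame with this tag length."""
    n = MAX_UDP_PAYLOAD
    while fragments(n, tag_len, **framing):
        n -= 1
    return n


def overhead_percent(inner_len: int, tag_len: int, **framing) -> float:
    """Tunnel overhead relative to the inner packet, in percent."""
    size = datagram_size(inner_len, tag_len, **framing)
    return 100.0 * (size - inner_len) / inner_len


if __name__ == "__main__":
    for tag_len in (TINC_DEFAULT_TAG, FULL_TAG):
        print(f"tag {8 * tag_len:3d} bits: largest unfragmented inner packet "
              f"{largest_unfragmented_inner(tag_len)} bytes, overhead on a "
              f"64-byte packet {overhead_percent(64, tag_len):.1f}%, blind "
              f"forgery probability {forgery_probability(tag_len):.3g}")
```

The full tag costs exactly the 16 bytes (128 bits) Ashwood computed, which in this model moves the fragmentation threshold from a 1455-byte to a 1439-byte inner packet and matters most, proportionally, on small packets; the truncated tag buys that back at the price of a 2^-32 blind-forgery probability per datagram.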




Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Victor . Duchovni
On Sat, 27 Sep 2003, Jeroen C. van Gelderen wrote:

 I continue to believe that few users would grant an email message
 access to both the Internet and the Address Book when they are asked
 those two questions, provided that the user had not been conditioned to
 clicking YES in order to get any work done at all.


You have not met my users! This is really rather naive. Users don't
understand popup dialogues; they raise their stress level, and always clicking
yes makes the problem go away.

 There is no way around asking the user because he is the ultimate
 authority when it comes to making trust decisions. (Side-stepping the
 issues in a (corporate) environment where the owner of the machine is
 entitled to restrict its users in any way he sees fit. The point is
 that the software agent cannot make trust decisions.)


See above.

  Also, security is not closed under composition: two individually secure
  components can combine to produce an insecure system. I think that no
  such secure *non-trivial* least privilege system exists for a
  graphical general purpose computer either in theory, or in practice.

 Are you familiar with the KeyKOS and EROS operating systems and/or
 Stiegler's CapDesk, a secure desktop in Java? They are all based on the
 Principle Of Least Privilege (through capabilities) and they manage to
 preserve security in the face of composition. Do you consider those
 systems to be trivial, or broken? What is the reason these systems
 cannot exist in theory or practice?


What fraction of real users will be able to use these systems? Will
users really understand the composition properties of security policies?

-- 
Victor Duchovni
IT Security,
Morgan Stanley



Geer: It was a surprise.

2003-09-27 Thread R. A. Hettinga
http://business.bostonherald.com/businessNews/business.bg?articleid=363format=text

Boston Herald



Critique of Microsoft eyed in firing: Ex-tech officer claims report cost his job
By Jay Fitzgerald
Saturday, September 27, 2003

The ex-chief technology officer for AtStake Inc. in Cambridge said
yesterday he was forced out after co-authoring a critical report about
Microsoft Corp. - an AtStake client - and is weighing his legal options.

Dan Geer's study, made public Wednesday, warned Microsoft's dominance
of desktop computer operating systems poses a national security threat.
Microsoft opponents said what happened to Geer shows the giant software
company was once again throwing its weight around against critics.

Sean Sundwall, a Microsoft spokesman, said the Redmond, Wash., company
had nothing to do with Geer's departure. But he said AtStake ``contacted us
late Tuesday night expressing their disappointment in the report and saying
that Dan Geer's opinion did not reflect the position of (the company).''

Lona Therrien, the AtStake spokeswoman, said she didn't ``know
anything about'' AtStake contacting Microsoft on Tuesday.

Geer said he was told Wednesday he no longer had a job at the
company. ``I was forced out,'' he said. ``It was a surprise.''

``I expected to have a long and never-ending career at the company,''
Geer said.

The exact reasons - and timing - of Geer's departure from AtStake were
the source of intense controversy yesterday. The report from Geer and six
other computer-security experts argued the complexity and dominance of
Microsoft's Windows operating system in federal agencies made the
government prone to cyber attack - a national security threat.

Though the authors said they weren't paid by anyone to produce the
report, it was distributed by the Computer and Communications Industry
Association, a harsh critic of Microsoft backed by rivals of the software
giant.

On Thursday, AtStake issued a brief statement saying Geer's views did
not reflect those of the company and that Geer had left its employ Tuesday
- a day before the report was released.

A spokeswoman for AtStake, a three-year-old computer security firm,
said she would not comment on ``personnel matters.''

Describing himself as a founding AtStake employee, Geer said he is in
contact with a lawyer and is ``disappointed'' with the way he lost his job.

Geer also blasted academic researchers whom he said fear Microsoft and
won't criticize it publicly.

He said academics often fear losing Microsoft research money.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



@stake Uproots Geer's Career After Anti-Microsoft Report

2003-09-27 Thread R. A. Hettinga
http://www.ecommercetimes.com/perl/story/31693.html


September 27, 2003

@stake Uproots Geer's Career After Anti-Microsoft Report
By Robyn Weisman
E-Commerce Times
September 26, 2003

The chief technology officer of @stake, an IT security company with close
ties to Microsoft, was reportedly sacked by his company just after he
released a report critical of the Redmond, Washington-based software vendor.

Daniel Geer, also one of the founders of the company, is principal author
of the paper "Cyberinsecurity: The Cost of Monopoly," which was first made
public at the Computers & Communications Industry Association's 30th annual
Washington Caucus on Wednesday.
The report asserted that Microsoft's monopoly of most of the world's
computer operating systems creates a monoculture that leaves IT
infrastructures critically vulnerable to attack. Therefore, it warned,
antitrust is a security issue as well as an economic one.

"Microsoft's attempts to tightly integrate myriad applications with its
operating system have significantly contributed to excessive complexity and
vulnerability," Geer said. "The deterioration of security compounds when
nearly all computers rely on a single operating system subject to the same
vulnerabilities the world over."

He added, "Ironically, Microsoft's efforts to deny interoperability of
Windows with legitimate non-Microsoft applications have created an
environment in which Microsoft programs interoperate efficiently only with
Internet viruses."

Nothing Much from @stake

On Thursday, the day after the paper's release, @stake issued a brief
statement noting that, as of last Tuesday, Geer no longer is associated
with the company.

"Although Dr. Geer announced that his CCIA-sponsored report was an
independent research study, participation in and release of the report was
not sanctioned by @stake, [and] the values and opinions of the report are
not in line with @stake's views," the company said. "Any use of his title
or current affiliation with @stake should be corrected."

Will Rodger, director of public policy at the CCIA, told the E-Commerce
Times that although he does not know what happened beyond what news
publishers have reported, @stake's action "bears all the hallmarks of
revenge and makes us all wonder."

Shooting the Messenger?

As Rodger put it: "Here is the founder of one of the most prominent
security companies in the field, [who] is one of the most prominent
security specialists in the field, issuing a report that has been the
consensus for some time that the main threat [to IT infrastructures] is
monoculture."

"Nothing Geer said was particularly radical," Rodger added. "But what is
news is that for the first time a group of really renowned researchers have
gotten together to write a paper about dangers of monoculture [that tells]
policy makers that they have got to do something about it."

Crock of Garbage

Jim Hurley, vice president of security and privacy at Aberdeen Group, told
the E-Commerce Times that the theory behind Geer's paper puts forth a
biological model that says a monoculture is more susceptible to infectious
disease and mutations that can threaten the species as a whole.

However, Hurley said he does not accept this analogy.

"This model is a crock of garbage for the simpletons in the world who don't
want to deal with underlying technological problems," he said. "It will
only serve to cause further confusion."

Watch the Access Policies

Instead, Hurley said, discretionary access control policies -- which
determine how security policy and security itself is implemented in
everything from operating systems to routers and switches -- are at the
root of the design flaws that make systems vulnerable to attack. According
to him, the fundamental security design in all of these products led to
problems in maintaining security.

However, Hurley did note that although he knows only what is contained in
published reports of Geer's firing, one can infer that @stake is telling
people it can be bought -- which does not cast the company in a good light.

"Based on reports to date without substantive comments from @stake about
Geer leaving, it doesn't sound right," Hurley said.



Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Will Rodger
The report, written by many a crypto list member, is at:

http://www.ccianet.org/papers/cyberinsecurity.pdf

Will Rodger



Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Jeroen C . van Gelderen
On Saturday, Sep 27, 2003, at 15:48 US/Eastern, 
[EMAIL PROTECTED] wrote:

 On Sat, 27 Sep 2003, Jeroen C. van Gelderen wrote:

  I continue to believe that few users would grant an email message
  access to both the Internet and the Address Book when they are asked
  those two questions, provided that the user had not been conditioned to
  clicking YES in order to get any work done at all.

 You have not met my users!

Indeed, but I'm here to learn :)

 This is really rather naive. Users don't
 understand popup dialogues; they raise their stress level, and always clicking
 yes makes the problem go away.

True. But don't you think that this may be in part because the popup
dialogues are shown way too often in the course of normal use? And
because they ask questions that cannot be understood by Real Users? Is
it naive to assume that Real Users are intelligent but that an
ill-designed security architecture has *conditioned* them to always
click YES, as you say because that is the only way for them to get any
work done at all?

I have to imagine starting with a clean slate, with unconditioned users.

Now imagine that Alice, a Real User, can usually do a full day's
worth of work (Excel, Word, Browsing, Email) without seeing a security
popup asking some weird question. Imagine this is the status quo. In
this scenario, a security popup is cause for concern. After all, normal
use doesn't result in popups so this is a clear indication that
something is wrong. Why would she click YES?

Now additionally imagine that security popups ask Alice an intelligible
question. Not "FooBar is trying TCP to port 1223, that okay with you?"
but rather something like "This website wants access to ALL YOUR
PERSONAL FILES, that okay with you?" Or: "This email wants to access
the Internet and your Address Book, that okay with you?"

Because I'm an optimist I believe that Alice will read the dialog and
err on the side of caution. Maybe that isn't realistic. So we teach
Alice to always click NO. We can do so because unlike today, Alice's
NO will not interfere with her ability to get work done.

   Also, security is not closed under composition: two individually secure
   components can combine to produce an insecure system. I think that no
   such secure *non-trivial* least privilege system exists for a
   graphical general purpose computer either in theory, or in practice.

  Are you familiar with the KeyKOS and EROS operating systems and/or
  Stiegler's CapDesk, a secure desktop in Java? They are all based on the
  Principle Of Least Privilege (through capabilities) and they manage to
  preserve security in the face of composition. Do you consider those
  systems to be trivial, or broken? What is the reason these systems
  cannot exist in theory or practice?

 What fraction of real users will be able to use these systems? Will
 users really understand the composition properties of security
 policies?

I agree that such composition must be intuitive or we cannot expect it
to work. I think that CapDesk is a nice publicly available prototype of
a workable capability desktop. It would be very interesting to see your
assessment on whether a CapDesk approach would be workable for your
users. And if it isn't, why not. I hope you can lend your experience.

Cheers,
-J