Re: Reliance on Microsoft called risk to U.S. security

2003-10-01 Thread Peter Gutmann
Bill Frantz [EMAIL PROTECTED] writes: The real problem is that the viewer software, whether it is an editor, PDF viewer, or a computer language interpreter, runs with ALL the user's privileges. If we ran these programs with a minimum of privilege, most of the problems would just go away. This

Re: Monoculture

2003-10-01 Thread Don Davis
EKR writes: I'm trying to figure out why you want to invent a new authentication protocol rather than just going back to the literature ... there's another rationale my clients often give for wanting a new security system, instead of the off- the-shelf standbys: IPSec, SSL, Kerberos, and the

Re: Monoculture

2003-10-01 Thread Eric Rescorla
Don Davis [EMAIL PROTECTED] writes: EKR writes: I'm trying to figure out why you want to invent a new authentication protocol rather than just going back to the literature ... there's another rationale my clients often give for wanting a new security system, instead of the off-

RE: Monoculture

2003-10-01 Thread Jill Ramonsky
I could do an implementation of SSL. Speaking as a programmer with an interest in crypto, I'm fairly sure I could produce a cleanly implemented and simple-to-use version. I confess I didn't realise there was a need. You see, it's not that it doesn't seem to excite [me] - it's just that, well,

Re: Monoculture

2003-10-01 Thread Bill Sommerfeld
Who on this list just wrote a report on the dangers of Monoculture? An implementation monoculture is more dangerous than a protocol monoculture.. Most exploitable security problems arise from implementation errors, rather than from inherent flaws in the protocol being implemented. And broad

Re: Monoculture

2003-10-01 Thread John Saylor
hi ( 03.09.30 20:39 -0700 ) [EMAIL PROTECTED]: And, given the recent set of widely publicized flaws in openssl and openssh, I think that concern about monoculture in cryptography software is pretty damn well founded. except for the fact that these holes get fixed as opposed to the other flaws

Re: Monoculture

2003-10-01 Thread John S. Denker
On 10/01/2003 11:22 AM, Don Davis wrote: there's another rationale my clients often give for wanting a new security system, instead of the off- the-shelf standbys: IPSec, SSL, Kerberos, and the XML security specs are seen as too heavyweight for some applications. the developer doesn't want

Re: New authentication protocol, was Re: Tinc's response to Linux's answer to MS-PPTP

2003-10-01 Thread Derek Atkins
Guus Sliepen [EMAIL PROTECTED] writes: Compared with the entire TLS protocol it is much simpler, compared with just the handshake protocol it is about as simple and probably just as efficient, but as I said earlier, I want to get rid of the client/server distinction. You can't get rid of the

Re: Monoculture

2003-10-01 Thread Ian Grigg
Matt Blaze wrote: I imagine the Plumbers Electricians Union must have used similar arguments to enclose the business to themselves, and keep out unlicensed newcomers. No longer acceptable indeed. Too much competition boys? Rich, Oh come on. Are you willfully misinterpreting what I

Re: Monoculture

2003-10-01 Thread Dave Howe
Jill Ramonsky wrote: Is it possible for Bob to instruct his browser to (a) refuse to trust anything signed by Eve, and (b) to trust Alice's certificate (which she handed to him personally)? (And if so, how?) I am very much hoping that you can answer both (a) and (b) with a yes, ok then yes :)

Re: Monoculture

2003-10-01 Thread Barney Wolff
On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote: But I would like to ask you to clarify something about SSL which has been bugging me. Allow me to present a scenario. Suppose: (1) Alice runs a web server. (2) Bob has a web client. (3) Alice and Bob know each other personally,

Re: Monoculture

2003-10-01 Thread Ian Grigg
Don Davis wrote: EKR writes: I'm trying to figure out why you want to invent a new authentication protocol rather than just going back to the literature ... note that customers aren't usually dissatisfied with the crypto protocols per se; they just want the protocol's implementation to

Re: Monoculture

2003-10-01 Thread Don Davis
eric wrote: The way I see it, there are basically four options: (1) Use OpenSSL (or whatever) as-is. (2) Strip down your toolkit but keep using SSL. (3) Write your own toolkit that implements a stripped down subset of SSL (e.g. self-signed certs or anonymous DH). (4) Design your own

Re: Monoculture

2003-10-01 Thread Eric Murray
On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote: I could do an implementation of SSL. Speaking as a programmer with an interest in crypto, I'm fairly sure I could produce a cleanly implemented and simple-to-use version. Yep. It's a bit of work, and more work to ensure that

Re: Monoculture

2003-10-01 Thread Perry E. Metzger
Ian Grigg [EMAIL PROTECTED] writes: This is where maybe the guild and the outside world part ways. The guild would like the application builder to learn the field. They would like him to read up on all the literature, the analysies. To emulate the successes and avoid the pitfalls of

Re: Monoculture

2003-10-01 Thread Ian Grigg
Perry E. Metzger wrote: ... Dumb cryptography kills people. What's your threat model? Or, that's your threat model? Applying the above threat model as written up in The Codebreakers to, for example, SSL and its original credit card nreeds would seem to be a mismatch. On the face of it,

Re: Monoculture

2003-10-01 Thread Guus Sliepen
On Wed, Oct 01, 2003 at 02:34:23PM -0400, Ian Grigg wrote: Don Davis wrote: note that customers aren't usually dissatisfied with the crypto protocols per se; they just want the protocol's implementation to meet their needs exactly, without extra baggage of flexibility, configuration

Re: Monoculture

2003-10-01 Thread Perry E. Metzger
Ian Grigg [EMAIL PROTECTED] writes: Perry E. Metzger wrote: ... Dumb cryptography kills people. What's your threat model? Or, that's your threat model? Applying the above threat model as written up in The Codebreakers to, for example, SSL and its original credit card nreeds would

Re: Monoculture

2003-10-01 Thread M Taylor
On Wed, Oct 01, 2003 at 02:24:00PM -0400, Ian Grigg wrote: Matt Blaze wrote: I imagine the Plumbers Electricians Union must have used similar arguments to enclose the business to themselves, and keep out unlicensed newcomers. No longer acceptable indeed. Too much competition boys?

Re: Reliance on Microsoft called risk to U.S. security

2003-10-01 Thread bear
On Wed, 1 Oct 2003, Peter Gutmann wrote: This doens't really work. Consider the simple case where you run Outlook with 'nobody' privs rather than the current user privs. You need to be able to send and receive mail, so a worm that mails itself to others won't be slowed down much. In addition

Re: Monoculture

2003-10-01 Thread Perry E. Metzger
Guus Sliepen [EMAIL PROTECTED] writes: You clearly formulated what we are doing! We want to keep our crypto as simple and to the point as necessary for tinc. We also want to understand it ourselves. There is nothing wrong with either goal. Implementing our own authentication protocol helps

Re: Monoculture

2003-10-01 Thread bear
On Wed, 1 Oct 2003, John S. Denker wrote: According to 'ps', an all-up ssh system is less than 3 megabytes (sshd, ssh-agent, and the ssh client). At current memory prices, your clients would save less than $1.50 per system even if their custom software could reduce this bulk to zero. That's

Re: Monoculture

2003-10-01 Thread Thor Lancelot Simon
On Wed, Oct 01, 2003 at 10:20:53PM +0200, Guus Sliepen wrote: You clearly formulated what we are doing! We want to keep our crypto as simple and to the point as necessary for tinc. We also want to understand it ourselves. Implementing our own authentication protocol helps us do all that.

VeriSign tapped to secure Internet voting

2003-10-01 Thread R. A. Hettinga
http://msnbc-cnet.com.com/2102-1029_3-5083772.html?tag=3Dni_print VeriSign tapped to secure Internet voting=20 By Robert Lemos=20 Staff Writer, CNET News.com=20 http://news.com.com/2100-1029-5083772.html=20 VeriSign announced Monday that it will provide key components of a system d= esigned to

Re: Monoculture

2003-10-01 Thread Perry E. Metzger
Ronald L. Rivest [EMAIL PROTECTED] writes: What is aperture minimization? That's a new term for me... Never heard of it before. Google has never seen it either... (Perhaps others on the list would be curious as well...) I'm sure you have heard of it, just under other names. The term

Re: how simple is SSL? (Re: Monoculture)

2003-10-01 Thread Eric Rescorla
Adam Back [EMAIL PROTECTED] writes: On Wed, Oct 01, 2003 at 08:53:39AM -0700, Eric Rescorla wrote: there's another rationale my clients often give for wanting a new security system [existing protcools] too heavyweight for some applications. I hear this a lot, but I think that Perry

Re: Monoculture

2003-10-01 Thread Eric Rescorla
Don Davis [EMAIL PROTECTED] writes: eric wrote: The way I see it, there are basically four options: (1) Use OpenSSL (or whatever) as-is. (2) Strip down your toolkit but keep using SSL. (3) Write your own toolkit that implements a stripped down subset of SSL (e.g. self-signed

Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded: VeriSign tapped to secure Internet voting The solution we are building will enable absentee voters to exercise their right to vote, said George Schu, a vice president at VeriSign. The sanctity of the vote can't be compromised nor

anonymous DH MITM

2003-10-01 Thread M Taylor
Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable practice without some form of

Re: anonymous DH MITM

2003-10-01 Thread Eric Rescorla
M Taylor [EMAIL PROTECTED] writes: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 07:06 PM 10/1/2003, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable

Re: anonymous DH MITM

2003-10-01 Thread Ian Grigg
M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, Ah, there's the rub. ADH does not protect against MITM, as far as I am aware. and it would seem TLS would be wide open to abuse

Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Ian Grigg
Roy M. Silvernail wrote: On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded: VeriSign tapped to secure Internet voting The solution we are building will enable absentee voters to exercise their right to vote, said George Schu, a vice president at VeriSign. The sanctity of

Re: anonymous DH MITM

2003-10-01 Thread Eric Murray
On Thu, Oct 02, 2003 at 12:06:40AM +0100, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? No, it doesn't. If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection

Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 19:53, Ian Grigg wrote: Roy M. Silvernail wrote: On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded: VeriSign tapped to secure Internet voting The solution we are building will enable absentee voters to exercise their right to vote, said George

Re: Monoculture

2003-10-01 Thread Peter Gutmann
John S. Denker [EMAIL PROTECTED] writes: According to 'ps', an all-up ssh system is less than 3 megabytes (sshd, ssh- agent, and the ssh client). At current memory prices, your clients would save less than $1.50 per system even if their custom software could reduce this bulk to zero. Let me

Re: anonymous DH MITM

2003-10-01 Thread Peter Gutmann
Tim Dierks [EMAIL PROTECTED] writes: It does not, and most SSL/TLS implementations/installations do not support anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not because of any concern about MITM (see below).

Re: Monoculture

2003-10-01 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Perry E. Metzger writes: Unfortunately, those parts are rather dangerous to omit. 0) If you omit the message authenticator, you will now be subject to a range of fine and well documented cut and paste attacks. With some ciphers, especially stream ciphers,

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 10:37 PM 10/1/2003, Peter Gutmann wrote: Tim Dierks [EMAIL PROTECTED] writes: It does not, and most SSL/TLS implementations/installations do not support anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA, not