Re: The future of security

2004-05-08 Thread Hadmut Danisch
On Mon, Apr 26, 2004 at 08:21:43PM +0100, Graeme Burnett wrote:
 
 Would anyone there have any good predictions on how
 cryptography is going to unfold in the next few years
 or so?  I have my own ideas, but I would love
 to see what others see in the crystal ball.



My guess is that it is unpredictable. 
As so many other things, it depends on so many coincidences, 
marketing, politics.

But what I do expect:

- I don't expect that there will be much progress in 
  maths and theory of cryptography. Very few inventions
  will make it out of the ivory tower, if any at all.

  Key lenghts will increase. We'll play RSA with 
  4096 or 8192 bit. They will find that Quantum Computers
  may be fast, but still bound to computation complexity.


- SSL/TLS will become even more of a de facto standard in 
  open source software and (new?) protocols. It will make 
  it's way into the standard libraries of programming languages
  (e.g. as it did for Ruby).

- I don't expect that we'll ever have a common PKI for 
  common people with a significant distribution. It's like 
  with today's HTTPS: The big ones have commercial certificates, 
  plain people use passwords and simple authentication mechanisms
  (like receiving a URL with a random number by e-mail).


- I guess the most important crypto applications will be:

- HTTPS of course

- portable storage equipped with symmetric ciphers 
  such as USB-Sticks and portable hard disks. 

- VPN routers

- Voice over IP

- DRM

- maybe in digital passports and credit cards

- simple auth tokens like RSA SecurID, Aladdin eToken
  will become more commonly used.  



- As a consequence, I guess that politicians will reopen the
  1997's discussion of prohibiting strong encryption. They already
  do. 


- Maybe we'll have less crypto security in future than we have
  today. 

  5-10 years ago I knew much more people using PGP than today. 

  Most modern mail user agents are capable of S/MIME, but it's hard
  to find someone making use of it. I'm a consultant for many
  companies, but not a single one of them uses it. Most modern 
  MTAs support TLS, but to my knowledge less than 3% of messages 
  are actually TLS encrypted in SMTP.

  It's strange, but law will become more important than cryptograpy. 




As a summary, I don't expect any innovations. Not more than within
the last 10 years.

But I'm pretty sure that security will be more and more important
and that's were I expect innovations and progress. Security doesn't
necessarily mean cryptography.


regards
Hadmut



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Brands' private credentials

2004-05-08 Thread Jason Holt

Here's what I remember from about a year ago about the current state of
private credentials.  That recollection comes with no warranties express or
implied.

Last I heard, Brands started a company called Credentica, which seems to only
have a placeholder page (although it does have an info@ address).

I also heard that his credential system was never implemented, but that might
be wrong now.  Anna Lysyanskaya and Jan Camenisch came up with a credential
system that I hear is based on Brands'. Anna's dissertation is online and
might give you some clues.  They might also have been working on an
implementation.

I came up with a much simpler system that has many similar properties to
Brands', and even does some things that his doesn't.  It's much less developed
than the other systems, but we did write a Java implementation and published a
paper at WPES last year about it.  I feel a little presumptuous mentioning it
in the context of the other systems, which have a much more esteemed set of
authors and are much more developed, but I'm also pretty confident in its
simplicity.

http://isrl.cs.byu.edu/HiddenCredentials.html
http://isrl.cs.byu.edu/pubs/wpes03.pdf

Note that most anonymous credential systems are encumbered by patents.  The
implementation for my system is based on the Franklin/Boneh IBE which they
recently patented, although there's another IBE system which may not be
encumbered and which should also work as a basis for Hidden Credentials.

-J


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RSA-576 Factored

2004-05-08 Thread R. A. Hettinga
http://mathworld.wolfram.com/news/2003-12-05/rsa/




MathWorld Headline News

RSA-576 Factored

By Eric W. Weisstein

 December 5, 2003--On December 3, the day after the announcement of the
discovery of the largest known prime by the Great Internet Mersenne Prime
Search on December 2 (MathWorld headline news, December 2, 2003), a team at
the German Federal Agency for Information Technology Security (BIS)
announced the factorization of the 174-digit number
 1881 9881292060 7963838697 2394616504 3980716356 3379417382 7007633564
2298885971 5234665485 3190606065 0474304531 7388011303 3967161996
9232120573 4031879550 6569962213 0516875930 7650257059

 known as RSA-576.

 RSA numbers are composite numbers having exactly two prime factors (i.e.,
so-called semiprimes) that have been listed in the Factoring Challenge of
RSA Security®.

 While composite numbers are defined as numbers that can be written as a
product of smaller numbers known as factors (for example, 6 = 2 x 3 is
composite with factors 2 and 3), prime numbers have no such decomposition
(for example, 7 does not have any factors other than 1 and itself). Prime
factors therefore represent a fundamental (and unique) decomposition of a
given positive integer. RSA numbers are special types of composite numbers
particularly chosen to be difficult to factor, and they are identified by
the number of digits they contain.

 While RSA-576 is a much smaller number than the 6,320,430-digit monster
Mersenne prime announced earlier this week, its factorization is
significant because of the curious property of numbers that proving or
disproving a number to be prime (primality testing) seems to be much
easier than actually identifying the factors of a number (prime
factorization). Thus, while it is trivial to multiply two large numbers p
and q together, it can be extremely difficult to determine the factors if
only their product pq is given. With some ingenuity, this property can be
used to create practical and efficient encryption systems for electronic
data.

 RSA Laboratories sponsors the RSA Factoring Challenge to encourage
research into computational number theory and the practical difficulty of
factoring large integers and also because it can be helpful for users of
the RSA encryption public-key cryptography algorithm for choosing suitable
key lengths for an appropriate level of security. A cash prize is awarded
to the first person to factor each challenge number.

 RSA numbers were originally spaced at intervals of 10 decimal digits
between one and five hundred digits, and prizes were awarded according to a
complicated formula. These original numbers were named according to the
number of decimal digits, so RSA-100 was a hundred-digit number. As
computers and algorithms became faster, the unfactored challenge numbers
were removed from the prize list and replaced with a set of numbers with
fixed cash prizes. At this point, the naming convention was also changed so
that the trailing number indicates the number of digits in the binary
representation of the number. Hence, RSA-576 has 576 binary digits, which
translates to 174 digits in decimal.

 RSA numbers received widespread attention when a 129-digit number known as
RSA-129 was used by R. Rivest, A. Shamir, and L. Adleman to publish one of
the first public-key messages together with a $100 reward for the message's
decryption (Gardner 1977). Despite widespread belief at the time that the
message encoded by RSA-129 would take millions of years to break, it was
factored in 1994 using a distributed computation that harnessed networked
computers spread around the globe performing a multiple polynomial
quadratic sieve (Leutwyler 1994). The result of all the concentrated number
crunching was decryption of the encoded message to yield the profound
plain-text message The magic words are squeamish ossifrage. (An ossifrage
is a rare predatory vulture found in the mountains of Europe.)

 Factorization of RSA-129 followed earlier factorizations of RSA-100,
RSA-110, and RSA-120. The challenge numbers RSA-130, RSA-140, RSA-155, and
RSA-160 were also subsequently factored between 1996 and April of this
year. (Amusingly, RSA-150 apparently remains unfactored following its
withdrawal from the RSA Challenge list.)

 On December 2, Jens Franke circulated an email announcing factorization of
the smallest prize number RSA-576. The factorization was accomplished using
a prime factorization algorithm known as the general number field sieve.
The two 87-digit factors found using this sieve are
 3980750 8642406493 7397125500 5503864911 9906436234 2526708406 3851895759
4638895726 1768583317
 x
 4727721 4610743530 2536223071 9730482246 3291469530 2097116459 8521711305
2071125636 3590397527

 and can easily be multiplied to verify that they do indeed give the
original number.

 Franke's note detailed the factorization process in which lattice
sieving was done by J. Franke and T. Kleinjung using hardware at the
Scientific Computing Institute 

[Neuclear-general] ANNOUNCE: Released version 0.7 of NeuClear Commons

2004-05-08 Thread R. A. Hettinga

--- begin forwarded text


From: Pelle Braendgaard [EMAIL PROTECTED]
Organization: VERAX Inc
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
User-Agent: KMail/1.6.2
Cc: [EMAIL PROTECTED]
Subject: [Neuclear-general] ANNOUNCE: Released version 0.7 of NeuClear Commons
Sender: [EMAIL PROTECTED]
List-Id: neuclear-general.lists.sourceforge.net
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe:
https://lists.sourceforge.net/lists/listinfo/neuclear-general,
mailto:[EMAIL PROTECTED]
List-Archive:
http://sourceforge.net/mailarchive/forum.php?forum=neuclear-general
Date: Wed, 28 Apr 2004 12:30:11 -0500

Panama City, 28 April, 2004. We are happy to announce the 0.7 release of
NeuClear Commons.

Main goal of this release is to support the 0.9 release of NeuClear ID.
Download it today and join in the NeuClear revolution. Major new features
are:

* New Swing based Passphrase Agent
* DefaultSigner is now completely interactive.
* SQLSigner stores Public Private Key Pairs in SQL using Hibernate.
* Removed all old SQL support code.
* Added in memory caching to Public Key Resolver
* Added new interactive signing model with the BrowsableSigner interface
* New SetPublicKeyCallback method for returning the public key in interactive
applications

For more information see:
http://dev.neuclear.org/commons/

Full Release notes below:

Release Notes - NeuClear Commons - Version r_0_7

** Bug
* [COM-13] - Handle Invalid Passphrase in SwingAgent
* [COM-14] - Use different screen layout for normal passphrase in
SwingAgent
* [COM-25] - Remembered passphrase is forgotten if identity is changed
* [COM-27] - Loop when JCESigner is loaded with incorrect passphrase
* [COM-31] - Remembered passphrase doesnt enable sign button
* [COM-33] - Signed HTML generated by Identity and subclasses fail
verification


** New Feature
* [COM-4] - Create Completely Interactive Signing Method
* [COM-5] - Support for more advanced passphrase agent
* [COM-6] - Set PublicKey Callback Method
* [COM-10] - Create Improved GUI Agent
* [COM-11] - Add remember Passphrase to SwingAgent
* [COM-12] - Add Identity Generator to SwingAgent
* [COM-16] - add Password encrypted private key methods to CryptoTools
* [COM-17] - Create SQLSigner
* [COM-18] - Make DefaultSigner an intelligent wrapper for end user
signing front ends
* [COM-20] - Add Save Key Store Dialog to InteractiveAgent
* [COM-21] - Add Open Key Store Dialog to InteractiveAgent
* [COM-22] - Implement Save in SwingAgent


** Task
* [COM-15] - Update project.xml with latest dependencies
* [COM-32] - Drop all the sql packages as no longer needed

** Improvement
* [COM-9] - Add in memory caching to PublicKey Resolver
* [COM-19] - Create signing task queue on SwingAgent
* [COM-26] - Change to DefaultSigner's method of saving



-- 
http://talk.org + Live and direct from Panama
http://neuclear.org + Clear it both ways with NeuClear


---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149alloc_id=8166op=click
___
Neuclear-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/neuclear-general

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Can Skype be wiretapped by the authorities?

2004-05-08 Thread Joseph Ashwood
- Original Message - 
From: Axel H Horns [EMAIL PROTECTED]
Subject: Can Skype be wiretapped by the authorities?


 Is something known about the details of the crypto protocol within
 Skype? How reliable is the encryption?

While Skype is generally rather protective of their protocol, there have
been leaks, in fact one elak that I am aware of was to me personally,
unfortunately I do not have the protocol any more it just wasn't worth
saving. With that said the protocol is horribly and completely worthless,
they brag about using 1536-2048 bit RSA, but what they dont' tell you is
that when I saw the protocol the key was directly encrypted without padding,
it's also worth noting that when I said key that wasn't a typo, there was
only one, although it was hashed to create two. There was a complete lack of
message authentication, a complete lack of key verification, a complete lack
of one-timeness to the transfers, basically a complete lack of security,
even their user verification was flawed to the point where it was completely
worthless. Assuming that they have not changed their protocol substantially
(likely considering no one would listen to the individual that leaked it to
me, and hence was given the breaks) the protocol is still horribly insecure,
and pointlessly complex. The ONLY functional security it has is that it is
peer2peer and as such it is harder to eavesdrop.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How to WASTE and want not

2004-05-08 Thread iang
This page seems to describe the security:

http://waste.sourceforge.net/security.html

iang

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


message, but also test

2004-05-08 Thread R. A. Hettinga

--- begin forwarded text


Date: Thu, 29 Apr 2004 09:07:44 +
From: Ryan Lackey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: Mutt/1.5.5.1+cvs20040105i
Subject: message, but also test
Sender: [EMAIL PROTECTED]

I have two questions:

1) Does anyone have actual performance measurements of ZKS from when
it was operational/at peak, in terms of bandwidth, MTU, latency, and
jitter?  Is there a good way to quantify just how far from
acceptable it was?

2) Does anyone know of any existing reviews of bandwidth cost in
multiple jurisdictions (say, per 1Mbps CIR international terrestrial),
as well as electricity (per-Kwh)?

I'm working on a research report which shows the 5-10 year costs for a
few specific businesses in as many different locations and
jurisdictions as possible, since otherwise it's almost impossible to
quantify how much better a jurisdiction is than any other.

I know bandwidth costs for all the markets I actually care about, but
I'd like to flesh this out to account for more individual countries.
The problem is the bandwidth numbers I have are public as well as very
aggressively negotiated, and there's usually a spread of 3-10x between
them, so I'd rather not have to go through that level of negotiation
for any additional data points.

(some people have been sending to [EMAIL PROTECTED]
vs. [EMAIL PROTECTED], which was causing a bunch of
cypherpunks mail to accumulate in the catchall spool for
metacolo.com.  I just added cypherpunks and cypherpunks-* aliases in
the metacolo domain as well, so it should work, of which this is a
test)

(I also subscribed the al-qaeda node, and will probably finish setting
up the spamfiltered version of the list, as well as passing the back
archives through the same archiving software as current archives, and
search-indexing them, next time I get bored)

-- 
Ryan Lackey [RL960-RIPE AS24812]   [EMAIL PROTECTED]   +1 202 258 9251
OpenPGP DH 4096: B8B8 3D95 F940 9760 C64B   DE90 07AD BE07 D2E0 301F
___
cypherpunks mailing list
[EMAIL PROTECTED]
http://cypherpunks.metacolo.com/mailman/listinfo/cypherpunks

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is there a Brands certificate reference implementation?

2004-05-08 Thread Anton Stiglic

Stefan Brands started his own company,
http://www.credentica.com/

There isn't much on the web site yet, but if you click on the image you get
the info
email address.

The code that was developed for Brands credentials at ZKS was never
released.  There was also code written during the ESPRIT project called
CAFE.

A description of protocols for Brands credentials can be found here
http://crypto.cs.mcgill.ca/~stiglic/Papers/brands.pdf

A more elaborate reference is the technical paper that can be found here
http://www.credentica.com/technology/technology.html

--Anton

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-08 Thread geer

Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.


prediction: 

just as in the 1990s the commercial world caught up to
the mil world in uses of crypto, so, too, will it catch
up this decade in traffic analysis

--dan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Security Architect Position at National Archives

2004-05-08 Thread Rich Salz
Forwarded with permission.  This may not be appropriate for the list, 
but it is one of the most interesting and useful crypto/security jobs 
I've seen in some time...

The position is at Archive II in College Park, right next to the 
University of MD, at the junction of I-95 and the beltway. The hours are 
flexible so avoiding the rush hour traffic is not a big deal.

The role is for a system architec/designer with strong cyber security 
experience. Somebody who can evaluate the security implication of 
various design proposal. In other words, I'm not looking just for 
somebody who can run a firewall or vulnerabiility check, or who can cite 
NIST security standard (although those skills woul dcome in handy too!).

We are hiring system integrator to build a large, distributed, 
multi-sites electronic archives. It's possibly the most interesting 
project in the civilian government, IMHO. You can find out more about it at
  http://www.archives.gov/electronic_records_archives/about_era/scope.html

The project is multi-year and is being bidded upon by large system 
integrators. So the candidate will get a chance to do interesting work, 
and watch how the big guys do it too.

Attched is the annoucement. It's a position I can bring directly in, 
without going through the OPM process.

Regards,
Dyung Le
[EMAIL PROTECTED]
Information Technology (IT) Specialist (INFORMATION SECURITY)
The National Archives and Records Administration (NARA) is seeking
one  (1) Information Technology (IT) Specialist (Information Security) as
part of the development team for NARAs Electronic Records Archives
(ERA) program. The Electronic Records Archives is a challenging program
with national importance, and aims to develop a comprehensive,
systematic, and dynamic mechanism for preserving virtually any kind of
electronic record, free from dependence on any specific hardware or
software. (http://www.archives.gov/electronic_records_archives/index.html)
--
Rich Salz, Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


iTunes 4.5: 24 hours after I downloaded it... I've broken it

2004-05-08 Thread R. A. Hettinga
http://craz.net/programs/itunes/

crazney.net - iTunes stuff

Welcome to my iTunes stuff website, here you will find  various things
relating to iTunes hacking that I have written.

 Last updated:April 29, 2004

 iTunes 4.5: iTunes 4.5 uses a new authentication algorithm. However, not
even  24 hours after I downloaded it, and that includes a little sleep and
lots of uni time,  I've broken it. Hah. Anyhow, libopendaap 0.2.0 and
tunesbrowser 0.1.4 are now available.

 crazney brb have to shut chooks in.
 Fryboy I have just deconstructed the encryption protocol designed by
Apple's finest enginee..ah fuck the chicken has escaped

 Pages here:

*   libopendaap:  A library for connecting to iTunes shares and
streaming audio files.
*tunesbrowser:  An application, built on top of libopendaap in
GTK  for browsing and playing the songs in various  iTunes shares.
*authentication:  A page describing the authentication procedure
used  by the latest iTunes programs in order to lock out  third party
applications.
*iTunes Music Store authentication:  A page describing the
authentication packets used by  the iTMS. This complements Jason Rohrers
iTMS-4-ALL project.

Say no to the AUS-FTA!

Contact info:
 See the front page for contact details.

 Please let me know if you use and enjoy (or hate) this software!

 Apple and iTunes are registered trademarks of Apple Computer, Inc.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RFC 3766 Determining Strengths For Public Keys Used For Exchanging Symmetric Keys

2004-05-08 Thread Anne Lynn Wheeler
also summary entry at
http://www.garlic.com/~lynn/rfcidx12.htm#3766
clicking on .txt=nnn field in the summary retrieves the actual RFC
BCP 86
RFC 3766
Title:  Determining Strengths For Public Keys Used
For Exchanging Symmetric Keys
Author(s):  H. Orman, P. Hoffman
Status: Best Current Practice
Date:   April 2004
Mailbox:[EMAIL PROTECTED], [EMAIL PROTECTED]
Pages:  23
Characters: 55939
Updates/Obsoletes/SeeAlso:None
I-D Tag:draft-orman-public-key-lengths-08.txt
URL:ftp://ftp.rfc-editor.org/in-notes/rfc3766.txt
Implementors of systems that use public key cryptography to exchange
symmetric keys need to make the public keys resistant to some
predetermined level of attack.  That level of attack resistance is the
strength of the system, and the symmetric keys that are exchanged must
be at least as strong as the system strength requirements.  The three
quantities, system strength, symmetric key strength, and public key
strength, must be consistently matched for any network protocol usage.
While it is fairly easy to express the system strength requirements in
terms of a symmetric key length and to choose a cipher that has a key
length equal to or exceeding that requirement, it is harder to choose
a public key that has a cryptographic strength meeting a symmetric key
strength requirement.  This document explains how to determine the
length of an asymmetric key as a function of a symmetric key strength
requirement.  Some rules of thumb for estimating equivalent resistance
to large-scale attacks on various algorithms are given.  The document
also addresses how changing the sizes of the underlying large integers
(moduli, group sizes, exponents, and so on) changes the time to use
the algorithms for key exchange.

--
Anne  Lynn Wheelerhttp://www.garlic.com/~lynn/ 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Signs Point to Worm Attack on SSL Vulnerability

2004-05-08 Thread R. A. Hettinga
http://www.eweek.com/print_article/0,1761,a=125527,00.asp

EWeek


Signs Point to Worm Attack on SSL Vulnerability

April 27, 2004
 By   Dennis Fisher

Security experts on Tuesday said they are seeing evidence of what appears
to be a worm exploiting the recently announced vulnerability in the Windows
implementation of the Secure Sockets Layer (SSL) protocol.

 During the morning and early afternoon Tuesday, specialists at VeriSign
Inc.'s security operations center observed a large-scale exploitation of
the vulnerability. While there are a number of software tools available on
the Internet to attack the vulnerability, experts said the volume of
activity is too great for the attacks to be manual.

 ADVERTISEMENT

The attacks are too heavy and too regular to be anything but a worm. This
has to be a worm or a mass rooter, said Jerry Brady, chief security
officer of managed security services at VeriSign, based in Mountain View,
Calif. The activity is at much too high of a rate for it to be people
manually using the exploit.

 The vulnerability, for which Microsoft Corp. released a patch earlier this
month, is in an older Microsoft protocol called PCT (Protected
Communications Transport). Microsoft's SSL library contains a buffer
overrun flaw that enables attackers to run arbitrary code on vulnerable
machines by sending specially designed PCT handshake packets. PCT is
included in the SSL library, which is present in a number of products,
including IIS and Exchange Server.

VeriSign and other security services warned of this vulnerability last
week. Click here to read more about the previous alert and the specific
action of this exploit.

Brady said the majority of the company's managed services customers who
have Internet-facing IIS servers have been attacked already. He added that
the company is in the process of breaking down the attacks to see whether
they are installing back doors or Trojans on compromised machines.

 It's too soon to tell right now. We're still doing the forensics at this
point, Brady said.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-08 Thread Graeme Burnett
Many thanks to the list members who have contributed ideas to the above -
I'll share the results by previewing the paper in the next few weeks if I
may.

Having been a devotee of the financial crypto community for many years, a
thought has just occurred to me about the possible use of Systemics
Ricardian Contract idea as a practical implementation of a distributed
access control mechanism.

I came across Akanti http://www-itg.lbl.gov/Akenti/ - augmented x509 certs
used as access control tokens in a distributed environment. It seems that
this problem space is similar to the fincrypto domain.

Proprietary non-human readable binary/ascii formats have arguably lost
ground to human readable name/value pair formats (i.e. XML and before that
IATA), so it would seem a logical progression to extend Herr Grigg's
Ricardian ontology to include a DAC contract?

Cheers

G

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Fwd: [ISN] Mobile flaws expose executives to bugging

2004-05-08 Thread R. A. Hettinga
*Took* 'em long enough...

Cheers,
RAH

--- begin forwarded text


Date: Fri, 30 Apr 2004 02:30:16 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Mobile flaws expose executives to bugging
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Unsubscribe: http://www.attrition.org/mailman/listinfo/isn,
mailto:[EMAIL PROTECTED]
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

By Steve Boggan
April 30, 2004

EXECUTIVES at some of Britain's biggest companies are using mobile
phones that can be secretly tracked and bugged, despite a series of
Times investigations demonstrating gaping holes in handset security.

During tests at the offices of Shell, BP, HSBC and Goldman Sachs, The
Times identified 95 phones potentially vulnerable to a new form of
hacking known as bluesnarfing.

Under the process, which threatens mobile phones that use Bluetooth
wireless technology, hackers can download text messages, phone lists
and even remotely tamper with handsets to enable them to be used as
listening devices.

Last week The Times identified 46 phones that could have been
vulnerable to attack during a 12-minute test in the central lobby of
the Palace of Westminster.

During our latest experiment, we had the ability to access the phone
of a Shell employee supplying aviation fuel to aircraft companies and
bug the handsets of chauffeurs driving executives. At the offices of
Shell, a passive scan showed that 19 phones would have accepted an
unauthorised Bluetooth connection. None was made, to avoid
infringement of the Computer Misuse Act.

Of these, 13 were Nokias and five were Ericssons. The Nokia 6310 and
6310i, the most popular business phones in the UK, and the Ericsson
T610, one of the best-selling picture phones, have proved to be the
most insecure.

Outside, a group of chauffeurs were waiting in seven identical and
consecutively-numbered Volvos. An attack on any of their phones would
have allowed us to set up a divert to a handset of our choice. We
could then have instructed their phones to call us secretly, leaving a
channel open through which we could have heard executives’
conversations in the cars.

At BP’s office in St James’s Square, Westminster, we identified 24
potentially vulnerable phones while at Goldman Sachs in Fleet Street,
the figure was 35 phones.

We scanned in a smoking area outside the offices of HSBC in Canary
Wharf during a ten-minute period. Seventeen potentially vulnerable
phones were identified.

The latest cause for concern involving the Nokia 6310s and Sony
Ericsson T610s involves secret tracking. Commercial companies offer
phone tracking services to businesses and individuals who want to
locate sales forces quickly. An SMS message is sent to the relevant
mobile phone with an activation code. Once activated, the phone’s
location is shown on an internet website map.

Bluesnarfing allows the activation code to be diverted to an attacker,
so that an account is set up without the handset owner’s knowledge. He
or she could then be tracked, without their knowledge, 24 hours a day.

Nokia admits there are problems with its 6310s and 8910s but says it
is working on a solution that will be available to users from this
summer. Sony Ericsson says it has cured the text message and divert
problems in new phones but phone lists, calendars and pictures can
still be accessed. It promises a cure for that problem in the second
half of the year.

Shell and BP said they never commented on security; Goldman Sachs was
aware of the problem and had issued advice to staff; and HSBC said its
technical staff were looking into the problem.



_
ISN mailing list
Sponsored by: OSVDB.org

--- end forwarded text



-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Calif. Official Bans Some Voting Machines

2004-05-08 Thread R. A. Hettinga
http://news.yahoo.com/news?tmpl=storycid=519u=/ap/20040501/ap_on_re_us/electronic_votingprinter=1

Yahoo!

Yahoo! News   Sat, May 01, 2004


Calif. Official Bans Some Voting Machines

 Fri Apr 30, 8:56 PM ET
Add U.S. National - AP to My Yahoo!

By JIM WASSERMAN, Associated Press Writer

SACRAMENTO, Calif. -  The state's top elections official called for a
criminal investigation of Diebold Election Systems Inc. as he banned use of
the company's newest model touchscreen voting machine, citing concerns
about its security and reliability.




 Friday's ban will force up to 2 million voters in four counties, including
San Diego, to use paper ballots in November, marking their choices in ovals
read by optical scanners.

 Secretary of State Kevin Shelley asked the attorney general's office to
investigate allegations of fraud, saying Diebold had lied to state
officials. A spokesman for Attorney General Bill Lockyer said prosecutors
would review Shelley's claims.

 Diebold issued a statement saying it was confident in its systems and
planned to work with election officials in California and throughout the
nation to run a smooth election this fall.

 The ban immediately affects more than 14,000 AccuVote-TSx machines made by
Diebold, the leading touchscreen provider. Many were used for the first
time in the March primaries and suffered failures.

 In 10 other counties, Shelley decertified touchscreen machines but set 23
conditions under which they still could be used. That order involved 4,000
older machines from Diebold and 24,000 from its three rivals.

 The decision follows the recommendations of a state advisory panel, which
conducted hearings earlier this month.

 Made just six months before a presidential election, the decision reflects
growing concern about paperless electronic voting.

 A number of failures involving touchscreen machines in Georgia, Maryland
and California have spurred serious questioning of the technology. As
currently configured, the machines lack paper records, making recounts
impossible.

 I anticipate his decision will have an immediate and widespread impact,
said Kim Alexander, president of the California Voter Foundation and a
frequent critic of the machines. California is turning away from e-voting
equipment, and other states are sure to follow.

 Activists have been demanding paper printouts - required in California by
2006 - to guard against fraud, hacking and malfunction.

 Diebold has been a frequent target of such groups, though most California
county election officials say that problems have been overstated and that
voters like the touchscreen systems first installed four years ago.

 At least 50 million voters nationally were expected to use the ATM-like
machines from Diebold and other companies in November.

 California counties with 6.5 million registered voters have been at the
forefront of touchscreen voting, installing more than 40 percent of the
more than 100,000 machines believed to be in use nationally.

 A state investigation released this month said Diebold jeopardized the
outcome of the March election in California with computer glitches,
last-minute changes to its systems and installations of uncertified
software in its machines in 17 counties.

 It specifically cited San Diego County, where 573 of 1,611 polling places
failed to open on time because low battery power caused machines to
malfunction.

 Registrars in counties that made the switch to paperless voting said
Shelley's decision to return to paper ballots would result in chaos.

 There just isn't time to bring this system up before November, Kern
County Registrar Ann Barnett said. It's absurd.

 Diebold officials, in a 28-page report rebutting many of the accusations
about its performance, said the company had been singled out unfairly for
problems with electronic voting and maintained its machines are safe,
secure and demonstrated 100 percent accuracy in the March election.

 The company, a subsidiary of automatic teller machine maker Diebold, Inc.,
acknowledged it had alienated the secretary of state's office and
promised to redouble efforts to improve relations with counties and the
state.

 ___

 On the Net:

 California Secretary of State: http://www.ss.ca.gov

Diebold Election Systems: http://www.diebold.com/dieboldes/

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Wikipedia project: Crypto

2004-05-08 Thread Ivan Krstic
The good people at Wikipedia have started a cryptography subproject, an
attempt to build a comprehensive and detailed guide to cryptography in
the Wikipedia. The project page:
http://en.wikipedia.org/wiki/Wikipedia:WikiProject_Cryptography
features a list of open tasks and things that need cleanup or writing
about. For anyone who has a few minutes to spare, their contributions
would without a doubt be most appreciated.
Cheers,
Ivan
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Top Italian Mafia Boss Dies in U.S. Prison

2004-05-08 Thread R. A. Hettinga
The life, and death, of Mr. Badalamenti is important to cryptography
people and cypherpunks for two reasons.

First, the so-called Pizza Connection case is one of the very few
times, if not the first, where actual wiretap data was good enough to
convict someone.

The other reason it is important is that it was the case in which
Louis Freeh made his bones as a prosecutor.

Combine the two, and you end up with an FBI director who was
singularly ill-disposed to the idea of telephonic cryptography. In
his advocacy of the NSA's then-failing Clipper chip project, he
superheated what was already a firestorm of rage everywhere liberty
is treasured.

Fortunately, financial -- and not political -- cryptography is the
only cryptography that matters. :-).

For all the attacks on the chip by political advocates civil
libertarian grounds, and, ultimately, its sheer technical
incompetence by members of the cryptography community, it was, in
fact, the absolute business *necessity* of SSL for credit card
transactions and secure access to business information that settled
the issue of ubiquitous strong cryptography once and for all.


The camel's nose isn't sticking the tent. The camel's nose is stuck
*out* of the tent, and the camel is inside, ready to spit in the eye
of anyone who wants to take his stash.


Physics causes finance. Finances causes politics.

It was ever thus.

It will ever be thus.

Cheers,
RAH

 ---


http://www.reuters.com/newsArticle.jhtml?type=domesticNewsstoryID=50
05854section=news

Reuters



Top Italian Mafia Boss Dies in U.S. Prison Fri Apr 30, 2004 06:29 PM
ET

By Ellen Wulfhorst

NEW YORK (Reuters) - Top Mafia boss Gaetano Badalamenti has died in a
U.S. federal prison where he was serving a sentence for international
drug smuggling, authorities said on Friday.

Badalamenti, 80, died of cardiac arrest at a federal medical center
in Devens, Massachusetts., on Thursday evening, said a spokesman for
the federal prison system.

Badalamenti, born in the village of Cinisi in Palermo in 1923, was
one of the key figures in the Sicilian Cosa Nostra in the 1970s.

Known as Don Tano, he was a close friend of Charles Lucky Luciano,
one of America's biggest mobsters in the 1970s, and part of the
so-called 'triumvirate' that ran the Sicilian Mafia. Others in the
triumvirate were Luciano Liggio and Stefano Bontade.

But the 1970s saw the rise of another clan which included Salvatore
'Toto' Riina, who went on to become the Sicilian Mafia's boss of
bosses, and Badalamenti was forced to flee to Brazil and then Spain.

He later went into business with organized crime figures in New York
who were using pizza parlors in a giant operation that smuggled more
than $1 billion worth of heroin from Sicily.

In 1987, Badalamenti was convicted and sentenced to 45 years in
prison for his role in what was called the Pizza Connection.

In 2002 in Italy, he was convicted and sentenced to life in prison in
absentia for the 1978 murder of a left-wing disc jockey who regularly
insulted the Mafia boss.

But last October in Italy, he and former prime minister Giulio
Andreotti were acquitted of involvement in the murder of journalist
Mino Pecorelli in 1979.

Badalamenti had been housed until Feb. 27 at a federal prison in
Fairton, New Jersey before he was moved to the medical facility in
failing health, authorities said.



-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


MatrixSSL Embedded SSL/TLS

2004-05-08 Thread J Harper
For those of you who are interested in the coding aspects of crypto, I'd
like to announce that our small footprint SSL/TLS library, MatrixSSL is
available for download at http://www.matrixssl.org

With a footprint under 50KB, MatrixSSL not only meets device requirements,
it also provides a protocol implementation that is easy to read and
understand.  Some unique benefits for the cryptography community are:

+ Clean, clear implementation makes bugs and security issues easier to spot
and fix
+ Focused, well documented implementation of SSL is a good teaching tool
+ Open Source ensures potential backdoors and security issues can be found
+ Compact implementation of a standard security protocol removes an excuse
for homegrown solutions

I'm interested in your feedback about MatrixSSL.  We are actively working to
make sure this a unique solution that solves some of the issues preventing
adoption of standard security protocols in Internet enabled devices.

J Harper
PeerSec Networks
http://www.peersec.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Tiny new agency ill-equipped for e-voting oversight

2004-05-08 Thread R. A. Hettinga
http://www.siliconvalley.com/mld/siliconvalley/8580743.htm?template=contentModules/printstory.jsp

The San Jose Mercury News

Posted on Mon, May. 03, 2004

Tiny new agency ill-equipped for e-voting oversight




SAN JOSE, Calif. (AP) - As alarm mounts over the integrity of the ATM-like
voting machines 50 million Americans will use in the November election, a
new federal agency has begun scrutinizing how to safeguard electronic
polling from fraud, hackers and faulty software.

But the tiny U.S. Election Assistance Commission says it is so woefully
underfunded that it can't be expected to forestall widespread voting
machine problems, which would cast doubt on the election's integrity.

The commission -- which on Wednesday conducts the first federal hearing on
the security and reliability of electronic voting -- laments its
predicament in a new report.

``We've found some deeply troubling concerns, and the country wants to know
the solution,'' said DeForest B. Soaries, Jr., a Republican and former New
Jersey secretary of state named by President Bush in December to lead the
agency.

The Washington, D.C. hearing will focus on the security risks of
touchscreen machines, which computer scientists say cannot be trusted
because they do not produce paper records, making proper recounts
impossible. Despite reassurances from the machines' makers, at least 20
states are considering legislation to require a paper trail.

After hearing from academics, elections officials and voting equipment
company executives, the Soaries commission will issue recommendations --
for example, that poll workers should keep a stack of paper ballots handy
in case machines fail to start. Machines in more than half the precincts in
California's San Diego County malfunctioned during the March 2 presidential
primary, and a lack of paper ballots may have disenfranchised hundreds of
voters.

Created nearly a year after a congressional deadline, the Soaries-led
agency took over the Federal Elections Commission's job of setting
standards for ensuring the voting process is sound.

But the EAC lacks the authority to enforce any such standards and the
agency's first annual report, released Friday, is apt to disappoint anyone
who had high expectations.

Created under the 2002 Help America Vote Act that began funneling $3.9
billion to states to upgrade voting systems after Florida's hanging chad
debacle, the agency's two Republican and two Democratic commissioners
weren't appointed until December. Their first public meeting was in March.
A bare-bones Web site only went live on Friday.

With only $1.2 million of its $10 million budget appropriated, the
commission has so far been able to hire seven full-time staffers, borrowing
some part-timers from other federal agencies.

The lack of funding has forced the EAC to abandon or delay much of its
intended mission. For example, it won't be able to develop a national
system for testing voting machines, according to the report.

Soaries intends to use his bully pulpit as chairman to highlight problems
to state and local elections officials. But he said in a telephone
interview that the EAC will need $2 million more this year and its full $10
million in 2005 to tackle its mission of restoring public faith in
electronic voting.

``If you look at the evolution of voting in America, only in last four
months has there been a federal agency whose exclusive focus is to deal
with voting. It's the foundation of our democratic structure on one hand,
but on the other we've really left it to the states to manage completely,''
Soaries said.

Most states have relied on guidance from the National Association of State
Election Directors, a volunteer organization of retired and active election
officials around the country. NASED, in turn, has certified three
little-known testing companies to verify the integrity of every machine and
every line of code in e-voting equipment nationwide, and it's up to
elections officials in each state to get the equipment tested.

NASED plans to transfer its certification authority to the National
Institute of Standards and Technology, which is supposed to update the
decade-old standards the labs use to make sure voting equipment is secure
and reliable.

But that also is on hold because NIST ``did not receive funding to support
the work,'' the commission report says.

``I wish the EAC luck, but oversight of these systems is illusory,'' said
Kim Alexander, president of the California Voter Foundation. ``As long as
federal voting system standards are voluntary, voters across the country
will not have the peace of mind they need to feel confident in their voting
systems.''

Currently certified by NASED to test all voting hardware for U.S. elections
is a Huntsville, Ala.-based division of Wyle Laboratories Inc. All software
is tested by two other entities -- a Huntsville, Ala., lab operated by
Greenwood Village, Colo.-based Ciber Inc., and Denver-based SysTest Labs
LLC.

The labs may take a year or 

Microsoft: 'Palladium' Is Still Alive and Kicking

2004-05-08 Thread R. A. Hettinga
http://www.microsoft-watch.com/article2/0,1995,1585354,00.asp




 Wednesday, May 05, 2004

 Microsoft: 'Palladium' Is Still Alive and Kicking
 By Mary Jo Foley
Updated: Redmond denies published report that it is axing its
Next-Generation Secure Computing Base and insists the technology still will
debut in Longhorn.


 SEATTLE - Microsoft spent much of Day 2 of its Windows Hardware
Engineering Conference (WinHEC) here refuting a published report claiming
the company has axed its Next Generation Secure Computing Base (NGSCB)
security technology.

 NGSCB is alive and kicking, said Mario Juarez, a product manager in
Microsoft's security and technology business unit.

 ADVERTISEMENT

 NGSCB - the hardware/software security system formerly code-named
Palladium - has been one of the most controversial components expected to
debut in the version of Windows that's due out in 2006+.

 Unlike last year's WinHEC, where NGSCB received top billing, this year,
it's just a blip on the radar screen. In fact, there are at only three
sessions on the WinHEC docket specifically about NGSCB. But Microsoft is
still talking up its NGSCB vision at this week's show.

 Microsoft is continuing to be vague about exactly how much of its NGSCB
code will ship as part of Longhorn. Company officials have gone on record
saying that customers would not be impacted by the technology until
Microsoft delivered Version 2 of the NGSCB platform. The company has not
provided a date for Version 2.

 In spite of these facts, the plan of record continues to be to deliver
Version 1 of its NGSCB technology as part of Longhorn, said Juarez.

 Juarez acknowledged that Microsoft is reworking its NGSCB technologies to
enable independent software vendors and customers with a way to allow their
existing applications to take advantage of NGSCB without having to rewrite
them. He said that customers to whom Microsoft has shown early versions of
NGSCB requested this change. He added that Microsoft will provide more
details on how it plans to do this some time later this year.

 Microsoft has explained NGSCB's inner workings this way: The two
foundations of NGSCB were designed to be the Trusted Platform Module on the
hardware side, and the Trusted Operating Root (or nexus) on the software
side. The nexus was to be the kernel of an isolated software stack that was
designed to run inside the standard Windows environment. The nexus was
slated to provide a set of APIs that would enable sealed storage and other
foundations for trusted-computing.

 But up until this week, Microsoft had said that only applications that
were designed from the ground-up to be nexus-aware would be able to take
advantage of these features.

 Juarez also admitted that the NGSCB team currently did not have a managed
code story. He said, We need to go back and figure out how that will look
and work.

Managed code is a key concept in Longhorn. It involves a new programming
model centered around a new managed application programming interface.
Microsoft is gunning to have many of Longhorn's own subsystems function as
managed applications and is advocating that third parties make their
Longhorn applications managed, as well.

 Juarez said Microsoft is not providing any of its NGSCB bits as part of
the new Longhorn pre-alpha release that it is distributing this week to
WinHEC attendees. But he denied that this means that the company is
exorcising NGSCB from the product. Instead, he said that the NGSCB team
decided that the driver developers at the show wouldn't be the right
targets for this code.


 We are not updating the development environment now. We are evaluating
whether there will be one in Longhorn, he said. The only question is what
it will look like.

 Microsoft did include in the pre-alpha version of  Longhorn software
developer kit that it distributed at the Professional Developers Conference
last fall both the NGSCB application programming interface (API) set, as
well as various NGSCB class-library files.

 We are making some predictable changes, Juarez continued. He said that
Microsoft has attempted to be very transparent about its NGSCB plans over
the past two years in order to allay industry fears about Microsoft's
security intentions.

 We've just been doing in public what is usually done in private, Juarez
said, in terms of detailing the NGSCB evolving its strategy and directions.

(Note: This story was updated. One of the four scheduled NGSCB sessions at
this year's show was cancelled, leaving only three on the docket. Also:
Juarez said he misspoke, re: whether there will be an NGSCB development
environment included as part of Version 1 of NGSCB. Microsoft is currently
evaluating whether or not to make the dev environment part of the release,
he said.)


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and 

Book Review: Malicious Cryptography- Exposing Cryptovirology

2004-05-08 Thread R. A. Hettinga
http://netsecurity.about.com/cs/encryptionbooks/gr/aaprmalcrypto.htm

About.com


Book Review: Malicious Cryptography
From Tony Bradley, CISSP,
Your Guide to Internet/Network Security.

Guide Rating -

The Bottom Line

Most people are familiar with malware- viruses, worms, Trojans, etc.- and
most people are familiar, at least with the concept, of cryptography.
However there are far fewer people that truly understand either of these
technologies, and even fewer still who understand how the two can be
combined to create the next generation of malicious code. Good reading, but
a certain level of understanding of malware and cryptography is needed in
order to follow the information in this book.
Pros
*   Cutting edge look at new threats on the malware horizon
*   Informative without being boring
*   Appendices provide basics of viruses and PKI

Cons
*   Solid understanding of cryptography and malware needed

Description
*   Opening chapter provides engaging fictional look at the potential
impact of malicious cryptography
*   Basics of viruses and PKI are provided in appendices, but this
book is not for beginners
*   Cutting edge information on how cryptography might impact malware
development

Guide Review - Book Review: Malicious Cryptography
 Almost everyone (or should that be literally everyone) who has touched a
computer keyboard is familiar with malware in some way. Not a day goes by
it seems without news of the latest Netsky or Bagle variant. Many people
remember the impact Codered, Nimda, SQL Slammer, MyDoom and other malware
threats have had on them or the Internet as a whole over the past few years.

 A much smaller subset of people is familiar with cryptography. Some users
may be aware that encryption is an option or they may have heard that they
should encrypt their data or protect their email communications with
encryption, but they don't understand cryptography. Those people probably
shouldn't bother trying to read this book.

 Those who do understand cryptography- who know what MD5, Blowfish, RSA or
3DES mean and how they work- should probably read this book. Being on an
intermediate level in cryptography myself I found some of the concepts and
details required me to do some extra digging and research to understand,
but I found the book to be informative and intriguing.

 The book seems to waiver in search of an audience- at times covering the
information at a higher level that many network and security administrators
can grasp and at other times delving into detail that only true
cryptographers will follow- but the authors combine information about
malware and cryptography in a way that experts from each can comprehend.

 Overall, this is a good book that I recommend- but not for beginners.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-08 Thread Ian Grigg
Graeme Burnett wrote:
Hello folks,
I am doing a presentation on the future of security,
which of course includes a component on cryptography.
That will be given at this conference on payments
systems and security: http://www.enhyper.com/paysec/
Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.

I would see these things, in no particular
order, and no huge thought process applied.
a.  a hype cycle in QC that will peak in a year
or two, then disappear as purchasers realise that
the boxes aren't any different to ones that are
half the price.
b.  much more use of opportunistic cryptography,
whereby crypto systems align their costs against
the risks being faced.  E.g., self-signed certs
and cert caching in SSL systems, caching and
application integration in other systems.
c.  much less emphasis on deductive no-risk
systems (PKIs like x.509 with SSL) due to the
poor security and market results of the CA
model.
d.  more systems being built with basic, simple
home-grown techniques, including ones that are
only mildly secure.  These would be built by
programmers, not cryptoplumbers.  They would
require refits of proper crypto as/if they migrate
into successful user bases.  In project terms,
this is the same as b. above - more use of
opportunistic tactics to secure stuff basically
and quickly.
e.  greater and more costs to browser users
from phishing [1] will eventually result in
mods to security model to protect users.  In
the meantime, lots of snakeoil security solutions
will be sold to banks.  The day Microsoft decides
to fix the browser security model, phishing will
reduce to a just another risk.
f.  arisal of mass crypto in the chat field,
and slow painful demise of email.  This is
because the chat protocols can be updated
within the power of small teams, including
adding simple crypto.  Email will continue to
defy the mass employment of crypto, although
if someone were to add a create self-signed
cert now button, things might improve.
g.  much interest in simple crypto in the p2p
field, especially file sharing, as the need
for protection and privacy increases due to
IP attacks.  All of the techniques will flow
across to other applications that need it less.
h.  almost all press will be in areas where
crypto is sure to make a difference.  Voting,
QC, startups with sexy crypto algorithms, etc.
i.  Cryptographers will continue to be pressed
into service as security architects, because it
sounds like the same thing.  Security architects
will continue to do most of their work with
little or no crypto.
j.  a cryptographic solution for spam and
viruses won't be found.  Nor for DRM.
iang
[1] one phisher took $75,000 from 400 victims:
http://www.financialcryptography.com/mt/archives/000129.html
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-08 Thread Graeme Burnett
Ian Grigg wrote:
Graeme Burnett wrote:
Hello folks,
I am doing a presentation on the future of security,
which of course includes a component on cryptography.
That will be given at this conference on payments
systems and security: http://www.enhyper.com/paysec/
Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.


i.  Cryptographers will continue to be pressed
into service as security architects, because it
sounds like the same thing.  Security architects
will continue to do most of their work with
little or no crypto.
Hmmm
I'm afraid I concur - my personal experience of being a security 
architect for
a major merchant bank was one of meeting regulatory requirement by post 
development due
diligence, or as my wife calls it nagging, making the role 
effectively that of  grumpy rubber stampers

G
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Quantum crypto gets a speed boost

2004-05-08 Thread R. A. Hettinga
http://optics.org/articles/news/10/5/2/1

Optics.org

Quantum crypto gets a speed boost

6 May 2004

NIST scientists transfer a quantum key made of single photons at a rate of
1Mbps.

A team of US scientists from the National Institute of Standards and
Technology (NIST) in Colorado and Acadia Optronics, Maryland, claims to
have built the world's fastest quantum cryptography system (Optics Express
12 9).

NIST test bed

Its 730 m free-space link, which uses a stream of single photons to
transfer a secret encryption key, offers a key transfer rate of 1Mbps --
about 100 times faster than previously demonstrations. NIST says that the
increase in speed could potentially make quantum cryptography practical for
applications such as streaming encrypted video or communications across
large networks.

 Quantum key distribution (QKD) has recently emerged as an attractive
technique to create completely secure communication links between banks and
military bases and the first commercial systems are now starting to appear.

Although the transmission distances have steadily improved over the past
few years, the current records are 150 km in fiber and 23 km in free space,
the transfer rate of the key has remained painfully slow, typically 1 kbps
or so.


Crypto components

The NIST-Acadia team has boosted this transfer rate to 1 Mbps by employing
a clock synchronization scheme typically found in high-speed optical
communications.

The innovation is to operate a classical (unsecure) link at 1.5 microns in
parallel with an 845 nm QKD link over a 730 m span between two NIST
buildings. The classical link, at a clock rate of 1.25 Gbps, is used to
synchronize the QKD receiver and tell it when to look for the key's photons.

 This synchronized detection helps distinguish the QKD photons generated by
a pair of 845 nm VCSELs from stray light such as photons from the Sun and
thus raise the key transmission rate.

 Although in theory it should be possible to achieve key transmission at up
to the clock-rate, the team has found that the 350 ps timing resolution of
its silicon avalanche photodetectors currently limits performance to
1 Mbps. The team says with better detectors the key rate could be raised
further.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


E-Voting Commission Gets Earful

2004-05-08 Thread R. A. Hettinga
http://www.wired.com/news/print/0,1294,63349,00.html

Wired News

E-Voting Commission Gets Earful 
By Michael Grebb?

Story location: http://www.wired.com/news/evote/0,2645,63349,00.html

02:00 AM May. 06, 2004 PT

WASHINGTON -- Passions ran high Wednesday at the first public hearing of
the Election Assistance Commission, where activists and manufacturers of
electronic voting machines clashed over whether new e-voting systems should
include a voter-verifiable paper trail that auditors could use to recount
votes if necessary.

 The newly formed commission, which is just beginning to oversee the
certification of voting systems and the standardization of elections across
the country, held its first meeting to examine the state of elections and
voting systems. The commissioners were collecting testimony from
special-interest groups, election officials, computer scientists and
voting-machine makers.


 But the commission's chairman said he didn't expect the bipartisan panel
would issue national standards requiring paper receipts when it makes
preliminary recommendations next week, followed by more detailed guidelines
next month.

 We will not decide on what machines people will buy, said the chairman,
Republican DeForest B. Soaries Jr., saying it wasn't the panel's role to
tell states what to do. We will say, if California wants to have a backup
paper system, what national standards it should follow.

 At least 20 states are considering legislation to require a paper record
of every vote cast after rushing to get ATM-like voting machines to replace
paper ballots in the wake of Florida's fiasco with hanging chads in the
2000 presidential election. About 50 million people, or 29 percent of
voters, are expected to vote electronically in November's election.

 Representatives from the machine makers tried to convince commissioners
that paperless e-voting systems are not only safe and accurate, but more so
than paper-based systems.

 Mark Radke, director of marketing at Diebold Election Systems, said
Diebold's touch-screen voting systems experienced zero security problems
during the November 2002 elections, pointing out that its voice guidance
audio feature allowed blind voters to vote in private for the very first
time. (With paper-only systems, blind voters historically have needed to
recite their ballot choices to a poll worker or friend, who would then mark
the ballot for them.)

 Radke also said Diebold's machines outperformed other systems during the
California recall elections in October. He claimed that under-counted votes
were the lowest on Diebold touch screens, at 0.73 percent, compared with
2.86 percent for optical-scan systems, 4.6 percent for other electronic
systems and 6.32 percent for paper-only systems.

 Alfie Charles, spokesman for Sequoia Voting Systems, said the
sensationalized concerns of paper-trail advocates aren't grounded in
reality.

 The evidence is pretty clear, he said. Electronic systems help prevent
disenfranchisement.

 Several panelists also pointed out that the pool of people able to hack
into an e-voting system is far smaller than those able to steal ballots,
stuff the ballot box or punch holes in voting cards to change or nullify
votes. Under that theory, electronic systems would increase security.

 We would reduce the number of people capable of committing fraud,
Charles said.

 But Avi Rubin, a Johns Hopkins University computer scientist who helped
author a report last July about security vulnerabilities in Diebold's
touch-screen voting system, warned that paperless systems could allow savvy
intruders to rig an election. He said corporations supporting a particular
presidential candidate who is friendly to their needs would have billions
at stake to make sure their candidate won.

 We've got very well-funded and bad-intentioned adversaries to worry
about, he said.

 Rubin said while paper trails are needed for the November election, in
the long, long term we should explore other cryptographic options and other
electronic techniques to someday run secure, paperless elections.

 At a press conference and rally outside the hearing, a crowd of supporters
cheered when California Secretary of State Kevin Shelley took the podium.

 On Friday, Shelley banned the use of one model of Diebold's voting
machines in four California counties, and decertified all touch-screen
systems unless counties that own them implement 23 security requirements.
At least one county is filing suit against Shelley for his actions, and
others may follow.

 Supervisors in Riverside County voted unanimously Tuesday to sue Shelley,
California's top election official, to remove the ban on their machines,
saying his ruling would harm disabled and visually impaired voters who have
been able to vote unassisted for the first time using touch-screen machines
that guide them through the ballot with audio directions.

 Shelley charged that Diebold aggressively marketed its TSx system to
voting officials in the four 

Re: The future of security

2004-05-08 Thread Anne Lynn Wheeler
On Thu, 2004-05-06 at 17:52, Ian Grigg wrote:
 c.  much less emphasis on deductive no-risk
 systems (PKIs like x.509 with SSL) due to the
 poor security and market results of the CA
 model.
 

at the nist pki rd workship (mentioned elsewhere in some other post
in this mailing list) there was discussion of 

1) using private key signing for things like signature (like in human
signature) agreement/authorization as opposed to straight
authentication. one of the issues is that if you ever use a private key
to digitally some random challenge/response data in a authentication
paradigm ... you might be at risk ever using the same private key for
signature purposes ... since it might be possible that some of the
random data you may have signed might not have been truely random after
all

2) naked public keys ... aka w/o certificates at all

3) and in some of the breaks the certificate use in payment
transactions. sort of two issues in payment transactions were/are a)
privacy and b) size bloat. in the mid-90s, the traditional x.509
identity certificate from the early 90s was drastically cut back to
relying-party-only, account number certificate because of privacy
issues with identity information. The work on certificate-based
financial transaction started with taking a 60-80 byte payment
transaction, instead of ISO8583, using ASN.1 encoding to blow it up to
200-300 bytes; added a 128-byte RSA signature (then adding in the ASN.1
encoding) and a relying-party-only certificate that typically ran 4k-12k
bytes; having starting from a 60byte normal transaction, the
certificate-based stuff would blow it up by factor of one hundred times
to 6k to 12k bytes. The certificate was totally redundant and
superfluous since the financial institution was the relying party and
already had all the information. In the X9.59 work it was observed that
it was possible to encode an ECDSA signature in an ISO8583 transaction
in 42 bytes ... so absolute minimum for authenticated payment
transaction would go from 60 bytes to a little over 100 bytes ... w/o
throwing in a bunch of extraneous, duplicated and/or superfluous data
that provided absolutely no added value (the payment transaction still
contained the same data, digital signature authentication was added ...
and all the payload carried in a certificate was totally redundant and
superfluous since the relying-party had a superset). It isn't exactly
that payment security requirements have to be proportional to the cost
of certificate security ... it was that certificate security increased
the payload costs by a factor of one hundred times and provided NO added
value.

some of my further observations about mixing authentication signing and
signature signing ... as well as nature of naked public keys ...
recently posted to thread in sci.crypt:
http://www.garlic.com/~lynn/2004e.html#20 Soft signatures

and the future of security ... somewhat orthogonal to cryptography ...
there was recently a letter from NSF to some former multician that was
posted to the alt.os.multics n.g. that started a thread on (not
necessarily crypto) system security (and multics never having been
broken). a couple posts in the thread
http://www.garlic.com/~lynn/2004e.html#27 NSF itnerest in Multics
security
http://www.garlic.com/~lynn/2004e.html#36 NSF itnerest in Multics
security


-- 
Anne  Lynn Wheeler | http://www.garlic.com/~lynn/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


acoustic cryptanalysis

2004-05-08 Thread Perry E. Metzger

Adi Shamir  Eran Tromer find you can literally listen in on your
computer doing RSA computations:

http://www.wisdom.weizmann.ac.il/~tromer/acoustic/

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Security Architect Position at National Archives

2004-05-08 Thread Don Davis
At 12:02 PM -0400 4/29/04, Rich Salz wrote:
 The role is for a system architec/designer with strong cyber 
 security experience. Somebody who can evaluate the security 
 implication of various design proposal. In other words, I'm not 
 looking just for somebody who can run a firewall or vulnerabiility 
 check, or who can cite NIST security standard (although those 
 skills woul dcome in handy too!).

i talked to them.  the downside is that they want this
security architect to be the security administrator,
once the system is built...

- don davis, boston





-

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]