Re: Al Qaeda crypto reportedly fails the test

2004-08-10 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], John Denker writes:

Here's a challenge directly relevant to this group:  Can you
design a comsec system so that pressure against a code clerk
will not do unbounded damage?  What about pressure against a
comsec system designer?


That is, of course, one of the primary goals of perfect forward secrecy 
-- to ensure that old messages are not readable when an endpoint is 
compromised. 

More generally, let me refer people to Between Silk and Cyanide, the 
best description I know of the intersection between cryptosecurity and 
the real world.  To oversimplify, the resistance agents in occupied 
Europe were originally using a cipher whose key was derived from a 
poem.  The poems were guessable; beyond that, converting the poem into
the actual key was a time-consuming, error-prone process.  The result 
was a lot of garbled messages which had to be retransmitted.  Apart 
from the cryptographic significance, the retransmissions gave the 
Gestapo's direction finders a better shot at finding the radio.

Leo Marks realized the problems.  The poems were used so that the 
agents didn't need to have written keying material -- we'll all agree 
that that's a good idea.  But it was misguided -- the Gestapo could, 
would, and did torture the key from people.  Beyond that, they tortured 
the duress signal -- the variant to the message to show that it was 
being sent under pressure -- and verified that the recorded traffic did 
not contain that signal.

Instead, Marks issued so-called worked-out keys -- pieces of silk 
with the actual encryption keys printed on them.  After using a key, it 
would be burned, thus achieving forward secrecy.  The duress code went 
with it, denying that check to the Gestapo, too.  And it didn't matter 
that much that the agent had the keying material -- silk could be sewn 
into a coat lining or the like, or it would feel like a handkerchief, 
which protected the possessor against a casual pat-down.  If the 
Gestapo really suspected you, you were probably dead, anyway; the extra 
incriminating evidence was a minor problem.  Besides, Marks' scheme 
tremendously reduced the garbles, which reduced the need for dangerous 
retransmissions, thus protecting the agents even more.

Marks was also one of the first to realize that the Germans had rolled 
up a resistance ring in the Netherlands, and were sending messages that 
purported to be from the agents.  His clue?  The messages were too 
perfect; the Gestapo had plenty of time to get the encryption correct.
They weren't doing it furtively, under stress in poor conditions...

In other words, he understood the threat model.  (I should point here 
to Kerckhoffs' 6th principle: in effect, make the system easy to use 
under the actual circumstances.  In this case, it conflicts with his 
3rd principle, which says not to use written keys.  See 
http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual 
articles.)

--Steve Bellovin, http://www.research.att.com/~smb


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
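The burn-after-use idea in modern form, as an added example that is not part of Bellovin's post: a symmetric hash ratchet in which each message key is derived from a chain key that is then replaced by a one-way function of itself, so seizing an endpoint's stored state exposes only traffic sent after the seizure. The names (`Ratchet`, `kdf`, `seal`, `unseal`) and the shared seed are constructed for this demo, and it assumes both ends erase as they go, as the silk was burned at both ends of the link.

```python
import hashlib, hmac

def kdf(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes derived from key for one labelled purpose (HMAC-SHA256, counter mode)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

class Ratchet:
    """Holds only the current chain key.  Each message key is derived from it and the
    chain key is then replaced by a one-way function of itself (the key is "burned")."""
    def __init__(self, chain_key: bytes):
        self.chain_key, self.index = chain_key, 0

    def next_key(self):
        mk = kdf(self.chain_key, b"message", 32)
        self.chain_key = kdf(self.chain_key, b"chain", 32)   # ratchet forward, old key gone
        self.index += 1
        return self.index - 1, mk

def seal(mk, index, plaintext):
    """Encrypt-then-MAC under the per-message key; the message index is authenticated."""
    ct = bytes(p ^ s for p, s in zip(plaintext, kdf(mk, b"stream", len(plaintext))))
    tag = hmac.new(mk, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return index, ct, tag

def unseal(mk, index, ct, tag):
    expect = hmac.new(mk, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None                      # wrong key or tampered traffic
    return bytes(c ^ s for c, s in zip(ct, kdf(mk, b"stream", len(ct))))

def demo(messages):
    """Send the messages, then seize the sender's state and try to read the recorded
    traffic with it.  Returns (all_delivered, recorded_traffic_readable)."""
    shared = hashlib.sha256(b"constructed demo seed, not a real key").digest()
    sender, receiver = Ratchet(shared), Ratchet(shared)
    traffic = []
    for m in messages:
        i, mk = sender.next_key()
        traffic.append(seal(mk, i, m))
    delivered = all(unseal(receiver.next_key()[1], i, ct, tag) == m
                    for m, (i, ct, tag) in zip(messages, traffic))
    seized = Ratchet(sender.chain_key)       # all that is left on the endpoint to capture
    future_keys = [seized.next_key()[1] for _ in messages]
    readable = any(unseal(k, i, ct, tag) is not None
                   for k in future_keys for (i, ct, tag) in traffic)
    return delivered, readable
```

The seized chain key only yields keys for messages not yet sent; it cannot be run backwards, which is the property the thread is asking for.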


NSA Overcomes Fiber-Optic and Encryption

2004-08-10 Thread R. A. Hettinga

--- begin forwarded text


Date: Mon, 09 Aug 2004 20:19:35 -0700
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: NSA Overcomes Fiber-Optic and Encryption
Sender: [EMAIL PROTECTED]

Excerpt below from a Baltimore Sun article of August 8, 2004.
Some of it could be true, but.


http://cryptome.org/dirnsa-shift.htm

-

Director of NSA shifts to new path

By Scott Shane
Sun National Staff

August 8, 2004

...

Technology revolution

Given the dire assessments a few years ago, it is notable that Hayden
says the communications revolution has on the whole been a plus, not a
minus, for the NSA.

The NSA director declines to elaborate. But interviews with outside
experts suggest that the agency has managed to overcome the challenges
posed by fiber-optic cable and encryption.

"My opinion is that at this point, those are little more than a speed
bump to NSA," says Steve Uhrig, president of SWS Security, a Harford
County firm that builds eavesdropping and counter-eavesdropping systems
for U.S. and foreign police agencies. "They have a virtually unlimited
budget, and they can put amazing resources to work on a problem."

Several sources who regularly speak with NSA officials say they believe
Uhrig is right. Although they do not know the details, they say the
agency has almost certainly managed to tap fiber cables on a large-scale
basis, making access to the information inside less of a problem than its
overwhelming volume.

The NSA has also found a silver lining to the use of encrypted e-mail:
Even if a particular message cannot be read, the very use of encryption
can flag it for NSA's attention. By tracking the relatively few Internet
users in a certain country or region who take such security measures, NSA
analysts might be able to sketch a picture of a terrorist network.

Information 'in motion'

And by focusing their electronic tricks on messages as they are first
typed on a computer or when they are read on the other end - what
security experts call "information at rest" - NSA technical experts might
be able to bypass otherwise-unbreakable encryption used when the
information is "in motion."

Meanwhile, the popularity of e-mail and particularly of cell phones has
worked to the NSA's advantage in the battle against terrorism.

The NSA's computers can track and sort huge volumes of e-mail far more
easily than they can manage telephone intercepts, because text is
consistently represented in digital code.

And cell phones - as handy for terrorist plotters as for everyone else -
provide not just an eavesdropping target but also a way to physically
track the user.

Uhrig, who has installed cellular intercept systems in several countries,
says that as cell phones have proliferated, the cells served by a tower
or other antenna have correspondingly grown smaller. "A big hotel may
have a cell for every other floor. Every big office building is its own
cell," he says.

Easier tracking

"By following a switched-on cell phone as it shifts from cell to cell,
you can watch the person move," Uhrig says. "You can tell the direction
he's moving. If he's moving slow, he's walking. If he's moving fast, he's
in a car. The tracking is sometimes of much more interest than the
contents of a call."

-

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



RE: Microsoft .NET PRNG (fwd)

2004-08-10 Thread Anton Stiglic
There is some detail in the FIPS 140 security policy of Microsoft's
cryptographic provider, for Windows XP and Windows 2000.  See for example
http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf

where they say the RNG is based on the FIPS 186 RNG using SHS.  The seed is
based on the collection of a lot of data, enumerated in the security policy.

I would guess that what is written is true, or else NIST would look very bad if
someone reverse engineered the code and showed that what they certified was
wrong.

So based on that it would seem that the PRNG in recent Microsoft
cryptographic providers is o.k.

--Anton



Re: Cryptography and the Open Source Security Debate

2004-08-10 Thread John Kelsey
 From: lrk [EMAIL PROTECTED]
 Sent: Aug 6, 2004 1:04 PM
 To: R. A. Hettinga [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Cryptography and the Open Source Security Debate

...
 More dangerous is a key generator which deliberately produces keys which
 are easy to factor by someone knowing a secret. These should be found
 in open source but I suggest many reviewers could miss this and again the
 group think would probably cause most not to even look.

So, how many people on this list have actually looked at the PGP key generation code 
in any depth?  Open source makes it possible for people to look for security holes, 
but it sure doesn't guarantee that anyone will do so, especially anyone who's at all 
good at it.

--John



How a Digital Signature Works

2004-08-10 Thread R. A. Hettinga
http://www.businessweek.com/print/technology/content/aug2004/tc20040810_3053_tc024.htm?tc

Business Week


AUGUST 10, 2004

NEWS ANALYSIS: TECH
By Stephen H. Wildstrom

How a Digital Signature Works

Microsoft's new Service Pack makes life tough for programs lacking the
proper electronic credentials. Here's why
A technology called public key cryptography makes it possible for you to
make sure that the publisher of any piece of software that claims to be
from Microsoft (MSFT) or any other publisher really came from there. It
has the added benefit of ensuring that the contents weren't maliciously
altered or damaged in transmission. Here's how it works:

The publisher first has to obtain a digital certificate from a recognized
certificate authority or CA (VeriSign (VRSN) is the largest and best
known CA in the U.S.). The publisher receives a private and a public key,
each of which is a long number of about 300 digits. These are used to
create a digital signature for each program (see BW Online, 8/10/04,
Windows of Vulnerability No More?).

When the software is ready to be posted for download, the publisher runs
it through a mathematical process called a one-way hash which reduces it to
a long number called the message digest. The message digest is then
encrypted using the publisher's private key, and the result, which looks
like a string of gibberish when displayed, is appended to the program when
it's downloaded.

HASH SLINGING.  The trick of public key encryption -- the best known
approach is called RSA for the initials of its inventors -- is that one key
can be used to scramble the data while a different, mathematically related,
key is used to unscramble it. When you download a digitally signed program,
the first thing your computer does is check the Web site's digital
certificate. It then queries the CA that issues the certificate to make
sure it's still valid and to obtain the public key.

When the download is complete, your computer uses the public key to
decrypt the message digest. It also runs the same one-way hash procedure on
the downloaded software. If everything is as it should be, the decrypted
message digest and the one just created should be identical. If they differ
by a single bit, something is wrong and the downloaded software will be
rejected.

For the curious, here's the message digest of the five paragraphs above
(as plain text), created using the MD5 algorithm from RSA Data Security
Inc: c21196eb8e026d47a67883d746c72c8d.



Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash
Product Reviews, only at BusinessWeek Online





Re: How a Digital Signature Works

2004-08-10 Thread Matt Crawford
 NEWS ANALYSIS: TECH
 By Stephen H. Wildstrom
 How a Digital Signature Works

Is this a "count the errors" contest?  I count six.


Re: Microsoft .NET PRNG (fwd)

2004-08-10 Thread Ed Gerck
The PRNG should be the least concern when using MSFT's cryptographic
provider. The MSFT report 140sp238.pdf says:
RSAENH stores keys in the file system, but relies upon Microsoft
Windows XP for the encryption of the keys prior to storage.
Not only does RSAENH write keys to a lower-security file system... it also does
not provide the encryption security to protect those keys. Because RSAENH
trusts Windows XP to provide that critical link in the security, RSAENH cannot
be trusted to provide the security. In addition, there is a third problem in
securing the keys, namely the security gap between RSAENH and Windows XP.
The most troubling aspect, however, is that RSAENH makes it easy to provide
a covert channel for key access. FIPS 140-1 Level 1 compliant.
Cheers,
Ed Gerck
Anton Stiglic wrote:
There is some detail in the FIPS 140 security policy of Microsoft's
cryptographic provider, for Windows XP and Windows 2000.  See for example
http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf
where they say the RNG is based on the FIPS 186 RNG using SHS.  The seed is
based on the collection of a lot of data, enumerated in the security policy.
I would guess that what is written is true, or else NIST would look very bad if
someone reverse engineered the code and showed that what they certified was
wrong.
So based on that it would seem that the PRNG in recent Microsoft
cryptographic providers is o.k.
--Anton