Re: AES Modes
Jack Lloyd also passed along lots of good comments I'd like to forward (having gained permission) FTR. I've edited them for brevity and pertinence.

Jack Lloyd wrote:

> If it's small messages, CCM would probably work pretty well. Personally I think CCM is really poorly designed (in terms of easy implementation/usage), but take a look. There is also EAX, which is IMO significantly nicer. There are a ton of others (most of the ones on the page you link to support encrypt+MAC), but it seems like EAX and CCM are the only two that are going anywhere (many of the others are patented and/or rather painful to implement).
>
> CCM and EAX are both going to be slower than AES+HMAC because they use AES in some variant of CBC-MAC. Some of the others have faster MACs, mostly ones based on universal hash functions, but the best of them (OCB in particular) have been patented.

I'm obviously being naive here ... I had thought that the combined mode would be faster, as it would run through the data once only, and that AES seems to clip along faster than SHA1. Are you saying that as far as speed goes, I may as well do AES (using CBC) and add an HMAC on the end? Or are you saying that only the patented ones manage to deliver the savings we all expect? Hmm, reading about OCB on Phil Rogaway's site does clarify this somewhat.

http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm

iang

==

To which Jack replied:

> I'm obviously being naive here ... I had thought that the combined mode would be faster, as it would run through the data once only, and that AES seems to clip along faster than SHA1.

AFAIK all of the modes that use only one block cipher invocation per block of input are patented. EAX+CCM both use two AES operations per block, and byte-for-byte SHA-1 is 2-5x faster than AES (at least in the implementations I've seen/used/written), so using AES+HMAC is probably going to be faster than AES/EAX or AES/CCM.

The obvious exception being boxes with hardware AES chips and slow CPUs (eg, an ARM7 with an AES coprocessor), where AES will of course be much faster than SHA-1.

> Are you saying that as far as speed goes, I may as well do AES (using CBC) and add an HMAC on the end?

At least on general purpose CPUs, yes.

> Or are you saying that only the patented ones manage to deliver the savings we all expect? Hmm, reading about OCB on Phil Rogaway's site does clarify this somewhat.
>
> http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm

Pretty much. Though I just remembered that CWC has not been patented by its creators, but I wouldn't be at all surprised if it was covered by one of the others. Even CWC is probably slower than AES+HMAC in software, though apparently it's pretty fast in hardware.

-Jack

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Cash, Credit -- or Prints?
Can anyone explain how sophisticated those fingerprint readers are? Are there readers out there that by themselves are secure devices and essentially are able to talk with their servers through the PCs/workstations over a protocol such that any man-in-the-middle, like a driver, cannot learn anything from the traffic? (...and all that for less than $40, of course...) If not, would a trojan then be able to capture your fingerprint's digital-fingerprint, and impersonate you from any other node on the network?

-Frank.

R.A. Hettinga wrote:

http://online.wsj.com/article_print/0,,SB109744462285841431,00.html

The Wall Street Journal
October 11, 2004

Cash, Credit -- or Prints?
Fingerprints May Replace Money, Passwords and Keys; One Downside: Gummi Fakes
By WILLIAM M. BULKELEY
Staff Reporter of THE WALL STREET JOURNAL
October 11, 2004; Page B1

Fingerprints aren't just for criminals anymore. Increasingly, they are for customers.

Fingerprint identification is being used to speed up checkouts at Piggly Wiggly supermarkets in South Carolina, and to open storage lockers at the Statue of Liberty. Fingerprints are also being used as password substitutes in cellphones and laptop computers, and in place of combinations to open up safes.

But these aren't the fingerprints of yore, in which the person placed his hand on an ink pad, then on paper. Instead, the user sets his hand on a computerized device topped with a plate of glass, and an optical reader and special software and chips identify the ridges and valleys of the fingertips.

Fingerprint technology seems to be reaching critical mass and is spreading faster than other widely promoted biometric identification methods, such as eyeball scanning, handprint-geometry reading and facial recognition. Interest in these and other new security systems was heightened by the September 2001 terror attacks.

"Fingerprints will be dominant for the foreseeable future," says Don McKeon, the product manager for biometric security at International Business Machines Corp.

One reason fingerprint-security is spreading is that technological advances are bringing the cost down. Microsoft Corp. recently introduced a stand-alone fingerprint reader for $54, and a keyboard and a mouse with fingerprint readers. Last week, IBM said it would start selling laptop computers with fingerprint readers built in. These products reduce the need for personal-computer users to remember passwords.

[Photo caption: A customer uses a fingerprint reader to pay at a Piggly Wiggly store, cutting his checkout time.]

Earlier this year, American Power Conversion Corp., a Rhode Island company that makes backup computer batteries, started selling a fingerprint reader for PCs with a street price of $45 -- less than half the price of competitors at the time. American Power says it has sold tens of thousands of the devices since.

Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip at its base that requires the owner's finger to be swiped across its surface before the phone can be used. This summer, NTT DoCoMo Inc. started selling a similar phone reader that is being used on Japanese trains as an electronic wallet to pay fares or to activate withdrawals from on-board cash machines.

Proponents have never had trouble explaining the benefits of fingerprints as payment-and-password alternatives: Each person has a unique set, and their use is established in the legal system as an authoritative means of identification.

But some people are uneasy about registering their fingerprints because of the association with criminality and the potential that such a universal identifier linked to all personal information would reduce privacy. Moreover, numerous businesses and governments have tested fingerprint systems in the past only to rip them out when the hype failed to match reality.

That's partly because the optical readers have had problems with certain people's fingers. Elderly people with dry skin, children who pressed down too hard, even women with smaller fingers -- including many Asians -- were often rejected as unreadable.

Security experts also have successfully fooled some systems by making plaster molds of fingers and then creating fake fingers by filling the molds with Silly-Putty-type plasticizers or gelatin similar to that used in candy Gummi Bears.

But advocates say the rate of false rejections of legitimate users has been greatly reduced by improved software. "I'd say 99% of people can register their fingers," says Brad Hill, who installed fingerprint-controlled lockers at his souvenir store at the Statue of Liberty this summer when the National Park Service forbade tourists from entering the statue while carrying packages. Mr. Hill was worried that tourists would lose locker keys when security screeners forced them to empty their pockets.

Some makers of readers also say their technology can solve the fake-finger problem by taking readings from below the surface skin layer. Or they suggest combining
Congress Close to Establishing Rules for Driver's Licenses
http://nytimes.com/2004/10/11/politics/11identity.html?pagewanted=printposition=

The New York Times
October 11, 2004

Congress Close to Establishing Rules for Driver's Licenses
By MATTHEW L. WALD

WASHINGTON, Oct. 10 - Following a recommendation of the Sept. 11 commission, the House and Senate are moving toward setting rules for the states that would standardize the documentation required to obtain a driver's license, and the data the license would have to contain.

Critics say the plan would create a national identification card. But advocates say it would make it harder for terrorists to operate, as well as reduce the highway death toll by helping states identify applicants whose licenses had been revoked in other states.

The Senate version of the intelligence bill includes an amendment, passed by unanimous consent on Oct. 1, that would let the secretary of homeland security decide what documents a state would have to require before issuing a driver's license, and would also specify the data that the license would have to include for it to meet federal standards. The secretary could require the license to include fingerprints or eye prints.

The provision would allow the Homeland Security Department to require use of the license, or an equivalent card issued by motor vehicle bureaus to nondrivers for identification purposes, for access to planes, trains and other modes of transportation.

The bill does not give the department the authority to force the states to meet the federal standards, but it would create enormous pressure on them to do so. After a transition period, the department could decide to accept only licenses issued under the rules as identification at airports.

The House's version of the intelligence bill, passed Friday, would require the states to keep all driver's license information in a linked database, for quick access. It also calls for an integrated network of screening points that includes the nation's border security system, transportation system and critical infrastructure facilities that the secretary determines need to be protected against terrorist attack.

The two versions will go to a House-Senate conference committee.

Some civil liberties advocates say they are horrified by the proposal.

"I think it means we're going to end up with a police state, essentially, by allowing the secretary of homeland security to designate the sensitive areas and allowing this integrating screening system," said Marv Johnson, the legislative counsel for the American Civil Liberties Union.

If the requirement to show the identification card can be applied to any mode of transportation, he said, that could eventually include subways or highways, and the result would be to "require you to have some national ID card, essentially, in order to go from point A to point B."

James C. Plummer Jr., a policy analyst at Consumer Alert, a nonprofit organization based here, said, "You're looking at a system of internal passports, basically."

But a Senate aide who was involved in drafting the bipartisan language of the amendment said that in choosing where to establish a checkpoint, the provision does not give the secretary of homeland security any new authority.

The aide, who asked not to be identified because of his involvement in drafting the measure, said it would not create a national identification card but would standardize a form of identification routinely issued by states.

Representative Candice S. Miller, the Michigan Republican who drafted the license section of the House measure, said, "I don't think this is anything that should cause anyone concern."

Of the 50 states, 48 are members of interstate compacts that exchange information on moving violations, so that a driver from, say, Maryland, who picks up a speeding ticket in Florida will accumulate points in his home state. But Michigan and Wisconsin are not members of a compact. Ms. Miller said one purpose of the provision she wrote was to fix that problem.

A spokesman for the American Association of Motor Vehicle Administrations, which represents the state officials who issue driver's licenses, said linking the databases and strengthening control over who could get a license was long overdue.

"The American public should be outraged to know that departments of motor vehicles nationwide lack the capability to do the jobs we've asked them to do," said the spokesman, Jason King.

In both houses, the legislation is geared to respond to numerous recommendations made by the Sept. 11 commission.

For years before the terrorist attacks of Sept. 11, 2001, law enforcement officials, especially those concerned with identity theft, argued that the states should have more rigorous standards for issuing driver's licenses. But the commission pointed out that fraud in identification documents is no longer just a problem of theft.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
Re: AES Modes
> From: Ian Grigg [EMAIL PROTECTED]
> Sent: Oct 10, 2004 11:11 AM
> To: Metzdowd Crypto [EMAIL PROTECTED]
> Subject: AES Modes
>
> I'm looking for a basic mode to encrypt blocks (using AES) of about 1k in length, +/- an order of magnitude. Looking at the above table (2nd link) there are oodles of proposed ones. It would be nice to have a mode that didn't also require a separate MAC operation - I get the impression that this is behind some of the proposals?

I think CCM is just about perfect for this goal. The MAC isn't free, but it's integrated into the chaining mode. There are also some patented modes that provide a MAC for almost no extra computation (OCB, IACBC), and some proposed modes that combine an efficient, parallelizable MAC with encryption in a secure way (CWC, GCM), though none of these are standards yet.

> iang

--John