Re: Crack in Computer Security Code Raises Red Flag
On Tue, 15 Mar 2005, The Wall Street Journal Wrote:

> SHA-1 is a federal standard promulgated by the National Institute of Standards and Technology and used by the government and private sector for handling sensitive information. It is thought to be the most widely used hash function, and it is regarded as the state of the art.
                                                                  ^^

NEXT!

-- 
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses.
http://www.tshirthell.com/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government
Ian G wrote:
> NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government
>
> Certicom's ECC-based solutions enable government contractors to add security that meets NSA guidelines

I should note that OpenSSL also supports ECC.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
> Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of

Unfortunately, I already have a large network of people who use AIM, and they all each have large networks of people who use AIM. Many of them still use the AIM client. Getting them to switch to gaim is feasible. Getting them to switch to Jabber is not. However, getting them to switch to gaim first, and then ultimately Jabber, might be an option. Frankly, the former is more important to me in the short term.

> AOL, whereas with XMPP you can run your own server etc. Unfortunately

Does "can" == "have to"? From what I remember of trying to run Jabber a few years ago, it did.

> the original Jabber developers did not build encryption in from the beginning and the existing methods have not been implemented widely (OpenPGP over Jabber) or are not very Jabberish (RFC 3923), so we need to improve what we have. Contributions welcome. See here for pointers:
>
> http://www.saint-andre.com/blog/2005-03.html#2005-03-15T11:23
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote:
> > this is actually a very good solution for me. The only thing I don't like about it is that it stores the private key on your machine. I understand why that is, but it also means that if you switch machines with the same login (home/work), you have to reverify the fingerprint out of band (assuming you care enough to do that in the first place).
>
> You can also just copy your otr.private_key file around. See, for example, http://chris.milbert.com/AIM_Encryption/

It would be helpful if you could specify the location of the private key file, so then it could be on a thumb drive or something similar.
Re: Do You Need a Digital ID?
R.A. Hettinga wrote:
> http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp

i've been asked to flush out my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote
to highlight the distinction between identity theft and account theft.

typically identity theft is that enuf information is obtained to fraudulently be able to open new accounts in the victim's name (among other things), while account theft is that the thief has enuf information to perform fraudulent transactions against an existing account of the victim.

account theft tends to be attacks on poor authentication procedures by account institutions and/or use of social engineering or phishing to obtain the victim's account authentication information (which shares a lot in common with straight identity theft). a common exploit is the use of skimming/sniffing of static authentication verification data that enables creating counterfeit tokens/cards that enable fraudulent transactions.

given 3-factor authentication:

* something you have
* something you know
* something you are

there can be a great deal of confusion whether a token/card represents something you have or not. If a token/card contains valid authentication information and if that token/card is lost/stolen and a new account has to be created, then it is likely the token/card represents something you have authentication.

however, some infrastructures just utilize a token/card to provide the equivalent of a userid (say an account number, which isn't required to be secret) and the actual authentication is in the form of a password/PIN ... i.e. something you know authentication. just because a token/card is involved along with a PIN/password doesn't automatically imply that two-factor authentication is involved. if a re-issued token/card (to replace a lost/stolen token/card) is identical to the lost/stolen token/card ... then it is likely that there is no something you have authentication involved (even tho a token/card is involved in the process) ... and therefore the infrastructure is just single factor authentication.

at the basics, a digital signature is an indirect indication of something you have authentication, aka the existence of a digital signature implies that the originator accessed and utilized a private key in the generation of the digital signature. a digital signature by itself says nothing about the integrity of that something you have authentication ... since the digital signature doesn't carry any indication of the integrity measures used to secure and access the associated private key.

there is some temptation to claim that a lot of the problems with establishment of digital signature technology is that the basic trust building blocks haven't been established. numerous institutions have spent a lot of time focusing on the trust infrastructures associated with certification authority operation and digital certificates, which have nothing directly to do with any form of 3 factor authentication.

the basic building block is that financial (or other) institutions have ongoing relationships represented by established accounts and that the entities associated with those accounts have established authentication material. In the case of digital signatures, that would be public keys. the degree to which a relying party institution (financial or other) can trust what is represented by a digital signature is the integrity level of the environment that protects the access and use of the associated private key. w/o additional knowledge, the relying party only knows that some entity accessed and utilized a specific private key ... as in a simple, single factor, something you have authentication. A digital signature by itself has no indication of the security and integrity level associated with the private key protection, access and use ... and/or if there is anything more than simple, single factor, something you have authentication.

Furthermore, in the great majority of the transactions involving established relationships, there is no need for digital certificates to establish identification information; straight-forward authentication tends to be sufficient.

misc. past 3-factor authentication posts
http://www.garlic.com/~lynn/subpubkey.html#3factor
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote:
> OTR works over Jabber today. Granted, it's not very Jabberish (as far as I understand the term; I don't know the Jabber protocol very well): it just replaces the text of the message with ciphertext. [gaim, at least, doesn't seem to have a way to construct a more Jabberish message, as far as I could tell.] I'd be more than happy to help Jabber-ify the OTR protocol.
>
> The reason we designed OTR was exactly that the GPG-over-IM solutions have semantics that don't match those of a private conversation: you have long-term encryption keys, as well as digital signatures on messages. You don't *want* Bob to be able to prove to Charlie that Alice said what she did. [Yet you want Bob to be himself assured of Alice's authorship.] And a compromise of Bob's computer tomorrow should not expose today's messages.
>
> OTR also adds a couple of extra features (malleable encryption, publishing of the MAC keys, a toolkit for forging transcripts) to help Alice claim that someone's putting words in her mouth.

Obviously I need to read up more on OTR, but thanks for the offer of assistance -- I'll reply further when my level of ignorance is not quite so high as it is now.

/psa
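The deniability property Ian describes in the message above, as an added illustration that is not libotr code and not part of the thread: a MAC key shared by both parties lets Bob verify Alice's message but gives him nothing a third party would accept as proof, and publishing that key after the conversation lets anyone rewrite the transcript. The session secret is a constructed random value standing in for the Diffie-Hellman exchange, and the SHA-256 counter-mode keystream is a toy stand-in for OTR's cipher.

```python
import hashlib
import hmac
import secrets


def derive_keys(shared_secret):
    """Split a per-session shared secret into an encryption key and a MAC key.
    Both parties hold both keys; that symmetry is what makes the MAC deniable."""
    enc_key = hashlib.sha256(b"toy-otr-enc" + shared_secret).digest()
    mac_key = hashlib.sha256(b"toy-otr-mac" + shared_secret).digest()
    return enc_key, mac_key


def keystream(enc_key, length):
    """Counter-mode keystream from SHA-256, a toy stand-in for OTR's
    counter-mode cipher. XOR with a keystream is malleable by construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, plaintext):
    """Encrypt, then MAC the ciphertext. The tag convinces whoever holds
    mac_key that the message is unmodified; it convinces nobody else,
    because every holder of mac_key could have produced it."""
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def unseal(enc_key, mac_key, ct, tag):
    """Check the tag in constant time, then decrypt. Returns None on a bad tag."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(enc_key, len(ct)))


def rewrite_after_publication(published_mac_key, ct, known_pt, new_pt):
    """What publishing the MAC key buys Alice: once the key is public, anyone
    who knows a plaintext can turn the ciphertext into any same-length
    plaintext (ct ^ pt ^ pt' decrypts to pt') and attach a tag that verifies,
    so a transcript carries no evidence of who wrote it."""
    if len(known_pt) != len(new_pt):
        raise ValueError("malleation keeps the length fixed")
    new_ct = xor(ct, xor(known_pt, new_pt))
    new_tag = hmac.new(published_mac_key, new_ct, hashlib.sha256).digest()
    return new_ct, new_tag


def conversation():
    """One session: Alice and Bob agree a fresh secret (a DH exchange in real
    OTR; a constructed random value here), talk, and the secret goes out of
    scope afterwards, which is why a later compromise of either machine
    cannot unlock these messages. Returns what Bob read and the MAC key
    that OTR would publish once the session is over."""
    shared = secrets.token_bytes(32)  # constructed stand-in for the DH output
    enc_key, mac_key = derive_keys(shared)
    ct, tag = seal(enc_key, mac_key, b"meet at noon")
    received = unseal(enc_key, mac_key, ct, tag)  # Bob is assured it is intact
    return received, mac_key


if __name__ == "__main__":
    msg, published = conversation()
    print(msg, "; MAC key now public:", published.hex()[:16], "...")
```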
Re: PK - OTP?
Matt Crawford wrote:
> My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ...
>
> Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly sign), is it possible to implement a challenge/response function such that
>
> * Both the challenge and the response are short enough for an average user to be willing to type them when needed.
> * The challenge can be generated, and the response verified using the cardholder's public key and a reasonable amount of computation.

What's wrong with sending the device encryption of a random number (using the public key of the device), and the device sending back the number as proof of possession of the corresponding secret key?

Best, Amir Herzberg
Re: Encryption plugins for gaim
Ian G wrote:
> Adam Fields wrote:
> > Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list.
>
> Just a quick note of clarification, there is a collision in the name Ian G.

4 letters does not a message digest make. Perhaps if you were to prepend a random serial number to your name this problem would be alleviated?

Best wishes,
Jim Cheesman
Reuters -- British Firm Breaks Ground in Surveillance Science
http://www.reuters.com/newsArticle.jhtml?type=topNewsstoryID=7892255
http://www.reuters.com/printerFriendlyPopup.jhtml?type=topNewsstoryID=7892255

British Firm Breaks Ground in Surveillance Science
Mon Mar 14, 2005 08:08 AM ET
By Mark Trevelyan, Security Correspondent

MALVERN, England (Reuters) - The suicide bomber clips a shrapnel-filled belt around his waist and buttons up his jacket to conceal it. As he turns back and forth in front of a semi-circular white panel, about the size of a shower cubicle, a computer monitor shows the metal-packed cylinders standing out clearly in white against his body.

This is no real security alarm: it's a demonstration at the British technology group QinetiQ of a scanning device that sees under people's clothes to spot not just metal but other potential threats like ceramic knives or hidden drugs.

The electromagnetic technology, known as Millimeter Wave (MMW), is just one aspect of a potential revolution in security screening being pioneered at QinetiQ, formerly part of the research arm of the British defense ministry.

"Actually, detecting a suicide bomber in the lobby of an airport is not a great thing to happen," Simon Stringer, new managing director of QinetiQ's security business, says with British understatement. "It's slightly better than having him do it in the departure lounge or perhaps on the plane, but you're still going to have to deal with a significant problem."

That's why, he says, the trend for the future will be to move the scanners outside the terminal building and operate them in "stand-off" mode -- checking people from a distance before they even set foot inside. The advantage is obvious: to spot potential attackers without alerting them to the fact, and gain precious seconds for security forces to prevent an attack.

ARE YOU SWEATING TOO MUCH?

Another prospect in store for air travelers is hyperspectral sensing that will check for chemicals called pheromones, secreted by the human body, which may indicate agitation or stress.

"People under stress tend to exude slightly different pheromones, and you can pick this up ... There are sensing techniques we're working on," Stringer said.

The stress may have an innocent cause, such as fear of flying, but could also betray the nervousness of a potential attacker. The point is to alert security staff to something unusual that may need further investigation.

As with MMW, the technology could function at a distance and without the need for people to wait in line. By conducting such checks while people are approaching the airport and moving through it, authorities could avoid bottlenecks and queues.

SUSPICIOUS MOVEMENTS

As the passenger proceeds through the terminal, the next layer of surveillance could be carried out through "cognitive software" which monitors his or her movements and sounds a silent alarm if it picks up an unusual pattern.

"Someone who's been back in and out of the same place three times or keeps bumping into the same people might be something that's worthy of further investigation ... I think that's really the sort of capabilities we're going to be looking at," Stringer said in an interview.

While many of these technologies are still under development, others have already been rolled out to clients by QinetiQ, which made group operating profit of 28 million pounds ($53.9 million) in the six months to last September.

Millimeter wave, for example, has been tested at airports and, in a different application, is being used by British immigration authorities and Channel Tunnel operator Eurotunnel to detect illegal immigrants trying to enter the country as stowaways in the back of trucks.

Stringer says the potential market for MMW runs into the hundreds of millions of dollars and goes well beyond the transport sector. "We're spending quite a lot of time talking to multinationals who want to establish perimeter security systems around plant, installations and buildings," he said.

QinetiQ -- owned 30 percent by private equity group Carlyle and 56 percent by the British government -- expects rapid growth for its security business as it gears up for a stock market launch.

BIG BROTHER?

But how will ordinary people embrace the prospect of surveillance technology that sees through their clothes, checks how much they're sweating and tracks their airport wanderings between the tax-free shops and the toilets?

Stringer acknowledges that some might see this as George Orwell's Big Brother come true. "There are always going to be issues of privacy here and they're not to be belittled, they're important."

But he says smarter technology will actually make the checks less intrusive than those now in standard practice, such as being searched head to foot after setting off a metal detector alarm.

"Personally I find that more irritating than the idea of someone just scanning me as I walk through," he said. "You're under surveillance in airports anyway. What you're
Re: $90 for high assurance _versus_ $349 for low assurance
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote:
> On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
> > Certainly with UIXC it's not worth anything.
>
> What is UIXC?

lemme guess: universal indiscriminate cross certification

oh wait, peter did define it: implicit not indiscriminate

-- 
Ng Pheng Siong [EMAIL PROTECTED]
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
Re: $90 for high assurance _versus_ $349 for low assurance
John, thanks for this fascinating report!

Conclusion? `Not all CAs/certs are created equal`... therefore we should NOT automatically trust the contents of every certificate whose CA appears in the `root CA` list of the browser. Instead, browsers should allow users to select which CAs they trust sufficiently to identify sites, and to _know_ which CA is identifying the (protected) site they use. This is easy to do, and of course you can add this to your Mozilla/FireFox browser by installing our TrustBar (from http://TrustBar.mozdev.org).

Best, Amir Herzberg

John Levine wrote:
> > Does anyone have a view on what low and high means in this context?
>
> Indeed, what does assurance mean?
>
> Just last week I was trying to figure out what the difference was between a StarterSSL certificate for $35 (lists at $49 but you might as well sign up for the no-commitment reseller price) and a QuickSSL cert for $169. If you look at the bits in the cert, they're nearly identical, both signed by Geotrust's root.
>
> As far as the verification they do, QuickSSL sends an e-mail to the domain's contact address (WHOIS or one of the standard domain addresses like webmaster), and if someone clicks through the URL, it's verified. StarterSSL, even though it costs less, has a previous telephone step where you give them a phone number, they call you, and you have to punch in a code they show you and then record your name. Score so far: QuickSSL 0.001, StarterSSL 0.0015.
>
> Both have various documents available with impressive certifications from well-paid accountants, none of which mean anything I can tell. Under some circumstances they might pay back some amount to someone defrauded by a spoofed cert, but if anyone's figured out how to take advantage of this, I'd be amazed.
>
> Comodo, who sell an inferior variety of cert with a chained signature (inferior because less software supports it, not because it's any less secure) is slightly more demanding, although I stumped them with abuse.net which isn't incorporated, isn't a DBA, and isn't anything else other than me. I invented some abuse.net stationery and faxed them a letter assuring that I was in fact me, which satisfied them.
>
> Back when I had a cert from Thawte, they wanted DUNS numbers which I didn't have, not being incorporated nor doing enough business to get a business credit rating, so they were satisfied with a fax of my county business license, a document which, if I didn't have one, costs $25 to get a real one, or maybe 15 minutes in Photoshop to make a fake one good enough to fool a fax machine.
>
> I gather that the fancier certs do more intrusive checking, but I never heard of any that did anything that might make any actual difference, like getting business documents and then checking with the purported issuer to see if they were real or, perish forbid, visiting the nominal location of the business to see if anything is there.
>
> So the short answer to what's the difference between a ten dollar cert and a $350 cert is: $340. Next question?
>
> Regards,
> John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
> "I shook hands with Senators Dole and Inouye," said Tom, disarmingly.
Re: Encryption plugins for gaim
At 10:19 PM 3/13/2005, Adam Fields wrote:
> Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim.

AOL says that the ToS bits are only for things like chatrooms; user-to-user AIM traffic doesn't even go through their servers. That doesn't mean they can't eavesdrop on it if they want to, or that they don't have mechanisms for automating MITM, so you may very well want to use encryption, but at least in the normal case your traffic is relatively private.
Re: PK - OTP?
> > My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ...
> >
> > Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly sign), is it possible to implement a challenge/response function such that
> >
> > * Both the challenge and the response are short enough for an average user to be willing to type them when needed.
> > * The challenge can be generated, and the response verified using the cardholder's public key and a reasonable amount of computation.
>
> What's wrong with sending the device encryption of a random number (using the public key of the device), and the device sending back the number as proof of possession of the corresponding secret key?

Would it not be the case that the challenge would be as long as the key, and hence too long to reasonably expect a user to type into a keypad?
Re: Security is the bits you disable before you ship
Steven M. Bellovin writes:
> That's not new, either. I believe it was Tony Hoare who likened this to sailors doing shore drills with life preservers, but leaving them home when they went to sea. I think he said that in the 1970s;

he said this in his Turing Award lecture:

    The first principle was security... A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time... I note with fear and horror that even in 1980, language designers and users have not learned this lesson.

This is true, however, I've seen Dan Bernstein (and you don't get much more careful or paranoid about security than Dan) write code like this:

    /* fmt_ulong and fmt_str are djb's fmt.h routines: each writes its
       formatted text at the given pointer and returns the byte count */
    static char line[999];

    len = 0;
    len += fmt_ulong(line + len,rp);
    len += fmt_str(line + len," , ");
    len += fmt_ulong(line + len,lp);
    len += fmt_str(line + len,"\r\n");

Of course, the number of characters that fmt_ulong will insert is limited by the number of bits in an unsigned long, and both strings are of constant length.

-- 
--My blog is at blog.russnelson.com      | The laws of physics cannot
Crynwr sells support for free software  | PGPok | be legislated. Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell | the laws of countries.
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP |
how to phase in new hash algorithms?
We all understand the need to move to better hash algorithms than SHA1. At a minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is the right way to go.

The problem is how to get there from here. OpenSSL 0.9.7 doesn't even include anything stronger than SHA1. As a practical matter, this means that no one can use anything stronger in certificates, especially root certificates. Worse yet, people can't use anything stronger for public consumption for at least five years after a stronger hash algorithm is available -- we have to wait until most older software has died off, since most machines are never upgraded. This means that appearance of the code in client machines is on the critical path. I've heard that OpenSSL 0.9.8 will include stronger hashes, but there's no work in progress to backport the code to 0.9.7.

So -- what should we as a community be doing now? There's no emergency on SHA1, but we do need to start, and soon.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Westlaw agrees to restrict access to Social Security numbers
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/11162869.htm?template=contentModules/printstory.jsp

The San Jose Mercury News
Posted on Thu, Mar. 17, 2005

Westlaw agrees to restrict access to Social Security numbers

WASHINGTON (AP) - A legal research company said Thursday it will greatly restrict customer access to Social Security numbers in response to complaints from Congress that its previous policy of limited sales of the numbers invited identity theft.

Westlaw, a Minnesota-based legal research firm, said private companies and many government offices no longer will be able to obtain such information from the company.

``The events of the past months illustrate the importance of tougher controls, and we're pleased to be a part of a broader and ongoing effort that supports both individual privacy and homeland security concerns,'' said Peter Warwick, CEO of Thomson West, which operates the online Westlaw service.

The company's practices came under fire from lawmakers after another data company, ChoicePoint, announced some 145,000 customers had been exposed to identity theft. Westlaw, which is owned by The Thomson Corp., has not suffered a similar breach, but Sen. Charles Schumer, D-N.Y., called on the company to tighten restrictions on the information available to customers in the wake of the ChoicePoint problem.

Under the new policy, about 85 percent of Westlaw customers who previously had access to the Social Security number search will no longer have such access. All private companies, and many government offices, including the U.S. Senate, will no longer have access to Social Security numbers through Westlaw. Access will remain for some law enforcement agencies.

Congress has stepped up pressure on data companies that collect huge amounts of private information. On Tuesday, ChoicePoint Inc. CEO Derek Smith appeared before a House Energy and Commerce Committee panel to publicly apologize to customers whose information may have been obtained surreptitiously. Appearing beside him was LexisNexis CEO Kurt Sanford, whose company also had a breach involving information on about 32,000 people. LexisNexis is owned by Reed Elsevier PLC.

The two executives said they would support some proposals to toughen laws governing consumer privacy. They did not support a more sweeping prohibition on the sale of Social Security numbers, arguing such sales may be necessary for law enforcement or debt collection.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Cyber cops foil £220m Sumitomo bank raid
http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/print.html

The Register
Original URL: http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/

Cyber cops foil £220m Sumitomo bank raid
By John Leyden (john.leyden at theregister.co.uk)
Published Thursday 17th March 2005 11:51 GMT

A hi-tech bid to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui has been foiled by police. A gang of cyber crooks compromised Sumitomo's computer systems in October 2004 prior to an unsuccessful attempt to transfer money to a series of 10 accounts overseas, the FT reports.

Yeron Bolondi, 32, was arrested by Israeli police on Wednesday after an attempt to transfer £13.9m to a bank account in the country. He has been charged with money laundering and deception. The plan was thwarted before any cash was transferred, the BBC reports (http://news.bbc.co.uk/1/hi/uk/4356661.stm).

Takashi Morita, head of communications at Sumitomo in Tokyo, told (http://news.independent.co.uk/uk/crime/story.jsp?story=620980) the Press Association that the bank had not suffered any losses as a result of the attempted heist. "We have undertaken various measures in terms of security and we have not suffered any financial damage," he said.

Details of how the bank's systems were compromised remain sketchy, though several reports implicate the use of key logging software as part of the plot. A spokeswoman for the National High-Tech Crime Unit declined to comment on its ongoing investigation into the attempted robbery of Sumitomo. A spokesman for the bank in London declined to say anything, other than that the attempted raid was a complete failure.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: NSA warned Bush it needed to monitor networks
A few days ago, I posted this:

> WASHINGTON (AP) -- The National Security Agency warned President Bush in 2001 that monitoring U.S. adversaries would require a ``permanent presence'' on networks that also carry Americans' messages that are protected from government eavesdropping.
> ...
> ``Make no mistake, NSA can and will perform its missions consistent with the Fourth Amendment and all applicable laws,'' the document says.

Today, I happened to learn the URL for the document itself: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf . There's little that strikes me as sensitive in it, other than the (redacted) budget numbers. What's someplace between amusing and appalling is some of the other things that NSA had considered sensitive. For example, consider this paragraph, from page 5:

    The National Security Agency has a proud tradition of serving the nation. NSA has been credited with preventing or significantly shortening military conflicts, thereby saving lives of U.S. military and civilian personnel. NSA gives the nation a decisive edge in policy interactions with other nations, in countering terrorism, and in helping stem the flow of narcotics into our country. NSA has been the premier information agency of the industrial age, and through ongoing modernization and cutting edge research, will continue to be the premiere knowledge agency of the information age.

That paragraph, believe it or not, was classified Secret. For what it's worth, the official definition of Secret, from Executive Order 12958 (http://www.dss.mil/seclib/eo12958.htm), is:

    Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

What in that paragraph could cause serious damage? The notion that NSA gives the U.S. government an edge in policy interactions, i.e., it may spy on foreign governments? I'm shocked, shocked to hear that.

Then there are the paragraphs on pages 16 and 17 that describe NSA's legislative lobbying on crypto legislation. Those were marked FOUO -- For Official Use Only. DD Form 254 says

    The For Official Use Only (FOUO) marking is assigned to information at the time of its creation in a DoD User Agency. It is not authorized as a substitute for a security classification marking but it is used on official government information that may be withheld from the public under exemptions 2 through 9 of the Freedom of Information Act.

Why is that information eligible to be withheld? Because it tells the public that NSA is interested in legislation about crypto and exports?

I could go on, but the topic of overclassification is well-worn.
Off-the-Record Messaging
http://www.cypherpunks.ca/otr/

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption
    No one else can read your instant messages.
Authentication
    You are assured the correspondent is who you think it is.
Deniability
    The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
    If you lose control of your private keys, no previous conversation is compromised.

News

24 Feb 2005: otrproxy-0.2.0 released. Changes from 0.1.x:
* There's now a GUI! See the README for more details.

23 Feb 2005: gaim-otr 2.0.1 released. Changes from 2.0.0:
* Removed people without fingerprints from the Known Fingerprints list.
* The column heads in the Known Fingerprints list cause sorting to happen in the expected way.

22 Feb 2005: Nikita made a 0.1.2 version of otrproxy for OSX. Changes from 0.1.1:
* AIM screen names should be compared case- and space-insensitively.

16 Feb 2005: Version 2.0.1 of libotr released. Changes from 2.0.0:
* Don't send encrypted messages to a buddy who has disconnected his private connection with us.
* Don't show the user the "the last message was resent" notice if the message has never actually been sent before.
* Fix a crash bug that happened when messages were retransmitted under certain circumstances.

More News...

Downloads

OTR library and toolkit
This is the portable OTR Messaging Library, as well as the toolkit to help you forge messages. You need this library in order to use the other OTR software on this page. [Note that some binary packages, particularly Windows, do not have a separate library package, but just include the library and toolkit in the packages below.] The current version is 2.0.1.
* README
* Source code (2.0.1): Compressed tarball (sig), Fedora Core 3 SRPM [Note that if you're compiling from source on win32, you may need to make this patch to libgcrypt-1.2.1.]
* Linux/x86 (2.0.1): Debian testing/unstable, Debian testing/unstable dev package, Fedora Core 3 RPM, Fedora Core 3 dev RPM
* Linux/x86_64 (2.0.1): Fedora Core 3 RPM, Fedora Core 3 dev RPM

OTR plugin for gaim
This is a plugin for gaim 1.x which implements Off-the-Record Messaging over any IM network gaim supports. The current version is 2.0.1. You may need the above library packages.
* README
* Source code (2.0.1): Compressed tarball (sig), Fedora Core 3 SRPM
* Linux/x86 (2.0.1): Debian testing/unstable (Debian stable does not have the required 1.x version of gaim), Fedora Core 3 RPM
* Linux/x86_64 (2.0.1): Fedora Core 3 RPM
* Windows (2.0.1): Win32 installer (sig)

OTR localhost AIM proxy
This is a localhost proxy you can use with almost any AIM client in order to participate in Off-the-Record conversations. The current version is 0.2.0, which means it's still a long way from done. Read the README file carefully. Some things it's still missing:
* Username/password authentication to the proxy
* Having the proxy be able to use outgoing proxies itself
* Support for protocols other than AIM/ICQ
* Configurability of the proxy types and ports it uses
But it should work for most people. Please send feedback to the otr-users mailing list, or to the dev team. You may need the above library packages.
* README
* Source code (0.2.0): Compressed tarball (sig), Fedora Core 3 SRPM
* Linux/x86 (0.2.0): Debian testing/unstable, Fedora Core 3 RPM
* Windows (0.2.0): Win32 installer (sig)
* OSX (0.2.0): OSX package

Mailing Lists

If you use OTR software, you should join at least the otr-announce mailing list, and possibly otr-users (for users of OTR software) or otr-dev (for developers of OTR software) as well.

Documentation

Here are some documents and papers describing OTR. The WPES presentation is quite useful to get started.
* Protocol description
* The WPES 2004 version of our paper
* Our WPES presentation (Powerpoint)
* Our WPES presentation (PDF)

Frequently Asked Questions

What implementations of Off-the-Record Messaging are there?
Right now, there's the plugin for gaim, which is supported on Linux and Windows. There's also the OTR proxy, which is supported on Linux, Windows, and OSX. The OTR functionality is separated into the Off-the-Record Messaging Library (libotr), which is an LGPL-licensed library that can be used to (hopefully) easily produce OTR plugins for other IM software, or for other applications entirely.

What is the license for the OTR software?
The Off-the-Record Messaging
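The four properties listed on the OTR page follow from one design choice: each message is authenticated with a MAC under a key derived from an ephemeral Diffie-Hellman exchange, not with a digital signature, so the peer can verify it while a third party holding the transcript cannot attribute it to anyone, and discarding the ephemeral keys protects past sessions. The sketch below is an added example, not libotr's code; it uses the 1024-bit MODP group of RFC 2409 (group 2) and a SHA-256 counter-mode keystream as a stand-in for OTR's AES, and all function names are hypothetical.

```python
"""OTR-style message protection: ephemeral DH, then MAC'd, encrypted messages.
Added illustration only; not the libotr implementation."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of RFC 2409 group 2, generator 2. Chosen because it fits
# in a few lines; OTR itself uses a larger group.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Ephemeral key pair. Discarding the private part after the session is
    what gives forward secrecy: a later key compromise does not expose it."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_keys(my_priv, their_pub):
    """Derive encryption and MAC keys from the shared DH secret. Both parties
    hold the same MAC key, so either could have produced any tag: deniability."""
    shared = pow(their_pub, my_priv, P).to_bytes(128, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())

def keystream(enc_key, counter, length):
    """Counter-mode keystream from SHA-256 (stand-in for OTR's AES-CTR)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
    return out[:length]

def seal(enc_key, mac_key, counter, plaintext):
    """Encrypt then MAC. The tag convinces the peer the message is genuine and
    unmodified, but a third party holding the transcript learns nothing."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, counter, len(plaintext))))
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return counter, ct, tag

def open_message(enc_key, mac_key, counter, ct, tag):
    """Return the plaintext, or None if the tag does not verify."""
    expected = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, counter, len(ct))))
```

Because the receiver holds the same MAC key, it can itself call seal() to produce a perfectly valid "message from the sender", which is exactly why a tag is not evidence to anyone else.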
Re: Encryption plugins for gaim
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote:
| Ian G wrote:
| | Adam Fields wrote:
| | | Given what may or may not be recent ToS changes to the AIM service,
| | | I've recently been looking into encryption plugins for gaim.
| | | Specifically, I note gaim-otr, authored by Ian G, who's on this list.
| |
| | Just a quick note of clarification, there is a collision
| | in the name Ian G. 4 letters does not a message digest
| | make.
|
| Perhaps if you were to prepend a random serial number to your name this
| problem would be alleviated?

They'd both randomly choose pi.
Re: NSA warned Bush it needed to monitor networks
--
On 18 Mar 2005 at 22:52, Steven M. Bellovin wrote:
| That paragraph, believe it or not, was classified Secret. For what it's worth, the official definition of Secret, from Executive Order 12958 (http://www.dss.mil/seclib/eo12958.htm), is:
|
| Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

Obviously any bureaucrat with the authority to categorize something as secret will more or less automatically so stamp any information that passes through his hands, to inflate his importance, and thus his job security and prospects for promotion. Similarly, he will spend any money he has authority to spend, thus the never-ending conflict between congress and the SSSI bureaucracy, who if they had their way would put every single American, plus the dead and the pets, on SSSI.

This results in top secret information being treated as not very secret at all, as documented by Richard Feynman, which in turn results in ever higher secrecy classifications, more top than top, a process of classification inflation and debasement.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
R4I4vh9JdcWBUfeQFXQ+i/TlFSVcljg/Og6KRDDj
4qwXmonSAX1xgyPdaB5TsB80yC66PjeWY5mzIpBuo
Re: how to phase in new hash algorithms?
Steven M. Bellovin wrote:
| So -- what should we as a community be doing now? There's no emergency on SHA1, but we do need to start, and soon.

The wider question is how to get moving on new hash algorithms. That's a bit tricky. Normally we'd look to see NIST or the NESSIE guys lead a competition. But NESSIE just finished a comp, and may not have the appetite for another. NIST likewise just came out with SHA256 et al, and they seem to have a full work load as it is trying to get DSS-2 out.

How about the IACR? Would they be up to leading a competition? I don't know them at all myself, but if the Shandong results are heard at IACR conferences, then maybe it's time to take on a larger role. Most of the effort could be volunteer, and it would also be easy enough to schedule everything aligned with the conference circuit.

Just a thought. Anyone know anyone at the IACR?

iang

--
News and views on what matters in finance+crypto: http://financialcryptography.com/
Re: Encryption plugins for gaim
In message [EMAIL PROTECTED], Peter Saint-Andre writes:
| On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote:
| | On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
| | | Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of
| |
| | Unfortunately, I already have a large network of people who use AIM, and they all each have large networks of people who use AIM. Many of them still use the AIM client. Getting them to switch to gaim is feasible. Getting them to switch to Jabber is not. However, getting them to switch to gaim first, and then ultimately Jabber might be an option. Frankly, the former is more important to me in the short term.
|
| Yep, the same old story. :-)
|
| | | AOL, whereas with XMPP you can run your own server etc. Unfortunately
| |
| | Does can == have to? From what I remember of trying to run Jabber a few years ago, it did.
|
| No, we have 200k registered users on the jabber.org server and some servers have even more. You can run your own server, though, and accept connections only from other servers you trust, etc.

Let me second the recommendation for jabber (though I wish the code quality of some of the components were better). The protocol itself supports TLS for client-to-server encryption; you can also have AIM (or other IM) gateways on that server. In many situations (i.e., wireless), it protects the most vulnerable link from eavesdropping. While clearly not as good as end-to-end encryption, it's far better than nothing, especially in high-threat environments such as the IETF... (Of course, I only know of one open source client -- psi -- that checks the server certificate.) In theory, server-to-server communications can also be TLS-protected, though I don't know if any platforms support that. On top of any other encryption, many implementations support PGP encryption between correspondents. I don't know of any support for e2e-encrypted chat rooms.

I haven't played with OTR, nor am I convinced of the threat model. That said, what you really need to watch out for is the transcript files on your own machine...

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?
In message [EMAIL PROTECTED], Ralf Senderek writes:
| And that is why I ask to give the Shamir Discrete Logarithm Hash Function a second thought. At least we have a proof of collision resistance under the assumption that factoring is infeasible for the modulus used. And that is more than we ever had regarding the MD4 series.
|
| BTW, choosing the next generation hash function should - as I think - not be dominated by terms of performance. (i.e. done in the olde fashion)

Dominated? No, of course not. But a hash function based on discrete log will be slow enough that no one will use it.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb