Re: Do You Need a Digital ID?

2005-03-25 Thread Anne Lynn Wheeler
minor addenda ... ref: http://www.garlic.com/~lynn/aadsm19.htm#1 Do You Need a Digital ID? http://www.garlic.com/~lynn/aadsm19.htm#2 Do You Need a Digital ID? there are 2nd order implementations of public/private key authentication business process where keeping the private key private might

Re: Do You Need a Digital ID?

2005-03-25 Thread Anne Lynn Wheeler
now, i've said that all of these comments are within the 3 factor authentication paradigm ... if you back up a couple paragraphs in the original postings ... you will find the comments: given 3-factor authentication: * something you have * something you know * something you are aka the

Re: Do You Need a Digital ID?

2005-03-25 Thread Jerrold Leichter
| now, i've said that all of these comments are within the 3 factor | authentication paradigm ... if you back up a couple paragraphs in the | original postings ... you will find the comments: | | given 3-factor authentication: | | * something you have | * something you know | * something you

Re: Do You Need a Digital ID?

2005-03-25 Thread Matt Crawford
Now that the taxing bodies (US states) have learned not to print the SSN on the mailing label, Illinois has gone further and requires a state-assigned PIN to file or access your tax information over the internet. They helpfully provide you the PIN ... on the mailing label.

Re: Do You Need a Digital ID?

2005-03-25 Thread Anne Lynn Wheeler
Jerrold Leichter wrote: I don't think the 3-factor authentication framework is nearly as well-defined as people make it out to be. Here is what I've always taken to be the core distinctions among the three prongs: Something you know Can be copied. If copied

Re: Propping up SHA-1 (or MD5)

2005-03-25 Thread Michael Silk
If it's just HMAC with K = h(m) then it's currently (or just recently) been discussed on cfrg: http://www.irtf.org/cfrg/, starting here: http://www1.ietf.org/mail-archive/web/cfrg/current/msg00708.html. -- Michael On Mon, 21 Mar 2005 11:56:44 +, Ben Laurie [EMAIL PROTECTED] wrote: It was

Re: how to phase in new hash algorithms?

2005-03-25 Thread Dan Kaminsky
Steven M. Bellovin wrote: We all understand the need to move to better hash algorithms than SHA1. At a minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is the right way to go. The problem is how to get there from here. I've been rather continually pinging people,

Re: Security is the bits you disable before you ship

2005-03-25 Thread Jonathan Thornburg
On Wed, 16 Mar 2005, Russell Nelson wrote: I've seen Dan Bernstein (and you don't get much more careful or paranoid about security than Dan) write code like this: static char line[999]; len = 0; len += fmt_ulong(line + len,rp); len += fmt_str(line + len, , ); len += fmt_ulong(line + len,lp);

Propping up SHA-1 (or MD5)

2005-03-25 Thread David Wagner
Ben Laurie writes: It was suggested at the SAAG meeting at the Minneapolis IETF that a way to deal with weakness in hash functions was to create a new hash function from the old like so: H'(x)=Random || H(Random || x) Yes. Suppose we use this for signing. The crucial part is to have the

Time for a second thought about SDLH

2005-03-25 Thread ralf
On Sun, 20 Mar 2005, Steven M. Bellovin wrote: Dominated? No, of course not. But a hash function based on discrete log will be slow enough that no one will use it. This is simply not true, because we are _not always_ going to sign megabytes, and SDLH is more than fast enough for sensibly

Re: how to phase in new hash algorithms?

2005-03-25 Thread Peter Gutmann
Steven M. Bellovin [EMAIL PROTECTED] writes: We all understand the need to move to better hash algorithms than SHA1. At a minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is the right way to go. The problem is how to get there from here. So -- what should we as a

Re: Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Dan Kaminsky wrote: Ben, x can equal either test vector released by Wang, and H(x) will be identical. With H(x) identical, the rest of the HMAC stays identical too. This does not appear to be correct - in my construction, i.e. without padding, then the fact that x and x' differ means that

FSTC-FS/ISAC Survey on Use of Encryption

2005-03-25 Thread R.A. Hettinga
--- begin forwarded text From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Subject: FSTC-FS/ISAC Survey on Use of Encryption Date: Tue, 22 Mar 2005 05:16:10 -0600 Colleagues, FSTC and FS/ISAC have teamed together to conduct a survey on the use of encryption in the

DOT neg rulemaking re ID standardization (call for membership of advisory committee)

2005-03-25 Thread John Gilmore
[Here's where an unconstitutional National ID will get created by the back door. Do we have anybody in this community who cares? I can't participate, because I can't travel to Washington for meetings, because I don't have the proper ID documents. I note that they did not think to include a

Re: [saag] Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Nicolas Williams wrote: On Mon, Mar 21, 2005 at 11:56:44AM +, Ben Laurie wrote: It was suggested at the SAAG meeting at the Minneapolis IETF that a way to deal with weakness in hash functions was to create a new hash function from the old like so: H'(x)=Random || H(Random || x) Eric

Re: [saag] Re: Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Ken Raeburn wrote: On Mar 22, 2005, at 11:51, Ben Laurie wrote: This can be fixed quite easily: H'(x)=H(H(x || H(x)) || H(x)) Doesn't this take us back to the original problem, by factoring in x only at the start of hash computations, so H'(x') will generate the same H(x') and the same internal

Re: [saag] Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Nicolas Williams wrote: On Tue, Mar 22, 2005 at 05:31:44PM +, Ben Laurie wrote: Nicolas Williams wrote: Now that we know that the attack is a differential cryptanalysis where the attacker has to control the first pair of blocks of the original message anything that makes it hard for the

Re: Encryption plugins for gaim

2005-03-25 Thread Michael P. Soulier
On 14/03/05 Adam Fields said: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. If you use jabber, note that the Psi client supports 2-person PGP encrypted conversations. I sometimes find it useful.

What is to be said about pre-image resistance?

2005-03-25 Thread Ian G
Collision resistance of message digests is affected by the birthday paradox, but that does not affect pre-image resistance. (correct?) So can we suggest that for pre-image resistance, the strength of the SHA-1 algorithm may have been reduced from 160 to 149? Or can we make some statement like

Re: NSA warned Bush it needed to monitor networks

2005-03-25 Thread John Kelsey
... Obviously any bureaucrat with the authority to categorize something as secret will more or less automatically so stamp any information that passes through his hands, to inflate his importance, and thus his job security and prospects for promotion. I think a bigger issue here is a sort of

Re: Do You Need a Digital ID?

2005-03-25 Thread Anne Lynn Wheeler
Jerrold Leichter wrote: That's fine for *describing* the system, and useful for analyzing its usability or acceptability. But it's not the whole story. 3-factor authentication paradigm obviously doesn't take into account whether the authentication material is treated as a secret or a

Re: Do You Need a Digital ID?

2005-03-25 Thread Anne Lynn Wheeler
Anne Lynn Wheeler wrote: 3-factor authentication paradigm obviously also doesn't cover whether the authentication is direct face-to-face or that the relying party is inferring authentication taking place by the existence of other kinds of evidence. for instance, a relying party validating a

RE: Propping up SHA-1 (or MD5)

2005-03-25 Thread Charlie Kaufman
All hash functions I'm aware of consist of an inner compression function that hashes a fixed size block of data into a smaller fixed size block and an outer composition function that applies the inner function iteratively to the variable length data to be hashed. Essentially you're proposing a

Re: Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Charlie Kaufman wrote: All hash functions I'm aware of consist of an inner compression function that hashes a fixed size block of data into a smaller fixed size block and an outer composition function that applies the inner function iteratively to the variable length data to be hashed. Essentially

REMINDER: CFP - ESORICS 2005: Deadline extension (April 1)

2005-03-25 Thread R.A. Hettinga
--- begin forwarded text From: Claudio Agostino Ardagna [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Thu, 24 Mar 2005 12:24:21 +0100 Subject: [p2p-hackers] REMINDER: CFP - ESORICS 2005: Deadline extension (April 1) Reply-To: Peer-to-peer development. [EMAIL PROTECTED] Sender: [EMAIL

DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service

2005-03-25 Thread Linda Casals
* DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service April 14 - 15, 2005 DIMACS Center, Rutgers University, Piscataway, NJ Organizers: Drew Dean, SRI International, [EMAIL PROTECTED]

Re: [saag] Re: Propping up SHA-1 (or MD5)

2005-03-25 Thread Ben Laurie
Blumenthal, Uri wrote: Ernie Brickell suggested the following construct: H'(x) = H( H(x) || H(0 || x) ) Like him, I see no reason in going (H(x) || H(0||x) || ... || H(n||x)). Sorry, I got my parentheses wrong. I meant... H'(x)=H(H(x || H(0 || x)) || H(0 || x)) or: H'(x)=H(H(x || H(0 || x)) ||

RE: Propping up SHA-1 (or MD5)

2005-03-25 Thread Charlie Kaufman
Whether these various tricks help depends on the technical details of the attacks found. I hope that the bit twiddling crypto types who are finding the attacks are going to propose something to fix them. There are probably cheaper fixes than the 2x or 3x performance loss of your algorithm down in

Petname Tool version 0.5

2005-03-25 Thread Bill Frantz
Tyler Close has written an anti-phishing tool for the Firefox browser called the Petname tool. It works with SSL sites, including those with self-signed certificates, and is available at http://www.waterken.com/user/PetnameTool/. Mark Stiegler has written an overview of petname systems,

Banks and Online Retailers Lose Customers to the Fear of ID Theft

2005-03-25 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB63038793988394,00.html The Wall Street Journal March 24, 2005 PERSONAL JOURNAL Banks and Online Retailers Lose Customers to the Fear of ID Theft By KATHY CHU DOW JONES NEWSWIRES March 24, 2005; Page D2 Banks and online retailers are losing

Off-list request

2005-03-25 Thread Lance James
I don't know if it's inappropriate to ask on this list, but regarding http://www.securescience.net/ciphers/csc2/ Can I get off-list quotes regarding a formal professional review and possible assistance in the steps taken to establish this cipher into the review process. Thank you. -- Best

and constrained subordinate CA costs? (Re: SSL Cert prices ($10 to $1500, you choose!))

2005-03-25 Thread Adam Back
The URL John forwarded gives a survey of prices for regular certs and subdomain wildcard certs/super certs (ie *.mydomain.com all considered valid with respect to a single cert). Does anyone have info on the cost of a sub-ordinate CA cert with a name space constraint (limited to issue certs on

RE: Propping up SHA-1 (or MD5)

2005-03-25 Thread Pablo Abad
Ben, I believe the fatal flaw here is not the crypto, but losing the ability to hash a stream without keeping all of it. Both the hashes and HMAC have this sometimes-vital property. This can be fixed quite easily: H'(x)=H(H(x || H(x)) || H(x)) I think this construction doesn't provide any

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Adam Shostack
Really? How does one go about proving the security of a block cipher? My understanding is that you, and others, perform attacks against it, and see how it holds up. Many of the very best minds out there attacked AES, so for your new CS2 cipher to be provably just as secure as AES-128, all those

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Lance James
Adam Shostack wrote: Really? How does one go about proving the security of a block cipher? My understanding is that you, and others, perform attacks against it, and see how it holds up. Many of the very best minds out there attacked AES, so for your new CS2 cipher to be provably just as secure

Information Incognito

2005-03-25 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB45546123985866,00.html The Wall Street Journal March 22, 2005 MEDIA MARKETING Information Incognito In War on Terror, U.S. Tries To Make Public Data Secret; The Almanac Under Wraps? By ROBERT BLOCK Staff Reporter of THE WALL STREET JOURNAL

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Jerrold Leichter
| Really? How does one go about proving the security of a block cipher? They don't claim that: This cipher is ... provably just as secure as AES-128. I can come up with a cipher provably just as secure as AES-128 very quickly (Actually, based on the paper a while back on many

What is to be said about pre-image resistance?

2005-03-25 Thread David Wagner
Ian G writes: Collision resistance of message digests is affected by the birthday paradox, but that does not affect pre-image resistance. (correct?) So can we suggest that for pre-image resistance, the strength of the SHA-1 algorithm may have been reduced from 160 to 149? Well, I'm not sure

Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread David Wagner
Jerrold Leichter writes: They don't claim that: This cipher is ... provably just as secure as AES-128. I can come up with a cipher provably just as secure as AES-128 very quickly Actually, I think Adam is totally right. Have you looked at their scheme?

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Jerrold Leichter
| Jerrold Leichter writes: | They don't claim that: | | This cipher is ... provably just as secure as AES-128. | | I can come up with a cipher provably just as secure as AES-128 very quickly | | Actually, I think Adam is totally right. | | Have you looked at their scheme? |

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Ralf-Philipp Weinmann
Jerrold Leichter wrote: I can come up with a cipher provably just as secure as AES-128 very quickly (Actually, based on the paper a while back on many alternative ways to formulate AES - it had a catchy title something like How Many Ways Can You Spell AES?, except that I can't find one like

Re: and constrained subordinate CA costs?

2005-03-25 Thread Florian Weimer
* Adam Back: Does anyone have info on the cost of a sub-ordinate CA cert with a name space constraint (limited to issue certs on domains which are sub-domains of your choice... ie only valid to issue certs on sub-domains of foo.com). Is there a technical option to enforce such a policy on

Re: What is to be said about pre-image resistance?

2005-03-25 Thread Dan Kaminsky
Ian, The Wang attack does nothing (yet) for second preimages. The best attack I know of against them is in Kelsey and Schneier's *Second Preimages on n-bit Hash Functions for Much Less than 2^n Work.* It's at: http://eprint.iacr.org/2004/304 Once you cut through the