Re: RSA gets a reprieve?

2005-07-05 Thread Florian Weimer
* Michael Heyman:

 www.newscientist.com/channel/info-tech/mg18625054.000

 ATTEMPTS to build quantum computers could run up 
 against a fundamental limit on how long useful 
 information can persist inside them.

My local source of quantum computing knowledge says that the
conclusions of the paper are somewhat questionable.  The authors
examine a specific kind of measurement model; it's not immediately
obvious if their results apply to all measurements, as they claim.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: /dev/random is probably not

2005-07-05 Thread Florian Weimer
* Jason Holt:

 You may be correct, but readers should also know that, at least in Linux:

 /usr/src/linux/drivers/char/random.c:
   * All of these routines try to estimate how many bits of randomness a
   * particular randomness source.  They do this by keeping track of the
   * first and second order deltas of the event timings.

I somewhat doubt that moving the mouse around slowly resulting in
about 800 entropy bits per second is an accurate estimate.  But I have
to admit that I haven't run statistical tests on the unmixed data,
which would be necessary to back up my claim that this figure is
grossly exaggerated.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: /dev/random is probably not

2005-07-05 Thread Charles M. Hannum
On Sunday 03 July 2005 05:21, Don Davis wrote:
  From: Charles M. Hannum [EMAIL PROTECTED]
  Date: Fri, 1 Jul 2005 17:08:50 +
 
  While I have found no fault with the original analysis,
  ...I have found three major problems with the way it
  is implemented in current systems.

 hi, mr. hannum -

 i'm sorry, but none of your three problems is substantial.

  a) Most modern IDE drives... ship with write-behind
 caching enabled.

 i've addressed this caching question quite a bit
 over the years.  for an early mention of the issue,
 please see:
   http://www.cs.berkeley.edu/~daw/rnd/disk-randomness
 anyway, to deal with caching controllers, any disk rng
 needs to discard sub-millisecond access-times, or at
 least needs not to count such fast accesses as contributing
 any entropy to the RNG's entropy-pool.  otherwise, the
 rng will tend to overestimate how much entropy is in
 the entropy pool, and dev/random will tend to become
 no more secure than /dev/urandom.

Remember that I specifically stated that I'm talking about problems with 
real-world implementations, not your original analysis.  Unfortunately, a few 
implementations (FreeBSD's implementation of Yarrow and NetBSD's rnd come 
to mind immediately) do not appear to implement the behavior you describe -- 
they simply always count disk I/O as contributing some entropy (using the 
minimum of the first-, second- and third-order differentials, which is likely 
to be non-0, but small and predictable, due to other timing variance).

  b) At least one implementation uses *all* disk type
 devices...

 yes, that would be broken., though it's not a total
 security loss, as long as the machine has at least one
 hard drive.  this memory-disk question too was raised
 and answered, long ago.

Again, this problem exists in real-world implementations.

  By timing how long this higher-level operation (read(),
  or possibly even a remote request via HTTP, SMTP, etc.)
  takes, we can apply an adjustment factor and determine
  with a reasonable probability how long the actual disk
  I/O took.

 this remote-timing approach won't work in any useful way.

 you'd need to get the same timing accuracy as the
 /dev/random driver gets;

No, you just need to be able to estimate it with a high probability.  I don't 
see any reason this is not possible, given that response times are directly 
proportional to the interrupt timing.  This may be especially bad in 
implementations such as OpenBSD and NetBSD which limit the precision of the 
time samples to 1 microsecond.

Also, I don't buy for a picosecond that you have to gather all timings in 
order to predict the output.  As we know from countless other attacks, 
anything that gives you some bits will reduce the search space and therefore 
weaken the system, even if it does not directly give you the result.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: /dev/random is probably not

2005-07-05 Thread Dan Kaminsky
So the funny thing about, say, SHA-1, is if you give it less than 160
bits of data, you end up expanding into 160 bits of data, but if you
give it more than 160 bits of data, you end up contracting into 160 bits
of data.  This works of course for any input data, entropic or not. 
Hash saturation?  Is not every modern hash saturated with as much
entropy it can assume came from the input data (i.e. all input bits have
a 50% likelihood of changing all output bits)?

Incidentally, that's a more than mild assumptoin that it's pure noise
coming off the sound card.  It's not, necessarily, not even at the high
frequencies.  Consider for a moment the Sound Blaster Live's E10K chip,
internally hard-clocked to 48khz.  This chip uses a fairly simple
algorithm to upsample or downsample all audio streams to 48,000 samples
per second.  It's well known that scaling algorithms exhibit noticable
properties -- this fact has been used to detect photoshopped works, for
instance.  Take a look how noise centered around 15khz gets represented
in a 48khz averaged domain.  Would your system detect this fault?

Of course not.  No extant system can yet detect the difference between a
quantum entropy generator and an AES or 3DES stream.  (RC4's another
story.)  You can't externally calculate entropy levels; you can only assume.

--Dan


John Denker wrote:

 On 07/01/05 13:08, Charles M. Hannum wrote:

 Most implementations of /dev/random (or so-called entropy gathering
 daemons) rely on disk I/O timings as a primary source of randomness.


  ... I believe it is readily apparent that such exploits could be
 written.


 So don't do it that way.

 Vastly better methods are available:
   http://www.av8n.com/turbid/

 ABSTRACT: We discuss the principles of a High-Entropy Symbol Generator
 (also called a Random Number Generator) that is suitable for a wide
 range of applications, including cryptography and other high-stakes
 adversarial applications. It harvests entropy from physical processes,
 and uses that entropy efficiently. The hash saturation principle is used
 to distill the data, resulting in virtually 100% entropy density. This
 is calculated, *not* statistically estimated, and is provably correct
 under mild assumptions. In contrast to a Pseudo-Random Number Generator,
 it has no internal state to worry about, and does not depend on
 unprovable assumptions about ``one-way functions''. We also describe a
 low-cost high-performance implementation, using the computer's audio I/O
 system.

 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to
 [EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Feature or Flaw?

2005-07-05 Thread Lance James

Hi all,

I wanted to introduce something that has probably been known for some 
time now, but has never been really addressed due to possible 
conflicting views of how SSL certificates should work, and where the 
CA's should (or should not) fit in. As we all know, the recent attention 
to the phishing threat vector has spawned some interesting views of how 
we look at certain responses that a web browser might appropriate in 
regards to certain conditions set by the server. Some of these include 
the recent javascript dialog box vulnerability, since there are 
requests that a javascript dialog box should display it's origin, etc... 
(see 
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test). 
In light of that, I thought it might be relevant to address a question 
that's been on my mind, and figure that the cryptography list may be the 
best place to find the answer. (the answer is 42, just kidding).


I've set up a site that requires a bit of imagination since I don't wish 
to expose any financial institutions (bankone is just a random example 
that I chose) that may be vulnerable to cross-user attacks, but I can 
tell you that this discovery of impact was done within an audit that 
explicitly demonstrated a problem. Also, I use a thawte signed 
certificate, so some mozilla browsers do not seem to regard it as a 
valid CA, please ignore that if you get a warning, as it is only a 
distraction of the real problem (aka, if it were a verisign cert it 
would not warn).


https://slam.securescience.com/threats/mixed.html

This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to understand 
the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks 
trivially). At the bottom you will see the securescience.com 
certificate, but no indication of the bankone certificate. You will also 
not get any warnings due to the fact that the bankone certificate is 
validly signed by a CA. With the Cross-User threat vector, a phisher can 
easily use a validly signed Cert to perform a site takeover with no 
warning that an outside (the domain) certificate exists within the site. 
The lock does show that it's secure, and there are no indications that 
this site should not be trusted according to the rules that are 
dispersed to the mainstream public. Unfortunately, this Mixed attack 
in a cross-user scenario could be encrypting/decrypting the login page 
with the attacker cert and no one is the wiser without heavy inspection 
of the source code.


Feature, or flaw?

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


ECRYPT Workshop on RFID and Light-Weight Crypto

2005-07-05 Thread Elisabeth Oswald

** CALL FOR PARTICIPATION **




ECRYPT Workshop on RFID and Light-Weight Crypto

July 14-15, 2005
IAIK, Graz University of Technology , Austria

Organizers:
Vincent Rijmen, Graz University of Technology
Elisabeth Oswald, Graz University of Technology



The use of state-of-the-art cryptographic methods on
RFID tags opens a new range of applications for these
tags and for cryptography.

The aims of the workshop are to increase the awareness
for cryptographic methods and solutions among RFID
developers, and for the requirements of this heavily
constrained environment among cryptographers.

The scope includes, but is not limited to, the following
topics:
* Applications for RFID tags
* Cryptographic algorithms for constrained environments
* Cryptographic protocols adapted to RFID applications
* Low-power implementations

There are contributed and invite talks. Gildas Avoine,
Dieter Gollmann,  Ari Juels and Johannes Wolkerstorfer
are confirmed as invited speakers.

For more information about the workshop program, location
and the  registration procedure, please look at:

http://www.iaik.tugraz.at/research/krypto/events/index.php


The workshop is sponsored by ECRYPT - The European Network
of Excellence in Cryptology, Siemens and Philips.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Amir Herzberg

Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html


This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to understand 
the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks


Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then even 
SSL won't help it - it could end up sending the _wrong_ page, protected 
by SSL... And in this case I don't even think we can blame browser UI; 
the browser actually got this `bad` page from the server...


Maybe I miss something?

BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

 Feature, or flaw?

Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?

Maybe I'm just missing something.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: /dev/random is probably not

2005-07-05 Thread John Kelsey
From: Charles M. Hannum [EMAIL PROTECTED]
Sent: Jul 3, 2005 7:42 AM
To: Don Davis [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: /dev/random is probably not

...
Also, I don't buy for a picosecond that you have to gather
all timings in order to predict the output.  As we know
from countless other attacks, anything that gives you some
bits will reduce the search space and therefore weaken the
system, even if it does not directly give you the result.

I think you're landing on the genuinely hard problem here.
Designing a PRNG intelligently is an exercise in design and
cryptanalysis, so long as you get to assume that you know
how much entropy you're getting.  But actually getting
reliably entropy estimates is:

a.  A data analysis problem, where you never really get a
final answer, you just get the best model you knew how to
test and don't find strong evidence to discard it, and 

b.  Enormously sensitive to implementation details that are
hard to deal with in software.  In a hardware RNG design,
you can at least analyze test-mode raw outputs of the ring
oscillator or whatever, build a statistical model, and know
that the same basic model will also describe the devices in
the field.  They may vary because of manufacturing defects,
changes in the field (like heating/cooling or component
failure), etc., but you at least know what kind of thing
you've got.  With software sources, there's pretty much no
limit to what changes the designer of the hardware is
allowed to make to your devices, so long as he keeps the
interface the same.  You do lots of analysis on a machine
with a spinning disk drive, and end up on one with one
networked drive and one flash drive, or some such horrible
thing.  

Additionally, building a probability model for stuff you
observe on a general purpose computer is *hard*, because
there's so much complicated deterministic stuff going on.
Even if you're using the same machine and setup to collect
entropy in production as you did to build your probability
model for entropy estimation, it's hard to have enormous
confidence in the correctness of your estimates.  How much
of that apparently random behavior you were getting when you
sampled the cycle counter in a tight loop was because of
genuine unpredictability, and how much was because of the
very patterned but complicated stuff going on behind the
scenes on your machine? 

--John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Amir Herzberg wrote:


Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html



This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to 
understand the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks



Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then 
even SSL won't help it - it could end up sending the _wrong_ page, 
protected by SSL... And in this case I don't even think we can blame 
browser UI; the browser actually got this `bad` page from the server...


Maybe I miss something?



Ok, XSS or not, my concern is that you have multiple Certificates within 
a session, and the user is not aware of the others. Yes, they are valid, 
but define valid within SSL certs means, I go to geotrust or some CA, 
use my stolen credit card and buy a valid cert.





BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 


Feature, or flaw?
   



Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?
 



How would you go about doing that and still get the SSL Lock to remain 
as the banks? Can you give an example?



Maybe I'm just missing something.


 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?

 How would you go about doing that and still get the SSL Lock to remain 
 as the banks? Can you give an example?

In both cases, you have the SSL lock on your own certificate.

At least my browser does not provide a user interface to access the
certificates of the servers from which embedded objects (or frames)
were downloaded.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 


Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?
 



 

How would you go about doing that and still get the SSL Lock to remain 
as the banks? Can you give an example?
   



In both cases, you have the SSL lock on your own certificate.
 



And as stated above, reverse the effect and it would be the banks in 
scenarios such as XSS. The Banks SSL cert is actually handling all the 
data, my concern is that the user is not aware of this and only trusts 
the domain that's indicated in the address bar's cert.



At least my browser does not provide a user interface to access the
certificates of the servers from which embedded objects (or frames)
were downloaded.


 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Amir Herzberg wrote:


Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html



This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to 
understand the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks



Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then 
even SSL won't help it - it could end up sending the _wrong_ page, 
protected by SSL... And in this case I don't even think we can blame 
browser UI; the browser actually got this `bad` page from the server...




It's not the new issue - it's the concern that frames with other SSL 
protect information is not being indicated to the user, thus you can 
encrypt data with another valid cert within a frame(s) and the user will 
only know of the main cert from the domain that is indicated by the 
address bar.



Maybe I miss something?

BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[Forwarded] RealID: How to become an unperson.

2005-07-05 Thread Perry E. Metzger

I'm forwarding this article, originally from the Cypherpunks mailing
list (I saw it on Dave Farber's Interesting People) because I find
the security implications important.

HOWEVER, I'm warning in advance that I'm not going to forward a lot of
followups, especially if they are unoriginal and/or contain lots of
ranting language and little content. (I'm mildly uncomfortable with
the original, actually, because I prefer light to heat, but it makes a
very interesting point...)

From: [apparently] J.A. Terranson
Sent: Friday, July 01, 2005 6:34 PM
Cc: [EMAIL PROTECTED]
Subject: The Nazification Of America (Show Me Your Papers - Day 1)

For those of you who may have missed it, today was the first day of the
new Real ID Act, a/k/a, the American Nazification Papers Act.  I
wouldn't have know myself except that I recently moved, and wanted to
exchange my current Illinois drivers license for a Missouri one.

Not so fast...

You have a passport?

No, I don't travel.

A certified copy of your original birth certificate?
Haven't had one since I was born, fifty years ago.  And since I was  
born about 1500 miles from here, getting one is no small task.

Too bad.  Your old license is invalid and you can't get another one in
any state, starting today, without at least one of the two documents,  
PLUS secondary ID to back them up.

Even though I have a current license, and even though I am in their
system as having held a valid Missouri license for 15+ years, photo
included, none of it is good enough.

OK, so I have no choice, I go to the post office to get a Passport -
same thing.

Fine, I'll just order the birth certificate and get it over with, right?

Wrong.  New York wants affirmative proof of identity for a copy now:
passport or your [missing] original birth certificate.  Anyone else
see a circular problem here?

I need a new birth certificate because the old one was lost about forty
years ago. And I don't have a passport to prove my identity.

Get your parents to testify who you are, and make sure they bring their
passports.

They are both dead.

Sorry Sir, I'm afraid we won't be able to help you then.

click


Durbin was right.  And he didn't even scratch the surface!  Anyone who
thinks this Real ID Act is about getting false ID out of the hands
of The Terrorists is an idiot: they will simply print their own
drivers licenses - this is about forcing the regular population to get
used to intrastate passports.  This act essentially forces you to have
a passport for everyday things like banking, car purchases and certain
repairs, checks, etc.

We have literally allowed the Nazification to begin, and we've even
welcomed it with eager open arms - all in the name of Fighting Terror.
Crystal clear, pure unadulterated bullshit.

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Jeremiah Rogers

 This site is set so that there is a frame of https://www.bankone.com
 inside my https://slam.securescience.com/threats/mixed.html site. The
 imaginative part is that you may have to reverse the rolls to 
understand

 the impact of this (https://www.bankone.com with
 https://slam.securescience.com frame - done via cross-user attacks
 trivially).

Let me get this right: here we have a page which appears to be from
domain A, but in fact it has frame(s) which display domain B. This
allows a page to have the content from domain B but the outward
appearance is of domain A, including the SSL lock on the page which
indicates this page is safe to the user.

It looks like this allows
one to spoof domain A quite successfully, unless I'm missing
something.

Jeremiah


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

 And as stated above, reverse the effect and it would be the banks in 
 scenarios such as XSS.

In case of XSS or CSRF, you have lost anyway.  The web was not
designed as a presentation service for transaction processing,
especially if the transactions involve significant value.  If you use
the web for this purpose, it's always a tradeoff.

Maybe it's time to realize that all these web applications together
form a huge monoculture, and to move on and diversify again.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 

And as stated above, reverse the effect and it would be the banks in 
scenarios such as XSS.
   



In case of XSS or CSRF, you have lost anyway.  The web was not
designed as a presentation service for transaction processing,
especially if the transactions involve significant value.  If you use
the web for this purpose, it's always a tradeoff.

Maybe it's time to realize that all these web applications together
form a huge monoculture, and to move on and diversify again.
 



Thank you - that was my point essentially. SSL is and always will be for 
web a broken concept.




 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Time-Memory-Key tradeoff attacks?

2005-07-05 Thread Perry E. Metzger

The following has appeared in the IACR preprint archive. I would
appreciate comments. The author certainly has reasonable credentials,
but the document is low on detail:

http://eprint.iacr.org/2005/207

  Some Thoughts on Time-Memory-Data Tradeoffs

  Author: Alex Biryukov

  Abstract: In this paper we show that Time-Memory tradeoff by Hellman
  may be extended to Time-Memory-Key tradeoff thus allowing attacks much
  faster than exhaustive search for ciphers for which typically it is
  stated that no such attack exists. For example, as a result AES with
  128-bit key has only 85-bit security if $2^{43}$ encryptions of an
  arbitrary fixed text under different keys are available to the
  attacker. Such attacks are generic and are more practical than some
  recent high complexity chosen related-key attacks on round-reduced
  versions of AES. They constitute a practical threat for any cipher
  with 80-bit or shorter keys and are marginally practical for 128-bit
  key ciphers. We also show that UNIX password scheme even with
  carefully generated passwords is vulnerable to practical tradeoff
  attacks. Finally we also demonstrate a combination of rainbow tables
  with the time-memory-data tradeoff which results in a new tradeoff
  curve.

By the way, much thanks to Eric Rescorla for pointing this out to me.

Perry
-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[ANNOUNCE] OpenSSL 0.9.8 released

2005-07-05 Thread Richard Levitte - VMS Whacker

  OpenSSL version 0.9.8 released
  ==

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  The OpenSSL project team is pleased to announce the release of
  version 0.9.8 of our open source toolkit for SSL/TLS.  This new
  OpenSSL version is a major release and incorporates many new
  features as well as major fixes compared to 0.9.7x.  For a complete
  list of changes, please see http://www.openssl.org/source/exp/CHANGES .

  The most significant changes are:

o Major work on the BIGNUM library for higher efficiency and to
  make operations more streamlined and less contradictory.  This
  is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST
  curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including
  the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL
  configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking
  programs with shared or static libraries, through a separate
  Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules
  automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the ZLIB compression method to be stateful.
o Changed the key-generation and primality testing progress
  mechanism to take a structure that contains the ticker
  function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLOck ACE extension in VIA C3
  Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions.
  See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy
  constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL
  configuration file.
o Added support for multiple certificates with the same subject
  in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using
  'openssl ca -selfsign'.
o Make it possible to generate a serial number file with
  'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all
  sorts of data repositories.  Supports storage of public and
  private keys, certificates, CRLs, numbers and arbitrary blobs.
  This library is unfortunately unfinished and unused withing
  OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME
  processing.
o Added the possibility to compile without old deprecated
  functionality with the OPENSSL_NO_DEPRECATED macro or the
  'no-deprecated' argument to the config and Configure scripts.
o Constification of all ASN.1 conversion functions, and other
  affected functions.
o Improved platform support for PowerPC.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation
  of X.509 path validation.
o Major overhaul of RC4 performance on Intel P4, IA-64 and
  AMD64.
o Changed the Configure script to have some algorithms disabled
  by default.  Those can be explicitely enabled with the new
  argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to
  SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for BSD sockets on NetWare.
o Added support for files larger than 2GB.
o Added initial support for Win64.
o Added alternate pkg-config files.

  We consider OpenSSL 0.9.8 to be the best version of OpenSSL available
  and we strongly recommend that users of older versions upgrade as
  soon as possible.  OpenSSL 0.9.8 is available for download via HTTP
  and FTP from the following master locations (you can find the various
  FTP mirrors under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

  The distribution file name is:

o openssl-0.9.8.tar.gz
  MD5 checksum: 9da21071596a124acde6080552deac16
  SHA1 checksum: 7350b0f0d1a6d257cb24b9d4dc5e30b80e49d6ac

  The checksums were calculated using the following command:

openssl md5  openssl-0.9.8.tar.gz
openssl sha1  openssl-0.9.8.tar.gz


  Yours,
  The OpenSSL Project Team...  

Mark J. Cox 

[OT] The Nazification Of America, Part 2 (Day 5) (fwd)

2005-07-05 Thread J.A. Terranson

I was unaware that (a) this had hit Farber, or that (b) it had been cross
posted to cryptography, prior to my second posting - which is attached
below (for the sake of completeness).

//Alif

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

-- Forwarded message --
Date: Tue, 5 Jul 2005 19:01:21 -0500 (CDT)
From: J.A. Terranson [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: The Nazification Of America, Part 2 (Day 5)

When last I wrote, I was facing a dilemma: how to get a copy of my brith
certificate so that I could get a copy of my birth certificate :-/

I managed to clear the hurdle of the missing brith certificate.  Kinda.
Sorta maybe...

So, new certificate in hand, I went off to the DMV to get my picture taken
(wearing my Frisk Me, I'm A Terrorist T-Shirt of course).  At 8:50am I
was eagerly awaiting the opening of the local DMV office, and by the
opening bell at 9:00, there was actually a *line* behind me!

I rushed to the counter, plopped down my proof of insurance, proof of
address (a recent mailed in voter reg card), my old Illinois drivers
license, social security card, and held my breath.

They took them, and handed me back a form to check that everything was
correct prior to snapping the pic.  Oddly, it wasn't: the date of birth
was wrong, and it took them about 15 minutes to fix it (apparently the
computers are programmed to avoid the changing of a DOB, and they were
dumbfounded at how to proceed).  Finally, the moment arrived, and I was
the proud owner of not just a new Missouri driver's license (with clearly
shoing T-Shirt on the photo), but a Missouri state ID as well.

Then it was my wife's turn.  Unfortunately, she was turned away: even
though she had everything I did, she forgot to bring a certified copy of
our marriage license!  Without it, they refused to use her married name
for the license...  I trudged over to the city for a copy of said marriage
license, and lo, of course, there was aline out the door - women of every
age and description suddenly finding it necessary to get a certified copy
of their marriage license!  What a shocker - the Collector of Revenue is
having a field day with this.

She will try again tomorrow, and I certain that this time it will all
work out, but still, I am left with disturbing questions.  For instance,
when we went to get *her* birth certificate, why did they not give a damn
*who* was asking for it?  Why is everyone on earth getting to charge an
extra $12.00 here and $12.00 there to allow us the privelege of complying
with this absurd law (which, BTW, even the fucking British refuse to
pass)?  This country is out of control, bouncing endlessly between
administrative fiat and endless taxation, and all we can worry about is
that some ephemeral Terrorist is going to blow up a bus?  To be honest,
I'm *far* more worried that George will blow up another country that I am
about some guy stealing my ID and using it to defeat democracy in
Quebec

--
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


Never belong to any party, always oppose privileged classes and public
plunderers, never lack sympathy with the poor, always remain devoted to
the public welfare, never be satisfied with merely printing news, always
be drastically independent, never be afraid to attack wrong, whether by
predatory plutocracy or predatory poverty.

Joseph Pulitzer
1907 Speech

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Forwarded] RealID: How to become an unperson.

2005-07-05 Thread hadmut
Don't laugh. This is exactly the problem I had with my
german identity card.

In Germany, you are required to possess either an identity card 
or a passport once you reach the age of 16. If you're younger you
can just have a children's passport in case you need for travelling. 

Usually applying for an ID card is not a problem at all.

For reasons far beyond cryptography my father chose an
unusual given name for me, one that was usual in around the 8th-10th
century. He named me Hadmut. Most people in Germany have never heard
that name before and don't believe, that this name exists. There is
another name, Hartmut, which is ethymologically different, but sounds
similar. Therefore, most people assume that my name is just
misspelled and would correctly be Hartmut. 

When we moved to a different town some years ago, someone made a
mistake in the municipal register, and entered 'Hartmut' instead of
'Hadmut', obviously because he or she believed it was misspelled.

When I applied for an ID card after my 16th birthday, they told me
that they can't issue one, because my children's passport said my
given name is 'Hadmut', while the register said that I am 'Hartmut'. 

Whoever I decided to be, I would not receive an ID card before I could
prove which of both I am. They asked me to bring a certified copy of
my birth certificate. For reasons even more beyond cryptography, that
copy was lost years ago. So I had to go to the registry office where I
was born to get another copy. Fortunately, this was just 20 minutes by
bicycle away. 

For privacy reasons, you can't just go to a registry office and ask
for anyone's birth certificate. You have to proof your identity - with
your ID card. Exactly that circular problem as mentioned in the
posting.

But when I explained that circular problem, they checked by phone with
the town's registry office and gave me the copy of the birth
certificate without an ID card to solve the problem.


But nevertheless, I do not understand why americans are so afraid of
an ID card. It has by far more advantages than disadvantages, and
actually the US driving license is already a kind of ID card. And
whenever I enter the US, I have to give the fingerprints of my index
fingers and they take a picture of me. That's worse than an ID card. 

Remember the PGP signing party at the 1994 IETF meeting in San Jose? 
Several participants who had never seen me before did sign my PGP key 
after I showed them my german ID card (including Perry). 


Funny side effect: Since most americans don't know that we have ID
cards in germany the card is almost always believed to be a driving
license in the US. 

regards
Hadmut  

(currently in Boston, MA, after giving fingerprints at the 
airport immigration)






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]