Re: Cross logins

2005-08-04 Thread Victor Duchovni
On Wed, Aug 03, 2005 at 03:15:00PM -0700, James A. Donald wrote:

 --
 Is it possible for two web sites to arrange for cross 
 logins?
 
 The goal is that if someone is logged into website 
 https://A.com as user127, and then browses to 
 https://B.com/A_com_registrants, he will be 
 automatically logged in on b.com as [EMAIL PROTECTED]
 

This requires B to trust A, and trust requires a shared key or
equivalently a trusted introducer. Given a shared key, A is able to sign
(shared secret HMAC, public/private keys or signed Kerberos message)
assertions about the user for B's consumption. The signature can be
in a referral URL.


http://A.com/federated_login.cgi?d=B.com&user=user127&expiration=epochtime&signature=base64data&url=...

Absent a valid cookie for a B session, B redirects the user to A's
federated login generator page (passing B's name and the url the user
wanted), and A redirects the user back to B's federated login verification
page passing back the authentication data and the original url, so the user
is taken to the right place after the credentials are verified.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
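
The signed-referral exchange described in the message above, as an added Python example that is not code from the thread. It keeps the message's parameter names (d, user, expiration, signature, url); the choice of HMAC-SHA256, the length-prefixed field encoding, the 60-second lifetime, the key value, the function names and the federated_verify.cgi page name are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the thread): HMAC-SHA256, this field encoding, 60 s lifetime.
KEY = b"constructed-demo-key"  # stands in for the secret A and B share out of band
FIELDS = ("d", "user", "expiration", "signature", "url")

def _mac(key, d, user, expiration, url):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") sign different bytes.
    parts = [f.encode() for f in (d, user, str(expiration), url)]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()

def a_issue(key, verify_page, d, user, url, ttl=60, now=None):
    """Site A: build the redirect that carries the signed assertion to site d."""
    expiration = int(time.time() if now is None else now) + ttl
    sig = _mac(key, d, user, expiration, url)
    return verify_page + "?" + urlencode(
        {"d": d, "user": user, "expiration": expiration, "signature": sig, "url": url})

def b_verify(key, my_name, referral, now=None):
    """Site B: return (user, url) for a valid assertion, else raise ValueError."""
    now = int(time.time() if now is None else now)
    try:
        q = parse_qs(urlsplit(referral).query, strict_parsing=True)
        # Reject missing, extra or repeated parameters instead of picking one.
        if sorted(q) != sorted(FIELDS) or any(len(v) != 1 for v in q.values()):
            raise ValueError
        d, user, exp, sig, url = (q[k][0] for k in FIELDS)
        expiration = int(exp)
    except ValueError:
        raise ValueError("malformed assertion") from None
    expected = _mac(key, d, user, expiration, url)
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant time
        raise ValueError("bad signature")
    if now >= expiration:  # the URL is replayable until then, so keep ttl short
        raise ValueError("assertion expired")
    if d != my_name:  # an assertion A signed for some other site
        raise ValueError("assertion issued for another site")
    if urlsplit(url).hostname != my_name.lower():  # no redirect off this site
        raise ValueError("return url is not on this site")
    return user, url
```
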


Re: Cross logins

2005-08-04 Thread Rich Salz
 Is it possible for two web sites to arrange for cross
 logins?

Check out SAML, esp the browser artifact profile.

/r$

-- 
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html




Re: [Clips] Escaping Password Purgatory

2005-08-04 Thread Bill Frantz
On 8/3/05, [EMAIL PROTECTED] (R.A. Hettinga) quoted:


 http://www.forbes.com/2005/08/03/usps-password-casestudy-cx_de_0803password_print.html

 Forbes


 Computer Hardware Software
 Escaping Password Purgatory
 David M. Ewalt,  08.03.05, 3:00 PM ET

 "... I think I have passwords for
 over 47 different applications both internal and external that I access,
 and I've acquired those IDs and passwords over several years," says Wayne
 Grimes, manager of customer care operations for the U.S. Postal Service.

Try Site Password, http://www.hpl.hp.com/personal/Alan_Karp/site_password/.  
It takes a good master password, and a site name, and hashes them together to 
produce a site-specific password.

Cheers - Bill


-
Bill Frantz| The first thing you need   | Periwinkle 
(408)356-8506  | when using a perimeter | 16345 Englewood Ave
www.pwpconsult.com | defense is a perimeter.| Los Gatos, CA 95032



Re: draft paper: Deploying a New Hash Algorithm

2005-08-04 Thread Alex Alten

Steve,

At 05:34 PM 7/29/2005 -0400, Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Alex Alten writes:
At 08:12 AM 7/25/2005 -0400, Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Alex Alten writes:
 Steve,
 
 This also seems to be in conjunction with the potential switch over from
 RSA et al. to ECC for PKI, etc.
 

Yes, Eric and I have been talking about that, and we'll add some
discussion of that to the next version of the paper.

Variable output is really needed too, say 16, 32, 64, 128, 256 and 512 bits.
And on the wishful side, the ability to optimize compression across
multiple CPUs.


That's completely orthogonal to what the paper is about.  We're talking
about how to convert to *any* new hash algorithm; we're not concerned
with which is chosen.  (I confess, though, that hash outputs of less
than 128 bits don't strike me as cryptographically useful except for
HMAC and the like.)


Sorry for going off on a tangent.

Actually 32 (or even 16) bits is really useful for retrofitting old insecure
protocols where you don't want to alter the header size, you only need access
control, and the packets only exist for less than 100 msecs.

- Alex

--

- Alex Alten


[Moderator's note: I have to strongly disagree. 16 bits is rarely, if
ever, of any use in authentication in a modern system. Even if you
think something can't live long enough to be spoofed, it usually can,
and as it turns out, attackers are often cleverer than protocol
designers. Crypto is too brittle to play such games with it. --Perry]


Re: Cross logins

2005-08-04 Thread Steve Furlong
On 8/3/05, James A. Donald [EMAIL PROTECTED] wrote:
--
 Is it possible for two web sites to arrange for cross
 logins?

snippety-do-dah

Does this question have a practical end in mind? If so, can you
simplify matters by running both web sites on the same host?


(cc-ing JAD because I never see any responses to messages sent from my
GMail acct. I don't know if the GMail traffic is making it to the
list.)

-- 
There are no bad teachers, only defective children.



[Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival

2005-08-04 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 4 Aug 2005 09:33:22 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://online.wsj.com/article_print/0,,SB112311786883304593,00.html

 The Wall Street Journal

  August 4, 2005
  PAGE ONE


 At Online Stores,
  Sniffing Out Crooks
  Is a Matter of Survival
 Mr. Kugelman Gets Scammed
  By a Web-Site Customer;
  A $3,077 Platinum Chain

 By MITCHELL PACELLE
 Staff Reporter of THE WALL STREET JOURNAL
 August 4, 2005; Page A1


 LYNBROOK, N.Y. -- Six years ago, Neil Kugelman found himself puzzling over
 the very first customer to arrive at the Web site he had launched to sell
 jewelry online.

 The order: a $496 men's diamond ring. The North Carolina address didn't
 match the address tied to the credit card. The shipping address was
 different still. Mr. Kugelman tried to telephone the customer, but the
 number didn't work. His email bounced back. He was no expert on fraud, but
 neither was he born yesterday. He spiked the order.

 "Our first order -- order No. 1 -- was fraudulent," he marvels.

 Since then, as family-controlled Goldspeed.com Inc. grew from a basement
 start-up to a 10-person operation that fills more than 50,000 orders a
 year, Mr. Kugelman has taught himself to regard each and every customer as
 a potential online crook -- and with good reason. He says fraudulent orders
 have risen to a staggering 30% of the total, up from just 5% when he
 started.

 Over the years, Mr. Kugelman, 44 years old, got so good at sniffing out the
 cons that just 0.5% of his sales were lost to fraud. But a run-in he had
 seven months ago with a cagey crook who ordered $8,384 of flashy jewelry --
 and stuck him with his largest fraud loss ever -- has left him worried that
 the bad guys are now gaining the upper hand. The tale of Mr. Kugelman's
 unsuccessful effort to discover the fraud, despite his suspicions, shows
 the increasing perils faced by the burgeoning online retail industry.

 For Mr. Kugelman and other Internet retailers, ferreting out bogus orders
 is a matter of survival. When a crook uses a stolen credit card in a
 traditional store, and the store follows proper procedures, the
 card-issuing bank usually swallows the loss. For online retailers, the
 tables are turned. Credit-card association rules dictate that merchants who
 accept charges from cyberspace, a riskier endeavor, must also shoulder the
 risk of fraud.

 When Mr. Kugelman began peddling everything from pearl earrings to thick
 gold chains over the Internet in 1998, his biggest problem was simple
 credit-card fraud: the use of stolen account numbers. The bogus orders were
 often glaringly obvious. Fraudsters ordered big and requested next-day
 shipping. They left fake phone numbers. They placed odd orders, such as for
 two engagement rings. Mr. Kugelman designed a computer system to screen
 incoming orders for such red flags and to bounce suspicious ones into human
 hands.

 Over time, the crooks got better. More of them stole whole identities,
 using purloined personal information to set up entirely new credit-card
 accounts. They used untraceable cellular phones, and avoided making
 oversized orders. When Mr. Kugelman phoned them with questions, they didn't
 get rattled. He fine-tuned his system, incorporating proprietary scoring
 guidelines based on such information as what kind of jewelry is ordered and
 from what part of the country the order originates.

 Late last year, he says, the fraudsters upped the ante. All of a sudden,
 Goldspeed.com was getting orders that showed no obvious signs of fraud on
 his computer-screening system, but seemed suspicious nonetheless. On Jan.
 9, for example, when a customer placed separate orders on the same day, he
 thought something looked wrong.

 A Vincenza Wells of Detroit had ordered a $1,199 Aqua Master men's diamond
 watch. Four minutes later, the same customer ordered a $1,259 men's diamond
 and tanzanite ring. The Bank One Visa credit-card number she supplied was
 good for the full amount, and she had provided the validation code from the
 back of the card. Visa's address verification system showed a match.

 But the order's size, and the strange two-step ordering, had Mr. Kugelman's
 radar up. The next day, he called the card issuer, J.P. Morgan Chase & Co.,
 which had acquired Bank One. He says a bank representative confirmed that
 the name, address and phone number on the order matched the bank's own
 account information, except for one small detail about the address.

 Mr. Kugelman called his customer, who explained the disparity to his
 satisfaction. Mr. Kugelman called back the bank representative with the
 revised information. She told him that bank security had phoned Ms. Wells
 separately, and verified her identity.

 Still wary, Mr. 

Re: Cross logins

2005-08-04 Thread Florian Weimer
* James A. Donald:

 Is it possible for two web sites to arrange for cross 
 logins?

SXIP is a relatively open effort in that direction.  The rootsite
seems to be proprietary, though.




Re: [Clips] Escaping Password Purgatory

2005-08-04 Thread Ian Grigg
On Thursday 04 August 2005 04:31, Bill Frantz wrote:

 Try Site Password, http://www.hpl.hp.com/personal/Alan_Karp/site_password/. 
  It takes a good master password, and a site name, and hashes them together 
 to produce a site-specific password.

I think PwdHash also does this for browsers (probably Firefox):

http://crypto.stanford.edu/PwdHash/

iang
-- 
Advances in Financial Cryptography, Issue 2:
   https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting



Re: Query about hash function capability

2005-08-04 Thread Victor Duchovni
On Thu, Aug 04, 2005 at 12:55:51PM +1000, Arash Partow wrote:

 Hi all,
 
 My question relates to hash functions in general and not specifically
 cryptographic hashes. I was wondering if there exists a group of hash
 function(s) that will return an identical result for sequentially
 similar yet rotate/shift wise dissimilar input:
 
 ie: input1 : abcdefg -> h(abcdefg) = 123
 input2 : gabcdef -> h(gabcdef) = 123
 input3 : fgabcde -> h(fgabcde) = 123
 

Sure, just pick the lexicographically first cycle and hash
that. This is an invariant of all cyclic permutations of the
string.

epermut -> h(epermut)
ermutep -> h(epermut)
muteper -> h(epermut)
permute -> h(epermut)
rmutepe -> h(epermut)
tepermu -> h(epermut)
uteperm -> h(epermut)

More generally given any automorphism group on the input strings, hashing
the lexicographically smallest member of the orbit of an input string
under the group gives a hash that is invariant under the group operation.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.



Re: Standardization and renewability

2005-08-04 Thread Thierry Moreau



Hagai Bar-El wrote:

[...]

Up till now I could come up with three approaches to solve this problem:

1. Limit renewability to keying.


	Then you should study "A Note About Trust Anchor Key Distribution", see 
http://www.connotech.com/takrem.pdf. It allows public keys to be distributed 
for use, if need be, at a later time in a different context.


2. Generalize the scheme (like the SPDC concept, or MPEG IPMP), more or 
less by making the standard part general, with non-standard profiles.
3. Standardize sets of key management methods at once, so to have spares 
for immediate switching.


[...]



--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]




Re: Query about hash function capability

2005-08-04 Thread Alexander Klimov
On Thu, 4 Aug 2005, Arash Partow wrote:
 My question relates to hash functions in general and not specifically
 cryptographic hashes. I was wondering if there exists a group of hash
 function(s) that will return an identical result for sequentially
 similar yet rotate/shift wise dissimilar input:

 ie: input1 : abcdefg -> h(abcdefg) = 123
  input2 : gabcdef -> h(gabcdef) = 123
  input3 : fgabcde -> h(fgabcde) = 123

 Here a,b,c,d,e,f,g represent symbols (ie: groups of bits with equivalent
 group sizes etc...)

 I know that one simple hash method would be to add the symbols
 together, but the results would also be equivalent if say the symbols
 were in any order, also collisions would occur with other totally
 dissimilar sequences that happen to have the same sum as the sequence.

 Is there anything out there research/papers etc, or is this a meaningless
 avenue of enquiry?

Just sort all the rotations and use some known hash for the smallest.
For example, if you start with abcab you sort abcab, babca, ababc,
cabab, and bcaba, and calculate SHA1(ababc).

BTW: this rotate-and-sort technique is actually used for data
compression -- search for `Burrows-Wheeler Transform' if you are
interested.

-- 
Regards,
ASK



Re: draft paper: Deploying a New Hash Algorithm

2005-08-04 Thread Steve Furlong
 [Moderator's note: ... attackers are often cleverer than protocol
 designers. ...

Is that true? Or is it a combination of

(a) a hundred attackers for every designer, and
(b) vastly disparate rewards: continued employment and maybe some
kudos for a designer or implementer, access to $1,000,000,000 of bank
accounts for an attacker


SRF

-- 
There are no bad teachers, only defective children.



Re: Cross logins

2005-08-04 Thread Peter Saint-Andre

Rich Salz wrote:

Is it possible for two web sites to arrange for cross
logins?



Check out SAML, esp the browser artifact profile.


Check out Passel, which lacks the complexity of SAML:

http://www.passel.org/

Peter





Re: Query about hash function capability

2005-08-04 Thread Ian Clelland

On Aug 3, 2005, at 7:55 PM, Arash Partow wrote:

My question relates to hash functions in general and not specifically
cryptographic hashes. I was wondering if there exists a group of hash
function(s) that will return an identical result for sequentially
similar yet rotate/shift wise dissimilar input:

ie: input1 : abcdefg -> h(abcdefg) = 123
input2 : gabcdef -> h(gabcdef) = 123
input3 : fgabcde -> h(fgabcde) = 123

Here a,b,c,d,e,f,g represent symbols (ie: groups of bits with equivalent
group sizes etc...)


Why not just include a canonicalization step at the beginning of the
hash that is designed to ignore rotation?

For example, if you can define an ordering on the set of possible 
inputs to the hash, then you can rotate any input to the point where it 
is the smallest (or largest) that it can be, and then hash *that* 
value.


Ian Clelland
[EMAIL PROTECTED]
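
The canonicalize-then-hash idea from this message and from the two earlier replies in the "Query about hash function capability" thread (Victor Duchovni's and Alexander Klimov's), as an added Python example that is not code from the thread. It goes beyond the posts by finding the smallest rotation with a linear-time two-pointer scan instead of sorting all rotations; the function names and the SHA-256 default are assumptions.

```python
import hashlib

def canonical_by_sorting(s: bytes) -> bytes:
    """The method the posts describe: build every rotation, keep the smallest."""
    return min((s[i:] + s[:i] for i in range(len(s))), default=b"")

def least_rotation_index(s: bytes) -> int:
    """Start index of the lexicographically smallest rotation, in O(n) time."""
    n = len(s)
    i, j, k = 0, 1, 0            # i, j: candidate starts; k: symbols matched so far
    while i < n and j < n and k < n:
        a, b = s[(i + k) % n], s[(j + k) % n]
        if a == b:
            k += 1
            continue
        if a > b:
            i += k + 1           # no start in i..i+k can be the minimum
        else:
            j += k + 1           # no start in j..j+k can be the minimum
        if i == j:
            j += 1
        k = 0
    return min(i, j)

def canonical(s: bytes) -> bytes:
    """Rotate s to its smallest rotation: the orbit representative to hash."""
    r = least_rotation_index(s)
    return s[r:] + s[:r]

def rotation_invariant_hash(s: bytes, algo: str = "sha256") -> str:
    """Hash of the canonical rotation; equal for all rotations of s."""
    return hashlib.new(algo, canonical(s)).hexdigest()

if __name__ == "__main__":
    # Constructed inputs taken from the examples in the thread.
    for word in (b"abcdefg", b"gabcdef", b"fgabcde", b"abcab"):
        print(word, canonical(word), rotation_invariant_hash(word)[:16])
```

Only rotations collide by design: a reordering that is not a rotation, such as abcba for abcab, gets a different canonical form and therefore a different hash.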

