The summer of PKI love

2005-08-11 Thread Anne Lynn Wheeler
http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html

The annual PKI Deployment Summit at Dartmouth College is becoming a
summer tradition. Universities differ from other large enterprises in
ways that make them bellwethers for IT's future.

... snip ..

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Motorist wins case after maths whizzes break speed camera code

2005-08-11 Thread Victor Duchovni
On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote:

 The facts are very scrambled but I like it.
 The brief TV reports from lawyers were more factual.
 
 Motorist wins case after maths whizzes break speed camera code
 

http://www.faqs.org/qa/rfcc-1420.html

Possibly related:

http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NY Times article on biometrics and border control

2005-08-11 Thread Stefan Kelm
 Hurdles for High-Tech Efforts to Track Who Crosses Borders
 By ERIC LIPTON
 The government's effort to collect biometric data to track foreigners
 visiting the U.S. has fallen far short of its goals.

Well, this article is somewhat blurry. They start by
Hoping to block the entry of criminals and terrorists
whereas even immigration officers agree that that's not
one of their goals.

Fortunately, they then cite some politician:

When it's all in place, there's still no real additional
security or at least it's of marginal value which is, as
we all know, correct.

BTW, on some airports DHS does indeed take one's fingerprint
and photos when leaving the country. They currently do so
at Baltimore for example.

What worries me is that all the information collected
can be, and will be, misused eventually.

What worries me even more is that the europeans now
feel under pressure and happily will introduce the
very same crap.

Cheers,

Stefan.
---
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Stra├če 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


How much for a DoD X.509 certificate?

2005-08-11 Thread Peter Gutmann
$25 and a bit of marijuana, apparently.  See:

  http://www.wjla.com/news/stories/0305/210558.html
  http://www.wjla.com/news/stories/0105/200474.html

Although the story doesn't mention this, the ID in question was the DoD
Common Access Card, a smart card containing a DoD-issued certificate.  To get
a CAC, you normally have to provide two forms of verification... in this case
I guess the two were photo ID of dead presidents and empirical proof that you
know how to buy weed.

The cards were issued by Yusuf Khalil Jackson, a man with a long criminal
history (including, ironically, identity fraud):

  John Pike, Global Security.org:  The notion that we're going to let
  somebody with this type of criminal record, with no background check on him
  and give him the ID card machine defies understanding.

Jackson admitted to making about 30 of the ID cards:

  John Pike:  The good news is that it looks like some of these people were
  just doing it so they could go to a bar and claim to be over 21. The bad
  news is that you don't know what else some of these other people might have
  done.

One of the cards was later seized from a Pakistani national by the police.

  Bowens:  That's the nightmare of it. The cards themselves are not
  counterfeit. They're authentically made but they've been issued in an
  unauthorized manner for profit or ideology or a little of both.

This sort of thing doesn't bode well for Real ID either.  These cards were
real ID too.

Peter.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How much for a DoD X.509 certificate?

2005-08-11 Thread Anne Lynn Wheeler
Peter Gutmann wrote:
 $25 and a bit of marijuana, apparently.  See:
 
   http://www.wjla.com/news/stories/0305/210558.html
   http://www.wjla.com/news/stories/0105/200474.html
 
 Although the story doesn't mention this, the ID in question was the DoD
 Common Access Card, a smart card containing a DoD-issued certificate.  To get
 a CAC, you normally have to provide two forms of verification... in this case
 I guess the two were photo ID of dead presidents and empirical proof that you
 know how to buy weed.
 
 The cards were issued by Yusuf Khalil Jackson, a man with a long criminal
 history (including, ironically, identity fraud):

one might claim that part of this is the lingering affinity to offline
credentials ... when most really secure operations have gone to online
and realtime operations ... leaving any physical object primarily a
feature of something you have authentication that might be used in
conjunction with other authentication factors.

the issue of many offline credentials are that they are left over from a
bygone era that is rapidly disappearing, but some of the legacy mindsets
still linger on.

the issue was raised in the mid-90s in financial infrastructures ...
that such offline credentials ... even tho superfluous and redundant (in
a modern online world) wouldn't actually be hurting anything (other than
possibly the out-of-pocket expense to support such operations).

the danger did show up when operations were tempted to use the redundant
and superfluous credential in lieu of doing an actual online operation.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[Clips] The summer of PKI love

2005-08-11 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 11 Aug 2005 15:10:52 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] The summer of PKI love
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html

 InfoWorld


 The summer of PKI love
 Dartmouth College's PKI Deployment Summit showed public key infrastructure
 moving forward
 Strategic Developer,  By   Jon Udell   ?
 August 10, 2005


 The annual  PKI Deployment Summit at Dartmouth College is becoming a summer
 tradition. Universities differ from other large enterprises in ways that
 make them  bellwethers for IT's future. University user populations are
 transient, platform monocultures cannot be imposed, and collaboration
 across institutional borders is mission-critical. These are excellent
 circumstances in which to evolve methods of identity  management that will
 also meet the requirements of corporations as they increasingly outsource,
 connect with customers through  the Web, and engage with partners in
 federations of Web services.


 One reason for PKI's slow uptake has been the lack of two kinds of
 portability. It hasn't been easy to move cryptographic  keys from one
 machine to another, or to use credentials issued by one institution at
 another. But as we learned at the summit,  there's been progress on both
 fronts. Growing adoption of hardware tokens is making cryptographic
 identities independent of  machines. And emerging trust bridges are
 enabling those identities to be federated among universities, the federal
 government,  and industry.

 On the token front, we're still unfortunately waiting for the ideal key
 storage device. USB tokens, smart cards, and cell  phones are all
 candidates, and the pros and cons of these options form a complex matrix.
 Universities tend to prefer the USB  approach because the tokens work with
 PCs and Macs that can't easily be outfitted with card readers.

 No matter what flavor of device, however, the deployment procedure is
 critical. This year, several summit attendees talked  about moving away
 from a model in which the token caches keys that are also stored elsewhere,
 to a model in which keys are  generated directly on the token and are
 stored only there. If you lose your token, you have to reregister for a new
 one and  get freshly minted keys. Work-arounds are painful experiences that
 people won't lightly inflict on themselves a second time.

 It sounds draconian, and indeed is, but the benefits are twofold. It
 virtually eliminates password sharing, which, as I mentioned  last year, is
 otherwise rampant. And the required in-person registration is a  ceremony
 that helps users understand what the token means and how to use it.

 On the trust front, a number of initiatives are under way. A handful of
 universities and resource providers have been using  the Internet2
 consortium's  Shibboleth to enable users at one institution to access
 online resources at another. In March, that trust network was formalized as
 the  InCommon Federation.

 Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust
 bridges were a hot topic this year. Dartmouth's  Scott Rea gave a status
 report on the  Higher Education Bridge Certification Authority. Peter
 Alterman, from the National Institutes of Health, described the  Federal
 Bridge Certification Authority. Cybertrust's Russ Weiser presented  Secure
 Access for Everyone, which focuses on the biopharmaceutical industry. And
 Jim Jokl, from the University of Virginia, showed how to leverage grid
 networks as a trust fabric by exploiting the  Globus Toolkit's intrinsic
 PKI.

 Once these and other bridges can cross-certify, token-borne credentials
 issued by one will be recognized -- subject to appropriate  policy mapping
 -- by the others. A year ago that seemed far-fetched, but the picture is
 coming into focus.



 Jon Udell is lead analyst and blogger in chief at  the InfoWorld Test Center.


 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


Re: Motorist wins case after maths whizzes break speed camera code

2005-08-11 Thread Aram Perez

On Aug 10, 2005, at 7:01 PM, Victor Duchovni wrote:


On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote:


The facts are very scrambled but I like it.
The brief TV reports from lawyers were more factual.

Motorist wins case after maths whizzes break speed camera code


http://www.faqs.org/qa/rfcc-1420.html

Possibly related:

http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf


From the brochure: Security/Encryption: all enforcement information  
is public key authenticated using MD5 encryption to ensure  
information is authentic and tamper free. So, of course, it must be  
very secure, no marketing enhancements here.


On the other hand, it seems that the prosecutor didn't use/hire the  
proper expert witness. Putting aside the inaccuracies of the article  
I'm trying to interpret correctly what the article stated. The record  
being protected by MD5 consists of the  time, date, place,  
numberplate and speed. Assuming that only the speed was in question,  
then it should be possible to calculate all the MD5's for all  
possible speed values and see if you get a collision (actually, just  
the speed values above the speed limit).


Just my 2 centavos,
Aram Perez

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How much for a DoD X.509 certificate?

2005-08-11 Thread John Kelsey
From: Peter Gutmann [EMAIL PROTECTED]
Sent: Aug 11, 2005 7:42 AM
To: cryptography@metzdowd.com
Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently.  See:

  http://www.wjla.com/news/stories/0305/210558.html
  http://www.wjla.com/news/stories/0105/200474.html

Although the story doesn't mention this, the ID in
question was the DoD Common Access Card, a smart card
containing a DoD-issued certificate.  To get a CAC, you
normally have to provide two forms of verification... in
this case I guess the two were photo ID of dead presidents
and empirical proof that you know how to buy weed.

Ah, so this was more of an attribute certificate, then.  And
that the certificate was issued based partly on a
nonstandard proof of possession protocol.  (More
specifically, proof of possession with intent to
distribute.)

Peter.

--John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]