Re: ADMIN: end of latest SSL discussion

2005-12-28 Thread James A. Donald
--
In the SSL thread various solutions were proposed, or 
rather existing solutions pointed to:

1.  SSH just works.   So generalizing from the success 
of SSH, the browser should remember who you have 
relationships with, and the keys of the people you have 
relationships with.   To avoid the name overload 
problem, those relationships should be named by Zooko's 
triangle, as the petname tool does, and should be a 
special kind of favorite, as the petname tool makes 
them.   This requires that establishing a relationship, 
and verifying a shared secret, should be part of the 
browser chrome, as it is with SSH, rather than a 
particular application of generic web forms, as it is 
with existing practice.   So when you hit a phisher, 
significantly different chrome comes up.

2. Phishers are after shared secrets, so secure each 
shared secret, and thus each relationship, with 
SRP-TLS-OpenSSL.  This also requires that establishing a 
relationship, and verifying a shared secret, should be 
part of the browser chrome, rather than a particular 
application of generic web forms. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 8epIQqxZ+sfUW+5ao0hWd4g/hAhRlqifZr6xWoQn
 47kvMBcL6UqQ54XSgEcxbJd8xqAh2LSxufi/3IBdG



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


new openssh directions

2005-12-28 Thread Travis H.
Interview with OpenSSH developer:

http://www.securityfocus.com/columnists/375

Summary: Arbitrary layer 2/3 tunnelling using tun(4) interfaces over
ssh.  Various changes to reduce attack possibilities.  My first
encounter with the term attack surface.

Commentary: TCP over TCP --- retransmit timeout synchrony.  Creeping
featurism?  Ubiquitous network tunnelling is just a revision away. 
This is inevitable.

Aside:  I'm currently imagining some kind of network shell that deals
with tunnels between nodes like /bin/sh deals with pipes between
programs.
--
http://www.lightconsulting.com/~travis/
Vast emptiness, nothing sacred. -- Bodhidharma --
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: another feature RNGs could provide

2005-12-28 Thread David Malone
On Tue, Dec 27, 2005 at 11:34:15PM +, Ben Laurie wrote:
 If you don't have sufficient plain/ciphertext, then of course you can
 choose incorrect pairs.

Yep - that's my point. The thing to note is that for an arbitrary
permutation, knowing the image of n plaintexts tells you (almost)
nothing else.  Usually for a block cipher with a smaller key space,
knowing a plaintext/ciphertext pair actually has a pretty big impact
on what you know about the key, and this is how people usually think
about block ciphers.

In AES with a 128 bit block and 256 bit key, if the images are
uniformly and independently distributed, then each pair known reduces
the possible amount of key space by about 128 bits, so 2 or 3 pairs
will nail the key down with reasonable probability. For good measure
we could say 20 or 30 would be sufficient, even if the images aren't
well distributed.

For S_(2^128) the original key space has (2^128)! keys so it is
about 128*(2^128) bits. Knowing 30 pairs here will reduce the key
space by about 128*30 bits, leaving us with 128*(2^128) - 128*30 =
128*(2^128-30) bits. We've barely had any impact at all, because
the key space was much bigger to begin with.

Of course, this also shows why using an arbitrary permutation in
S_(2^128) isn't very practical - you need to store 128*(2^128) bits
to remember which one you're using!

David.
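The counting argument above, worked through on a toy scale as an added example (not from the thread): a keyed cipher with a 12-bit key on 4-bit blocks, whose keys select seeded pseudorandom permutations, beside the full symmetric group S_16. The block size, key size, key value and plaintexts are constructed choices.

```python
import math
import random

N_BITS = 4            # toy block size: permutations act on N = 2**N_BITS values
N = 1 << N_BITS
KEY_BITS = 12         # toy keyed cipher: 2**KEY_BITS keys (constructed choice)


def log2_factorial(n):
    """log2(n!), the key space of S_n in bits (about n*log2(n) for huge n)."""
    return sum(math.log2(i) for i in range(1, n + 1))


def arbitrary_perm_bits_left(block_bits, pairs):
    """Bits of key space left for an arbitrary permutation of 2**block_bits values
    once `pairs` distinct plaintext/ciphertext pairs are known: exactly the
    (N - pairs)! permutations agreeing on the known points remain, so each pair
    costs log2(N - i) bits, about block_bits per pair."""
    return log2_factorial((1 << block_bits) - pairs)


def keyed_perm(key):
    """Toy cipher family: key k deterministically selects a permutation of N values."""
    table = list(range(N))
    random.Random(key).shuffle(table)   # seeded, so this is a fixed table per key
    return table


def consistent_keys(pairs):
    """Keys of the toy cipher whose permutation agrees with every known (p, c) pair."""
    hits = []
    for k in range(1 << KEY_BITS):
        table = keyed_perm(k)
        if all(table[p] == c for p, c in pairs):
            hits.append(k)
    return hits


def demo(true_key=0x2A5, plaintexts=(3, 9, 14)):
    """For 0..3 known pairs, return (keys still consistent, bits left in S_N).
    The keyed cipher loses about N_BITS bits of key per pair and is pinned down
    after ~KEY_BITS/N_BITS pairs; S_N loses the same bits per pair but started
    with log2(N!) bits, so it is barely affected."""
    table = keyed_perm(true_key)
    pairs = [(p, table[p]) for p in plaintexts]       # known pairs (constructed)
    keys_left = [len(consistent_keys(pairs[:i])) for i in range(len(pairs) + 1)]
    perm_bits = [arbitrary_perm_bits_left(N_BITS, i) for i in range(len(pairs) + 1)]
    return keys_left, perm_bits


if __name__ == "__main__":
    for i, (k, b) in enumerate(zip(*demo())):
        print(f"{i} pairs: {k:5d}/{1 << KEY_BITS} toy keys (~{math.log2(k):.1f} bits) "
              f"vs S_{N} with {b:.1f} bits left")
```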



Hey kids, come join the NSA!

2005-12-28 Thread Eric Rescorla
Hey boys and girls! Want to help your country defeat that mean old
Osama? Then check out the National Security Agency's CryptoKids web site
(http://www.nsa.gov/kids/):

On this site, you can learn all about codes and ciphers, play lots
of games and activities, and get to know each of us - Crypto Cat,
Decipher Dog, Rosetta Stone, Slate, Joules, T.Top, and, of course,
our leader CSS Sam.

You can also learn about the National Security Agency/Central
Security Service - they're America's real codemakers and
codebreakers. Our Nation's leaders and warfighters count on the
technology and information they get from NSA/CSS to get their jobs
done. Without NSA/CSS, they wouldn't be able to talk to one another
without the bad guys listening and they wouldn't be able to figure
out what the bad guys were planning.

We hope you have lots of fun learning about cryptology and
NSA/CSS. You might be part of the next generation of America's
codemakers and codebreakers.

The site comes complete with a bunch of material on making and breaking
simple codes (cool), resources to teach kids about crypto (also cool),
and detailed biographies of the CryptoKids characters (kind of
creepy). Here's some of what CryptoCat does for fun:

I'm usually hanging out with my friends at the mall or catching the
latest movie. I love helping people so I find different ways to help
out around the community. Right now, I volunteer as a swim coach for
children with special needs. It's a lot of fun AND I get to spend
extra time with my sister who has Down's Syndrome.

The NSA Gifted and Talented program looks pretty cool, though.

-Ekr




What phishers want

2005-12-28 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], James A. Donald writes:
--
You wrote:

2. Phishers are after shared secrets, so secure each 
shared secret, and thus each relationship, with 
SRP-TLS-OpenSSL.  This also requires that establishing a 
relationship, and verifying a shared secret, should be 
part of the browser chrome, rather than a particular 
application of generic web forms. 


No -- what phishers are after is money.  They get that today by going 
after shared secrets.  If banks change, they'll change.  


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


