Re: general defensive crypto coding principles

2006-02-10 Thread Peter Gutmann
Jack Lloyd [EMAIL PROTECTED] writes:
> On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
>> So you can use encrypt-then-MAC, but you'd better be *very* careful how you
>> apply it, and MAC at least some of the additional non-message-data
>> components as well.
>
> Looking at the definitions in the paper, I think it is pretty clear that that
> was their intent. The scheme definitions in section 4 make no provisions for
> initialization vectors or any kind of parameterization, so I'm assuming that
> they assumed the encryption function will include all that as part of the
> output, meaning it will be included as part of the MAC.

Well, that's the exact problem that I pointed out in my previous message - in
order to get this right, people have to read the mind of the paper author to
divine their intent.  Since the consumers of the material in the paper
generally won't be expert cryptographers (or even inexpert cryptographers,
they'll be programmers), the result is a disaster waiting to happen.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
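Added example, not from Peter's or Jack's messages and not from the paper under discussion: the naive and the careful placement of the MAC side by side, in Python with only the standard library. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-CTR (an assumption made so the block runs without a crypto library); keys, header and message are constructed demo values. The naive variant authenticates only the ciphertext bytes, so an attacker who swaps the IV/nonce or the header in transit is not detected and the receiver accepts a different plaintext under a valid tag; the careful variant MACs the length-framed header, nonce and ciphertext and rejects the same tampering.

```python
import hashlib
import hmac
import struct


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256.  Assumption: a stand-in for
    AES-CTR so the block needs no third-party library; the MAC-placement
    lesson does not depend on which cipher produces the stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) under the given nonce."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _frame(*parts):
    """Length-prefix each field so header/nonce/ciphertext cannot be
    re-split into a different triple that yields the same MAC input."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


# --- naive: the tag covers only the ciphertext bytes ----------------------

def seal_ct_only(ek, mk, header, nonce, pt):
    ct = ctr_xor(ek, nonce, pt)
    return hmac.new(mk, ct, hashlib.sha256).digest(), ct


def open_ct_only(ek, mk, header, nonce, ct, tag):
    # header and nonce are trusted as received: nothing binds them to the tag
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        return None
    return ctr_xor(ek, nonce, ct)


# --- careful: the tag covers header, nonce and ciphertext -----------------

def seal_full(ek, mk, header, nonce, pt):
    ct = ctr_xor(ek, nonce, pt)
    return hmac.new(mk, _frame(header, nonce, ct), hashlib.sha256).digest(), ct


def open_full(ek, mk, header, nonce, ct, tag):
    expected = hmac.new(mk, _frame(header, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(ek, nonce, ct)


# Constructed demo values; not real keys and not a real protocol header.
EK = hashlib.sha256(b"demo encryption key").digest()
MK = hashlib.sha256(b"demo mac key").digest()
HEADER = b"v1:ctr:hmac-sha256"
NONCE = bytes(range(16))
MSG = b"pay alice 100"


def demo():
    """An attacker on the wire replaces the nonce.  Returns what each
    receiver accepts: the naive one hands back a different plaintext
    under a tag that still verifies, the careful one returns None."""
    tag, ct = seal_ct_only(EK, MK, HEADER, NONCE, MSG)
    naive = open_ct_only(EK, MK, HEADER, bytes(16), ct, tag)
    tag, ct = seal_full(EK, MK, HEADER, NONCE, MSG)
    careful = open_full(EK, MK, HEADER, bytes(16), ct, tag)
    return naive, careful


if __name__ == "__main__":
    naive, careful = demo()
    print("naive receiver accepted:", naive)      # garbage, but the tag verified
    print("careful receiver accepted:", careful)  # None
```

The same naive receiver also accepts a rewritten header (a changed version or algorithm identifier) without complaint, which is the "additional non-message-data" case: anything the decryptor relies on to interpret the ciphertext has to be under the MAC, and length-framing the fields keeps a short header plus a long nonce from colliding with a long header plus a short nonce.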


Nonrepudiation - in some sense

2006-02-10 Thread leichter_jerrold
From a description of the Imperva SecureSphere technology.  Imperva makes 
firewalls that can look inside SSL sessions:

SSL Security that Maintains Non-Repudiation

SecureSphere can inspect the contents of both HTTP and HTTPS
(SSL) traffic.  SecureSphere delivers higher HTTPS performance
than competing reverse proxy point solutions because
SecureSphere decrypts SSL encrypted traffic but does not
terminate it. Therefore SecureSphere simply passes the encrypted
packets unchanged to the application or database server. This
eliminates the overhead of re-packaging (i.e. changing) the
communications, re-negotiating a new SSL connection to the
server, and re-encrypting the information. Moreover, it
maintains the non-repudiation of transactions since the
encrypted communication is between client and application with
no proxy acting as middleman.

-- Jerry




GnuTLS 1.2.10 - Security release

2006-02-10 Thread John Gilmore
From: Simon Josefsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED], help-gnutls@gnu.org, info-gnu@gnu.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Thu, 09 Feb 2006 16:46:28 +0100
Subject: GnuTLS 1.2.10 - Security release

We are pleased to announce the availability of GnuTLS version 1.2.10,
a security bug-fix release on the stable 1.2.x branch.

This release fixes several serious bugs that would make the DER
decoder in libtasn1 crash on invalid input.  The problems were
reported by Evgeny Legerov on the 31st of January.

We invite more detailed analysis of the problem, following our general
security advisory approach explained on:

http://www.gnu.org/software/gnutls/security.html

Particularly, it would be useful to answer the question of whether
these bugs are possible to exploit remotely.  It is certainly possible
to cause the server to crash.  We don't have resources to investigate
this problem more ourselves currently.

To make it easier for you to review this problem, I have prepared a
self test that triggers three bugs in the old libtasn1.  It will be
part of GnuTLS 1.3.4, in tests/certder.c.  A diff between libtasn1
0.2.17 and libtasn1 0.2.18 is also available, for those wishing to
analyze the changes made to address the problems.  It contains a few
unrelated fixes too, but it is not too large.  It is available from:

http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.patch

Please send your analysis to [EMAIL PROTECTED] and I'll update the
security advisory web page pointing to it.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

Noteworthy changes since version 1.2.9:
- Fix out-of-bounds read bug in DER parser.  Reported by Evgeny Legerov
  [EMAIL PROTECTED], and debugging help from Protover SSL.
- Libtasn1 0.2.18 is now required (contains the previous bug fix).
  The included version has been updated too.
- Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
  Otto Maddox [EMAIL PROTECTED] and Nozomu Ando [EMAIL PROTECTED].
- Corrected a bug in certtool for 64 bit machines. Reported
  by Max Kellermann [EMAIL PROTECTED].
- Corrected bugs in gnutls_certificate_set_x509_crl() and
  gnutls_certificate_set_x509_trust(), that caused memory corruption if
  more than one certificate was added. Report and patch by Max Kellermann.
- Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no
  longer invalidate a session if the underlying send fails, but it will
  prevent future writes. That is to allow reading the already received data.
  Patches and bug reports by Yoann Vandoorselaere [EMAIL PROTECTED]

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:
http://lists.gnu.org/mailman/listinfo/help-gnutls.

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.2.10.tar.bz2 (2.7MB)
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.10.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.2.10.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.10.tar.bz2.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
  1280R/B565716F 2002-05-05 [expires: 2006-02-28]
  Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the SHA-1 checksums:

18140bebae006e019deb77962836bcd775256aab  gnutls-1.2.10.tar.bz2
19d200ce04dc54b55d609a091500d1a2aee6e368  gnutls-1.2.10.tar.bz2.sig
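Added example, not libtasn1 or GnuTLS code: a bounds-checked DER tag/length walker in Python showing the checks a decoder needs so that invalid input of the kind mentioned in the announcement (a length field pointing past the data, an indefinite or non-minimal length, an inner element overrunning its parent) is rejected instead of read past the end of the buffer. The test vectors are constructed for this example and are not taken from the report. In a memory-safe language a missing check surfaces as an exception; in a C decoder it is an out-of-bounds read, which is why each read here is checked against the end of the current element before it happens.

```python
class DerError(ValueError):
    """Raised for any malformed or truncated DER input."""


def read_tlv(buf, pos=0, end=None):
    """Parse one DER tag/length header at buf[pos], bounded by buf[:end].

    Returns (tag, content_start, content_end).  Every read is checked
    against `end` before it happens, so a length field that points past
    the buffer, or past the enclosing element, is rejected rather than
    followed.  A decoder that checks only against the total buffer size
    (or not at all) is what turns a bad certificate into an out-of-bounds
    read in C.
    """
    if end is None or end > len(buf):
        end = len(buf)
    if end - pos < 2:
        raise DerError("offset %d: need at least a tag and a length byte" % pos)
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError("offset %d: multi-byte tags not supported here" % pos)
    first = buf[pos + 1]
    p = pos + 2
    if first < 0x80:
        clen = first                       # short form: the byte is the length
    else:
        n = first & 0x7F                   # long form: n length bytes follow
        if n == 0:
            raise DerError("offset %d: indefinite length is BER, not DER" % pos)
        if n > end - p:
            raise DerError("offset %d: length field truncated" % pos)
        lbytes = buf[p:p + n]
        if lbytes[0] == 0:
            raise DerError("offset %d: non-minimal length (leading zero byte)" % pos)
        clen = int.from_bytes(lbytes, "big")
        if clen < 0x80:
            raise DerError("offset %d: non-minimal length (short form required)" % pos)
        p += n
    if clen > end - p:
        raise DerError("offset %d: content length %d exceeds the %d bytes remaining"
                       % (pos, clen, end - p))
    return tag, p, p + clen


def walk(buf, pos=0, end=None, depth=0, max_depth=32):
    """Yield (depth, tag, content) for each TLV in buf[pos:end], descending
    into constructed elements (bit 0x20 of the tag) with their own end bound."""
    if end is None:
        end = len(buf)
    if depth > max_depth:
        raise DerError("offset %d: nesting deeper than %d" % (pos, max_depth))
    while pos < end:
        tag, cstart, cend = read_tlv(buf, pos, end)
        yield depth, tag, buf[cstart:cend]
        if tag & 0x20:
            yield from walk(buf, cstart, cend, depth + 1, max_depth)
        pos = cend


def check(buf):
    """Return ("ok", element_count) or ("rejected", reason) for a DER blob."""
    try:
        return "ok", sum(1 for _ in walk(buf))
    except DerError as e:
        return "rejected", str(e)


# Constructed test vectors for this example; none is taken from the report.
GOOD = bytes.fromhex("300702010504026162")          # SEQUENCE { INTEGER 5, OCTET STRING "ab" }
TRUNCATED = GOOD[:-1]                               # outer length says 7, only 6 bytes follow
HUGE_LENGTH = bytes.fromhex("3084ffffffff")         # 4-byte length (~4 GiB), no content at all
INDEFINITE = bytes.fromhex("30800201050000")        # 0x80 = indefinite length, BER only
NONMINIMAL = bytes.fromhex("30810702010504026162")  # long form used for a length below 128
INNER_OVERRUN = bytes.fromhex("3003020300ffffff")   # inner INTEGER claims 3 bytes, parent has 1

if __name__ == "__main__":
    for name in ("GOOD", "TRUNCATED", "HUGE_LENGTH", "INDEFINITE", "NONMINIMAL", "INNER_OVERRUN"):
        print("%-14s %s" % (name, check(globals()[name])))
```

The INNER_OVERRUN vector is the case a decoder most often gets wrong: the buffer does contain three more bytes after the inner length byte, so a check against the whole buffer passes, but they belong to whatever follows the SEQUENCE, not to the INTEGER, which is why the bound passed down through walk() is the parent's end and not len(buf).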


GnuTLS (libgcrypt really) and Postfix

2006-02-10 Thread Victor Duchovni
On Fri, Feb 10, 2006 at 09:15:26AM -0800, John Gilmore wrote:

> Subject: GnuTLS 1.2.10 - Security release

If I may be granted the segue, the Postfix documentation has recently
been updated to include the following text:

NOTE: Do not use Gnu TLS. It will spontaneously terminate a process
with exit status code 2, instead of properly reporting problems to
Postfix, so that it can log them to the maillog file.

This was discovered when the Postfix cleanup(8) daemon was reported
exiting in LDAP initialization.  The system LDAP library was linked
against GnuTLS, and /dev/urandom was missing from the chroot jail.

The real culprit is libgcrypt, whose log_fatal() macro terminates the
calling process. This is undesirable in a general purpose library. If
the authors of GnuTLS have any influence on the design/implementation
of libgcrypt, I hope they will make an effort to see this issue addressed.

  cipher/cipher.c: log_fatal("cipher_encrypt: invalid mode %d\n", c->mode );
  cipher/cipher.c: log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
  cipher/dsa.c: log_fatal("DSA:: sign, verify failed\n");
  cipher/elgamal.c: log_fatal("ElGamal operation: encrypt, decrypt failed\n");
  cipher/elgamal.c: log_fatal("ElGamal operation: sign, verify failed\n");
  cipher/primegen.c: log_fatal ("can't generate a prime with less than %d bits\n", 16);
  cipher/random.c: log_fatal ("failed to create the pool lock: %s\n", strerror (err) );
  cipher/random.c: log_fatal ("failed to create the nonce buffer lock: %s\n",
  cipher/random.c: log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("failed to release the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("failed to release the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal(_("can't read `%s': %s\n"), seed_file_name, strerror(errno) );
  cipher/random.c: log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("failed to release the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal (_("no entropy gathering module detected\n"));
  cipher/random.c: log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("failed to acquire the pool lock: %s\n", strerror (err));
  cipher/random.c: log_fatal ("No way to gather entropy for the RNG\n");
  cipher/random.c: log_fatal ("failed to acquire the nonce buffer lock: %s\n",
  cipher/random.c: log_fatal ("failed to release the nonce buffer lock: %s\n",
  cipher/rndegd.c: log_fatal ("EGD socketname is too long\n");
  cipher/rndegd.c: log_fatal("can't create unix domain socket: %s\n", strerror(errno) );
  cipher/rndegd.c: log_fatal("can't connect to EGD socket `%s': %s\n",
  cipher/rndegd.c: log_fatal("can't write to the EGD: %s\n", strerror(errno) );
  cipher/rndegd.c: log_fatal("can't write to the EGD: %s\n", strerror(errno) );
  cipher/rndlinux.c: log_fatal ("can't open %s: %s\n", name, strerror(errno) );
  cipher/rndlinux.c: log_fatal("stat() off %s failed: %s\n", name, strerror(errno) );
  cipher/rndlinux.c: log_fatal("invalid random device!\n" );
  cipher/rndlinux.c: log_fatal("read error on random device: %s\n", strerror(errno));
  cipher/rndw32.c: log_fatal ( "rndw32: can't get module handle\n" );
  cipher/rndw32.c: log_fatal ( "rndw32: failed to get a toolhelp function\n" );
  cipher/rndw32.c: log_fatal ( "rndw32: failed to take a toolhelp snapshot\n" );
  cipher/rndw32.c: log_fatal("can't run on a W32s platform\n" );
  cipher/rsa.c: log_fatal("RSA operation: public, secret failed\n");
  cipher/rsa.c: log_fatal("RSA operation: secret, public failed\n");
  src/secmem.c: log_fatal ("failed to reset uid: %s\n", strerror (errno));
  src/secmem.c: log_fatal ("can't allocate memory pool of %u bytes\n",
  src/secmem.c: log_fatal ("failed to drop setuid\n");

-- 
Victor Duchovni, IT Security, Morgan Stanley
(ASCII ribbon campaign against HTML mail)

NOTICE: If received in error, please destroy and notify sender. Sender
does not waive confidentiality or privilege, and use is prohibited.



Re: Nonrepudiation - in some sense

2006-02-10 Thread Victor Duchovni
On Fri, Feb 10, 2006 at 07:49:59PM +, Ben Laurie wrote:

> Secondly, obviously, you can only decrypt SSL if you have the private
> key, so presumably this is referring only to incoming SSL connections.

And only if EDH (or more generally all PFS) ciphers are disabled. This
is AFAIK common with HTTP servers, but the majority of TLS capable MTAs
negotiate EDH ciphers.

