Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Nicolas Rachinsky
* Ed Gerck [EMAIL PROTECTED] [2006-02-25 13:11 -0800]:
 Finally, the properties of MY public-key will directly affect the
 confidentiality properties of YOUR envelope. For example, if (on purpose
 or by force) my public-key enables a covert channel (eg, weak key, key
 escrow, shared private key), YOUR envelope is compromised from the start
 and you have no way of knowing it. This is quite different from an
 address, whose single purpose is to route the communication.
 
 That's why I said the postal analogue of the public-key is the envelope.

I don't agree with that analogue. A paper envelope does not prevent
anybody from opening it (you can open it without any tools and with
nearly no effort). The encryption should make it impossible for
anybody to see the contents.  The recipient might detect that the
envelope was opened or replaced, but you must trust that he will
detect this (you can't check it yourself).

Nicolas

-- 
http://www.rachinsky.de/nicolas

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Matthew Byng-Maddick
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:
 areas.  The fact is that SSH came in with a solution
 and beat the other guy - Telnet secured over SSL.  It
 wasn't the crypto that did this, it was the key management,
 plain and simple.

Very few people I knew at the time moved to SSH because it was more
secure and because passwords weren't in plaintext. Most of the
people moved because of the things you could do with SSH above and
beyond telnet (port forwarding, X11 forwarding etc). In fact, the
latter is the main reason I moved - it dated before I started taking
an interest in security. Not to say that there weren't *any* who had
the security reasons for moving, but then kerberized telnet existed
too at that point in time.

Cheers,

MBM

-- 
Matthew Byng-Maddick  [EMAIL PROTECTED]   http://colondot.net/
  (Please use this address to reply)



Re: hamachi p2p vpn nat-friendly protocol details

2006-02-28 Thread Eric Rescorla
Travis H. [EMAIL PROTECTED] writes:

 On 2/24/06, Alex Pankratov [EMAIL PROTECTED] wrote:
 Tero Kivinen wrote:
  Secondly I cannot find where it
  authenticates the crypto suite used at all (it is not included in the
  signature of the AUTH message).

 Crypto suite is essentially just a protocol number. It requires
 no authentication. If the server side responds with HELO.OK, it
 means that it can comprehend specified protocol revision. Similar
 to what happens during the SSH handshake.

 In SSL, the lack of authentication of the cryptosuite could be used to
 convince a v3 client that it is communicating with a v2 server, and
 the v3 server that it is communicating with a v2 client, causing them
 to communicate using SSL v2, which is called the version rollback
 attack.

This isn't quite accurate.

SSLv2 didn't do any kind of downgrade protection at all, for the
version number, cipher suite, or anything else. SSLv3 used a MAC
across the entire handshake. The tricky problem is to protect
downgrade from SSLv3 to SSLv2, which obviously can't be done with the
SSLv3 mechanisms. The trick that SSLv3 used was that when falling back
to SSLv2, SSLv3-capable clients would pad their RSA PKCS#1 blocks
in a special way that SSLv3 servers would detect. If they detected
it, that meant there had been a downgrade.

Unfortunately, not all clients correctly generate this padding
and the check wasn't universally implemented correctly:

http://www.openssl.org/news/secadv_20051011.txt


-Ekr
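The rollback check Ekr describes, as an added example that is not from the post or from OpenSSL: the client builds the RSA PKCS#1 block in SSLv2-compatibility mode and the server inspects the decrypted block. The RSA encryption itself is omitted; the eight 0x03 marker bytes at the end of the padding are the ones specified in TLS 1.0 (RFC 2246, Appendix E), and the function names and the constructed sample message are my own.

```python
import os

# In SSLv2-compatibility mode a v3-capable client sets the eight rightmost
# bytes of the PKCS#1 v1.5 padding string to 0x03 (TLS 1.0, RFC 2246, App. E).
# An SSLv2-only client produces random padding, so the marker is absent.
ROLLBACK_MARKER = b"\x03" * 8


def pkcs1_v15_pad(message, k, sslv2_compat=False, rng=os.urandom):
    """Client side: build the type-2 block 0x00 0x02 PS 0x00 M for a k-byte
    modulus.  PS is non-zero and at least 8 bytes long; when sslv2_compat
    is set the end of PS carries the rollback marker."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for a %d-byte modulus" % k)
    ps = bytearray()
    while len(ps) < ps_len:
        # zero bytes would terminate PS early, so discard them and redraw
        ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    if sslv2_compat:
        ps[-8:] = ROLLBACK_MARKER
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def unpad_and_check_rollback(block):
    """Server side: parse a decrypted block and return (message, rollback).
    rollback is True when the padding ends in the marker, i.e. a v3-capable
    client was talked down to SSLv2 and the server should abort the
    handshake.  Malformed blocks raise ValueError."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad PKCS#1 v1.5 block header")
    sep = block.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no separator after padding string")
    ps = block[2:sep]
    if len(ps) < 8:
        raise ValueError("padding string shorter than 8 bytes")
    return block[sep + 1:], ps.endswith(ROLLBACK_MARKER)


if __name__ == "__main__":
    # constructed sample: a v3 client forced down to SSLv2 with a 512-bit key
    blk = pkcs1_v15_pad(b"master-key", 64, sslv2_compat=True)
    print(unpad_and_check_rollback(blk))   # (b'master-key', True)
```

The advisory Ekr links is about servers that skipped this check for certain clients; the check only helps if the server refuses the handshake whenever the marker is present.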



Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Trevor Perrin

Ed Gerck wrote:

Ben Laurie wrote:


I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.



We all agree that having to use name and address are NOT the problem,
for email or postal mail. Both can also deliver a letter just with
the address (CURRENT RESIDENT junk mail, for example).

The problem is that pesky public-key. A public-key such as

[2. application/pgp-keys]...


is N O T user-friendly.



True enough about public keys.  Not so true about key fingerprints - a 
20-char fingerprint is probably not much harder to manage than the usual 
sorts of contact info (email, postal,  IM addresses, phone numbers, etc.).


Of course, a fingerprint won't let you encrypt an email without 
supporting infrastructure for key lookups.  However, it *will* let you 
authenticate a session (e.g., IM, VoIP, SSH) if your partner presents his 
public key in the handshake.


Perhaps this is further support for Iang's contention that we should 
expect newer, interactive protocols (IM, Skype, etc.) to take the lead 
in communication security.  Email-style message encryption may simply 
be a much harder problem.



Trevor



Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Alex Alten

At 05:12 PM 2/26/2006 +, Ben Laurie wrote:

Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen technology
 was PGP). If you liken their use to looking up an address in an
 address book, this isn't hard for users to grasp.

 I used PGP (Enterprise edition?) to encrypt my work emails to a
 distributed set of members last year.  We all had each other's public
 keys (about a dozen or so).

 What I really hated about it was that when [EMAIL PROTECTED] sent me
 an email often I couldn't decrypt it.  Why?  Because his firm's email
 server decided to put in the FROM field [EMAIL PROTECTED].
 Since it didn't match the email name in his X.509 certificate's DN it
 wouldn't decrypt the S/MIME attachment. This also caused problems
 with replying to his email.  It took us hours, with several
 experimental emails sent back and forth, to figure out the root of
 the problem.

 No wonder PKI has died commercially and encrypted email is on the
 endangered species list.

I trust you don't think this is a problem with PKI, right? Since clearly
the issue is with the s/w you were using.


I place the blame squarely on X.509 PKI.  The identity aspect of it is all 
screwed up.

No software implementation can overcome such a fundamental architectural flaw.

- Alex


--

- Alex Alten




Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Peter Gutmann
Alex Alten [EMAIL PROTECTED] writes:

What I really hated about it was that when [EMAIL PROTECTED] sent me an email
often I couldn't decrypt it.  Why?  Because his firm's email server decided
to put in the FROM field [EMAIL PROTECTED].  Since it didn't match
the email name in his X.509 certificate's DN it wouldn't decrypt the S/MIME
attachment. This also caused problems with replying to his email.  It took us
hours, with several experimental emails sent back and forth, to figure out
the root of the problem.

Something's getting lost in this description.  What does the value in the
From field have to do with you decrypting a message?  OTOH the mention of an
attachment indicates a detached S/MIME signature, which doesn't have
anything to do with encryption.  If it is a signature, then the software
should verify it with the included cert and display that as the signer.

Please correct and resubmit.

Peter.




Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Ben Laurie
Florian Weimer wrote:
 * Ben Laurie:
 
 I don't use PGP - for email encryption I use enigmail, and getting
 missing keys is as hard as pressing the get missing keys button.
 
 A step which has really profound privacy implications.
 
 I couldn't find a PGP key server operator that committed itself to
 keeping logs confidential and deleting them in a timely manner (but I
 didn't look very hard, either).  Of course, since PGP hasn't
 progressed as fast as our computing resources, I'm nowadays in a
 position to run my own key server, but this is hardly a solution to
 that kind of problem.

OK, I buy the problem, but until we do something about the totally
non-anonymising properties of the 'net, revealing that I want the public
key for some person seems to be quite minor - compared, for example, to
revealing that I sent him email each time I do.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Ben Laurie
Alex Alten wrote:
 At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
 Alex Alten wrote:
 At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
 Ed Gerck wrote: We have keyservers for this (my chosen
 technology was PGP). If you liken their use to looking up an
 address in an address book, this isn't hard for users to grasp.
 
 
 I used PGP (Enterprise edition?) to encrypt my work emails to a 
 distributed set of members last year.  We all had each other's
 public keys (about a dozen or so).
 
 What I really hated about it was that when [EMAIL PROTECTED] sent
 me an email often I couldn't decrypt it.  Why?  Because his
 firm's email server decided to put in the FROM field
 [EMAIL PROTECTED]. Since it didn't match the email name
 in his X.509 certificate's DN it wouldn't decrypt the S/MIME
 attachment. This also caused problems with replying to his email.
 It took us hours, with several experimental emails sent back and
 forth, to figure out the root of the problem.
 
 No wonder PKI has died commercially and encrypted email is on the
  endangered species list.
 
 I trust you don't think this is a problem with PKI, right? Since
 clearly the issue is with the s/w you were using.
 
 I place the blame squarely on X.509 PKI.  The identity aspect of it
 is all screwed up. No software implementation can overcome such a
 fundamental architectural flaw.

OK - I'll bite - why does the sender's identity have any impact on the
recipient's ability to decrypt?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Victor Duchovni
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:

 Hence, IM/chat, Skype, TLS experiments at Jabber, as
 well as the OpenPGP attempts.
 
 There are important lessons to be learnt in the rise of
 IM over email.

Likewise the rise of the telephone over paper mail, but the phone does
not obviate the need for paper mail.

 Email is held back by its standardisation, chat seems to overcome
 spam quite nicely.

Where's Gadi Evron when you need him? This is just not true; the spam
volume is rising for both blogs and IM.

 Email is hard to get encrypted, but it didn't stop Skype from doing
 encrypted IMs easily.

Likewise I have secured email communications with my wife via a single
key exchange, so what? Skype has not easily created an interoperable
federated system that secures all IM communications end-to-end, and
many of the issues in doing that are non-technical.

 The competition between the IM systems is what is driving
 the security forward.  As there is no competition in the
 email world, at least at the level of the basic protocol
 and standard, there is no way for the security to move
 forward.
 

IM is islands of automation, luckily email works globally.

 Phishing is possible over chat,
 but has also been relatively easy to address - because
 the system owners have incentives and can adjust.

This is naive; IM will become federated and decentralized and abuse
issues will be the same as for email. You can't fence the bad guys
out of the network.

-- 

 /\ ASCII RIBBON                            NOTICE: If received in error,
 \ / CAMPAIGN       Victor Duchovni         please destroy and notify
  X AGAINST         IT Security,            sender. Sender does not waive
 / \ HTML MAIL      Morgan Stanley          confidentiality or privilege,
                                            and use is prohibited.



DHS: Sony rootkit may lead to regulation

2006-02-28 Thread leichter_jerrold
DHS: Sony rootkit may lead to regulation U.S. officials aim to avoid future 
security threats caused by copy protection software

News Story by Robert McMillan

FEBRUARY 16, 2006 (IDG NEWS SERVICE) - A U.S. Department of Homeland
Security official warned today that if software distributors continue to
sell products with dangerous rootkit software, as Sony BMG Music
Entertainment recently did, legislation or regulation could follow.

"We need to think about how that situation could have been avoided in the
first place," said Jonathan Frenkel, director of law enforcement policy for
the DHS's Border and Transportation Security Directorate, speaking at the
RSA Conference 2006 in San Jose. "Legislation or regulation may not be
appropriate in all cases, but it may be warranted in some circumstances."

Last year, Sony began distributing XCP (Extended Copy Protection) software
in some of its products. The digital rights management software, which used
rootkit cloaking techniques normally employed by hackers, was later found to
be a security risk, and Sony was forced to recall millions of its CDs.

The incident quickly turned into a public relations disaster for Sony. It
also attracted the attention of DHS officials, who met with Sony a few weeks
after news of the rootkit was first published, Frenkel said. "The message
was certainly delivered in forceful terms that this was certainly not a
useful thing," he said.

While Sony's software was distributed without malicious intent, the DHS is
worried that a similar situation could occur again, this time with
more-serious consequences. "It's a potential vulnerability that's of strong
concern to the department," Frenkel said.

Though the DHS has no ability to implement the kind of regulation that
Frenkel mentioned, the organization is attempting to increase industry
awareness of the rootkit problem, he said. "All we can do is, in essence,
talk to them and embarrass them a little bit," Frenkel said.

In fact, this is not the first time the department has expressed concerns
over the security of copy protection software. In November, the DHS's
assistant secretary for policy, Stewart Baker, warned copyright holders to
be careful of how they protect their music and DVDs. "In the pursuit of
protection of intellectual property, it's important not to defeat or
undermine the security measures that people need to adopt in these days,"
Baker said, according to a video posted to The Washington Post Web site.

Despite the Sony experience, the entertainment industry's use of rootkits
appears to be an ongoing problem. Earlier this week, security vendor
F-Secure Corp. reported that it had discovered rootkit technology in the
copy protection system of the German DVD release of the American movie "Mr.
and Mrs. Smith." The DVD is distributed in Germany by Kinowelt GmbH,
according to the Internet Movie Database.

Baker stopped short of mentioning Sony by name, but Frenkel did not. "The
recent Sony experience shows us that we need to be thinking about how to
ensure that consumers aren't surprised by what their software is programmed
to do," he said.

Sony BMG officials could not immediately be reached for comment.




Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Peter Saint-Andre
bear wrote:
 
 On Fri, 24 Feb 2006, Peter Saint-Andre wrote:
 
 
 Personally I doubt that anything other than a small percentage of email
 will ever be signed, let alone encrypted (heck, most people on this list
 don't even sign their mail).

 
 I don't think I've said anything here that I will later want to be
 able to prove incontrovertibly was said by me.
 
 In general, signing your mail has a downside in this age of litigious
 potential mail recipients, and except when your mail regards the
 disposition of assets, no upside.
 
 In the long run, I think the population of people who want to sign
 their mail is about the same as the population of people who want to
 post on usenet with their real name and put their street address
 and phone number at the bottom of every post.
 
 Why give the anonymous cowards who are collecting information with
 robotic trawlers, whether for spam lists or any other reason, proof
 of exactly who you are?

The short answer to your unstated question is: anonymity is not high in
my scale of values. The long answer will require some reflection on my
part, which I won't post here but at my blog when I have the time.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml





What's the easiest way to crack an RSA key?

2006-02-28 Thread Peter Gutmann
Answer: Use google.

http://johnny.ihackstuff.com/index.php?module=prodreviewsfunc=showcontentid=246
 
yields just under *four thousand* OpenSSL private key files.  Admittedly some
of these are test keys, but it looks like many of them aren't.

(I doubt this is restricted to OpenSSL.  If there was a way to search for
 registry keys via Google, I'm sure we'd find a vast mass of IIS and whatnot
 keys as well).

Peter (thanks to anon for the info).




Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Jon Callas
I have to chime in on a number of points. I'll try to keep commercial  
plugs to a minimum.


* An awful lot of this discussion is some combination of outdated and
true but irrelevant. For example, it is true that usability of all
computers is not what it could be. But a lot of what has cruised by
here is similar to someone saying, "Yes, usability is atrocious --
here, look at this screenshot of Windows 3.1." Someone else pipes up,
"You think that's bad, let me show you this example from the Xerox
Alto. What*ever* were they thinking?" And then someone else says,
"Yeah, and if you think that's bad, look at what 'ls' did in Unix
V6!" Then when someone else says, "Y'know, I'm using the latest
version of Firefox, and it's actually pretty good," the next message
says, "But what about the Y2K issues, and what happens in 2038?"
I swear, guys, this thread is the crypto version of the Monty Python
Luxury sketch.


* Whitten and Tygar is a great paper, but it was written ages ago on  
software that was released in 1997. Things aren't perfect now, but  
let's talk about what's out there now. Even at the time, one of  
Whitten's main points is how hard it is to apply usability to  
security, because of how odd it is. As a very quick example, in most  
forms of user design, you let exploration take a prominent place. But  
it doesn't work in security because you can't click undo when you do  
something you didn't intend.


* There are new generations of crypto software out there. I produce
the PGP products, and PGP Desktop and PGP Universal are automatic
systems that look up certs, use them, automatically encrypt, and even
do both OpenPGP and S/MIME.


They're not perfect, and lead to other amusing issues. For example,
an hour ago, I was coordinating with someone that I'm meeting at a
conference. I got a reply saying, "I'm at the airport and can't
decrypt your message from my phone." I hadn't realized that I *had*
encrypted my message, because my system and my colleague's system had
been doing things for us.


I habitually send most of my email securely, but I don't think about  
it. My robots take care of it for me. I tune policies, I don't  
encrypt messages.


If you don't want to use my products, as Ben Laurie pointed out,  
there's a very nice plugin for Thunderbird called Enigmail that makes  
doing crypto painless.


* There are also new generations of keyservers out there that work on  
the issues of the old servers to trim defunct keys, and manage other  
issues. I have out there the PGP Global Directory. Think of it as a  
mash-up of a keyserver along with Robot CA concepts and user  
management goodness adapted from modern mailing list servers like  
Mailman.


* A number of us are also re-thinking other concepts such as using  
short-lived certificates based on the freshness model to constrain  
lifecycle management issues.


* There are many challenges remaining. Heck, the fact that people  
here apparently have not updated their knowledge any time this  
century is part of the problem. But let me tell you that email  
encryption is growing, and growing strongly. However, most of the  
successes are not happening where you see them. They're happening in  
business, where communities of partners decide they need to do secure  
email, and then they do. This is another place where things have  
changed radically. A decade ago, we thought that security would be a  
grass-roots phenomenon where end-users and consumers would push  
security into those stodgy businesses. What's happening now is the  
exact opposite -- savvy businesses are putting together sophisticated  
security systems, and that's slowly starting to get end-users to wake  
up.


I'd be happy to discuss at length where things are getting better,  
where they aren't, and where some issues have been shuffled around.  
But we do need to talk about what's going on now, not ten years ago.


Jon





