Re: PGP master keys

2006-04-28 Thread Hadmut Danisch
On Wed, Apr 26, 2006 at 10:41:12PM -0400, Steven M. Bellovin wrote:

 Ah -- corporate key escrow.  An overt back door for Little Brother, rather
 than a covert one for Big Brother



You should check the list of recipient keys in PGP messages from time
to time anyway. I recently found a bug in an MTU plugin: Once you had
a PGP pubkey with an empty ID in your keyring, the plugin had always
added this key to the recipient keys, although the owner was not
listed as a recipient of the e-mail. As far as we debugged, the key
had to be in 'trusted' state, but it worked. Once you managed to have
your pubkey added to someone else's keyring with an additional empty
user ID (what most users never realize) you could read any encrypted
mail sent by that person.

regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Solution revealed

2006-04-28 Thread Jeffrey Altman
Da Vinci judge's secret code revealed
Fri Apr 28, 2006 8:25 AM ET

By Peter Graff

LONDON (Reuters) - Mystery solved. It was the admiral.

A secret code embedded in the text of a court ruling in the case of Dan
Brown's bestseller The Da Vinci Code has been cracked, but far from
revealing an ancient conspiracy it is simply an obscure reference to a
Royal Navy admiral.

British High Court Justice Peter Smith, who handed down a ruling that
Brown had not plagiarized his book, had embedded his own secret message
in his judgment by italicizing letters scattered throughout the 71-page
document.

In Brown's book, a secret code reveals an ancient conspiracy to hide
facts about Jesus Christ.

The judge's own code briefly caused a wave of amused speculation when it
was discovered by a lawyer this week, nearly a month after the ruling
was handed down.

But the lawyer, Dan Tench, cracked it after a day of puzzling. The
judge's code was based on the Fibonacci sequence, a mathematical
progression discussed in the book.

After much trial and error, we found a formula which fitted, wrote
Tench, who had nothing to do with the Brown case but discovered the
italicized letters when studying the ruling.

The judge's secret message was: Jackie Fisher, who are you?
Dreadnought, Tench wrote in the Guardian newspaper.

Judge Smith is known as a navy buff, and Fisher was a Royal Navy admiral
who developed the idea for a giant battleship called the HMS Dreadnought
in the early 20th century.

Tench wrote that the judge had e-mailed him to confirm he had guessed
the secret code right.

The judge later confirmed the existence of the code, and revealed that
the Fibonacci sequence was indeed the secret to its solution.

The message reveals a significant but now overlooked event that
occurred virtually 100 years to the day of the start of the trial, he
said in a statement.

He said that he is not normally much of a fan of puzzles, such as the
Japanese number puzzles that have become an obsession of the British press.

The preparation of the Code took about 40 minutes and its insertion
another 40 minutes or so, he wrote. I hate crosswords and do not do
Sudoku as I do not have the patience.


smime.p7s
Description: S/MIME Cryptographic Signature


Re: PGP master keys

2006-04-28 Thread Anne Lynn Wheeler

Steven M. Bellovin wrote:

Ah -- corporate key escrow.  An overt back door for Little Brother, rather
than a covert one for Big Brother


the key escrow meetings attempted to differentiate between keys used for 
authentication and keys used for securing corporate data (I only went to 
a couple of the meetings). the case of key escrow as part of
securing corporate data was similar to business processes for backing up 
corporate data, disaster recovery, and no single point of failure. in 
fact, escrow of authentication keys was equally a violation of business 
standards as not having escrow of encryption keys.


there was cross-over from backup infrastructure and the transition from 
all corporate data residing in hardened datacenters to individual 
desktops ... where the they were finding critical corporate data being 
managed and maintained w/o adequate backup and recovery capabilities.


the point of key escrow as part of infrastructure securing corporate 
data ... was that the data belonged to the corporation ... and loss of 
keys could be equivalent to losing the data ... and as such, was as 
negligent as not backing up critical corporate data and not having a 
disaster/recovery plan.


there was some backup related study that claimed half of the 
corporations that had a disk failure (where the disk was not being 
backed up) containing critical corporate data ... filed for bankruptcy 
withing 30 days of the failure. i assumed that critical was stuff like 
account-billable files ... loosing a month worth of customer account 
billing information could create a real dent on the corporation's cash 
flow. one incident involved a corporation that lost something like $50m 
in monthly billings.


it wasn't suppose to be a back door to anything ... anymore than having 
copies of all corporate files on corporate backup tapes (however, the 
corporate backup tapes wouldn't be worth a lot if all the data has been 
secured with encryption ... and the encryption keys are lost).


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PGP master keys

2006-04-28 Thread Anne Lynn Wheeler
note from the corporate side ... is was specifically the escrow of 
encryption keys for data at rest ... as part of prudent corporate asset 
protection; it was not escrow of authentication keys nor escrow of 
encryption keys used for communication.


the internal network was larger than the arpanet/internet from just 
about the beginning until possibly around summer of 85. at the time of 
the great change-over to internetworking protocol on 1/1/83, the number 
of arpanet/internet nodes was approx. 250 (a number that the internal 
network had passed in the mid-70s, the internal network passed 1000 
nodes a little later in 83).

http://www.garlic.com/~lynn/subnetwork.html#internalnet

corporate inter-site links had to be encrypted ... which at the time met 
link encryptors .. there was claims that the internal network had over 
half of all the link encryptors in the world. there wasn't any corporate 
escrow issues with link encryptor keys. there were various problems with 
gov. agencies ... significant problems especially in europe getting 
gov/ptt authorization for corporate link encryptors (on corporate links, 
between corporate sites, purely carrying corporate data) especially when 
the links crossed country boundaries.


issues did start showing up in the mid-90s in the corporate world ... 
there were a large number of former gov. employees starting to show up 
in different corporate security-related positions (apparently after 
being turfed from the gov). their interests appeared to possibly reflect 
what they may have been doing prior to leaving the gov.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PGP master keys

2006-04-28 Thread Anne Lynn Wheeler
and real-time reference from today ... on backup tapes ... at off-site 
location that weren't encrypted (and should have been):


Data storage firm apologizes for loss of railroad data tapes
Information on as many as 17,000 workers at risk
http://www.boston.com/business/globe/articles/2006/04/28/data_storage_firm_apologizes_for_loss_of_railroad_data_tapes/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PGP master keys

2006-04-28 Thread StealthMonger
Steven M. Bellovin [EMAIL PROTECTED] writes:

 In an article on disk encryption
 (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
 paragraph appears:

   BitLocker has landed Redmond in some hot water over its insistence
   that there are no back doors for law enforcement. As its
   encryption code is open source, PGP says it can guarantee no back
   doors, but that cyber sleuths can use its master keys if
   neccessary.

 What is a master key in this context?

Interesting epilog: theregister has apparently now edited out all
mention of master keys.  In a version downloaded via the Agora
web-to-mail gateway at Sat, 29 Apr 2006 03:42:05 +0900 (JST), the
second sentence reads PGP says its open source encryption code also
guarantees no back doors.  (full stop)

 -- StealthMonger

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]