Re: PGP master keys
On 29 Apr 2006 02:00:18 -, StealthMonger [EMAIL PROTECTED] wrote:

| Interesting epilog: theregister has apparently now edited out all mention of master keys. They probably had their misunderstanding pointed out to them by countless people by now.
|
| But... did anyone else note the phrasing of the qualification Redmond ostensibly used? ``BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement.'' On first reading, one might assume they meant no back doors except for the overt corporate ADK, but that is not in fact what they said.

Does anyone have any experience with disk or filesystem encryption, especially with regard to unclean shutdowns and power failures? Normal file systems are designed to fail in ways that are easy to clean up with fsck, but when you start to throw encryption into the mix, it seems like you can easily end up with something unrecoverable.

Even without encryption I've seen apparent bugs in ext2fs on SMP machines that lead to sectors of nulls placed in files that were being written around the time the system crashed.

Personally, I was playing with disk encryption on my system, shut down the system and something was holding file descriptors open... the system tried to kill everything three times, and then gave up and rebooted. As a consequence, I had my first unrecoverable data loss since I started keeping track (probably 1992 or so), since I had not backed up the data (the file system was too large for my backup device). Lesson learned! Now I do a nightly rsync to a partition that is only briefly mounted. Not as good as backup tapes, but it'll do for now.

Are there any good solutions to the problem where a key isn't used frequently enough to stay in human memory, yet needs to be present in certain rare circumstances? Even with PGP keys... I've forgotten some of mine. Print it out and put it in a safety deposit box?

I wonder if the typical corporate escrow key is exercised enough to avoid needing to write it down.

IMHO interaction with human factors and imperfect hardware/software are understudied relative to their importance in actually having a functional robust real-world system. How complex can passwords be before users start to write them down? How many times does it take to memorize a passphrase? How frequently must one use it in order to retain it?

--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
encrypted file system issues (was Re: PGP master keys)
Travis H. [EMAIL PROTECTED] writes:

| Does anyone have any experience with disk or filesystem encryption, especially with regard to unclean shutdowns and power failures? Normal file systems are designed to fail in ways that are easy to clean up with fsck, but when you start to throw encryption into the mix, it seems like you can easily end up with something unrecoverable.

Not if you design it correctly. Disk encryption systems like CGD work on the block level, and do not propagate CBC operations across blocks, so if the atomic disk block write assumption is correct (and almost all modern file systems operate on that assumption), you have no more real risk of corruption than you would in any other application. The only real risk points come in if you're doing a re-key of the entire disk or some similar operation in which care must be taken with the design or you could leave yourself in an unknown state.

| Even without encryption I've seen apparent bugs in ext2fs on SMP machines that lead to sectors of nulls placed in files that were being written around the time the system crashed.

Bugs happen in everything.

Perry
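Perry's point about not chaining CBC across sectors, as an added example that is not code from the thread, from CGD, or from any real disk-encryption system: three sectors are encrypted two ways (each sector its own CBC chain under an ESSIV-style per-sector IV, versus one CBC chain across the whole disk), a three-sector rewrite is interrupted after sector 1 reaches the disk, and what is left is decrypted. The block cipher is a hashlib/hmac-based Feistel stand-in for AES so the script runs on the Python standard library alone; the key, the 64-byte sector size and the sector contents are constructed for the demo.

```python
import hashlib, hmac
BLOCK = 16    # 128-bit cipher block, as with AES
SECTOR = 64   # constructed: 4-block sectors keep the demo small; real disks use 512 or more
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
_round = lambda key, i, half: hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    """Stand-in 128-bit block cipher (4-round Feistel, HMAC round function); not AES."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def sector_iv(key, n):  # ESSIV-style: IV = E_{H(key)}(sector number), fixed per sector
    return block_encrypt(hashlib.sha256(key).digest(), n.to_bytes(BLOCK, "big"))

def sectors(buf):
    return [buf[i:i + SECTOR] for i in range(0, len(buf), SECTOR)]

def torn_write_demo(key=b"constructed demo key"):
    """Rewrite 3 sectors, crashing after sector 1 lands; return both decrypted disks."""
    old = [bytes([65 + n]) * SECTOR for n in range(3)]   # b"AAA..", b"BBB..", b"CCC.."
    new = [bytes([97 + n]) * SECTOR for n in range(3)]   # b"aaa..", b"bbb..", b"ccc.."
    # Layout 1 (CGD-style): each sector is its own CBC chain under its own IV.
    disk = [cbc_encrypt(key, sector_iv(key, n), s) for n, s in enumerate(old)]
    disk[0], disk[1] = (cbc_encrypt(key, sector_iv(key, n), new[n]) for n in (0, 1))
    per_sector = [cbc_decrypt(key, sector_iv(key, n), c) for n, c in enumerate(disk)]
    # Layout 2: one CBC chain across the disk; sector 2 is still chained to the OLD sector 1.
    iv0 = sector_iv(key, 0)
    disk = sectors(cbc_encrypt(key, iv0, b"".join(old)))
    disk[0], disk[1] = sectors(cbc_encrypt(key, iv0, b"".join(new)))[:2]
    return per_sector, sectors(cbc_decrypt(key, iv0, b"".join(disk)))
```

With per-sector chaining every sector decrypts to a valid old or new copy, the torn-write state fsck is built to repair; with disk-wide chaining the first block of the sector that was never rewritten decrypts to data that was never written anywhere.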
Disk Encryption (was: Re: PGP master keys)
I use the following approach to encrypting my disks. I use an encrypted loopback device. The version of losetup I use permits me to store the disk key in a PGP encrypted file and decrypt it (with gpg) when needed. I made many backups of both my personal keyring and the file with the encrypted loop key. So the only secret I have to remember is the passphrase on my normal PGP key, which I am not likely to forget.

Of course there is a trade-off here. If my PGP key is compromised, my disk encryption is at risk (if the encrypted disk key file is compromised as well).

-Jeff

P.S. If you run a reasonably modern Linux system, and have more than one system, you can use drbd to implement software mirroring between the two systems. Clever use of openvpn and encrypted loopback devices can do this securely as well.

--
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
[EMAIL PROTECTED]
Re: PGP master keys
| issues did start showing up in the mid-90s in the corporate world ... there were a large number of former gov. employees starting to show up in different corporate security-related positions (apparently after being turfed from the gov). their interests appeared to possibly reflect what they may have been doing prior to leaving the gov.
|
| one of the issues is that corporate/commercial world has had much more orientation towards prevention of wrong doing. govs. have tended to be much more preoccupied with evidence and prosecution of wrong doing. the influx of former gov. employees into the corporate world in the 2nd half of the 90s, tended to shift some of the attention from activities related to prevention to activities related to evidence and prosecution (including eavesdropping).

What I've heard described as the bull in the china shop theory of security: You can always buy new china, but the bull is dead meat. (I'm pretty sure I heard this from Paul Karger, who probably picked it up during his time at the Air Force.)

| for lots of drift ... one of the features of the work on x9.59 from the mid-90s
| http://www.garlic.com/~lynn/x959.html#x959
| http://www.garlic.com/~lynn/subpubkey.html#x959
|
| was its recognition that insiders had always been a major factor in the majority of financial fraud and security breaches. furthermore that with various financial functions overloaded for both authentication and normal day-to-day operations ... that there was no practical way of eliminating all such security breaches with that type of information.
| ... part of this is my repeated comment on security proportional to risk
| http://www.garlic.com/~lynn/2001h.html#61

The dodge of creating phantom troops and then collecting their pay checks has been around since Roman times. No one has ever found a way of detecting it cost-effectively.

However, it's also been known forever that it's just about impossible to avoid detection indefinitely: The officer who created the troops gets transferred, or retires, and he has no way to maintain the fiction. Or the troops themselves are transferred. Other events intervene. So armies focus on making sure they *eventually* find and severely and publicly punish anyone who tries this, no matter how long it takes. A large enough fraction of the population is deterred to keep the problem under control.

A similar issue occurs in a civilian context, sometimes with fake employees, other times with fake bills. Often, these get found because they rely on the person committing the fraud being there every time a check arrives: It's the check sitting around with no one speaking for it that raises the alarm. The long-standing policy has been to *require* people in a position to handle those checks to take their vacation. (Of course, with direct deposit of salaries, the form of the fraud, and what one needs to do to detect it, have changed in detail - but probably not by much.)

-- Jerry
Re: PGP master keys
[EMAIL PROTECTED] wrote:

| A similar issue occurs in a civilian context, sometimes with fake employees, other times with fake bills. Often, these get found because they rely on the person committing the fraud being there every time a check arrives: It's the check sitting around with no one speaking for it that raises the alarm. The long-standing policy has been to *require* people in a position to handle those checks to take their vacation. (Of course, with direct deposit of salaries, the form of the fraud, and what one needs to do to detect it, have changed in detail - but probably not by much.)

multi-party operations were supposedly a countermeasure to single person insider threats. the fraud response was collusion. so by at least the early 80s you started seeing work on collusion countermeasures.

25 years later, things have regressed to a pre-occupation with intrusion threats and intrusion countermeasures; even tho insiders have continued to be the major source of fraud through the whole period. insiders may even leverage the pre-occupation with intrusion to obfuscate the source of the exploit.

somewhat related issue with regard to sarbanes-oxley and auditing assumptions about independent information sources looking for inconsistencies.
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley

and a couple recent articles about current fraud pre-occupation

SSL Trojans: The next Great Bank Heist
http://www.infoworld.com/reports/18SRsslmalware.html

Ripped Off: Identity Theft - A View from the Financial Services Industry
http://www.mondaq.com/article.asp?article_id=39334mostpopular=1
Re: encrypted file system issues (was Re: PGP master keys)
On 5/1/06, Perry E. Metzger [EMAIL PROTECTED] wrote:

| Not if you design it correctly. Disk encryption systems like CGD work on the block level, and do not propagate CBC operations across blocks,

So is it vulnerable to any of the attacks here?
http://clemens.endorphin.org/LinuxHDEncSettings

I used to run NetBSD 1.6 IIRC, and for some reason cgd was in previous and later releases but not that one. I found that puzzling.
Re: encrypted file system issues
Travis H. [EMAIL PROTECTED] writes:

| On 5/1/06, Perry E. Metzger [EMAIL PROTECTED] wrote:
|
| | Not if you design it correctly. Disk encryption systems like CGD work on the block level, and do not propagate CBC operations across blocks,
|
| So is it vulnerable to any of the attacks here?
| http://clemens.endorphin.org/LinuxHDEncSettings

Yes, but they are all uninteresting. For example, yes, it is trivially true that if two 128 bit ciphertext blocks are identical that you can extract some information about those two blocks, but that only reveals information about two blocks and the odds of this happening are microscopic.

| I used to run NetBSD 1.6 IIRC, and for some reason cgd was in previous and later releases but not that one. I found that puzzling.

So do I, since it isn't true.

Perry
what's wrong with HMAC?
Ross Anderson once said cryptically,

| HMAC has a long story attached to it - the triumph of the theory community over common sense

He wouldn't expand on that any more... does anyone have an idea of what he is referring to?
Windows XP product activation, product keys, installation IDs, &c.
In case you wondered what was behind those sequences of digits... Gory details here:
http://www.licenturion.com/xp/fully-licensed-wpa.txt

Ew, I think I have to take a shower now.
Re: what's wrong with HMAC?
Travis H. wrote:

| Ross Anderson once said cryptically,
|
| | HMAC has a long story attached to it - the triumph of the theory community over common sense
|
| He wouldn't expand on that any more... does anyone have an idea of what he is referring to?

I suggest that you read the theory, make up your own mind, and share your opinion with us.

Perhaps Mr. Anderson read the theory, made up his own mind, and shared his opinion with whoever was listening or reading the above citation.

I recall having read some theory, made up my own mind, and Mr. Anderson's citation above wouldn't be too far from my opinion at that time.

All theories are equal, but some theories are more equal than others ...

Have fun!

--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]