New UK law makes a wide range of software illegal.
A new amendment to the UK's computer crimes law makes it illegal to: [...]makes, adapts, supplies or offers to supply any article a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or (b) believing that it is likely to be so used. A number of people have pointed out that, as phrased, this covers virtually all software, including compilers, operating systems, etc., since it is clear that they will be used from time to time in computer crimes. Full article: http://news.zdnet.co.uk/business/legal/0,39020651,39270045,00.htm -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Crypto hardware with secure key storage
I'm trying to investigate which of the current high-end PCI crypto accellerators include secure storage of key material -- that is, the use model where one loads, say, an RSA private key or key for a symmetric cipher into the device one, receives a reference, and can later, even after device power down, tell the card "use key with reference X for this operation". I realize that there are ways to do this without actual persistent storage on the card, e.g. encryption of the key with a symmetric cipher using a secret key stored in the card, which allows the cleartext key to be disposed of so long as the card can be told "okay, decrypt and use this key" in the future. That's fine, too. I've run into some vendors who claim to support "secure key storage" but turn out to mean something else by it. I'm specifically looking for a device that accellerates pubkey operations and is aimed at SSL. If people with experience with particular hardware want to share that with me in private rather than broadcasting it to the list, that's fine, too; I'm just trying to select a device to meet an immediate need and am okay with not shouting out a comparison of vendor capabilites to the entire world (though I do think it is regrettable that there's a lack of information on this kind of device capability anywhere public). -- Thor Lancelot Simon[EMAIL PROTECTED] "We cannot usually in social life pursue a single value or a single moral aim, untroubled by the need to compromise with others." - H.L.A. Hart - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
statistical inferences and PRNG characterization
Hi, I've been wondering about the proper application of statistics with regard to comparing PRNGs and encrypted text to truly random sources. As I understand it, when looking at output, one can take a hypothetical source model (e.g. "P(0) = 0.3, P(1) = 0.7, all bits independent") and come up with a probability that the source may have generated that output. One cannot, however, say what probability such a source had generated the output, because there is an infinite number of sources (e.g. "P(0) = 0.2.., P(1) = 7.000..."). Can one say that, if the source must be A or B, what probability it actually was A (and if so, how)? Also, it strikes me that it may not be possible to prove something cannot be distinguished from random, but that proofs must be of the opposite form, i.e. that some source is distinguishable from random. Am I correct? Are there any other subtleties in the application of statistics to crypto that anyone wishes to describe? I have yet to find a good book on statistics in these kinds of situations, or for that matter in any. As an aside, it's amusing to see the abuse of statistics and probability in the media. For example, when people ask "what's the probability of ?" -- "Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright Security Guru for Hire http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: UK Government to force disclosure of encryption keys.
Perry E. Metzger wrote: >Excerpt: > > The UK Government is preparing to give the police the authority to > force organisations and individuals to disclose encryption keys, a > move which has outraged some security and civil rights experts. > >http://news.zdnet.co.uk/0,39020330,39269746,00.htm > > Interesting. That's the second reference I've received just this morning to that page, which has gone 404. Anyone have a mirror? -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not "It's just this little chromium switch, here." - TFT CRM114->procmail->/dev/null->bliss http://www.rant-central.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]