Status of SRP

2006-06-04 Thread Beryllium Sphere LLC
On 6/3/06, Florian Weimer (fw-at-deneb.enyo.de) wrote:

 We have no real-world studies of how users make their day-to-day
 trust decisions when using the Internet.

We do have a beginning, in the study done by Garfinkel, Miller and Wu at MIT
(http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf).
It's lab data so not strictly real-world, and was really aimed at
checking the effectiveness of anti-phish toolbars (low), but it spun
off some interesting observations that don't contradict anything from
the field. A sample quote: 17 subjects (85%) mentioned in the
interview that the web content looked professional or similar to what
they had seen before.

That paper's list of references is also a useful place to look for
material about trust decisions, especially the Fogg et al. paper "What
makes Web sites credible?: A report on a large quantitative study", CHI
2001, pp. 61-68.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Status of opportunistic encryption

2006-06-04 Thread Thomas Harold

James A. Donald wrote:

Attacks on DNS are common, though less common than other
attacks, but they are by scammers, not TLA agencies,
perhaps because they are so easily detected.

All logons should move to SRP to avoid the phishing
problem, as this is the most direct and strongest
solution for phishing for shared secrets, and phishing
for shared secrets is the biggest problem we now have.

Encrypting DNS is unacceptable, because the very large
number of very short messages make public key encryption
an intolerable overhead.  A DNS message also has to fit
in a single datagram.

IIRC, from following the development of SPF (which uses rather lengthy
DNS data records): a DNS message that fits inside of a single datagram
can be sent via UDP, but if it spills over, the DNS server has to set up
a TCP connection.

So longer DNS messages are allowed, but they are either expensive (TCP
vs UDP) or not supported by all implementations?

(Did I get that right?)

I do suspect at some point that the lightweight nature of DNS will give 
way to a heavier, encrypted or signed protocol.  Economic factors will 
probably be the driving force (online banking).
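The datagram rule discussed above (a reply that fits in one UDP datagram goes over UDP, otherwise TCP is needed), as an added example that is not part of the original post: a minimal TXT responder that applies the 512-byte RFC 1035 UDP limit, drops whole answer records and sets the TC flag when the reply would not fit, plus the client-side check that turns a set TC bit into a retry over TCP. The query name, transaction ID and SPF-style sample strings are constructed, and dropping whole trailing records is one truncation policy; real servers differ in what they keep.

```python
import struct

UDP_PAYLOAD_LIMIT = 512            # RFC 1035 limit for DNS over UDP (no EDNS)
FLAG_QR, FLAG_TC = 0x8000, 0x0200  # header flag bits: response, truncated
TYPE_TXT, CLASS_IN = 16, 1

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def txt_rr(text, ttl=300):
    """One TXT answer RR; the owner name is a pointer (0xC00C) to the question name."""
    data = text.encode()
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    return struct.pack("!HHHIH", 0xC00C, TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(qname, texts, txid=0x1234, limit=UDP_PAYLOAD_LIMIT):
    """Server side: answer a TXT query; if the message would not fit in `limit`
    bytes, drop trailing whole records and set TC so the client re-asks over TCP."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = [txt_rr(t) for t in texts]
    flags = FLAG_QR
    while answers and 12 + len(question) + sum(map(len, answers)) > limit:
        answers.pop()   # drop whole records only; a cut record would not parse
        flags |= FLAG_TC
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def should_retry_over_tcp(msg):
    """Client side: TC set means the UDP reply is incomplete, so repeat the query over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def answer_count(msg):
    """ANCOUNT from the header: how many answer records survived truncation."""
    return struct.unpack("!H", msg[6:8])[0]

if __name__ == "__main__":
    # Constructed sample data: a short SPF-style record fits in one datagram; six
    # 200-byte TXT strings do not, so the reply is truncated and TC is set.
    for texts in (["v=spf1 -all"], ["a" * 200] * 6):
        msg = build_response("example.com", texts)
        print(len(msg), answer_count(msg), should_retry_over_tcp(msg))
```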



Re: Status of SRP

2006-06-04 Thread Jeffrey Altman
James A. Donald wrote:
 --
 Jeffrey Altman wrote:
 Unfortunately, SRP is not the solution to the phishing
 problem. The phishing problem is made up of many
 subtle sub-problems involving the ease of spoofing a
 web site and the challenges involved in securing the
 enrollment and password change mechanisms.
 
 With SRP, the web site cannot be spoofed, for it must
 prove it knows the user's secret passphrase.

James, SRP can only prevent spoofs of successful authentications,
and it can only prevent spoofs when it is actually used.

It cannot prevent spoofs of unsuccessful authentications, and that
is where a huge part of the problem lies.  Consider the reaction
of many individuals when they receive a page that indicates that
their username and/or password are incorrect.

Sites that offer the common secret question(s) can be spoofed.
The attacker's spoof sits in the middle, captures the question from
the real site and the answer from the user, and if the real site says
that the new password is being sent, puts up a new page indicating
that the password should be changed online, along with prompts for
private information that the attacker wants.

Stopping phishing with successful authentication is not even half
the problem.

Jeffrey Altman


Re: Status of attacks on AES?

2006-06-04 Thread Marcos el Ruptor

I skimmed this.  The start of the article says that after 3 rounds AES
achieves perfect diffusion?!


1. It's complete diffusion, not perfect diffusion. Perfect diffusion is
a property meaning something completely different.

2. My post incorrectly stated that cryptographers believed that the AES
achieved complete diffusion after 3 rounds. In fact, in Rijndael complete
diffusion (every bit influences every bit in the block or state) is achieved
by the end of the second round. I have corrected the post.


A simple square attack (that I teach in class in about 60 mins) recovers
the key of 4-round AES with 256 chosen-plaintexts.  The six-round attack
isn't too much harder.


Isn't what you are referring to called secure number of rounds? In other
words the number of rounds after which no known attack exists that can break
the cipher faster than brute-forcing the key?

It looks like I have no choice but to invent a new term, PRF rounds: the
number of rounds after which each function that defines the value of each
bit of the block/state/output is a pseudo-random function (PRF) of all the
bits of the block/state/key/input, in other words a function
indistinguishable from random by any existing general-purpose randomness
tests. Of course dedicated randomness tests exploiting the cipher structure
and utilising a significant amount of computational resources could be
effective in distinguishing a larger number of rounds from random, but
that's in the area of the secure number of rounds research.

PRF rounds is usually larger than the complete diffusion rounds. For
most good ciphers it's usually somewhere between the complete diffusion
rounds and the secure rounds, but for some ciphers it's either way over
the secure rounds or it never happens at all (LILI, KeeLoq, Trivium, etc).
Some ciphers maintain sparsity of their functions or their
distinguishability from random even if iterated perpetually.

I have corrected all the articles:

http://defectoscopy.com/forum/viewtopic.php?t=3
http://defectoscopy.com/results.html
and
http://defectoscopy.com/background.html

Ruptor
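Complete diffusion in the sense used above (every input bit influences every bit of the state) can be checked directly on reduced-round AES. The following is an added example, not code from the post or from defectoscopy.com: it implements the AES round with the real S-box, ShiftRows and MixColumns, uses constructed fixed round keys in place of the key schedule (an assumption that does not change how differences spread), and counts how many (input bit, output bit) pairs show an influence after one and after two full rounds.

```python
import random
def gmul(a, b):                       # multiply in GF(2^8) modulo x^8+x^4+x^3+x+1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r
def make_sbox():                      # AES S-box: inverse (x^254) then affine map
    rotl = lambda x, k: ((x << k) | (x >> (8 - k))) & 0xFF
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gmul(inv, x)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox

SBOX = make_sbox()
xtime = lambda a: ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1   # times 2 in GF(2^8)

def aes_round(s, rk):
    """One full AES round on a column-major 16-byte state (s[4*col + row])."""
    s = [SBOX[b] for b in s]                                            # SubBytes
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
    out = []
    for c in range(4):                                                  # MixColumns
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3, a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3, xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)]
    return [b ^ k for b, k in zip(out, rk)]                             # AddRoundKey
def encrypt_rounds(block, rounds):
    s = list(block)
    for r in range(rounds):   # constructed round keys, not the real AES key schedule
        s = aes_round(s, [(17 * (r + 1) + i) & 0xFF for i in range(16)])
    return s

def influence_pairs(rounds, trials=32, seed=1):
    """Count (input bit, output bit) pairs seen to interact; 128 * 128 means complete diffusion."""
    rng = random.Random(seed)
    seen = [0] * 128   # seen[i] ORs every output difference caused by input bit i
    for _ in range(trials):
        base = [rng.randrange(256) for _ in range(16)]
        ref = encrypt_rounds(base, rounds)
        for i in range(128):
            flipped = list(base)
            flipped[i // 8] ^= 1 << (i % 8)
            diff = bytes(a ^ b for a, b in zip(encrypt_rounds(flipped, rounds), ref))
            seen[i] |= int.from_bytes(diff, "big")
    return sum(bin(m).count("1") for m in seen)
```

After one full round each input bit can reach at most the 32 bits of a single column, since MixColumns mixes within a column only; after two full rounds every pair is observed, which is the "by the end of the second round" statement above.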



Re: Status of opportunistic encryption

2006-06-04 Thread Thierry Moreau

Thomas Harold wrote, in part:

I do suspect at some point that the lightweight nature of DNS will give 
way to a heavier, encrypted or signed protocol.  Economic factors will 
probably be the driving force (online banking).

E.g. RFC4033, RFC4034, RFC4035.

- Thierry
