Re: signing all outbound email

2006-10-02 Thread James A. Donald

Lynn Wheeler wrote:
 recently published IETF RFC

 ... from my IETF RFC index
 http://www.garlic.com/~lynn/rfcietff.htm

 4686 I
  Analysis of Threats Motivating DomainKeys Identified
  Mail (DKIM),
 Fenton J., 2006/09/26 (29pp) (.txt=70382) (Refs
 1939, 2821, 2822, 3501, 4033) (was
 draft-ietf-dkim-threats-03.txt)

 from the introduction:

 The DomainKeys Identified Mail (DKIM) protocol is
 being specified by the IETF DKIM Working Group.  The
 DKIM protocol defines a mechanism by which email
 messages can be cryptographically signed, permitting a
 signing domain to claim responsibility for the use of
 a given email address.  Message recipients can verify
 the signature by querying the signer's domain directly
 to retrieve the appropriate public key, and thereby
 confirm that the message was attested to by a party in
 possession of the private key for the signing domain.
 This document addresses threats relative to two works
 in progress by the DKIM Working Group, the DKIM
 signature specification [DKIM-BASE] and DKIM Sender
 Signing Practices [DKIM-SSP].

In order for this to actually be any use, the recipient
needs to verify the signature and do something on the
basis of that signature - presumably whitelist email
that genuinely comes from well known domains.

Unfortunately, the MTA cannot reliably do something - if
it drops unsigned mail that is fairly disastrous, and
the MUA cannot reliably check signatures, since the MTA
is apt to mess the signatures up.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: signing all outbound email

2006-10-02 Thread Anne Lynn Wheeler
James A. Donald wrote:
 In order for this to actually be any use, the recipient
 needs to verify the signature and do something on the
 basis of that signature - presumably whitelist email
 that genuinely comes from well known domains.
 
 Unfortunately, the MTA cannot reliably do something - if
 it drops unsigned mail that is fairly disastrous, and
 the MUA cannot reliably check signatures, since the MTA
 is apt to mess the signatures up.

so what if an isp only signs email where the origin address is the same
as the claimed email from address.

then email that claims to be from such an isp, that isn't
signed, might assumed to be impersonation.

and any abuse reports to the isp ...where the email has been signed
... should at least trace back to the correct originating account.

ISPs could do ingress filtering where they only process incoming email
from their customers ... where the origin address matches the email
from address ... which would eliminate their customers from
impersonating other addresses ... but doesn't preclude customers at
non-participating ISPs from impersonating their customers.

ISPs could also start to quarentine unsigned email that claims to have
originated from ISPs that are known to sign email.

it might be considered to be small step up from ssl domain
name digital certificates ... where the browser checks that
the domain name in the URL is the same as the URL in the
certificate. the issue in the ssl domain name scenario is
some common use where the user has little or no awareness
of the domain name in the URL   so the fact that the
actual domain name matches the domain name in the certificate
may bring little additional benefit.

lots of past collected posts mentioning ssl domain name
certificates ... some of the posts mentioning merchant
comfort digital certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


TPM disk crypto

2006-10-02 Thread Travis H.

Quoting:

Disk drives gear up for a lockdown
Rick Merritt, EE Times (09/25/2006 9:00 AM EDT)

Built-in security is the next big thing for hard-disk drives. By 2008,
drive makers should be shipping in volume a broad array of drives
based on a maturing standard.

...

The first version of the Trusted Computing Group's standard for disk
drive security could be completed by year's end. Seagate Technology
Inc. already ships one drive with an integrated security chip,
although some see that approach as an interim step. For mass
production, security has to be integrated into the controller. It's
not that many gates, even if the function is not used, said A. Currie
Munce, vice president of research for Hitachi Global Storage
Technologies. Seagate CTO Mark Kryder agreed, saying his company will
integrate security functions in the drive controller very soon.

A security standard will open the door to selling drives preloaded
with content that users can unlock after paying online for a digital
key...'

===

Anyone know if this is going to be compatible with the IEEE SISWG standard?

Anyone have any information on how to develop TPM software?

Anyone else recognize how features migrate from the CPU to an add-on
card and back to the CPU?  Same thing happened with RAID and on-board
video and so on... it seems to me that people need an open-source
add-in card for crypto, perhaps based around an FPGA, that is
updatable if the algorithms need strengthening.  It seems that Peter
Gutmann has already done something similar:
http://www.cypherpunks.to/~peter/usenix00.pdf
--
Enhance your calm, fellow citizen; it's just ones and zeroes.
Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


The Geheimschreiber Secret - Swedish WWII SIGINT

2006-10-02 Thread Travis H.

http://frode.home.cern.ch/frode/ulfving/ulfving.html

This discusses Swedish decryption of a German crypto machine.
Although the break was done without any hints, it was a fairly
straightforward system of long-period XOR and fixed transposition, and
eventual success was predicated on the laziness of the operators (what
else is new?).  Perhaps someone can make this into some form of
game-theoretic research paper.

An interesting economic commentary, if somewhat off-topic, is:

``Many analysts consider that war preparations serve only as
instruments of pressure during negotiations. However, that ignore the
dynamics of future military developments which are created by a
deployment as large as that which occurred here. Economic factors and
military logistics make it almost impossible to keep large, inactive
troop concentrations in place as a trump card during long
negotiations, just as it is damaging for the units' fighting spirit.
It is too expensive not to use the troops, therefore they must either
be used in combat or be demobilized and returned to civilian life.
Only victory justifies the price -- even if it is high. For example,
consider the collapse of the economic, political and ecological
systems now affecting the states of the former Soviet Union as a
consequence, during a long period, of a highly forced ``war economy''
that did not result in any gains.''

Perhaps the mission creep seen in most large bureaucracies need not
always be attributed to power-grabs and personal aspirations of
department leaders, but to relatively benign economic arguments that
we already pay for it, we might as well use it.  Along with the idea
that capabilities must periodically be exercised in order to prevent
atrophy, that probably explains a lot of otherwise puzzling decisions
and apparent over-reactions on the part of decision-makers.
--
Enhance your calm, fellow citizen; it's just ones and zeroes.
Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Circle Bank plays with two-factor authentication

2006-10-02 Thread Peter van Liesdonk

Here in the Netherlands, we have a bank (Rabobank) which sends the
required code by SMS to your (registered) cellular phone as soon as
you want to log in. So the codes are always fresh and random and only
available to whoever knows the password ánd has the phone.

At my own bank, the bank-card is also a smartcard. When trying to log
in, the bank issues a random six-digit challenge. With the use of a
seperate cardreader, the bank-/smartcard can compute an (8-digit)
response to the challenge. This response is computed with a private
key stored in the card. The card can only be used after entering the
correct PIN. Three wrong PINs block the smartcard.

These two systems also obviously have their pro's and cons, but they
both seem much more secure than the other schemes i have seen here.

Peter

2006/9/28, pat hache [EMAIL PROTECTED]:

Here,(Mexico) BBVA / Bancomer uses 24 special three digits numbers on a
  card you need  to have at hand to access your account after login and
username... the system asks you one of those 24 numbers to allow each
session - entry.
supposed to be effective.  donno if there is a similar system
elsewhere.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Circle Bank plays with two-factor authentication

2006-10-02 Thread Jason Axley
snip

The question is what the threat model is.  We all know that email can be
intercepted over the wire.  We also know that that's not very common or
very easy, except for wireless hotspots.  I assert that *most* email does
not flow over such links, and that the probability of a successful
interception by someone who's staked out a hotspot is quite low.
Residential wireless?  Sure, there's a lot of it, mostly unencrypted.  If
you're a bad guy, is there any reason you should be watching for that
particular piece of email?  You don't even know who the customers of that
bank are.  (Sure, there can be targeted attacks aimed at a given
individual.  Unless you're a member of the HP board of directors or a
prominent technology journalist, that risk is low, too)

Again -- the scheme isn't foolproof, but it's probably *good enough*.

What is their threat?  There are two obvious answers: phishing and
keystroke loggers.

/snip

The threat model that does not get enough attention (especially by
purported anti-phishing security mechanisms) is that if a phisher can
obtain your password, and most people use the same password all over the
place, then the adversary can simply log into your email and read any
sensitive information directly.  They don't need to eavesdrop.  They don't
need to put spyware on your box to busy-poll your email inbox.
Traditional phishing attacks _still work_, just with a level of
indirection.

Ultimately, these kinds of anti-phishing schemes that require sending
secret information to your email inbox are no more secure than your email
password.  Presumably, the reason that these schemes are required is to
combat password theft (phishing) and password guessing so at the end of
the day, how much do they really buy you?  One level of indirection?  One
minor change in tactics?

-Jason

- The
Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: TPM disk crypto

2006-10-02 Thread Erik Tews
Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
 Anyone have any information on how to develop TPM software?

Yes, thats easy. We created a java library for the tpm chip. You can get
it at 

 http://tpm4java.datenzone.de/

Using this lib, you need less than 10 lines of java-code for doing some
simple tpm operations.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil