Re: TPM disk crypto

2006-10-08 Thread Thor Lancelot Simon
On Thu, Oct 05, 2006 at 11:51:49PM +0200, Erik Tews wrote:
 Am Donnerstag, den 05.10.2006, 16:25 -0500 schrieb Travis H.:
  On 10/2/06, Erik Tews [EMAIL PROTECTED] wrote:
   Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
Anyone have any information on how to develop TPM software?
http://tpm4java.datenzone.de/
   Using this lib, you need less than 10 lines of java-code for doing some
   simple tpm operations.
  
  Interesting, but not what I meant.  I want to program the chip to verify
  that the BIOS, boot sector, root partition conform to *my* specification.
  
 You can do that (at least in theory).
 
 First, you need a system with tpm. I assume you are running linux. Then
 you boot your linux-kernel and an initrd using the trusted grub
 bootloader. Your bios will report the checksum of trusted grub to the
 tpm before giving control to your grub bootloader.

And the TPM knows that your BIOS has not lied about the checksum of grub
how?

Thor

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: TPM disk crypto

2006-10-08 Thread Erik Tews
Am Freitag, den 06.10.2006, 17:29 -0400 schrieb Thor Lancelot Simon:
 On Thu, Oct 05, 2006 at 11:51:49PM +0200, Erik Tews wrote:
  Am Donnerstag, den 05.10.2006, 16:25 -0500 schrieb Travis H.:
   On 10/2/06, Erik Tews [EMAIL PROTECTED] wrote:
Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
 Anyone have any information on how to develop TPM software?
 http://tpm4java.datenzone.de/
Using this lib, you need less than 10 lines of java-code for doing some
simple tpm operations.
   
   Interesting, but not what I meant.  I want to program the chip to verify
   that the BIOS, boot sector, root partition conform to *my* specification.
   
  You can do that (at least in theory).
  
  First, you need a system with tpm. I assume you are running linux. Then
  you boot your linux-kernel and an initrd using the trusted grub
  bootloader. Your bios will report the checksum of trusted grub to the
  tpm before giving control to your grub bootloader.
 
 And the TPM knows that your BIOS has not lied about the checksum of grub
 how?

The TPM does not know that the BIOS did not lie about the checksum of
grub or any other bios component.

What you do is, you trust your TPM and your BIOS that they never lie to
you, because they are certified by the manufacturer of the system and the
TPM. (This is why it is called trusted computing.)

So if you don't trust your hardware and your manufacturer, trusted
computing is absolutely worthless for you. But if you trust a
manufacturer, the manufacturer trusts the TPMs he has built and embedded in
some systems, and you don't trust a user that he did not boot a modified
version of your operating system, you can use these components to find
out if the user is lying.



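The disagreement above can be made concrete with a toy model of how a TPM 1.2-style PCR is extended and how a secret sealed to a PCR value behaves. This is an added example, not code from the thread, from tpm4java or from any real TPM stack: the "images", the sealed disk key and the single boot PCR are constructed stand-ins, and TPM_Seal/TPM_Unseal are reduced to the policy check alone. The point it shows is Thor's: the TPM only hashes what the measuring component hands it, so an honest BIOS catches a modified loader, but a BIOS that reports the genuine loader's hash while running a modified one produces a PCR the TPM cannot distinguish from the real thing.

```python
# Added example (not from the thread): toy model of TPM 1.2-style PCR extension
# and sealing, to make the "how does the TPM know the BIOS did not lie" point
# concrete. Everything here is a simulation; no real TPM is touched.
import hashlib

INITIAL_PCR = b"\x00" * 20                     # TPM 1.2 PCRs are SHA-1 sized, zero at reset
DISK_KEY = b"constructed-disk-encryption-key"  # the secret sealed to the boot state

# Constructed sample "images": stand-ins for a genuine and a modified bootloader.
GENUINE_GRUB = b"trusted grub (constructed sample image)"
MODIFIED_GRUB = b"trusted grub with patched integrity checks (constructed sample image)"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement). A PCR is never written directly."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """What an honest measuring component hands to TPM_Extend: the hash of the code it loads."""
    return hashlib.sha1(image).digest()


def bios_measured_boot(loader_image: bytes, bios_honest: bool, reported_hash: bytes) -> bytes:
    """Model the BIOS extending a boot PCR before handing control to the loader.

    An honest BIOS extends the hash of the code it actually loads. A subverted
    BIOS can extend any value it likes, and the TPM has no way to tell; the same
    argument applies to every later link (loader measuring kernel, and so on).
    """
    measurement = measure(loader_image) if bios_honest else reported_hash
    return extend(INITIAL_PCR, measurement)


def seal(secret: bytes, pcr: bytes) -> dict:
    """Toy TPM_Seal: bind the secret to a PCR value (only the policy is modelled, no encryption)."""
    return {"pcr": pcr, "secret": secret}


def unseal(blob: dict, current_pcr: bytes):
    """Toy TPM_Unseal: release the secret only if the current PCR equals the sealed value."""
    return blob["secret"] if current_pcr == blob["pcr"] else None


def scenarios() -> dict:
    """Run the three cases the thread argues about; return what unseal yields in each."""
    expected_pcr = bios_measured_boot(GENUINE_GRUB, True, b"")
    blob = seal(DISK_KEY, expected_pcr)
    genuine_hash = measure(GENUINE_GRUB)
    return {
        # Honest BIOS, genuine loader: PCR matches, key released.
        "honest_bios_genuine_grub": unseal(blob, bios_measured_boot(GENUINE_GRUB, True, b"")),
        # Honest BIOS, modified loader: PCR differs, key withheld. This is what measured boot catches.
        "honest_bios_modified_grub": unseal(blob, bios_measured_boot(MODIFIED_GRUB, True, b"")),
        # Subverted BIOS reports the genuine loader's hash while running the modified one:
        # PCR matches and the key is released. The chain rests entirely on the BIOS being honest.
        "lying_bios_modified_grub": unseal(blob, bios_measured_boot(MODIFIED_GRUB, False, genuine_hash)),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {'key released' if result else 'unseal refused'}")
```

Running it prints "key released" for the first and third cases and "unseal refused" for the second; the third case is the one the thread is about, and it is why the BIOS (the core root of trust for measurement) has to be trusted rather than verified.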

[EMAIL PROTECTED]: [fc-announce] CFP EXTENDED DEADLINE (Oct 16): Financial Cryptography 2007, Feb 12-15, 2007, Tobago]

2006-10-08 Thread R. Hirschfeld
From: Sven Dietrich [EMAIL PROTECTED]
Subject: [fc-announce] CFP EXTENDED DEADLINE (Oct 16): Financial
 Cryptography 2007, Feb 12-15, 2007, Tobago
Date: Fri, 6 Oct 2006 16:36:36 -0400 (EDT)

Dear Colleague,

by popular request, the deadline has been extended to Oct 16, 2006. Please 
inform your students and colleagues of this new deadline and encourage them to 
submit given this extra time.

Regards,

Sven
-- 
Sven Dietrich - [EMAIL PROTECTED]
Program Chair, Financial Cryptography and Data Security 2007
http://fc07.ifca.ai/

---
Final Call for Papers

FC'07: Financial Cryptography and Data Security
http://fc07.ifca.ai/

Eleventh International Conference
February 12-15, 2007
Lowlands, Scarborough, Trinidad and Tobago

Submissions Due Date (EXTENDED): October 16, 2006, 11:59pm, EDT (UTC-4)

Program Chair:  Sven Dietrich (Carnegie Mellon University)
General Chair:  Rafael Hirschfeld (Unipay)

At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a 
well established and major international forum for research, advanced 
development, education, exploration, and debate regarding security in the 
context of finance and commerce. We will continue last year's augmentation of 
the conference title and expansion of our scope to cover all aspects of 
securing transactions and systems. These aspects include a range of technical 
areas such as: cryptography, payment systems, secure transaction architectures, 
software systems and tools, fraud prevention, secure IT infrastructure, and 
analysis methodologies. Our focus will also encompass financial, legal, 
business, and policy aspects. Material both on theoretical (fundamental) 
aspects of securing systems, and on secure applications and real-world 
deployments will be considered.

The conference goal is to bring together top cryptographers, data-security 
specialists, and computer scientists with economists, bankers, implementers, 
and policy makers. Intimate and colorful by tradition, the FC'07 program will 
feature invited talks, academic presentations, technical demonstrations, and 
panel discussions.

This conference is organized annually by the International Financial 
Cryptography Association (IFCA).

Original papers, surveys, and presentations on all aspects of financial and 
commerce security are invited. Submissions must have a strong and visible 
bearing on financial and commerce security issues, but can be interdisciplinary 
in nature and need not be exclusively concerned with cryptography or security. 
Possible topics for submission to the various sessions include, but are not 
limited to:

Anonymity and Privacy
Auctions
Audit and Auditability
Authentication and Identification, including Biometrics
Certification and Authorization
Commercial Cryptographic Applications
Commercial Transactions and Contracts
Digital Cash and Payment Systems
Digital Incentive and Loyalty Systems
Digital Rights Management
Financial Regulation and Reporting
Fraud Detection
Game Theoretic Approaches to Security
Identity Theft, Phishing and Social Engineering
Infrastructure Design
Legal and Regulatory Issues
Microfinance and Micropayments
Monitoring, Management and Operations
Reputation Systems
RFID-Based and Contactless Payment Systems
Risk Assessment and Management
Secure Banking and Financial Web Services
Securing Emerging Computational Paradigms
Security and Risk Perceptions and Judgments
Security Economics
Smart Cards and Secure Tokens
Trust Management
Trustability and Trustworthiness
Underground-Market Economics
Virtual Economies
Voting system security

For those interested, last year's proceedings are available from Springer.

Submission Instructions

Submission Categories

FC'07 is inviting submissions in four categories: (1) research papers, (2) 
systems and applications presentations, (3) panel sessions, (4) surveys. For 
all accepted submissions, at least one author must attend the conference and 
present the work.

Research Papers

Research papers should describe novel scientific contributions to the field, 
and they will be subject to rigorous peer review. Accepted submissions will be 
included in the conference proceedings to be published in the Springer-Verlag 
Lecture Notes in Computer Science (LNCS) series after the conference, so the 
submissions must be formatted in the standard LNCS format (15 page limit).

Systems and Application Presentations

Submissions in this category should describe novel or successful systems with 
an emphasis on secure digital commerce applications. Presentations may concern 
commercial systems, academic prototypes, or open-source projects for any of the 
topics listed above. Where appropriate, software or hardware demonstrations are 
encouraged as part of the presentations in these sessions. Submissions in this 
category should consist of a short summary of the work (1-6 pages in length) to 
be reviewed by the Program Committee, along with a short biography of the 
presenters. Accepted submissions 

Re: OpenSSL PKCS #7 supports AES SHA-2 ?

2006-10-08 Thread Alex Alten

After reading PKCS #1 v2 more closely, SHA-2 is not even in the specs;
therefore OpenSSL PKCS #7 functions won't support SHA-2.  This spec was
last updated in 1998.

PKCS Editor, is there a new update in progress by RSA Labs to incorporate
SHA-2 and AES?

Does OpenSSL implement PKCS #1 v2 or just v1.5?  If the latter, then not even
SHA-1 is supported.

PKCS Editor, is there any timeline as to when PKCS #7 will then be updated
with references to official OIDs, etc., for specifying SHA-2 and AES?

Dr. Ron Rivest, are you going to publish new message-digest IETF RFCs for
SHA-1 and SHA-2?  (So that they can be referenced by an updated PKCS #7.)

Mr. Russ Housley, can you weigh in with what is happening in the IETF WG
security area?  I know that Mr. Eric Rescorla is working on a new TLS v1.2
draft.  Will this be done/ratified soon?  I assume OpenSSL will incorporate
this soon thereafter?

This mess with the MD5 and SHA-1 hashes is really starting to become a
problem.  It's certainly impacting new development projects/products I'm
involved with using SSL and PKI certificates.  My customers are concerned
about using MD5 and SHA-1, and they don't want to keep paying for
implementations repeatedly as the standards catch up to reality.  Updating
these various heavily used standards quickly is quite important.

Sincerely (and thanks in advance for all of your replies),

- Alex


At 09:05 AM 10/6/2006 -0700, Alex Alten wrote:

Does anyone know if the OpenSSL PKCS #7 functions support AES and SHA-2?
(I'm assuming OpenSSL 0.9.7 or later.)

Thanks,

- Alex


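The question of "official OIDs for specifying SHA-2" comes down to one DER structure. In a PKCS #1 v1.5 signature the hash is named inside the EMSA-PKCS1-v1_5 encoding (RFC 3447, section 9.2) as a DigestInfo whose AlgorithmIdentifier carries the digest OID, and PKCS #7 / CMS SignerInfo uses the same AlgorithmIdentifier type for its digestAlgorithm field. The following is an added example, not code from the thread or from OpenSSL: it builds that encoding from the registered dotted OIDs for MD5, SHA-1 and the SHA-2 family, so the well-known constant prefixes fall out of the encoder rather than being pasted in, and it shows the verifier-side step of reading the OID back out of a decoded signature block. Message strings and the modulus length are constructed for illustration.

```python
# Added example (not from the thread): how a PKCS #1 v1.5 signature names the
# hash it covers, built from the registered OIDs rather than hard-coded prefixes.
import hashlib

# Dotted OIDs as registered: RSA/PKCS arc for MD5, OIW arc for SHA-1,
# NIST hash-algorithm arc 2.16.840.1.101.3.4.2 for the SHA-2 family.
HASH_OIDS = {
    "md5":    "1.2.840.113549.2.5",
    "sha1":   "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def algorithm_identifier(name: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL } for these digests."""
    return der_tlv(0x30, encode_oid(HASH_OIDS[name]) + b"\x05\x00")


def digest_info(name: str, message: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }."""
    digest = hashlib.new(name, message).digest()
    return der_tlv(0x30, algorithm_identifier(name) + der_tlv(0x04, digest))


def emsa_pkcs1_v1_5(name: str, message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes, at least 8) || 0x00 || T, where T is the DigestInfo."""
    t = digest_info(name, message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def identify_hash(em: bytes) -> str:
    """Given a decoded EM (signature^e mod n), report which hash the signer used.

    This is the step a verifier must do before comparing digests, and it is
    why a library has to know an OID before it can accept signatures made
    with that hash: an unknown AlgorithmIdentifier is rejected here.
    """
    if not em.startswith(b"\x00\x01"):
        raise ValueError("bad EM header")
    sep = em.index(b"\x00", 2)
    if sep < 2 + 8 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string")
    t = em[sep + 1:]
    for name in HASH_OIDS:
        algid = algorithm_identifier(name)
        if t[2:2 + len(algid)] == algid:
            return name
    raise ValueError("unknown digest OID")


if __name__ == "__main__":
    for name in HASH_OIDS:
        print(name, algorithm_identifier(name).hex())
    em = emsa_pkcs1_v1_5("sha256", b"constructed sample message", 256)  # 2048-bit modulus
    print("signer used:", identify_hash(em))
```

The SHA-256 AlgorithmIdentifier comes out as 300d0609608648016503040201 0500, and the DigestInfo prefix as 3031300d060960864801650304020105000420, which are the values tabulated in RFC 3447; an implementation that lacks the NIST arc OIDs will fail in `identify_hash` on any SHA-2 signature regardless of whether it can compute the hash.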
