Re: How important is FIPS 140-2 Level 1 cert?

2006-12-24 Thread Matthias Bruestle
> restrictions on current implementations. As a result a FIPS 140-
> certified key generator will be worse than a well-designed non-FIPS-140
> one because the FIPS requirements prevent you from doing several things
> that would improve the functioning like injecting extra entropy into the
> generator besides the DES3 key.

That's interesting. I would have expected to revise things like that for
FIPS140-*2*.

> In addition since no two eval labs can
> agree on exactly what is and isn't OK here it's pretty much a crap-shoot
> as to what you can get through. I've heard stories from different vendors
> of Lab B disallowing something that had already been certified by Lab A
> in a previous pass through the FIPS process.

I had a talk with a FIPS-140 lab. I have been told that undocumented
wording has to be used that only the labs know. The FIPS-140 is to me an
obscure process. And btw. the lab told me that they don't want to
have it called a certification (despite getting a certificate), but a
validation.


Mahlzeit,
Matthias

-- 
Matthias Bruestle, Managing Director

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How important is FIPS 140-2 Level 1 cert?

2006-12-24 Thread Leichter, Jerry
| From: [Name Withheld]
| To: cryptography@metzdowd.com
| Subject: Re: How important is FIPS 140-2 Level 1 cert?
| 
| Paul Hoffman [EMAIL PROTECTED] wrote:
| 
| > At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
| > > If two products have exactly the same feature set, but one is FIPS 140-2
| > > Level 1 certified and costs twice as much, would you go for it, considering
| > > that Level 1 is the lowest?
| > 
| > Assuming that the two products use Internet protocols (as compared to
| > proprietary protocols): no. Probably the only thing that could
| > differentiate the two is if the cheaper one has a crappy random number
| > generator, the more expensive one will have a good one.
| 
| Actually you can't even guarantee that because the FIPS 140 requirements
| for the ANSI X9.17/X9.31 PRNG include a pile of oddball things that made
| sense for the original X9.17 use (where it was assumed the only source
| of entropy was a DES3 key embedded in secure hardware) but are severe
| restrictions on current implementations. As a result a FIPS 140-
| certified key generator will be worse than a well-designed non-FIPS-140
| one because the FIPS requirements prevent you from doing several things
| that would improve the functioning like injecting extra entropy into the
| generator besides the DES3 key. 
I think this was changed as FIPS 140 evolved.  Several things about the
random number generator evolved.  For example, in earlier versions, you
had to run some tests on your generator at every startup.  That
disappeared by FIPS 140-2.  (It makes sense for a hardware generator,
but never did for software.)

I don't have the actual text handy now, but to the best of my
recollection, there are now two approved PRNG's you can use, and the
way the text is written, what's mainly important is that you run the
internal state through the PRNG before exporting it.  You're definitely
free to set the starting state using any source of entropy you like.
I *think* you can add extra entropy along the way; though even if this
were not allowed, you could probably declare that you were restarting.
(Of course, this might allow the silly implementation that restarts
with state 0 on every call.  There's enough leeway in the wording of
the standard to allow a lab to toss out such a thing.)

| In addition since no two eval labs can
| agree on exactly what is and isn't OK here it's pretty much a crap-shoot
| as to what you can get through. I've heard stories from different vendors
| of Lab B disallowing something that had already been certified by Lab A
| in a previous pass through the FIPS process.
This could happen, but probably not because of a disagreement between
the labs as such:  The interpretation of the standard changes over time.
In fact, it's the interpretations - which only insiders really get to
learn about - that really define what the thing means; the written
standard leaves way too much open, most especially for software.  (It's
reasonably clear what it means to isolate hardware - though beyond that
there are some pretty specific discussions of potting technology and
such - but isolation for software?  That whole area has been defined
by interpretation.)

For what it's worth, I've been involved in (parts of, never worked
through the whole process) both FIPS 140 and Common Criteria
validations.  The latter strike me as fairly vacuous:  Shoot your
arrow (write your code), paint circles around it (define your protection
profile), declare you shot a bull's eye (certified!).  FIPS 140 *can*
have some real teeth, but it can also be gamed - again, especially
for software.  All the real meat is in the definition of the envelope.
I can declare I have a FIPS 140 certification for my AES implementation -
and then use a completely separate, insecure implementation, just so
long as I use it for data scrambling instead of encryption.  A good
lab will call you if you play too many games, but ultimately labs are
paid to complete certifications, not to block them.  So it's caveat
emptor:  The full certification report is available for the customer's
review.  If you're concerned, get a copy and read it.  If the vendor
was gaming the system, that will show.  If he made a really serious
effort, that will show, too.
-- Jerry
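The generator the quoted text argues about is the ANSI X9.17/X9.31 one. As an added illustration (my code, not any poster's), here is its Appendix A.2.4 structure in Go with 3DES: the only secret state is the 3DES key K and the seed V, both supplied by the caller from whatever entropy source they like, and the state is run through the cipher again before the next output. The repeated-block check is modelled on the FIPS 140-2 continuous test and is an assumption of this example, not something the posts describe.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
)

// X931 is the ANSI X9.31 Appendix A.2.4 generator with 3DES as block cipher:
//   I = E_K(DT);  R = E_K(I XOR V);  V = E_K(R XOR I)
// K and the 8-byte seed V are the only secret state; DT is a date/time
// vector that the caller must change on every call.
type X931 struct {
	blk  cipher.Block
	v    []byte // internal state V
	last []byte // previous output block, kept for the continuous test
}

// NewX931 sets the starting state from caller-supplied entropy of any origin.
func NewX931(key3des, seedV []byte) (*X931, error) {
	blk, err := des.NewTripleDESCipher(key3des) // rejects keys that are not 24 bytes
	if err != nil || len(seedV) != 8 {
		return nil, errors.New("x931: need a 24-byte 3DES key and an 8-byte seed")
	}
	return &X931{blk: blk, v: append([]byte(nil), seedV...)}, nil
}

// encXor returns E_K(a XOR b) for two 8-byte blocks.
func (g *X931) encXor(a, b []byte) []byte {
	t := make([]byte, 8)
	for i := range t {
		t[i] = a[i] ^ b[i]
	}
	g.blk.Encrypt(t, t) // dst and src may overlap exactly
	return t
}

// ContinuousTestOK is the FIPS 140-2 style conditional test (assumed here):
// an output block equal to the previous one is treated as generator failure.
func ContinuousTestOK(prev, cur []byte) bool {
	return prev == nil || !bytes.Equal(prev, cur)
}

// NextBlock runs one X9.31 step for an 8-byte DT and returns R; V is itself
// pushed through the cipher again before any later output can be produced.
func (g *X931) NextBlock(dt []byte) ([]byte, error) {
	i := make([]byte, 8)
	g.blk.Encrypt(i, dt) // panics if DT is not 8 bytes, as the cipher requires
	r := g.encXor(i, g.v)
	g.v = g.encXor(r, i)
	if !ContinuousTestOK(g.last, r) {
		return nil, errors.New("x931: continuous test failed (repeated block)")
	}
	g.last = r
	return r, nil
}
```

With a fixed K, V and a predictable DT the output is fully determined, which is why the quoted text treats the key and seed as the whole of the generator's security.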



Re: gang uses crypto to hide identity theft databases

2006-12-24 Thread John Denker
On 12/22/2006 01:57 PM, Alex Alten wrote:

> I'm curious as to why the cops didn't just pull the plugs right away.

Because that would be a Bad Idea.  In a halfway-well-designed
system, cutting the power would just do the secret-keepers' job
for them.

> It would probably take a while (minutes, hours?) to encrypt any
> significant amount of data.

That's why you don't do it that way.  If you want it to work, you
use an encrypting disk system so that everything on disk (including
swap) is encrypted all the time, and gets decrypted as needed when
it is read.

> Not to mention, where is the master key?

It should be in volatile unswappable RAM.  Cutting the power is one
way (among many) to obliterate it.  Overwriting it with randomness
suffices if there is any chance that the RAM might be non-volatile.
The time and cost of obliterating a key are negligible.

> The guy couldn't have jumped up and typed in a pass phrase to generate
> it in handcuffs?

That's another reason why you don't do it that way.

> Even if it got erased, its image could be recovered from a disk or RAM.
> My understanding is that even with tamperproof cards one can get keys
> from them with the right equipment from the right folks.

Once something is gone from RAM, it's really, really gone.  The circuit
structure and the laws of thermodynamics ensure it.  No power on earth
can do anything about that.

There are, however, some things the cats can do to improve their chance of
success in this cat-and-mouse game.

  *) For starters, the cats must anticipate the possibility that the
     mice might try to secure their data.  The early-adopter mice benefit
     from a certain amount of security-through-obscurity, insofar as the
     cats have not heretofore fully appreciated the possibilities.

  *) The mice have a dilemma:  If they do not cache the passphrase somewhere,
     they will need to constantly re-enter it, which makes them vulnerable to
     shoulder-surfing, sophisticated key-loggers, unsophisticated rubber-hose
     methods, et cetera.  Conversely, if the mice do cache the passphrase for
     long periods of time, there is the possibility that the cats will capture
     the whole system intact, passphrase and all, and will be able to make a
     permanent copy of the passphrase before the system realizes that a
     compromise has occurred.  The cats can improve their chances by causing
     not-too-suspicious power failures and seeing how the mice handle the
     ensuing passphrase issues.  The mice can improve their odds by ensuring
     good physical security, ensuring personnel reliability, providing
     easy-to-use panic buttons, rotating their passphrases, and so forth.



Re: gang uses crypto to hide identity theft databases

2006-12-24 Thread David I. Emery
On Fri, Dec 22, 2006 at 10:57:17AM -0800, Alex Alten wrote:
> I'm curious as to why the cops didn't just pull the plugs right away.  It
> would probably take a while (minutes, hours?) to encrypt any significant
> amount of data.

At the risk of stating the obvious, this is almost certainly
a case of key zeroization rather than suddenly encrypting otherwise
in-the-clear databases.

What one does is ALWAYS encrypt all the data, but store only
one single copy of the key(s) required to decrypt it and make provision
for some kind of dead man switch that zeroizes the key store when 
pushed.   Shutting off the power leaves almost all of the data intact
and unaltered, but without the keys it is just random bits.

Special switches and hardware assistance for key zeroization are
a very standard feature of US government crypto gear and installations.
The idea is that one zeros the key if one is expecting to be captured
(or crash or sink) and then all the remaining data in non-volatile 
storage is useless to your adversary if he is able to recover the
media and attempt to read it.

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
An empty zombie mind with a forlorn barely readable weatherbeaten
'For Rent' sign still vainly flapping outside on the weed encrusted pole - in 
celebration of what could have been, but wasn't and is not to be now either.
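Denker's and Emery's posts describe the same design: data always encrypted, a single copy of the key held in volatile, unswappable RAM, and a panic switch that zeroizes it. The C below is an added sketch of that key store, my code rather than either poster's; it assumes a POSIX system with mlock()/munlock() and reports, rather than hides, a refused mlock().

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32 /* size of a 256-bit disk-encryption master key (chosen for the example) */

/* The only copy of the key: a buffer we pin so it never reaches swap,
 * i.e. the "volatile unswappable RAM" of the discussion. Never written to disk. */
static unsigned char master_key[KEY_LEN];

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead; explicit_bzero()/memset_s() do the same where available. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Install the key. Returns 0 if pinned, 1 if loaded but mlock() was refused
 * (the key could be swapped out; a real system should treat that as fatal),
 * and -1 on a bad length. */
int key_load(const unsigned char *k, size_t n)
{
    int pinned;
    if (n != KEY_LEN)
        return -1;
    pinned = (mlock(master_key, KEY_LEN) == 0); /* pin before the copy lands */
    memcpy(master_key, k, KEY_LEN);
    return pinned ? 0 : 1;
}

/* The dead-man switch: obliterate the key, then let the page be unpinned.
 * Cheap and fast, as Denker notes; the ciphertext on disk is untouched. */
void key_zeroize(void)
{
    secure_zero(master_key, KEY_LEN);
    munlock(master_key, KEY_LEN);
}

/* 1 while any key material remains in the store, 0 once zeroized
 * (an all-zero key is deliberately treated as "no key"). */
int key_present(void)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < KEY_LEN; i++)
        acc |= master_key[i];
    return acc != 0;
}
```

In the design Emery describes, key_zeroize() is what the switch or the power-loss handler invokes; everything else on disk stays as it was.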



Re: A Cost Analysis of Windows Vista Content Protection

2006-12-24 Thread Peter Gutmann
Some people have asked for references for the information in the writeup;
these weren't so easy to provide because some of the content was from non-
public sources, but after a fair bit of searching I've managed to find public
locations for much of the information.  It's in the updated online version at
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt.  The comments by an
ATI product manager are particularly illuminating; the phrase "increased costs
will be passed on to consumers" seems to appear on every second slide of his
presentation.

Peter.

-- Snip --

Sources
---

Because this writeup started out as a private discussion in email, a number of
the sources used were non-public.  The best public sources that I know of are:

"Output Content Protection and Windows Vista",
http://www.microsoft.com/whdc/device/stream/output_protect.mspx, from WHDC.

"Windows Longhorn Output Content Protection",
http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWEN05006_WinHEC05.ppt,
from WinHEC.

"How to Implement Windows Vista Content Output Protection",
http://download.microsoft.com/download/5/b/9/5b97017b-e28a-4bae-ba48-174cf47d23cd/MED038_WH06.ppt,
from WinHEC.

"Protected Media Path and Driver Interoperability Requirements",
http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWEN05005_WinHEC05.ppt,
from WinHEC.

An excellent analysis from one of the hardware vendors involved in this comes
from ATI, in the form of "Digital Media Content Protection",
http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWEN05002_WinHEC05.ppt,
from WinHEC.  This points out (in the form of PowerPoint bullet-points) the
manifold problems associated with Vista's content-protection measures, with
repeated mention of increased development costs, degraded performance and the
phrase "increased costs passed on to consumers" pervading the entire
presentation like a mantra.

(Note that the crypto requirements have changed since some of the information
above was published, for example SHA-1 has been deprecated in favour of
SHA-256 and SHA-512, and public keys seem to be uniformly set at 2048 bits in
place of the mixture of 1024-bit and 2048-bit mentioned in the presentations).

In addition there have been quite a few writeups on this (although not going
into as much detail as this document) in magazines both online and in print,
one example being PC World's feature article "Will your PC run Windows
Vista?", http://www.pcw.co.uk/articles/print/2154785, which covers this in the
appropriately-titled section "Multimedia in chains".  Audience reactions at
WinHEC are covered in "Longhorn: tough trail to PC digital media" published in
EE Times
(http://www.eetimes.com/issue/fp/showArticle.jhtml?articleID=162100180);
unfortunately you need to be a subscriber to read this but you may be able to
find accessible cached copies using your favourite search engine.



Big NSA expansion in Augusta, GA

2006-12-24 Thread John Gilmore
http://augustans.blogspot.com/2006/12/out-of-thin-air.html

This comes from an interesting SIGINT and more blog from
the Augusta Metro Spirit, a local weekly newspaper.  Excerpts:

... Augusta is about to get a $340-million taste of Sweet Tea.

The National Security Agency is building a massive new operations
facility, dubbed project Sweet Tea. It will come complete with all the
amenities: a workout room, nursing areas, a mini-shopping center, a
credit union, an 800-seat cafeteria and thousands of exclusive parking
spaces. Secret parking spaces.

There are, of course, actual operational national security-type
elements to the project. For example, it will include a new shredder
facility (for all those classified documents) and an antenna farm (to
help listen in on enemy combatants like Osama bin Laden and Princess
Di).  ...

The document says the main new structure, a 525,000- square-foot
Regional Security Operations Center, should be complete by May 2010.

The NSA and its allies in the U.S. Congress have been pushing this
project for years. The Defense Department requested a $340.8 million
appropriation for the Georgia Regional Security Operations Center back
in February. And a construction award was scheduled for Sept. 25, NSA
documents show.

Maybe the deal was awarded on schedule. Maybe there was a
delay. Either way, it wasn't announced until Dec. 8, one day after the
Metro Spirit started calling around with questions. The announcement
was one of only eight press releases that the usually silent spy
agency had issued all year.  ...

Indeed, there is reason to believe that the NSA-Georgia project's
actual cost will be even higher than the $340 million that's
known to have been appropriated.

A military source familiar with cost analysis told the Metro Spirit
that the facilities may wind up costing more than $1 billion.  ...

Clyde Taylor, military legislative assistant to Georgia Sen. Saxby
Chambliss, said his office spent a couple of years obtaining the
appropriation. Taylor also gave credit to Georgia Rep. Charlie
Norwood, whose office issued its own press release last Friday.

The need for the new NSA facility is driven by the growth in overseas
surveillance activities, Taylor said. He said that the agency plans to
move linguists and analysts down from its Fort Meade, Md.,
headquarters to the Augusta listening station, which targets the
Middle East.



Startup to launch new random number generator from space

2006-12-24 Thread David Wagner
Udhay Shankar reports:
http://news.zdnet.com/2100-1009_22-6142935.html

> British start-up Yuzoz has announced that it will be launching its
> beta service in the next two weeks--an online random-number generator
> driven by astronomical events.

Heh heh.  Pretty amusing.  I guess the founders haven't really thought
this through.  One problem with such a service, of course, is total
reliance upon Yuzoz: Yuzoz learns all your secret keys -- and so does
any hacker who figures out how to break into Yuzoz's servers.  That doesn't
sound like such a great deal -- especially considering that high-quality
random-number sources are not that hard to come by.

I guess we can take ill-conceived startups like this as a sign of
increasing awareness about the security risks and the need for security
solutions, even if there is some, err, lack of sophistication about how
to distinguish good security technology from bad.  (Quantum crypto seems
like another one for that camp.  Oracle's "Unbreakable" marketing slogan
was another good one.)
