Re: A web site that believes in crypto

2007-01-13 Thread Erik Tews
On Wednesday, 10.01.2007, 18:31 -0500, Steven M. Bellovin wrote:
 I just stumbled on a web site that strongly believes in crypto --
 *everything* on the site is protected by https.  If you go there via
 http, you receive a Redirect.  The site? does this for some time now.

A lot of years ago, (German hacker club, something
like 2600 in the USA) switched to https only, but switched back to http
later. This happened when Netscape 4.x was the most common browser and a
lot of users had problems with https.


Re: Private Key Generation from Passwords/phrases

2007-01-13 Thread Joseph Ashwood
- Original Message - 
From: Matthias Bruestle [EMAIL PROTECTED]

Subject: Private Key Generation from Passwords/phrases

What do you think about this?

I think you need some serious help in learning the difference between 2^112 
and 112, and that you really don't seem to have much grasp of the entire 
concept. 112 bits of entropy is 112 bits of entropy, not 76 bits of entropy, 
27 bits of bull, 7 bits of cocaine, and a little bit of alcohol, and the 224 
bits of ECC is approximate anyway, as you noted the time units are 
inconsistent. Basically just stop fiddling around trying to convince 
yourself you need less than you do, and locate 112 bits of apparent entropy, 
anything else and you're into the world of trying to prove equivalence 
between entropy and work which works in physics but doesn't work in 
computation because next year the work level will be different and you'll 
have to redo all your figures.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

[Cryptocollectors] STU III 2500

2007-01-13 Thread Richard Brisson
Good morning all,


Available to those in the U.S., STU-III 2500 with manual and AC adapter (and
perhaps even a key in the plastic bag but it's not stated nor obvious) on
eBay: 330073910569


Best regards from a finally much colder Ottawa (-15 deg C),





Re: Private Key Generation from Passwords/phrases

2007-01-13 Thread James A. Donald

Matthias Bruestle wrote:


I am thinking about this since last night. On the web I haven't found
much and I want to go in a different direction as I have found.

Say I want to have 112bit security, i.e. as secure as 3DES. For this I
would choose (as everybody writes) 224bit ECC (or Tipsy Curve
Cryptosystem/TCC as I prefer, because the European Citizen Card is also
called ECC officially). With the Passwords I would have to provide so
much entropy, that a bruteforce attack needs as much time as 3DES to get
the same security. (Higher value of ECC key ignored.)

When I look at benchmarks ratio of the number of 3DES operations and of
point multiplications is about 4000:1, so I have gained here about 2^12
bits. (Processing of Password with a hash function is so fast that it
can be ignored unless the processing is artificially extended.) I am
aware that a DES unit is cheaper than an ECC unit and that for DES there
are special implementations for key search possible, so the gain might
be even more.

Let's assume the key is only very seldom regenerated. Then we could add a
short fragment of real entropy to the passwords and throw it away after
our first key generation. If a point multiplication takes around 4ms
then we can brute force on one day 2^24 keys. So if the user is willing
to wait for one day for his key recreation then he can add 3 random
bytes to his passwords and throw them away.

If we add this together, then we have already 2^36 bits of security from
our goal of 2^112 bits. The remaining necessary entropy is then 2^76
bits which would have then to be provided by the passwords/phrase. That
means the necessary length is reduced by about one third.

What do you think about this?

You are not going to get 76 bits of entropy in a password.

Memorizing a 76 bit password is equivalent to memorizing three seven 
digit telephone numbers.

Assume that the private key is generated from the password plus an n bit 
true random number.

To regenerate the private key we have to try 2^n private keys, looking 
for a match to the public key.  Assume this takes time X.

Assume the actual entropy in the password is m bits.  Then an attacker 
who has similar computing resources is going to take time X * 2^m

Any time a password can be subject to offline attack by anyone, it is 
not a good design.  You are better off fixing it so that only certain 
people can offline attack the password, and everyone else has to do an 
online attack on the password.
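
The cost argument in the reply above, worked through as an added example (not code from the thread): a private key is derived from a password plus n discarded random bits, and the owner and an offline guesser are both counted in key trials. The function names, the toy group parameters (modular exponentiation standing in for the ECC point multiplication) and the candidate password list are assumptions for illustration.

```python
import hashlib
import secrets

# Toy group standing in for the elliptic-curve group (assumption, not from the thread).
P = 2**255 - 19
G = 2

def private_key(password: str, r: int) -> int:
    """Derive the private scalar from the password and the random value r (n <= 32)."""
    data = password.encode() + b"\x00" + r.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def public_key(priv: int) -> int:
    """Stand-in for the point multiplication that yields the public key."""
    return pow(G, priv, P)

def generate(password: str, n: int) -> int:
    """Create the key pair once; the n random bits are thrown away afterwards."""
    r = secrets.randbits(n)
    return public_key(private_key(password, r))

def regenerate(password: str, pub: int, n: int):
    """Owner's recovery: try up to 2^n values of r until the public key matches."""
    for tries, r in enumerate(range(2**n), start=1):
        priv = private_key(password, r)
        if public_key(priv) == pub:
            return priv, tries
    return None, 2**n

def offline_attack(candidates, pub: int, n: int):
    """Guesser holding only pub: each wrong password costs the full 2^n trials."""
    work = 0
    for guess in candidates:
        priv, tries = regenerate(guess, pub, n)
        work += tries
        if priv is not None:
            return guess, work
    return None, work

if __name__ == "__main__":
    n = 8                                            # discarded random bits
    candidates = [f"guess{i}" for i in range(16)]    # constructed list, m = 4 bits
    pub = generate(candidates[-1], n)
    _, owner_work = regenerate(candidates[-1], pub, n)
    _, attacker_work = offline_attack(candidates, pub, n)
    print(f"owner: {owner_work} trials (at most 2^{n})")
    print(f"attacker: {attacker_work} trials (at most 2^{n} * 2^4)")
```

The discarded bits multiply the owner's and the guesser's work by the same factor, so the margin between them stays at 2^m, the real entropy of the password.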


Banking Follies

2007-01-13 Thread Perry E. Metzger

As many people here are aware, one of my least favorite banks,
especially in terms of system security, is Chase.

Today I received an email message from Chase informing me that I'd
gotten a brand new hotel rewards program branded Visa card from them,
and inviting me to click on various links to set up my internet access
to the account, and inviting me to call a particular phone number to
activate the account.

Unfortunately, I had never applied for such an account. The name in
the email was also not my name, and the email was also sent to an
account I never give out to anyone.

A detailed examination of the email made it appear genuine, though of
course one can never know. (Chase's credit card operations send
similar emails to customers all the time, including links to click
on, training their customers to become victims of phishing while
carefully explaining to them that they should be very careful about
phishing. Chase also has the bad habit of sending their security
critical emails through third party providers -- in this case was in the path the mail took, though past
experience tells me this alone does not mean the mail is
fraudulent. Thank you, Chase, for making it so easy for people.)

It was possible that the mail in question was purely fraudulent, but
one couldn't really know. I suspected it was more likely that Chase
had either sent the email to the wrong place or that a particularly
stupid person had given the wrong email address to Chase when applying
for the card and that it happened to be one of mine by accident.

(Note to banks: 1) Always require round trip confirmations before
accepting an email address for an account holder. 2) Never send anyone
email inviting them to click on things, period. In fact, you probably
shouldn't be sending people email. 3) Study what Chase does carefully
and send out reports internally saying don't let this happen to us.)

Now, here I am, either the subject of phishing, the victim of some
sort of identity theft (possible but not likely) or in possession of
important information that would allow me to commit credit card
fraud. As an honest person, my reaction is to call the bank.

Unsurprisingly, Chase's confirm that you have gotten your credit
card number has a small bug. It really doesn't want to allow you to
report that something is wrong, it only wants to let you report that
everything is okay. One wonders at a confirm you got your card phone
number where you can't easily report a problem but only success -- it
certainly isn't brilliant security design.

By pretending to not have a touch tone phone (I'm sure that trick to
get to a person will end when they put voice recognition on the line) I
managed to eventually get through to a live sentient being, but sadly
the human in question was not really well equipped to speak with other
humans -- in particular, beyond the fact that this person was
remarkably unintelligent, he was also remarkably unintelligible. By
the accent, I don't think he was in an offshore call center, but he
might as well have been.

First, he asked me what I expected him to do about the situation. Now,
generally speaking, one imagines that a bank would want to know about
such a situation, but this being Chase I suppose I should not have
been surprised at the quality of personnel training involved.

When I explained that I thought that perhaps the bank would be
interested in preventing fraud, he then asked that I give him all my
personal information, even though I explained that not only was I
suspicious enough under the circumstances that I didn't want him to
have my social security number, but also that I thought it was
unlikely that the card in question had my social security number
attached to it. After a few passes back and forth, I asked to speak to
his supervisor, which after a number of minutes on hold didn't
happen. Then finally he transferred me to an anti-fraud department.

The anti-fraud group seemed to be at least slightly more on the ball,
but kept insisting on things like knowing my zip code when I was
pretty sure my zip code would not be attached to the card in
question. After I carefully guided the phone agent through doing
the database query, she finally located the card in question, which
may or may not be legitimate but which (we established by checking a
couple of digits) was not associated with my address, name or social
security number. I suggested to her that she might want to have the
account frozen, but she declined, and said that someone would simply
contact the card holder. Not my problem any more, I said, and we
ended the call.

I suppose the lesson of all of this is that security is hard, and a
security system that depends on large numbers of telephone center
representatives to function is probably a bad idea. There are several
ways that this could have been avoided, and that the entire problem
could, in fact, have been avoided -- Chase could have avoided
attaching an unconfirmed 

Why AACS will fail

2007-01-13 Thread Frank A Stevenson
I have just finished a positional paper holding the view that AACS,
Advanced Access Control System used for protection of HD recordable
media, will fail as an effective measure against unauthorized copying of
content. The argument is largely of an economical nature.

The document may be revised if questions and comments demand it. Any
feedback is welcome. In lieu of a proper copyright notice, the article is
published on a creative commons licence where it may be quoted in full
or in part, as long as reference is made to the author and the above link.

  Frank A. Stevenson


How to leak a secret and not get caught

2007-01-13 Thread PeterThermos

Leaking a sensitive government document can mean risking a jail sentence -
but not for much longer if an online service called WikiLeaks goes ahead.
WikiLeaks is designed to allow anyone to post documents on the web without
fear of being traced.

