Re: OT: SSL certificate chain problems

2007-02-04 Thread Victor Duchovni
On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:

> Victor Duchovni [EMAIL PROTECTED] writes:
>
> > What I don't understand is how the old (finally expired) root helps to
> > validate the new unexpired root, when a verifier has the old root and the
> > server presents the new root in its trust chain.
>
> You use the key in the old root to validate the self-signature in the new
> root.  Since they're the same key, you know that the new root supersedes the
> expired one.

Does this actually work with OpenSSL and v3 CA certs that have X509v3
Authority Key Identifier extensions? With these extensions present
(default when OpenSSL constructs CA certs, ...), certs whose serial number
does not match the serial field in the extension are not considered
to be root CA certs (not self-signed), and CA certs sharing the same
keys and DN, but carrying different serials, simply don't match.

If I roll back the serial numbers and issue a cert with all the details
(including serial number, ...) the same, but just the start/end dates
changed to start before the expiration of the verifier's expired CA,
and end after today's date, the verifier ends up with a trust chain that
starts with the expired cert and fails, regardless of whether the server
sends the new root CA cert or not.

CA0.pem:

serial=C27B874157E381C0
issuer= fixed-ca-dn
subject= fixed-ca-dn
notBefore=Jan  1 00:00:00 2007 GMT
notAfter=Jan 31 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
DirName:fixed-ca-dn
serial:C2:7B:87:41:57:E3:81:C0

CA1.pem:

serial=C27B874157E381C0
issuer= fixed-ca-dn
subject= fixed-ca-dn
notBefore=Jan 15 00:00:00 2007 GMT
notAfter=Feb 28 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
DirName:fixed-ca-dn
serial:C2:7B:87:41:57:E3:81:C0

SRV.pem:

serial=C27B874157E381C1
issuer= fixed-ca-dn
subject= server-dn
notBefore=Jan 15 00:00:00 2007 GMT
notAfter=Feb 28 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
DirName:fixed-ca-dn
serial:C2:7B:87:41:57:E3:81:C0

A client with CAfile containing just CA0.pem fails to verify a server
configured to send the SRV,CA1 trust chain. My verification callback is
called three times and produces:

  Trace: certificate verification depth=1 verify=0 subject=fixed-ca-dn
  Error: CA certificate verification failed for peer certificate has expired

  Trace: certificate verification depth=1 verify=1 subject=fixed-ca-dn

  Trace: certificate verification depth=0 verify=1 subject=server-dn

If the verifier trusts the CA1.pem cert, I see instead:

  Trace: certificate verification depth=1 verify=1 subject=fixed-ca-dn

  Trace: certificate verification depth=0 verify=1 subject=fixed-server-dn

How does one construct a working (re-issued root CA) example with OpenSSL?
Am I setting this up incorrectly, or does OpenSSL not in fact support
establishing trust in a re-issued root CA via a now-expired root CA?

I have not tried to do this without the issuer key identifier extension,
but don't really expect to find anything different...

-- 

 /\  ASCII RIBBON                        NOTICE: If received in error,
 \/  CAMPAIGN      Victor Duchovni       please destroy and notify
  X  AGAINST       IT Security,          sender. Sender does not waive
 /\  HTML MAIL     Morgan Stanley        confidentiality or privilege,
                                         and use is prohibited.
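The situation laid out in the message above, as an added example that is not part of the thread and not OpenSSL's code: the three certificates are regenerated in-process with the third-party Python `cryptography` package (assumed installed), using the DNs, serials and dates from the listing, and a small path builder then verifies SRV against a trust store holding only CA0 while the peer sends CA1. The builder's rules (trusted-first issuer selection, AKI keyid and serial matching, and the choice of anchoring trust on the exact certificate or on the root's public key) are this example's own and are not a claim about what the OpenSSL of the time did; the key sizes and the verification date of 2007-02-04 are assumptions.

```python
"""Added example, not code from the thread: rebuilds the CA0 / CA1 / SRV layout of the
post with the third-party `cryptography` package (assumed installed) and runs a small
path builder that anchors either on a trusted *certificate* (trusted-first, the
behaviour the post reports) or on a trusted *public key* (the argument quoted at the
top).  Key sizes, the check date and the path-building rules are this example's own."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
CA_DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "fixed-ca-dn")])
SRV_DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "server-dn")])
CA_SERIAL = 0xC27B874157E381C0                    # shared by CA0 and CA1, as posted
CHECK_TIME = dt.datetime(2007, 2, 4, tzinfo=UTC)  # assumed "today" for the check


def make_cert(subject, ca_key, pub, serial, nb, na, is_ca):
    """Issue under fixed-ca-dn; the AKI carries keyid, DirName and the CA serial."""
    ca_ski = x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key())
    aki = x509.AuthorityKeyIdentifier(ca_ski.digest, [x509.DirectoryName(CA_DN)], CA_SERIAL)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(CA_DN).public_key(pub)
            .serial_number(serial).not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .add_extension(aki, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_materials():
    """CA0 (expired root), CA1 (re-issued: same key, DN, serial) and SRV, as listed."""
    d = lambda y, m, day: dt.datetime(y, m, day, tzinfo=UTC)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca0 = make_cert(CA_DN, ca_key, ca_key.public_key(), CA_SERIAL, d(2007, 1, 1), d(2007, 1, 31), True)
    ca1 = make_cert(CA_DN, ca_key, ca_key.public_key(), CA_SERIAL, d(2007, 1, 15), d(2007, 2, 28), True)
    srv = make_cert(SRV_DN, ca_key, srv_key.public_key(), CA_SERIAL + 1, d(2007, 1, 15), d(2007, 2, 28), False)
    return ca0, ca1, srv


def _der(c): return c.public_bytes(Encoding.DER)
def _spki(c): return c.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

def _signed_by(c, pub):
    try:
        pub.verify(c.signature, c.tbs_certificate_bytes, padding.PKCS1v15(), c.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def _validity(c):  # the *_utc accessors exist since cryptography 42; older versions return naive UTC
    nb = getattr(c, "not_valid_before_utc", None)
    return (nb, c.not_valid_after_utc) if nb else (c.not_valid_before.replace(tzinfo=UTC), c.not_valid_after.replace(tzinfo=UTC))

def _names_issuer(cand, c):
    """AKI-driven issuer match: issuer DN, keyid == cand's SKI and, when present, AKI serial ==
    cand's serial, so a re-issued root with a fresh serial never matches its old leaves."""
    aki = c.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    return (cand.subject == c.issuer and aki.key_identifier == ski
            and aki.authority_cert_serial_number in (None, cand.serial_number))

def _is_self_signed(c): return _names_issuer(c, c) and _signed_by(c, c.public_key())


def verify_chain(leaf, presented, trusted, now, trust_keys=False):
    """Depth-first, trusted-first path builder; returns (ok, message).  trust_keys=False
    needs an exact trusted cert at the end; trust_keys=True accepts any self-signed
    cert whose public key is a trusted one (the "same key supersedes" argument)."""
    anchor_der, anchor_keys = {_der(c) for c in trusted}, {_spki(c) for c in trusted}
    failures = []

    def anchored(c):
        return (_is_self_signed(c) and _spki(c) in anchor_keys) if trust_keys else _der(c) in anchor_der

    def search(path):
        cert, depth = path[-1], len(path) - 1
        if anchored(cert) or _is_self_signed(cert):       # a root ends the path either way
            if not anchored(cert):
                failures.append("depth=%d untrusted self-signed root" % depth)
                return None
            for i, c in enumerate(path):                  # depth 0 is the leaf, as in the traces
                nb, na = _validity(c)
                if not nb <= now <= na:
                    why = "not yet valid" if now < nb else "has expired"
                    failures.append("depth=%d %s: certificate %s" % (i, c.subject.rfc4514_string(), why))
                    return None
            return path
        for cand in trusted + presented:                  # trust store before the peer's chain
            if _der(cand) not in map(_der, path) and _names_issuer(cand, cert) \
                    and _signed_by(cert, cand.public_key()):
                found = search(path + [cand])
                if found:
                    return found
        failures.append("depth=%d no issuer for %s" % (depth, cert.subject.rfc4514_string()))
        return None

    path = search([leaf])
    return (True, "ok, root at depth %d" % (len(path) - 1)) if path else (False, "; ".join(failures))
```

With `trust_keys=False` the builder takes the trusted CA0 as SRV's issuer first, so the path is SRV, CA0 and fails at depth 1 with "certificate has expired", matching the trace in the post, whether or not the peer sends CA1: CA1 is self-signed, so it ends a path, but it is not the trusted certificate, so it cannot anchor one. With `trust_keys=True` the path through the peer-supplied CA1 anchors because its public key is CA0's key, and every certificate on it is within its validity period; if the peer does not send CA1 only the expired CA0 is available and verification still fails. The `_names_issuer` rule is the constraint the post works around by reusing the serial: a re-issued root whose serial differs from the one in the leaves' AKI is neither a match for those leaves nor, by the same rule, self-signed.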

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: data under one key, was Re: analysis and implementation of LRW

2007-02-04 Thread Vlad "SATtva" Miller
Allen wrote on 31.01.2007 01:02:
> I'll skip the rest of your excellent, and thought-provoking post as it
> is future and I'm looking at now.
>
> From what you've written and other material I've read, it is clear that
> even if the horizon isn't as short as five years, it is certainly
> shorter than 70. Given that it appears what has to be done is the same
> as the audio industry has had to do with 30-year-old master tapes when
> they discovered that the binder that held the oxide to the backing was
> becoming gummy and shedding the music as the tape was playing -
> reconstruct the data and re-encode it using more up-to-date technology.
>
> I guess we will have grunt jobs for a long time to come. :)

I think you underestimate what Travis said about assurance for
long-term encrypted data. If an attacker can (and it is very likely)
obtain your ciphertext now, encrypted with a scheme that isn't strong
over a 70-year horizon, he will be able to break the scheme in the
future when technology and science allow it, effectively compromising
[part of] your clients' private data, despite your efforts to re-encrypt
it later with an improved scheme.

The point is that an encryption scheme for long-term secrets must be
strong from the beginning to the end of the period the data needs to
stay secret.

-- 
SATtva
www.vladmiller.info
www.pgpru.com






Re: Intuitive cryptography that's also practical and secure.

2007-02-04 Thread Alexander Klimov
On Tue, 30 Jan 2007, Leichter, Jerry wrote:
> This is a common misconception.  The legal system does not rely on
> lawyers, judges, members of Congress, and so on understanding how
> technology or science works.  It doesn't rely on them coming to
> accept the trustworthiness of the technology on any basis a
> technologist would consider reasonable.  All it requires is that
> they accept the authority of experts in the subject area, and that
> those experts agree strongly enough that the mechanism is sound.

Right, this is the theory, and in theory there is no difference
between practice and theory; unfortunately, in practice it exists:

http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070106/NEWS01/701060312/1002/NEWS17

   Oct. 19, 2004, while substituting for a seventh-grade
   language class at Kelly Middle School, Amero claimed she
   could not control the graphic images appearing in an endless
   cycle on her computer.

   The pop-ups never went away, Amero testified. They were
   continuous.

   Computer expert W. Herbert Horner, testifying in Amero's
   defense, said he found spyware on the computer and an
   innocent hair styling Web site that led to this pornographic
   loop that was out of control.

   [Jury] convicted Amero, 40, of Windham of four counts of risk of
   injury to a minor, or impairing the morals of a child. She faces a
   sentence of up to 40 years in prison.

-- 
Regards,
ASK



Re: Private Key Generation from Passwords/phrases

2007-02-04 Thread Allen



Alexander Klimov wrote:

> [snip]
>
> (Of course, with 60K passwords there is almost for sure at
> least one password1 or Steven123 and thus the salts are
> irrelevant.)

I'm not sure I understand this statement, as I just calculated the
HMAC-MD5 for password1 using a salt of 7D00 (32,000 decimal)
and got the result 187de1db3348592a3595905a66cae418. Then I
calculated the MD5 with a salt of 61A8 (25,000 decimal) and got the
result 9cad6ac9fd6c09fd8e99e478381f.

Are you saying that the salt is irrelevant because a dictionary
attack is fast and common dictionary words would allow an easy
attack?


Thanks,

Allen
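As an added example (not from the thread) of the point being asked about above: a constructed store of 60,000 credentials using the scheme the message describes, HMAC-MD5 with a 16-bit salt (the example assumes the salt is the HMAC key and the password the message), and a per-user dictionary attack run over it. The dictionary, the user count, the random passwords and the planted weak ones are all constructed for the example.

```python
"""Added example, not from the thread: a constructed credential store using the
scheme the message describes (HMAC-MD5 keyed by a 16-bit salt; which input is the
key is this example's assumption) and a per-user dictionary attack over it.  The
salt forces one MAC per (user, guess), but for a small dictionary that is still
trivial, so every user with a common password falls regardless of the salt."""
import hashlib
import hmac
import random

DICTIONARY = ["password1", "Steven123", "letmein", "qwerty", "123456"]   # constructed
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def salted_mac(salt, password):
    """HMAC-MD5 with the 2-byte salt as key, e.g. salt 0x7D00 (32,000) for 'password1'."""
    return hmac.digest(salt.to_bytes(2, "big"), password.encode(), hashlib.md5).hex()


def make_store(n_users, weak, seed=1):
    """Constructed store of (salt, digest) pairs.  Users in `weak` ({index: password})
    get a dictionary password, everyone else a random 12-character one; salts are
    drawn uniformly from the 16-bit range the message's examples suggest."""
    rng = random.Random(seed)
    store = []
    for i in range(n_users):
        pw = weak.get(i) or "".join(rng.choices(ALPHABET, k=12))
        salt = rng.randrange(1 << 16)
        store.append((salt, salted_mac(salt, pw)))
    return store


def crack(store, dictionary=DICTIONARY):
    """Dictionary attack run per user: re-key the MAC with that user's salt and try
    every guess.  No precomputation is needed or possible, which is all the salt
    changes.  Returns ({user_index: password}, number of MAC evaluations)."""
    found, work = {}, 0
    for user, (salt, digest) in enumerate(store):
        for guess in dictionary:
            work += 1
            if hmac.compare_digest(salted_mac(salt, guess), digest):
                found[user] = guess
                break
    return found, work
```

The attacker never needs a precomputed table: the salt only changes which key the MAC runs under, so the cost is one MAC per (user, guess), about 300,000 HMAC-MD5 evaluations for 60,000 users and a five-word list, and every user whose password is in the list is recovered while the random 12-character passwords are not. What the salt buys is that the work cannot be shared across users or precomputed once for everyone, which does nothing for a password that is itself in a short list.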




Re: News.com: IBM donates new privacy tool to open-source Higgins

2007-02-04 Thread Hal Finney
John Gilmore forwards:
> http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html
>
> IBM donates new privacy tool to open-source
>   By Joris Evers
>   Staff Writer, CNET News.com
>   Published: January 25, 2007, 9:00 PM PST
>
> IBM has developed software designed to let people keep personal
> information secret when doing business online and donated it to the
> Higgins open-source project.
>
> The software, called Identity Mixer, was developed by IBM
> researchers. The idea is that people provide encrypted digital
> credentials issued by trusted parties like a bank or government agency
> when transacting online, instead of sharing credit card or other
> details in plain text, Anthony Nadalin, IBM's chief security architect,
> said in an interview.
> ...

I just wanted to note that the idemix software implements what we
sometimes call Camenisch credentials.  This is a very advanced credential
system based on zero knowledge and group signatures.  The basic idea is
that you get a credential on one pseudonym and can show it on another
pseudonym, unlinkably.  More advanced formulations also allow for
credential revocation.  I don't know the specifics of what this software
implements, and I'm also unclear about the patent status of some of the
more sophisticated aspects, but I'm looking forward to being able to
experiment with this technology.

Hal Finney
