SSL MITM attack vs wiretap laws question

2007-05-05 Thread Alex Alten
I have a question about the legality of doing a successful MITM attack against SSL
(server-side authentication only).  This is mainly a USA-only question, although
Europe and Japan are of interest too.  This is not a CALEA or ETSI type of situation.


If the SSL connection is traversing an enterprise or a common carrier, is it legal for
that party to perform a MITM against it in order to examine the encrypted information?


My reading of the US Federal wiretap laws seems to indicate that this is OK if one of the
following conditions exists:
1. The enterprise/carrier posts a notice that all SSL connections are subject to inspection.
2. The enterprise/carrier notifies one or both parties of the SSL connection that inspection
is taking place.
3. The enterprise/carrier examines the SSL to prevent DoS/DDoS/Worm/Phishing attacks
or to do QoS (load balancing, bandwidth shaping, etc).

I don't think wire fraud laws are involved, even though a properly signed yet fake X.509
PKI certificate is sent to the browser by the MITM enterprise/carrier pretending to be
the destination site in order to extract the encryption keys used to encrypt the
SSL connection.

Any lawyers out there who would know how to interpret US federal law regarding
this area?  (Europe/Japan, or other rule-of-law type countries are of interest too.)


Thanks,

- Alex
--

Alex Alten
[EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
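A client-side check that catches the certificate substitution the question describes, as an added example that is not part of the original post or the list discussion: it pins the SHA-256 digest of the server's SubjectPublicKeyInfo, so a certificate issued for the same name under a different key fails the check even when it chains to a CA the client trusts. Go standard library only; the two self-signed certificates, the hostname example.com and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo, the value a client stores ahead of time.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches reports whether the presented leaf certificate carries one of
// the pinned keys. Chain validity is deliberately not consulted here: an
// interception proxy's certificate can chain to a CA the browser trusts,
// which is exactly the case the pin is meant to catch.
func pinMatches(leaf *x509.Certificate, pins []string) bool {
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// selfSignedCert builds a throw-away certificate for name under key.
// Constructed test data: in a real client the leaf would come from
// tls.ConnectionState.PeerCertificates[0].
func selfSignedCert(name string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo returns whether the genuine certificate and a substituted one for the
// same name (different key, as an interception proxy would present) pass
// the pin check.
func demo() (bool, bool, error) {
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine, err := selfSignedCert("example.com", siteKey)
	if err != nil {
		return false, false, err
	}
	substituted, err := selfSignedCert("example.com", proxyKey)
	if err != nil {
		return false, false, err
	}
	pins := []string{spkiPin(genuine)} // what the client shipped with
	return pinMatches(genuine, pins), pinMatches(substituted, pins), nil
}

func main() {
	g, s, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine certificate passes pin: %v\n", g)     // true
	fmt.Printf("substituted certificate passes pin: %v\n", s) // false
}
```

In a real client the pin comparison would run inside the TLS handshake (Go exposes this through tls.Config.VerifyPeerCertificate) after the normal chain check, and a mismatch should be logged as a likely interception event rather than silently retried.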


Re: phone encryption technology becoming popular in Italy

2007-05-05 Thread Hagai Bar-El
Hello,

On 02/05/07 20:12, Dave Korn wrote:
   Interesting, but of course they're still a good way from 100% secure.  It's
 really great that they issue the source, but unless they also issue the
 toolchain, and the source to the toolchain, so that anyone who wants can
 recompile and reflash their phone, it's less than secure.

I know these devices.

You are right. The source code you get cannot be used for full
assurance, because you don't get everything required to build an image
and replace the existent one with it. The source you get allows you to
check and be convinced that the code has no software bugs that were not
intended by the vendor. It does not aim to assure you against malicious
attempts by the vendor to introduce back-doors into the product.

So, you are secure, just not against everything... It's still more
than you get with completely closed-source devices, let alone with ones
that implement proprietary crypto...

And, of course, the source code is probably published also because the
marketing guys (probably) said that people skilled in the art will
appreciate this feature when evaluating this product against others.

Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com



Re: Was a mistake made in the design of AACS?

2007-05-05 Thread Steve Schear

At 07:50 AM 5/4/2007, Nicolas Williams wrote:

On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote:
 At 03:52 PM 5/2/2007, Ian G wrote:
 This seems to assume that when a crack is announced, all revenue
 stops.  This would appear to be false.  When cracks are announced in such
 systems, normally revenues aren't strongly effected.  C.f. DVDs.

 Agreed.  But there is an incremental effect.  In the same way many people
 now copy DVDs they have rented many will gain access to HD content made

Wait, are you saying that people copy rented DVDs onto DVD media?  Or
that they _extract_ the content?

There's a big difference: there's no need to crack the DVD DRM system to
do the former, but there is for the latter.


I guess I wasn't clear.  Unlike ripping and copying DVDs bit-for-bit, 
content ripped from HD DVDs and BluRay discs is first distributed simply as 
unencrypted copies.  Watching this content means you will probably do so 
from your PC (e.g., using a current version of PowerDVD), as burning a 
bit-for-bit HD DVD/BluRay is either not available or not economically 
practical.  Later, HD videophiles re-encode the content using the same 
advanced coders (i.e., H.264/x264 and VC1) so at least the feature movie can 
be stored on a dual-layer DVD.  Despite the smaller data size of the DVD 
(about 8.5 GB) vs. HD media (20+ GB), the quality of playback is impressive, 
good enough for all but the most discerning Home Theater buff.



Well, there's an idea: use different physical media formats for
entertainment and non-entertainment content (meaning, content created by
MPAA members vs. not) and don't sell writable media nor devices capable
of writing it for the former, not to the public, keeping very tight
controls on the specs and supplies.


Authoring DVDs are available for people wishing to master protected 
content.  These, unlike the consumer variety, allow the CSS to be 
present.  Special burners, never very popular with consumers, even 
videophiles, are required.


Steve 




Re: Was a mistake made in the design of AACS?

2007-05-05 Thread Hal Finney
Allen [EMAIL PROTECTED] writes:
 I know I'm in over my head on this so my apologies, but if the 
 key is used in one machine in a product line - Sony DVD players 
 say - then if they find the one machine that it came from and 
 disable it, wouldn't figuring out the key for the next machine in 
 the production run be relatively trivial as the algorithm and 
 hardware implementation used by all machines of a given run be the 
 same? Therefore, couldn't one buy several of them and use them 
 one after another as they are discovered and disabled?

Perhaps so, depending on the nature of the crack.  It may require
unsoldering chips from the machine motherboard or other rather difficult
to perform operations that would not be possible for average users.
Keep in mind that each machine costs several hundred dollars, and they
will be turned into bricks once revoked.  This raises the question of
who is bankrolling this effort and what his motivations are.


 So, in order to prevent any of those machines from being used 
 they'd have to disable a whole lot of machines owned by ordinary 
 individuals, right? What are the downside risks for Sony in doing 
 this?

I imagine it is safe to say that this is not a step that AACSLA would take
lightly.  If they ever did this then I suppose the machine manufacturer
would have to provide owners of the affected models with upgrades to
newer machines.

It's very hard to predict the future and it is not clear to me that
we will get into a scenario where a very small number of sacrificial
machines are the source of every HD movie being uploaded to the pirate
nets, such that when these few machines are revoked, immediately
another few machines are swapped in to replace them.  It would require
a relatively large degree of coordination among what I would imagine
is a generally loose affiliation of attackers with diverse motivations.
But as I said, my crystal ball is foggy.

Hal Finney



Re: Yet a deeper crack in the AACS

2007-05-05 Thread Hal Finney
 Article AACS cracks cannot be revoked, says hacker

 http://arstechnica.com/news.ars/post/20070415-aacs-cracks-cannot-be-revoked-says-hacker.html

 Excerpt: The latest attack vector bypasses the encryption performed
 by the Device Keys -- the same keys that were revoked by the WinDVD
 update -- and the so-called 'Host Private Key,' which as yet has not
 been found. This was accomplished by de-soldering the HD DVD drive's
 firmware chip, reading its contents, and then patching it. Once that
 was done, the firmware was soldered back onto the drive.

This article was not too accurate, and further progress has been
made.  At this point it is possible to remotely patch the firmware
of a particular kind of HD-DVD drive so that it will provide certain
information without the usually required authentication.  This makes it
easy to retrieve the per-disk Volume ID, which must be combined with
the widely-published Processing Key to generate the media keys that
can decrypt content.  If this Processing Key is invalidated on future
releases, this hack will not be useful until new keys are discovered.
It provides only part of the picture.

The hack was a real accomplishment because firmware updates had to
be authenticated with what was apparently something like an AES-based
CBC-MAC.  The hackers had to figure this out without much background
in cryptography and working only with dumps of the firmware that used a
somewhat obscure embedded CPU.  They had to figure out what CPU was being
used, find a disassembler for it, and examine assembly language dumps to
deduce that crypto was involved, recognize AES, and see how to create
their own checksums that would make their firmware updates succeed.
Just goes to show the motivation and hard work that hackers bring to
these efforts, largely for the love of the challenge.

It's possible that the ability to modify firmware will lead to more
successes for the hackers in the future, perhaps helping them to break
into future versions of software players to extract their embedded keys.
I peruse the doom9.org forums from time to time, where this work took
place right out in the open, before the public eye.  Definitely some
smart people involved there.

Hal Finney

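The firmware-update check Hal describes, an AES-based CBC-MAC, as an added example that is not from the post, the doom9 work or any drive vendor: it computes and verifies a length-prefixed AES-CBC-MAC over a constructed image, shows why a symmetric tag keyed with a value that sits inside the firmware image cannot tell the vendor's update from anyone else's, and places an ECDSA signature check beside it as the mitigation (the device holds only the public key). Go standard library only; the key bytes, the image contents, the Result fields and all function names are assumptions for the demonstration, not the real drive's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed sample data, not values from any real drive or player.
var (
	firmwareKey = []byte("0123456789abcdef") // 128-bit key sitting inside the firmware image
	goodImage   = []byte("FIRMWARE v1.0 auth=on payload=0123456789abcdef")
)

// cbcMAC returns the AES-CBC-MAC tag of image: the last CBC ciphertext block
// under a zero IV. Raw CBC-MAC is only secure for fixed-length messages, so
// the image length goes in a leading block and the data is zero-padded to a
// whole number of blocks (the length block makes the padding unambiguous).
func cbcMAC(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	msg := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(msg[aes.BlockSize-8:], uint64(len(image)))
	msg = append(msg, image...)
	if rem := len(msg) % aes.BlockSize; rem != 0 {
		msg = append(msg, make([]byte, aes.BlockSize-rem)...)
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, msg)
	return out[len(out)-aes.BlockSize:], nil
}

// verifyMAC models a bootloader that recomputes the tag with the embedded key
// and compares it in constant time.
func verifyMAC(key, image, tag []byte) bool {
	want, err := cbcMAC(key, image)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

// verifySigned is the hardened variant: the device holds only a public key,
// so reading every byte of the firmware yields nothing that can sign.
func verifySigned(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Result records how each scheme treats a genuine and a modified image.
type Result struct {
	MACAccepts bool // genuine image + vendor tag
	MACRejects bool // modified image + vendor tag
	MACRekeyed bool // modified image + tag recomputed with the embedded key
	SigAccepts bool // genuine image + vendor signature
	SigReused  bool // modified image + vendor signature reused
}

func demo() (Result, error) {
	var r Result
	tag, err := cbcMAC(firmwareKey, goodImage)
	if err != nil {
		return r, err
	}
	modified := bytes.Replace(goodImage, []byte("auth=on"), []byte("auth=no"), 1)
	r.MACAccepts = verifyMAC(firmwareKey, goodImage, tag)
	r.MACRejects = !verifyMAC(firmwareKey, modified, tag)
	// The MAC check cannot tell the vendor from anyone else holding the key.
	rekeyedTag, _ := cbcMAC(firmwareKey, modified)
	r.MACRekeyed = verifyMAC(firmwareKey, modified, rekeyedTag)

	// Vendor's signing key: generated here for the demo, never stored on the device.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	digest := sha256.Sum256(goodImage)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return r, err
	}
	r.SigAccepts = verifySigned(&priv.PublicKey, goodImage, sig)
	r.SigReused = verifySigned(&priv.PublicKey, modified, sig)
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // {MACAccepts:true MACRejects:true MACRekeyed:true SigAccepts:true SigReused:false}
}
```

The MAC does its job against accidental corruption and against someone who never sees the key, which is why the length prefix and constant-time compare still matter; what it cannot do is bind the update to the vendor once the key is readable from the same image it protects, and that is the gap the signature variant closes.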