NIST considering submissions of block cipher modes
Forwarded message:

From: Morris Dworkin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: NIST considering submissions of block cipher modes
Date: Sun, 08 Jun 2008 19:28:06 -0400
Message-ID: [EMAIL PROTECTED]

FYI, in recent months, NIST received submissions for three new modes of operation for the AES, one of which NIST is now proposing to approve for government use.

In particular, on Thursday NIST initiated a 90-day period of public comment (ending September 3, 2008) on the XTS encryption mode of the AES, submitted by the P1619 Task Group of the IEEE Security in Storage Working Group. NIST proposes to approve the algorithm by reference to IEEE Stnd 1619-2007. For additional information, see the Request for Public Comment on XTS, at http://www.csrc.nist.gov/groups/ST/documents/Request-for-Public-Comment-on_XTS.pdf . The request includes a link to the relevant extract of IEEE Stnd 1619, which IEEE has agreed to make available free of charge during the public comment period.

NIST also would welcome public input on whether to propose either of the other two modes for approval:

1. Synthetic IV (SIV), an authenticated encryption mode submitted by Rogaway and Shrimpton, and
2. Feistel Finite Set Encryption Mode (FFSEM), submitted by Spies.

Both submissions are available on the Modes Development page of the NIST website, http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html. Comments may be submitted to [EMAIL PROTECTED]; please identify the mode(s) somewhere in the subject line.

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
A call for aid in cracking a 1024-bit malware key
According to http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818intsrc=hm_list%3E%20articleId=9094818intsrc=hm_list some new malware is encrypting files with a 1024-bit RSA key. Victims are asked to pay a ransom to get their files decrypted. So -- can the key be factored?

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Ransomware
Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 on a call from Kaspersky Labs for help breaking encryption used by some ransomware: code that infects a system, uses a public key embedded in the code to encrypt your files, then tells you you have to go to some web site and pay for the decryption key.

Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key.

Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: the encryption in this case is done right and there's no real hope of breaking it.

Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality.

-- Jerry
Re: Ransomware
Leichter, Jerry wrote:
> Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818

This is no different than suffering a disk crash. That's what backups are for.

/ji

PS: Oh, backups you say.
Re: Ransomware
On Jun 9, 2008, at 11:54 AM, Leichter, Jerry wrote:
> Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818
> [...]
> Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key.
>
> Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: The encryption in this case is done right and there's no real hope of breaking it.

If there's just one key, then Kaspersky could get maximum press by paying the ransom and publishing it. If there are many keys, then Kaspersky still has reached its press-coverage quota, just not as dramatically.

> Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality.

But press gambits from security companies have been in the realm of reality for quite some time!
Re: Ransomware
On Mon, 9 Jun 2008, John Ioannidis wrote:
| Date: Mon, 09 Jun 2008 15:08:03 -0400
| From: John Ioannidis [EMAIL PROTECTED]
| To: Leichter, Jerry [EMAIL PROTECTED]
| Cc: cryptography@metzdowd.com
| Subject: Re: Ransomware
|
| Leichter, Jerry wrote:
| Computerworld reports:
|
| http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818
|
| This is no different than suffering a disk crash. That's what backups are
| for.
|
| /ji
|
| PS: Oh, backups you say.

Bontchev's comment as well. Of course, there is one way this can be much worse than a disk crash: a clever bit of malware can sit there silently and encrypt files you don't seem to be using much. By the time it makes its ransom demands, you may find you have to go back days or even weeks in your backups to get valuable data back.

Even worse, targeted malware could attack your backups. If it encrypted the data on the way to the backup device, it could survive silently for months, by which time encrypting the live data and demanding the ransom would be a very credible threat. (Since many backup programs already offer encryption, hooking it might just involve changing the key. It's always so nice when your opponent provides the mechanisms needed to attack him.)

-- Jerry
Re: A call for aid in cracking a 1024-bit malware key
Steven M. Bellovin wrote:
> According to http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818intsrc=hm_list%3E%20articleId=9094818intsrc=hm_list some new malware is encrypting files with a 1024-bit RSA key. Victims are asked to pay a ransom to get their files decrypted. So -- can the key be factored?

I saw a similar story reported on Slashdot a few days ago. I wonder if the malware authors cited Adam Young and Moti Yung? They hypothesized about such malware a few years ago: http://en.wikipedia.org/wiki/Cryptovirology

-James
Re: Ransomware
John Ioannidis wrote:
> This is no different than suffering a disk crash. That's what backups are for.

At Jim Gray's tribute on the 31st, Bruce Lindsay gave a talk about how Jim's formalization of transaction processing enabled online transactions ... i.e. needed trust in the integrity of transactions as a prerequisite to move from manual/paper processes.

In the early 90s, when glasshouse and mainframes were seeing a significant downturn in their use ... with lots of stuff moving off to PCs, there was a study that half of the companies that had a disk failure involving (business) data that wasn't backed up ... filed for bankruptcy within 30 days. The issue was that the glasshouse tended to have all sorts of business processes to back up business-critical data. Disk failures that lost stuff like billing data had a significant impact on cash flow (there was a case of a large telco that had a bug in its nightly backup, and when the disk crashed with customer billing data ... they found that they didn't have valid backups).

Something similar also showed up in the Key Escrow meetings in the mid-90s with regard to business data that was normally kept in encrypted form ... i.e. it would require replicated key backup/storage in order to retrieve the data (countermeasure to a single point of failure). Part of the downfall of key escrow was that it seemed to want all keys ... not just the infrastructure where a business needed to have replicated its own keys.
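Two failure modes come up in this thread: Jerry Leichter's scenario of malware that encrypts data on its way to the backup device, so the backups are silently useless, and the telco anecdote above, where a backup bug was only discovered once the live disk had crashed. Both are caught by the same control: routinely compare what actually landed on the backup medium against the live data, and treat a copy that differs and looks like ciphertext as a distinct alarm. The following is an added example written for this digest, not code from any list participant; the file names, contents and the 7.5 bits/byte entropy threshold are constructed, and the "backup set" is an in-memory dict standing in for a restore from tape.

```python
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare a live file with its backup copy."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for ciphertext or
    compressed data, typically well under 6 for text and structured records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(source: dict, backup: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare each live file to the copy that actually landed on the backup medium.

    Keys of the returned report:
      ok         - backup copy is byte-identical to the live file
      missing    - no copy of the file exists in the backup set
      suspicious - copy differs AND looks encrypted (high entropy) although the
                   live file does not: the signature of a hooked backup path
      mismatch   - copy differs for some other reason (stale, truncated, ...)
    """
    report = {"ok": [], "missing": [], "suspicious": [], "mismatch": []}
    for name, live in source.items():
        copy = backup.get(name)
        if copy is None:
            report["missing"].append(name)
        elif sha256_hex(copy) == sha256_hex(live):
            report["ok"].append(name)
        elif (shannon_entropy(copy) >= entropy_threshold
              and shannon_entropy(live) < entropy_threshold):
            report["suspicious"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def _pseudorandom(n_blocks: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed
    sample data, so the demo gives the same answer on every run)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


def build_sample() -> tuple:
    """Constructed sample: four live files and a backup set in which one copy was
    encrypted in transit, one is a stale partial copy, and one never arrived."""
    invoices = b"invoice,1001,ACME Corp,2008-06-09,1450.00\n" * 100
    ledger = b"2008-06-08,credit,200.00\n2008-06-09,debit,75.25\n" * 50
    contacts = b"Alice,ext 201\nBob,ext 202\n" * 40
    notes = b"meeting notes: backup window moved to 02:00\n" * 20
    source = {"invoices.csv": invoices, "ledger.csv": ledger,
              "contacts.csv": contacts, "notes.txt": notes}
    backup = {
        "invoices.csv": invoices,                                            # intact copy
        "ledger.csv": _pseudorandom(len(ledger) // 32 + 1)[:len(ledger)],   # encrypted on the way to tape
        "contacts.csv": contacts[:len(contacts) // 2],                       # stale, truncated copy
        # notes.txt never made it into the backup set
    }
    return source, backup


def run_demo() -> dict:
    source, backup = build_sample()
    return verify_backup(source, backup)


if __name__ == "__main__":
    for status, names in run_demo().items():
        print(f"{status:>10}: {', '.join(names) or '-'}")
```

The hash comparison alone would have exposed the telco's bad nightly backup before the crash; the entropy test is what separates "the backup job is broken" from "something is encrypting the backup stream", which is the case where the restore point you need may be months old. In practice the check runs against a trial restore, not against the backup catalogue's own metadata, since a hooked backup path can report success for data it has already encrypted.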
skype claims they have no technical means to assist wiretapping
Excerpt:

> Jennifer Caukin, Skype's director of corporate communications replied to us: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."

http://news.cnet.com/8301-13578_3-9963028-38.html?part=rsstag=feedsubj=TheIconoclast

-- 
Perry E. Metzger [EMAIL PROTECTED]
survey of instant messaging privacy
Also from Declan McCullagh today, a full survey of instant message service security:

http://news.cnet.com/8301-13578_3-9962106-38.html?part=rsstag=feedsubj=TheIconoclast

-- 
Perry E. Metzger [EMAIL PROTECTED]
Re: survey of instant messaging privacy
Perry E. Metzger wrote:
> Also from Declan McCullagh today, a full survey of instant message service security:
> http://news.cnet.com/8301-13578_3-9962106-38.html?part=rsstag=feedsubj=TheIconoclast

Interesting. Of course, with the possible exception of Skype, only the over-the-network part of the communication is protected. The IM providers can still give the contents of your communications to third parties. As OTR has shown, it's not hard to do end-to-end crypto even if you don't have direct client connectivity. Makes one wonder why the default clients don't have the functionality :)

/ji, Pidgin user