Re: The wisdom of the ill informed
Allen <[EMAIL PROTECTED]> writes:
>> There are well-attended conferences, papers published online and in many
>> journals, etcetera. So it's not so difficult for people who don't know
>> anything about security and crypto to eventually figure out who does, in
>> the process also learning who else knows who the experts are.
>
> Actually I think it is just about as difficult to tell who is a
> trustworthy expert in the field of cryptography as it is in any field
> of science or medicine.

Indeed. In fact, one even finds many people who post to public mailing lists who know less than they should.

However, it is reasonably straightforward to figure out who knows what in a given field. Things like citation indexes, journal impact factors and such make a number of these things reasonably easy even for the outsider, provided that outsider knows what they're doing. One can also go through the expedient of finding what a substantial number of practitioners think. If most have one opinion, and one or two who don't seem terribly sane have a very different one, you know who's who.

One of the most interesting things I find about most fields is the fact that people who are incompetent very often fancy themselves experts. There's a great study on this subject -- usually the least competent people are the ones that feel highly confident in their skills, while the people who aren't have more doubts. One sees this very phenomenon on this very list, and not infrequently.

Perry

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: The wisdom of the ill informed
Ed Gerck <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] wrote:
>> So I hold the PIN constant and vary the bank account number.
>
> This is, indeed, a possible attack considering that the same IP may be
> legitimately used by different users behind NAT firewalls and/or with
> dynamic IPs. However, there are a number of reasons, and evidence, why
> this attack can be (and has been) prevented even for a short PIN:

You're completely wrong here. Let's go through just two of the ways.

> 1. there is a much higher number of combinations in a 12-digit account
> number;

There is a lot of structure in most bank account numbers. The space is pretty easy to narrow down if you do a nickel's worth of homework. For example, a typical bank might have the first three digits code for the branch (and a list of branches is easy to find), and several of the additional numbers code for account type, plus the space of remaining numbers is not exactly randomly assigned. If you need typical account numbers to examine to learn such secrets, you can buy them in bulk online these days. I suspect that currently invalid accounts are probably even cheaper than valid ones, though they're not a stock item -- you would have to ask to get them.

> 2. banks are able to selectively block IP numbers for the /same/
> browser and /same/ PIN after 4 or 3 wrong attempts,

Not really. These days, there are people hijacking huge IP blocks for brief periods for spamming. People also hijack vast numbers of zombie machines. Either technology is easily used to prevent block-by-IP from doing squat for you.

I'm sure you will now go on about some other way to evade Dan's crucial point, but it should be obvious to almost anyone that you're not thinking like the bad guys. If you really want to go on about this, though, I'll let you have as much rope as you like, though only for a post or two as I don't want to bore people.

In any case, there are a large number of reasons US banks don't (generally) require or even allow anyone to enter PINs for authentication over the internet. I don't know much about the practices of foreign banks, as for the most part I consult in the US.

Perry
--
Perry E. Metzger [EMAIL PROTECTED]
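The exchange between Dan, Ed and Perry above, modelled in code as an added example that is not part of the thread: Dan's attack (hold one PIN, vary the account), Ed's per-IP block after a few failures, and Perry's point that a botnet rotating source addresses makes a per-IP block worthless. The example goes a little beyond the thread by also including the per-account lockout and a spray detector that counts how many distinct accounts a single guessed value has failed on, so the two defences can be compared on the same constructed customer base. Everything in it is assumed for illustration: the lockout threshold of three failures, the spray threshold of 25 accounts, the account numbers, the source addresses, and the constructed PIN distribution in which five percent of customers chose "1234" (a stand-in for the skew of real PIN choices, not a figure from the thread).

```python
# Added example, not from the thread: toy model of Dan's PIN spray (hold the
# PIN, vary the account) against Ed's per-IP block, Perry's botnet evasion
# and a per-account lockout.  Accounts, PINs, IPs, thresholds: constructed.
import hashlib
import itertools
import random
from collections import defaultdict

PIN_SPACE = 10_000       # 4-digit numeric PIN
MAX_FAILS = 3            # assumed lockout threshold ("after 3 or 4 tries")
SPRAY_THRESHOLD = 25     # assumed: one guess failing on this many distinct
                         # accounts is reported as a spray
BOTNET = [f"bot-{i}" for i in range(10_000)]   # constructed source IPs


def expected_yield(n_accounts, guesses_per_account, pin_space=PIN_SPACE):
    """Accounts an attacker expects to open if PINs were uniform and each
    account allowed `guesses_per_account` attempts before locking."""
    return n_accounts * guesses_per_account / pin_space


def make_accounts(n, seed=2008, common_share=0.05):
    """Constructed customer base: a share pick '1234', the rest are uniform."""
    rng = random.Random(seed)
    return {f"ACCT-{i:06d}": ("1234" if rng.random() < common_share
                             else f"{rng.randrange(PIN_SPACE):04d}")
            for i in range(n)}


class ToyBank:
    """Login endpoint with a per-IP block (Ed's defence), an optional
    per-account lockout, and a spray detector keyed on the guessed value."""

    def __init__(self, pins, per_account=False):
        self.pins, self.per_account = pins, per_account
        self.ip_fails, self.acct_fails = defaultdict(int), defaultdict(int)
        self.accounts_per_guess = defaultdict(set)
        self.blocked_ips, self.locked_accounts = set(), set()
        self.spray_alerts = set()

    @staticmethod
    def tag(pin):
        # Hashing a 4-digit PIN hides nothing (10^4 candidates); it only
        # keeps the clear guess out of the counters and logs.
        return hashlib.sha256(pin.encode()).hexdigest()[:16]

    def login(self, ip, account, pin):
        """Returns 'ok', 'fail' or 'blocked'; failures feed the counters."""
        if ip in self.blocked_ips or account in self.locked_accounts:
            return "blocked"
        if self.pins.get(account) == pin:
            return "ok"
        self.ip_fails[ip] += 1
        self.acct_fails[account] += 1
        t = self.tag(pin)
        self.accounts_per_guess[t].add(account)
        if self.ip_fails[ip] >= MAX_FAILS:
            self.blocked_ips.add(ip)
        if self.per_account and self.acct_fails[account] >= MAX_FAILS:
            self.locked_accounts.add(account)
        if len(self.accounts_per_guess[t]) >= SPRAY_THRESHOLD:
            self.spray_alerts.add(t)       # one guess, many accounts: a spray
        return "fail"


def spray(bank, candidates, ip_pool):
    """Dan's attack: each candidate PIN against every account.  With more
    than one IP the attacker rotates before the per-IP threshold trips."""
    ips = itertools.cycle(ip_pool)
    ip, fails_on_ip = next(ips), 0
    compromised, attempts = set(), 0
    for account in bank.pins:
        for pin in candidates:
            if len(ip_pool) > 1 and fails_on_ip >= MAX_FAILS - 1:
                ip, fails_on_ip = next(ips), 0
            status = bank.login(ip, account, pin)
            attempts += 1
            if status == "ok":
                compromised.add(account)
                break
            if status == "blocked":
                break                      # locked account or dead IP
            fails_on_ip += 1
    return {"attempts": attempts, "compromised": compromised}


def legitimate_traffic(bank, seed=1):
    """Every customer mistypes once, then logs in, each from their own IP."""
    rng = random.Random(seed)
    for i, (account, pin) in enumerate(bank.pins.items()):
        typo = f"{(int(pin) + rng.randrange(1, PIN_SPACE)) % PIN_SPACE:04d}"
        bank.login(f"user-{i}", account, typo)
        bank.login(f"user-{i}", account, pin)


def demo(n=2000):
    """Three attacker scenarios over the same constructed customer base."""
    pins = make_accounts(n)
    one_ip, botnet, locking = ToyBank(pins), ToyBank(pins), ToyBank(pins, True)
    return {"single_ip": len(spray(one_ip, ["1234"], ["1.2.3.4"])["compromised"]),
            "botnet": len(spray(botnet, ["1234"], BOTNET)["compromised"]),
            "botnet_vs_lockout": len(spray(locking, ["1234", "0000", "1111", "2580"],
                                           BOTNET)["compromised"]),
            "spray_alert": ToyBank.tag("1234") in botnet.spray_alerts,
            "uniform_bound": expected_yield(n, MAX_FAILS)}
```

Running `demo()` shows the three outcomes side by side: a single source address is blocked after three failures and gets almost nothing; the same guess from rotating addresses opens every account whose PIN it is, with no address ever blocked, which is Perry's objection in one number; and a per-account lockout caps the attacker at `MAX_FAILS` guesses per account, so the yield is bounded by the uniform-PIN figure `expected_yield(n, MAX_FAILS)` only if customers actually chose uniformly, and is far higher on a skewed distribution. The lockout also hands anyone who can enumerate account numbers a denial of service against every customer, which is the false-detection cost Ed alludes to; the spray counter is a detection signal that costs nothing to legitimate users, since a mistyped PIN fails on one account, not on dozens.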
Re: The wisdom of the ill informed
"James A. Donald" <[EMAIL PROTECTED]> writes:
> Arshad Noor wrote:
>> While programmers or business people could be ill-informed, Allen,
>> I think the greater danger is that IT auditors do not know enough
>> about cryptography, and consequently pass unsafe business processes
>> and/or software as being secure.
>
> Committees of experts regularly get cryptography wrong - consider, for
> example the Wifi debacle. Each wifi release contains classic and
> infamous errors - for example WPA-Personal is subject to offline
> dictionary attack.

The initial WEP design was done without cryptography experts. The design of subsequent generations of WiFi security was designed in the face of backward compatibility constraints that severely limited the space of possible designs.

I would claim that this is not an example of crypto experts getting it wrong at all -- it is, in fact, an example of what can go wrong when people who don't know what they're doing design cryptography into something that's very widely deployed.

Perry
Re: The wisdom of the ill informed
Allen wrote:
> During the transmission from an ATM machine 4 numeric characters are probably safe because the machines use dedicated dry pair phone lines for the most part, as I understand the system. This, combined with triple DES, makes it very difficult to compromise or do a MIM attack because one can not just tap into the lines remotely.

We are in agreement. Even short PINs could be safe in a bank-side authenticated (no MITM) SSL connection with 128-bit encryption. What's also needed is to block multiple attempts after 3 or 4 tries, in both the ATM and the SSL online scenarios.

Cheers,
Ed Gerck
Re: The wisdom of the ill informed
On Mon, Jun 30, 2008 at 11:47:54AM -0700, Allen wrote:
> Nicolas Williams wrote:
>> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>>> Given this, the real question is, /"Quis custodiet ipsos custodes?"/
>>
>> Putting aside the fact that cryptographers aren't custodians of
>> anything, it's all about social institutions.
>
> Well, I wouldn't say they aren't custodians. Perhaps not in the
> sense that the word is commonly used, but most certainly in the
> sense custodians of the wisdom used to make the choices. This is
> exemplified by Bruce Schneier, an "acknowledged expert," changing
> his mind about the way to do security from "encrypt everything" to
> "monitor everything." Yes, I have simplified his stance, but just to
> make the point that even experts learn and change over time.

What does that have to do with anything? Expert != knowledge cast in stone.

>> There are well-attended conferences, papers published online and in many
>> journals, etcetera. So it's not so difficult for people who don't know
>> anything about security and crypto to eventually figure out who does, in
>> the process also learning who else knows who the experts are.
>
> Actually I think it is just about as difficult to tell who is a
> trustworthy expert in the field of cryptography as it is in any
> field of science or medicine. Just look at the junk science and
> medical studies. One retrospective study of 90+ clinical trials
> found that over 600 potentially important reactions to the drugs
> occurred but only 39 were reported in the papers. I suspect if we
> did the same sort of retrospective study for cryptography we would
> find some similar issues, just, perhaps, not as large because there
> is not as much money to be made with junk cryptography as junk
> pharmaceuticals.

The above does not really refute what I wrote. It takes effort to figure out who's an expert. But I believe that the situation w.r.t. crypto is similar to that in science (cold fusion frauds were identified rather quickly, were they not?) and better than in medicine (precisely because there is not much commercial incentive to fraud here; there is incentive for intelligence organizations to interfere, I suppose, but here the risk of getting caught is high and the potential cost of getting caught high as well).

> I'm curious, how does software get sold for so long that is clearly
> weak or broken? Detected, yes, but still sold like Windows LANMAN
> backward compatibility.

I thought we were talking about cryptographers, not marketing departments, market dynamics, ... If you want to include the latter in "custodes" then there is a clear custody hierarchy: the community of experts in the field is above individual implementors. Thus we have reports of snake oil on this list, on various blogs, etc... So we're back to "quis custodiet ipsos custodes?" Excluding marketing here is the right thing to do (see above). Which brings us back to my answer.

>> When it comes to expertise in crypto, Quis custodiet ipsos custodes
>> seems like a relatively simple problem. I'm sure it's much, much more
>> difficult a problem for, say, police departments, financial
>> organizations, intelligence organizations, etc...
>
> Well, Nico, this is where I diverge from your view. It is the
> "police departments, financial organizations, intelligence
> organizations, etc..." who deploy the cryptography. Why should they

In my experience market realities have much more to do with what gets deployed than the current state of the art does; never mind who the experts are. "We'd love to deploy technology X, but in our heterogeneous network only one quarter of the vendors support X, and only if we upgrade systems, which requires QA testing, which..." -- surely you've run into that sort of situation, amongst others.

Legacy, broken code dwarfs snake oil in terms of deployment; legacy != snake oil -- we're allowed to learn, as you yourself point out.

Nico
--
Re: The wisdom of the ill informed
Nicolas Williams wrote:
> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>> Given this, the real question is, /"Quis custodiet ipsos custodes?"/
>
> Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions.

Well, I wouldn't say they aren't custodians. Perhaps not in the sense that the word is commonly used, but most certainly in the sense custodians of the wisdom used to make the choices. This is exemplified by Bruce Schneier, an "acknowledged expert," changing his mind about the way to do security from "encrypt everything" to "monitor everything." Yes, I have simplified his stance, but just to make the point that even experts learn and change over time.

> There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.

Actually I think it is just about as difficult to tell who is a trustworthy expert in the field of cryptography as it is in any field of science or medicine. Just look at the junk science and medical studies. One retrospective study of 90+ clinical trials found that over 600 potentially important reactions to the drugs occurred but only 39 were reported in the papers. I suspect if we did the same sort of retrospective study for cryptography we would find some similar issues, just, perhaps, not as large because there is not as much money to be made with junk cryptography as junk pharmaceuticals.

> For example, in the IETF there's an institutional structure that makes finding out who to ask relatively simple. Large corporations tend to have some experts in house, even if they are only expert in finding the real experts.
>
> We (society) have new experts joining the field, with very low barriers to entry (financial and political barriers to entry are minimal -- it's all about brain power), and diversity amongst the existing experts. There's no major personal gain to be had, besides fame, and too much diversity and openness for anyone to have a prayer of manipulating the field undetected for too long.

I'm curious, how does software get sold for so long that is clearly weak or broken? Detected, yes, but still sold like Windows LANMAN backward compatibility.

> When it comes to expertise in crypto, Quis custodiet ipsos custodes seems like a relatively simple problem. I'm sure it's much, much more difficult a problem for, say, police departments, financial organizations, intelligence organizations, etc...

Well, Nico, this is where I diverge from your view. It is the "police departments, financial organizations, intelligence organizations, etc..." who deploy the cryptography. Why should they be able to do that any better than they do anything else? I suspect that a weakness in oversight in one area is likely to reflect a weakness in others as well. Not total failure, just not done the best possible.

Best,
Allen
Re: The wisdom of the ill informed
[EMAIL PROTECTED] wrote:
> Ed Gerck writes:
> -+--
> | ...
> | Not so fast. Bank PINs are usually just 4 numeric characters long and
> | yet they are considered /safe/ even for web access to the account
> | (where a physical card is not required).
> |
> | Why? Because after 4 tries the access is blocked for your IP number
> | (in some cases after 3 tries).
> | ...
>
> So I hold the PIN constant and vary the bank account number.

Dan,

This is, indeed, a possible attack considering that the same IP may be legitimately used by different users behind NAT firewalls and/or with dynamic IPs. However, there are a number of reasons, and evidence, why this attack can be (and has been) prevented even for a short PIN:

1. there is a much higher number of combinations in a 12-digit account number;

2. banks are able to selectively block IP numbers for the /same/ browser and /same/ PIN after 4 or 3 wrong attempts, with a small false detection probability for other users of the same IP (who are not blocked). I know one online system that has been using such method for protecting webmail accounts, with several attacks logged but no compromise and no false detection complaints in 4 years.

3. some banks reported that in order to satisfy FFIEC requirements for two-factor authentication, but without requiring the customer to use anything else (eg, a dongle or a "battle ship map"), they were detecting the IP, browser information and use patterns as part of the authentication procedure. This directly enables #2 above.

I also note that the security problem with short PINs is not much different than that with passwords, as users notoriously choose passwords that are easy to guess. However, an online system that is not controlled by the attacker is able to likewise prevent multiple password tries, or multiple account tries for the same password.

Cheers,
Ed Gerck
Re: The wisdom of the ill informed
Ed Gerck wrote:
> Allen wrote:
>> Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters! My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.
>
> Not so fast. Bank PINs are usually just 4 numeric characters long and yet they are considered /safe/ even for web access to the account (where a physical card is not required).
>
> Why? Because after 4 tries the access is blocked for your IP number (in some cases after 3 tries).
>
> The question is not only how many combinations you have but also how much time you need to try enough combinations so that you can succeed.
>
> I'm not defending the designers of that email system, as I do not know any specifics -- I'm just pointing out that what you mention is not necessarily a problem and may be even safer than secure online banking today.

Indeed it might be more secure *if* the file was not downloaded as opposed to accessed via a web site.

That aside, I believe the ATM PINs have been compromised recently, not by direct entry, but rather by harvesting them off the server where they were stored, so I would not say that they are "safe" anymore. I believe the same applies to web access to your account.

My banks allow more than 4 numeric characters. They use a key space of 64 characters and with a 12 character password it would take about 1.5*10^5 years to generate the Rainbow table in 1 petabyte of storage at 1*10^9 hashes per second. After you have the table it would take about 1.9*10^5 to crack the password. (As the storage space goes down the time to crack goes up because of the number of possibilities between points but the initial time to generate the table is the same.)

During the transmission from an ATM machine 4 numeric characters are probably safe because the machines use dedicated dry pair phone lines for the most part, as I understand the system. This, combined with triple DES, makes it very difficult to compromise or do a MIM attack because one can not just tap into the lines remotely. One has to get on the line from the machine to the CO to get the data and then decrypt.

Best,
Allen
Re: The wisdom of the ill informed
Ed Gerck writes:
-+--
| ...
| Not so fast. Bank PINs are usually just 4 numeric characters long and
| yet they are considered /safe/ even for web access to the account
| (where a physical card is not required).
|
| Why? Because after 4 tries the access is blocked for your IP number
| (in some cases after 3 tries).
| ...

So I hold the PIN constant and vary the bank account number.

--dan
Re: The wisdom of the ill informed
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
> Given this, the real question is, /"Quis custodiet ipsos custodes?"/

Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions. There are well-attended conferences, papers published online and in many journals, etcetera. So it's not so difficult for people who don't know anything about security and crypto to eventually figure out who does, in the process also learning who else knows who the experts are.

For example, in the IETF there's an institutional structure that makes finding out who to ask relatively simple. Large corporations tend to have some experts in house, even if they are only expert in finding the real experts.

We (society) have new experts joining the field, with very low barriers to entry (financial and political barriers to entry are minimal -- it's all about brain power), and diversity amongst the existing experts. There's no major personal gain to be had, besides fame, and too much diversity and openness for anyone to have a prayer of manipulating the field undetected for too long.

When it comes to expertise in crypto, Quis custodiet ipsos custodes seems like a relatively simple problem. I'm sure it's much, much more difficult a problem for, say, police departments, financial organizations, intelligence organizations, etc...

Nico
--
Re: The wisdom of the ill informed
James A. Donald wrote:
> Committees of experts regularly get cryptography wrong - consider, for example the Wifi debacle. Each wifi release contains classic and infamous errors - for example WPA-Personal is subject to offline dictionary attack.
>
> One would have thought that after the first disaster they would have hired someone who could do it right, but as Ian long ago pointed out, in "the market for silver bullets", they are unable to tell who can do it right. The only people who know who the real experts are, are the real experts. If you knew who to hire, you could do it yourself, and probably should do it yourself. So they hire expert salesmen, not cryptography experts.

the other scenario was that the cryptography part was done from such a myopic standpoint ... that they failed to consider the end-to-end infrastructure. I've repeatedly heard excuses that the cryptographers in the wifi debacle believed that they could only design a solution based on significant hardware restrictions/constraints.

part of what i observed ... by the time any of them shipped ... the hardware restrictions/constraints no longer existed.

the other thing that i observed was that with relatively trivial knowledge about chips ... it was possible to come up with an integrated solution that incorporated both the necessary hardware and the necessary cryptography ... there has got to be some analogy here someplace about the blind trying to describe an elephant; in addition to the "point solution" analogy, failing to take in the overall infrastructure.

i've repeatedly claimed that we did that in the AADS chip strawman solution
http://www.garlic.com/~lynn/x959.html#aads
that including addressing all the issues that showed up in scenarios like with the "yes cards"
http://www.garlic.com/~lynn/subintegrity.html#yescards
Re: The wisdom of the ill informed
Arshad Noor wrote:
> While programmers or business people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.
>
> This is the reason why we in the OASIS Enterprise Key Management Infrastructure Technical Committee have made educating IT Auditors and providing them guidelines on how to audit symmetric key-management infrastructures, one of the four (4) primary goals of the TC.
>
> While the technology is well understood by most people on this forum, until we educate the gate-keepers, we have failed in our jobs to secure IT infrastructure.

Yep. It seems like we've had a bit of this conversation recently, haven't we? ;->

And it is not just the gatekeepers, but also the users who need education. We know that we will not have enough "gatekeepers" to watch all users and uses. Given this, the real question is, /"Quis custodiet ipsos custodes?"/ (Given as either "Who will watch the watchers themselves?" or "Who will guard the guardians?" from Juvenal.)

Here we have the perfect examples of the conundrum in No Such Agency or the Company, who evade oversight or it is so obfuscated that the watchers at the political level either don't know what is really going on or they are complicit. Funny how something as off the main track of society as cryptography still reflects the identical problems of the greater whole, isn't it?

I also argue that badly structured protocol requirements that potentially obfuscate what is going on is a serious issue as well. Then too, there is documentation that does not get down to the bare metal, so to speak, so that those who are not skilled at reading code, and its implications, can understand what is going on. The Romans knew that and made it law: /Quod non est in actis, non est in mundo./ ("What is not in the documents does not exist")

All of this requires team thinking so that everyone who is looking at the issues involved, no matter from what direction, creator, auditor or end user, gets "it."

Allen

> Arshad Noor
> StrongAuth, Inc.
>
> Allen wrote:
>> Hi gang,
>>
>> All quiet on the cryptography front lately, I see. However, that does not prevent practices that *appear* like protection but are not even as strong as wet toilet paper.
>>
>> I had to order a medical device today and they need a signed authorization for payment by my insurance carrier. No biggie. So they ask how I want it sent to me and I said via e-mail. Okay. /Then/ they said it was an encrypted file and I thought, cool.
>>
>> How wrong could I be? Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters! My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.
Re: Why doesn't Sun release the crypto module of the OpenSPARC?
On Fri, Jun 27, 2008 at 12:19:04PM -0700, zooko wrote:
> and probably other commodity products). Likewise newfangled ciphers like
> Salsa20 and EnRUPT will be considered by me to be faster than AES (because
> they are faster in software) rather than slower (because AES might be built
> into the commodity hardware).

The calculus on AES may change in the nearish future: Intel is adding AES instructions in upcoming processors, and AMD is adding another set of instructions in SSE5 to assist AES implementations. AMD claims a 5x speedup for AES using SSE5 versus plain x86-64 instructions [2]; I have not yet seen performance estimates for the Intel instructions.

-Jack

[1]: http://softwarecommunity.intel.com/articles/eng/3788.htm
[2]: http://www.ddj.com/hpc-high-performance-computing/201803067
Re: The wisdom of the ill informed
Arshad Noor wrote:
> While programmers or business people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure.

Committees of experts regularly get cryptography wrong - consider, for example the Wifi debacle. Each wifi release contains classic and infamous errors - for example WPA-Personal is subject to offline dictionary attack.

One would have thought that after the first disaster they would have hired someone who could do it right, but as Ian long ago pointed out, in "the market for silver bullets", they are unable to tell who can do it right. The only people who know who the real experts are, are the real experts. If you knew who to hire, you could do it yourself, and probably should do it yourself. So they hire expert salesmen, not cryptography experts.
Re: The wisdom of the ill informed
Allen wrote:
> Very. The (I hate to use this term for something so pathetic) password for the file is 6 (yes, six) numeric characters! My 6 year old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible.

Not so fast. Bank PINs are usually just 4 numeric characters long and yet they are considered /safe/ even for web access to the account (where a physical card is not required).

Why? Because after 4 tries the access is blocked for your IP number (in some cases after 3 tries).

The question is not only how many combinations you have but also how much time you need to try enough combinations so that you can succeed.

I'm not defending the designers of that email system, as I do not know any specifics -- I'm just pointing out that what you mention is not necessarily a problem and may be even safer than secure online banking today.

Cheers,
Ed Gerck