Re: Strength in Complexity?

2008-07-01 Thread Perry E. Metzger

[EMAIL PROTECTED] (Peter Gutmann) writes:
> "Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>
>>No. In fact, it is about as far from the truth as I've ever seen. No real
>>expert would choose to deliberately make a protocol more complicated.
>
> IPsec.  Anything to do with PKI.  XMLdsig.  Gimme a few minutes and I can
> provide a list as long as your arm.  Protocol designers *love* complexity.
> The more complex and awkward they can make a protocol, the better it has to
> be.

The problem, Peter, is that people who don't know you may mistake your
sarcasm for agreement with misconception in the article Arshad quoted.

Oh, and by the way, you missed half a dozen failed secure mail
protocols, SET (the Wikipedia article for SET really needs to be
changed from present to past tense), and 20 other easy examples. It is
sort of like shooting fish in a barrel, isn't it?

The point is not that fools (often including us) haven't built
monstrous ziggurats that failed. The point is that no one rational
should *SEEK* to make a protocol into monstrous ziggurat on the basis
that this will improve security, and don't pretend you don't agree,
because most of us know you better than that.

Perry
-- 
Perry E. Metzger  [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Strength in Complexity?

2008-07-01 Thread Arshad Noor

Steven M. Bellovin wrote:

> I did see one possible red flag in
> the article: "the key server verifies the client request, then
> encrypts, digitally signs, and escrows the key in a database".
> Escrowed keys are potentially *very* dangerous, but without knowing
> just what's being stored and how it's being protected, I can't say
> more.

I appreciate the affirmation from Perry and Steven (so far) that
I'm not off-base wrt designing security with simplicity in mind.
I will confirm that security has taken precedence over simplicity
where it was necessary to make a trade-off and where security was
the primary goal.

To respond to your concern, Steven, the escrowed symmetric keys
are encrypted using a Public Key from an asymmetric key-pair (the
recommended key-size is 2048-4096 bits RSA).

The Private Key of the RSA key-pair capable of decrypting the
escrowed keys is recommended to be generated and stored on a FIPS
140-2 Level 3 (or greater) certified HSM.

For activating the HSM to use the Private Key by the SKMS service,
it is recommended to use M of N FIPS-certified smartcards for strong
authentication, so that no single individual is capable of accessing
the Private Key (and consequently, any of the escrowed symmetric
keys) on their own.

(For those interested, an ACM paper on an earlier DRAFT version of
the protocol/architecture of the SKSML protocol is available at:
http://middleware.internet2.edu/idtrust/2008/papers/07-noor-ekmi.pdf
I hope to inform this forum of the public availability of a more
recent DRAFT of the protocol within the next two weeks, for review
and comments.  We, on the OASIS committee, will be grateful for any
feedback we get from this forum).

My understanding of cryptography, after spending 9 years deploying
PKIs - large and small - is that it is necessary to use a combination
of strong technology and procedures for effective security.  Relying
on just one component alone can lead to a breakdown in security (as
my experience has shown me).

Arshad Noor
StrongAuth, Inc.



Re: Strength in Complexity?

2008-07-01 Thread Peter Gutmann
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>No. In fact, it is about as far from the truth as I've ever seen. No real
>expert would choose to deliberately make a protocol more complicated.

IPsec.  Anything to do with PKI.  XMLdsig.  Gimme a few minutes and I can
provide a list as long as your arm.  Protocol designers *love* complexity.
The more complex and awkward they can make a protocol, the better it has to
be.

Peter.



Re: Strength in Complexity?

2008-07-01 Thread Peter Gutmann
Arshad Noor <[EMAIL PROTECTED]> writes:

>In light of the recent discussions about experts in cryptography, I thought
>I'd ask this forum to comment on the above author's statement: is this true?
>
>Do cryptography experts deliberately choose complexity over simplicity when
>the latter might provide the same strength of protection?

It's true to some extent.  For most crypto protocols, usability is job #8,107,
right after "did we get the punctuation right in the footnotes for the third
appendix?".

Peter.



Re: Strength in Complexity?

2008-07-01 Thread Steven M. Bellovin
On Tue, 01 Jul 2008 12:12:26 -0700
Arshad Noor <[EMAIL PROTECTED]> wrote:

> The author of an article that appeared in InformationWeek this week
> (June 30, 2008) on Enterprise Key Management Infrastructure (EKMI):
> 
> http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800937
> 
> states the following:
> 
> "There are, of course, obstacles that must still be overcome by EKMI 
> proponents. For example, the proposed components are somewhat simple
> by design, which concerns some encryption purists who prefer more
> complex protocols, on the logic that they're more difficult to break
> into."
> 
> In light of the recent discussions about experts in cryptography,
> I thought I'd ask this forum to comment on the above author's
> statement: is this true?
> 
> Do cryptography experts deliberately choose complexity over simplicity
> when the latter might provide the same strength of protection?  Since
> I do not consider myself a cryptography expert, and have instinctively
> preferred simpler - but strong - technical solutions, have my
> instincts been wrong all along?  TIA.
> 
No, no one competent would deliberately opt for complexity.  However,
there's a quote I've seen attributed to Einstein to remember:
"Everything should be as simple as possible, but no simpler."
Sometimes, extra complexity is due to the need to deflect certain
attacks, such as replays and cut-and-paste.  It's quite possible that
the original, simpler design isn't resistant to some threats, either
because the designers weren't aware of them or because they felt that
they weren't credible in their environment.  Without more details than
are in the article (and I don't have the time or energy to read through
those documents), it's hard to say.  I did see one possible red flag in
the article: "the key server verifies the client request, then
encrypts, digitally signs, and escrows the key in a database".
Escrowed keys are potentially *very* dangerous, but without knowing
just what's being stored and how it's being protected, I can't say more.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: Strength in Complexity?

2008-07-01 Thread Perry E. Metzger

Arshad Noor <[EMAIL PROTECTED]> writes:
> "There are, of course, obstacles that must still be overcome by EKMI
> proponents. For example, the proposed components are somewhat simple
> by design, which concerns some encryption purists who prefer more
> complex protocols, on the logic that they're more difficult to break
> into."
>
> In light of the recent discussions about experts in cryptography,
> I thought I'd ask this forum to comment on the above author's
> statement: is this true?
>
> Do cryptography experts deliberately choose complexity over simplicity
> when the latter might provide the same strength of protection?

No. In fact, it is about as far from the truth as I've ever
seen. No real expert would choose to deliberately make a protocol more
complicated.

Complexity makes a protocol hard to analyze, and thus makes it hard to
know if the protocol is secure. The author of the quoted article, one
Dan Brown, clearly does not know how cryptographic protocol experts
analyze a protocol. (I've CCed him on this message to give him a
chance to reply, and I'll forward his replies if they're interesting.)

Indeed, I've often seen people forced to alter a protocol specifically
to make it analyzable -- see, for example, the JFK protocol that was
proposed in the IETF as an IKE replacement, which was formally
verified only after it had been changed specifically to improve the
ability to analyze it.

Complexity also makes secure implementation of a protocol much
harder. Indeed, it often makes it impossible to really know that an
implementation is secure even if it appears to meet the
specification. For example, see the numerous encoder flaws that have
been found over the years in protocols like SNMP specifically because
producing a safe ASN.1 compiler is so hard. For another example, see
the enormous interoperability challenges that people have had with
X.509 certificates, many of which have had security implications,
because the complexity has made proper operation in all instances
extremely difficult to implement.

Complexity also does not make something "harder to break
into". Indeed, it is usually the complexity of a system that provides
the unintended edge conditions necessary to find a hole. If anything,
simple systems are (usually) harder to find flaws in.

In general, complexity is the enemy of security, and any real security
professional could tell you that. Simple and tractable is always
better than complicated, all things being equal -- certainly NOT
the other way around.

> Since I do not consider myself a cryptography expert, and have
> instinctively preferred simpler - but strong - technical solutions,
> have my instincts been wrong all along?

Your instincts are not wrong. The details of what is simple yet secure
are, of course, not trivial. You can make things *too* simple. A
Caesar cipher isn't secure, even though it is much simpler than
AES. That said, complexity is never something people deliberately
seek.


Perry



Strength in Complexity?

2008-07-01 Thread Arshad Noor

The author of an article that appeared in InformationWeek this week
(June 30, 2008) on Enterprise Key Management Infrastructure (EKMI):

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800937

states the following:

"There are, of course, obstacles that must still be overcome by EKMI 
proponents. For example, the proposed components are somewhat simple by 
design, which concerns some encryption purists who prefer more complex 
protocols, on the logic that they're more difficult to break into."


In light of the recent discussions about experts in cryptography,
I thought I'd ask this forum to comment on the above author's
statement: is this true?

Do cryptography experts deliberately choose complexity over simplicity
when the latter might provide the same strength of protection?  Since I
do not consider myself a cryptography expert, and have instinctively
preferred simpler - but strong - technical solutions, have my instincts
been wrong all along?  TIA.

Arshad Noor
StrongAuth, Inc.



Re: The wisdom of the ill informed

2008-07-01 Thread Ed Gerck

[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]

Perry E. Metzger wrote:

> Ed Gerck <[EMAIL PROTECTED]> writes:
>>> In any case, there are a large number of reasons US banks don't
>>> (generally) require or even allow anyone to enter PINs for
>>> authentication over the internet.
>>
>> Wells Fargo allows PINs for user authentication.
>
> No they don't.


Since you are not fully aware of how Wells Fargo operates, let me
clarify. What you say below is true for users entering the system /today/:

> The new users of their online system get a temporary
> password by phone or in the mail, and Wells Fargo requires that they
> change it on first log in. The temporaries expire after 30 days,
> too. They don't use their bank account numbers as account names,
> either.
>
> Where did you get the idea that they'd use 4-digit PINS from? It is
> totally false.


No. Any Wells Fargo user today that has an /older/ account (eg, opened 
in 2001), can login with their numeric PINs if that is how their 
online access was done then and they did not change it.


So, even though WF /today/ does not accept /new/ users to use only 
numbers for their password, WF is happy to continue to accept /older/ 
rules, including accepting the PIN for online account login.



(Anyone who doesn't believe me can just go through their web site --
it explains all of this to their customers.)


Their website today is what they use today. Older account users that 
have not changed their login can still use their PINs for login. I 
know one company that used way back when their numeric PIN for login, 
because that's what WF told them to do, and that just very recently 
changed to a safer password.


While it is good that WF has improved its rules, it would be better if 
they had made it compulsory for all users (not just newer) to renew 
their passwords when the rules started prohibiting using only numbers 
and /not/ requiring the PIN for first login.


I imagine that there are lots of sites out there that have likewise 
improved their front-end password acceptance rules but have not 
bothered to ask all their users to renew their passwords, and thus 
force compliance with newer, safer rules.



> The system you propose as "safe" isn't used by anyone that I'm aware
> of, and for good reason, too -- people who've done things like that
> have been successfully attacked.
>
> BTW, if anyone was this foolish, the fun you could have would be
> amazing. You could rent a botnet for a few bucks and lock out half the
> customer accounts on the site in a matter of hours. You could ruin
> banks at will. It would be great fun -- only it isn't possible. No one
> is stupid enough to set themselves up for that.


WF does that, still today, for their most valued customers -- their 
older customers. May our words be a good warning for them!



>>> I suspect that currently invalid accounts are probably even cheaper
>>> than valid ones
>>
>> we all know that invalid accounts are of no use to attack, so this
>> issue is not relevant here.
>
> You would use the invalid accounts to reverse engineer the account
> number format so you don't have to do exhaustive search. Any
> practitioner in this field can tell you how useful intelligence like
> that would be. I suggest you consult one.


When you do the math, you will see that knowing a few hundred invalid 
accounts will not considerably reduce your search space for the 
comparison we are talking about. Remember, we are talking about 
4-digit PINs that have a search space of 9,000 choices (before you 
complain about the count, note that all 0xxx combinations are usually 
not accepted as a valid PIN for registration) versus an account number 
that is a sparse space with 12-digits and that (by the sheer number of 
valid users) must have at least /millions/ of valid accounts.



> It is easy enough to blacklist all of the cable modems in the world
> for SMTP service. ISPs voluntarily list their cable modem and DSL
> blocks. It is a lot harder to explain to people that they can't do
> their at-home banking from home, though. With half the windows boxes
> in the world as part of botnets, and with dynamic address assignment,
> it is hard to know who's computer *wouldn't* be on the blacklists
> anyway...


Please check with actual banks. Bank users logging in from a static IP 
account are treated differently by the servers than users from a 
dynamic IP account. As they should.


The dialogue disconnect here is classical in cryptography, as we all 
have probably seen in practice. In the extreme, but not too uncommon 
position, a crypto guy cries for a "better" solution (which, more 
often than not, is either not usable or too expensive) while 
dismissing a number of perfectly valid but incomplete solutions that, 
when used together, could mount a good-enough (and affordable) 
defense. Many people have frequently made this point here, including 
yourself with EV certs.


Yes, blocking by IP is not a panacea, and may fail to block, but when 
it works it is mostly corre

Re: The wisdom of the ill informed

2008-07-01 Thread Perry E. Metzger

Stephan Neuhaus <[EMAIL PROTECTED]> writes:
> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>
>> Ed, there is a reason no one in the US, not even Wells Fargo which you
>> falsely cited, does what you suggest. None of them use 4 digit PINs,
>> none of them use customer account numbers as account names. (It is
>> possible SOMEONE out there does this, but I'm not aware of it.)
>
> Many German savings banks use account numbers as account names (see,
> e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/)
> http://www.stadtsparkasse-kaiserslautern.de ), as does, for example,
> the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi
> ). Most will not use 4-digit PINs, though.

And, Wells Fargo will let you use your PIN as part of a lost password
procedure, although I believe they require a lot of other pieces of
information at the same time like account number, online account name
and SSN.

My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.

>> I understand some European banks even do stuff like mailing people
>> cards with one time passwords.
>
> Do you mean TANs (TransAction Numbers)? TANs are used to authorize
> transactions that could affect your account balance.  So stealing the
> PIN will let you look at the balance, but will not let you steal money
> (through this channel).
>
> (Or maybe you knew all this already and I just missed the irony.)

I knew part of it, but your additional information was worthwhile.

Perry



Re: The wisdom of the ill informed

2008-07-01 Thread Stephan Neuhaus


On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:

> Ed, there is a reason no one in the US, not even Wells Fargo which you
> falsely cited, does what you suggest. None of them use 4 digit PINs,
> none of them use customer account numbers as account names. (It is
> possible SOMEONE out there does this, but I'm not aware of it.)

Many German savings banks use account numbers as account names (see,
e.g., https://bankingportal.stadtsparkasse-kaiserslautern.de/banking/)
http://www.stadtsparkasse-kaiserslautern.de ), as does, for example,
the Saarländische Landesbank (https://banking.saarlb.de/cgi/anfang.cgi
). Most will not use 4-digit PINs, though.



> I understand
> some European banks even do stuff like mailing people cards with one
> time passwords.

Do you mean TANs (TransAction Numbers)? TANs are used to authorize
transactions that could affect your account balance.  So stealing the
PIN will let you look at the balance, but will not let you steal money
(through this channel).


(Or maybe you knew all this already and I just missed the irony.)

Fun,

Stephan


Re: The wisdom of the ill informed

2008-07-01 Thread Perry E. Metzger

Ed Gerck <[EMAIL PROTECTED]> writes:
>> In any case, there are a large number of reasons US banks don't
>> (generally) require or even allow anyone to enter PINs for
>> authentication over the internet. 
>
> Wells Fargo allows PINs for user authentication.

No they don't. The new users of their online system get a temporary
password by phone or in the mail, and Wells Fargo requires that they
change it on first log in. The temporaries expire after 30 days,
too. They don't use their bank account numbers as account names,
either.

Where did you get the idea that they'd use 4-digit PINS from? It is
totally false.

(Anyone who doesn't believe me can just go through their web site --
it explains all of this to their customers.)

The system you propose as "safe" isn't used by anyone that I'm aware
of, and for good reason, too -- people who've done things like that
have been successfully attacked.

BTW, if anyone was this foolish, the fun you could have would be
amazing. You could rent a botnet for a few bucks and lock out half the
customer accounts on the site in a matter of hours. You could ruin
banks at will. It would be great fun -- only it isn't possible. No one
is stupid enough to set themselves up for that.

>> I suspect that currently invalid accounts are probably even cheaper
>> than valid ones
>
> we all know that invalid accounts are of no use to attack, so this
> issue is not relevant here.

You would use the invalid accounts to reverse engineer the account
number format so you don't have to do exhaustive search. Any
practitioner in this field can tell you how useful intelligence like
that would be. I suggest you consult one.

> Dan's question has to do with how to protect online access from
> multiple tries on the account number for a given PIN. Of course, the
> reverse (repeated use of the same account for different wrong PINs)
> can easily trigger a block.
>
> As I replied to Dan, a counter-measure is for the server to
> selectively block IP numbers for the /same/ browser and /same/ PIN
> after 4 or 3 wrong attempts.

But in an age where an attacker has millions of IP addresses at their
disposal thanks to botnets and IP block hijacking and can fake
anything they like, this is meaningless.

> You present a valid objection in that there are people hijacking huge
> IP blocks for brief periods for spamming. People also hijack vast
> numbers of zombie machines. Either technology is easily used to
> prevent block-by-IP from doing squat for you, you wrote.
>
> Not so fast.  Block-by-IP is not that useless. Many anti-spam
> blacklists use block-by-IP and it works.

It is easy enough to blacklist all of the cable modems in the world
for SMTP service. ISPs voluntarily list their cable modem and DSL
blocks. It is a lot harder to explain to people that they can't do
their at-home banking from home, though. With half the windows boxes
in the world as part of botnets, and with dynamic address assignment,
it is hard to know who's computer *wouldn't* be on the blacklists
anyway...

> Further, if the PIN is held constant (eg, a common PIN such as )
> and the IP as well as the browser identification are changed while
> different account numbers are targeted, this pattern can trigger a
> block by that PIN that repeatedly (3 or more times) causes an access
> error, for any IP number and browser. Excessive errors/minute can
> also trigger inspection and blocks.

You have 10,000 PINs, and 10 million customers logging in a day. Every
PIN that gets attacked means a thousand of those customers can't get
to their account. They call up, which costs you $10 to $100 a pop in
customer service. So for every PIN someone tries hacking, you take a
$10,000 to $100,000 customer service cost. Since there are thousands
of PINs that will be attacked a day, this adds up fast, and you find
more or less none of your customers able to log in and almost all of
them angry as all hell at you.

Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names. (It is
possible SOMEONE out there does this, but I'm not aware of it.)  You
would impose enormous costs on yourself for almost no advantage. It is
trivial to make people use passwords that are harder to guess than a 4
digit number, so why cost yourself your whole retail operation for no
perceivable benefit?

Banks aren't stupid. They want to minimize their costs, not increase
them. Most banks aren't even happy using PASSWORDS any more -- they're
using "pick the face" systems, issuing Secure IDs, and I understand
some European banks even do stuff like mailing people cards with one
time passwords. The ones still using passwords are seriously looking
at the alternatives, though many of them consider the current losses
sufficiently low that they're not rushing.

I'll give you a chance for one more reply, but you might want to quit
while you're behind. I suspect 

Re: The wisdom of the ill informed

2008-07-01 Thread Leichter, Jerry
| Hi gang,
| 
| All quiet on the cryptography front lately, I see. However, that does not
| prevent practices that *appear* like protection but are not even as strong as
| wet toilet paper.
| 
| I had to order a medical device today and they need a signed authorization for
| payment by my insurance carrier. No biggie. So they ask how I want it set to
| me and I said via e-mail. Okay. /Then/ they said it was an encrypted file and
| I thought, cool. How wrong could I be?
| 
| Very. The (I hate to use this term for something so pathetic) password for the
| file is 6 (yes, six) numeric characters!
| 
| My 6 year old K6-II can crack this in less than one minute as there are only
| 1.11*10^6 possible.
| 
| You can lead a horse to water
Let's think about the economics here.  What's the value of the information 
they are sending you to someone else?  What could they do with it?  Apply for 
your insurance payment?  You'll discover that rather rapidly when you try to 
apply.  Discover what medical equipment you're ordering?  Is cracking the 
cryptography here anything like the easiest way to get that information?  
It's a myth that medical information is private - too many different parties 
have access to it in the normal course of things.

On the flip side, how many people will have trouble remembering even a 
six-digit password?  (Keep in mind that, by the nature of the business you're 
talking about - medical supplies - many of the customers will be ill/old.)

Frankly, I find it rather impressive that they provide *any* degree of 
security.  Six digits may in fact be more than is justified, given the 
value-of-information/usability tradeoffs.

-- Jerry



Re: The wisdom of the ill informed

2008-07-01 Thread Peter Gutmann
Ed Gerck <[EMAIL PROTECTED]> writes:
>[EMAIL PROTECTED] wrote:
>> So I hold the PIN constant and vary the bank account number.
>
>This is, indeed, a possible attack considering that the same IP may be
>legitimately used by different users behind NAT firewalls and/or with dynamic
>IPs. However, there are a number of reasons, and evidence, why this attack
>can be (and has been) prevented even for a short PIN:

It's a pity that Kjell Hole et al didn't know this was impossible when they
mounted exactly this attack against the Norwegian banking system :-).

Peter.



Re: The wisdom of the ill informed

2008-07-01 Thread Ed Gerck

Perry,

You may well think that "You're completely wrong here," as you wrote. 
However, the first evidence that I'm correct is that the online banking 
system has /not/ collapsed under this attack (Dan's point) in many 
years... even though bad guys do have access to large blocks of 
different IP numbers, etc.



> In any case, there are a large number of reasons US banks don't
> (generally) require or even allow anyone to enter PINs for
> authentication over the internet.


Wells Fargo allows PINs for user authentication. Passwords are 
optional and PINs are used for password setting. This is just to name 
one key US bank.


Further, when you wrote:

> I suspect that currently invalid accounts are probably even cheaper
> than valid ones

we all know that invalid accounts are of no use to attack, so this 
issue is not relevant here.


But let me address your other points.

> I'm sure you will now go on about some other way to evade Dan's
> crucial point, but it should be obvious to almost anyone that you're
> not thinking like the bad guys. If you really want to go on about
> this, though, I'll let you have as much rope as you like, though
> only for a post or two as I don't want to bore people.

(don't worry, you never bore people)

Dan's question has to do with how to protect online access from 
multiple tries on the account number for a given PIN. Of course, the 
reverse (repeated use of the same account for different wrong PINs) 
can easily trigger a block.


As I replied to Dan, a counter-measure is for the server to 
selectively block IP numbers for the /same/ browser and /same/ PIN 
after 4 or 3 wrong attempts.


You present a valid objection in that there are people hijacking huge 
IP blocks for brief periods for spamming. People also hijack vast 
numbers of zombie machines. Either technology is easily used to 
prevent block-by-IP from doing squat for you, you wrote.


Not so fast.  Block-by-IP is not that useless. Many anti-spam 
blacklists use block-by-IP and it works. Further, if the PIN is held 
constant (eg, a common PIN such as ) and the IP as well as the 
browser identification are changed while different account numbers are 
targeted, this pattern can trigger a block by that PIN that repeatedly 
(3 or more times) causes an access error, for any IP number and 
browser. Excessive errors/minute can also trigger inspection and blocks.


You can find many other ways to try to trick the system. For example, 
you can space out the attacks and rotate the trivial PINs to reduce 
suspicion -- but you will also reduce the number of tries per hour 
that you can perform for each account.


What makes a good difference in preventing an attack as mentioned by 
Dan is to /not/ allow weak passwords in the first place! But, because 
this is not really possible with PIN systems (even with 6 digits), the 
security designer can detect attack patterns and use them to trigger a 
block even for an a priori unknown IP.


Cheers,
Ed Gerck
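Ed's block-by-PIN counter-measure here and Perry's customer-service arithmetic earlier in the thread are two sides of one trade-off. The following added Python model (not code from either poster) makes it concrete: it runs the fixed-PIN sweep over a constructed five-account table under both a per-account rule and Ed's per-PIN rule with his "3 or more" threshold, then scales the per-PIN rule's lockouts to Perry's assumed figures of 10,000 PINs, 10 million customers and $10 to $100 per support call.

```python
"""Added example: collateral cost of lockout rules under a fixed-PIN sweep.

A PIN-indexed lockout (refuse a PIN for everyone after 3 errors with it)
is compared with the usual per-account lockout when someone holds one
PIN constant and walks account numbers.  The account table is
constructed; the scaling figures are the ones quoted in the thread.
"""
from collections import defaultdict

PIN_SPACE = 10_000  # 0000-9999


class PerAccountLockout:
    """Standard rule: refuse an account after `limit` wrong PINs against it."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, accounts, acct, pin):
        if acct in self.locked:
            return "locked"
        if accounts.get(acct) == pin:
            return "ok"
        self.failures[acct] += 1
        if self.failures[acct] >= self.limit:
            self.locked.add(acct)
        return "bad"

    def collateral(self, accounts):
        """Honest customers whose own correct PIN is now refused."""
        return sum(1 for a in accounts if a in self.locked)


class PerPinLockout:
    """Ed's rule: refuse a PIN for everyone after `limit` errors with it."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = defaultdict(int)
        self.locked_pins = set()

    def attempt(self, accounts, acct, pin):
        if pin in self.locked_pins:
            return "locked"
        if accounts.get(acct) == pin:
            return "ok"
        self.failures[pin] += 1
        if self.failures[pin] >= self.limit:
            self.locked_pins.add(pin)
        return "bad"

    def collateral(self, accounts):
        """Every honest customer who happens to hold a blocked PIN."""
        return sum(1 for p in accounts.values() if p in self.locked_pins)


def fixed_pin_sweep(policy, accounts, pin, account_numbers):
    """Dan's pattern: one PIN held constant across many account numbers.
    Returns (accounts the sweep would have exposed, tries refused outright)."""
    matched = refused = 0
    for acct in account_numbers:
        r = policy.attempt(accounts, acct, pin)
        matched += r == "ok"
        refused += r == "locked"
    return matched, refused


def demo_accounts():
    """Constructed account table; account 103's owner chose PIN 0000."""
    return {100: 4821, 101: 7733, 102: 1190, 103: 0, 104: 5562}


def compare_policies(limit=3):
    """Sweep PIN 0000 over the demo accounts under both rules."""
    results = {}
    for name, cls in (("per-account", PerAccountLockout),
                      ("per-pin", PerPinLockout)):
        accounts = demo_accounts()
        policy = cls(limit)
        matched, refused = fixed_pin_sweep(policy, accounts, 0, sorted(accounts))
        results[name] = {"matched": matched, "refused": refused,
                         "collateral": policy.collateral(accounts)}
    return results


def expected_collateral(pins_blocked, customers=10_000_000, pin_space=PIN_SPACE):
    """Honest customers locked out when `pins_blocked` PINs are refused,
    assuming PINs are spread evenly (1,000 customers per PIN)."""
    return pins_blocked * customers // pin_space


def support_cost(pins_blocked, cost_per_call):
    """Support-desk cost of those lockouts at a given cost per call."""
    return expected_collateral(pins_blocked) * cost_per_call


if __name__ == "__main__":
    print(compare_policies())
    print("one blocked PIN:", expected_collateral(1), "customers,",
          f"${support_cost(1, 10):,}-${support_cost(1, 100):,} in calls")
```

Under the per-account rule the sweep is never refused and reaches the account whose owner chose 0000; under the per-PIN rule it is refused after three errors, at the price of locking that same honest customer out.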



Re: The wisdom of the ill informed

2008-07-01 Thread Ivan Krstić

On Jun 30, 2008, at 7:22 PM, Perry E. Metzger wrote:

> One of the most interesting things I find about most fields is the
> fact that people who are incompetent very often fancy themselves
> experts. There's a great study on this subject -- usually the least
> competent people are the ones that feel highly confident in their
> skills, while the people who aren't have more doubts. One sees this
> very phenomenon on this very list, and not infrequently.



Indeed:




How security non-experts screwed up security in systems like WEP and  
PPTP is no mystery to me. How, on the other hand, a real expert at  
_anything_ feels comfortable entering another hard technical field  
without screaming for assistance is something I don't get at all.


That a roomful of network experts designing 802.11 didn't hold hands  
and all together chant "bring us a good cryptographer" with such  
maniacal monophony as to rival any Gregorian choir makes me highly  
suspicious about their supposed expertise with _networks_.


--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org



Re: The wisdom of the ill informed

2008-07-01 Thread Bill Frantz
[EMAIL PROTECTED] (James A. Donald) on Monday, June 30, 2008 wrote:

>The only people who know who the real experts are, are the real 
>experts.   If you knew who to hire, you could do it yourself, and 
>probably should do it yourself.

I would say, even if you can do it yourself, hire another expert to
review your design.

When these systems are announced, we should get in the habit of
asking the people announcing them, "Which recognized crypto protocol
and algorithm experts have reviewed your design?"

Cheers - Bill

-
Bill Frantz| When it comes to the world | Periwinkle
(408)356-8506  | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032
