Re: Kaminsky finds DNS exploit

2008-07-10 Thread Sidney Markowitz

Udhay Shankar N wrote, On 9/7/08 5:52 PM:
> I think Dan Kaminsky is on this list. Any other tidbits you can add
> prior to Black Hat?


He's posted a quite long article on his blog

 http://www.doxpara.com/?p=1162

that looks like all the details he is likely to provide for the next 30 
days. It does seem to address the speculation on this list about how the 
patch relates to stuff that has been known for years, Dan Bernstein's 
code, who knew what when, etc.



  -- sidney

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Explaining DNSSEC

2008-07-10 Thread Ben Laurie
I was asked off-list for a pointer to an explanation of DNSSEC. I guess 
there may be other readers who'd like that, so here's a pointer to 
Matasano Chargen's rather beautiful exposition:


http://www.matasano.com/log/case-against-dnssec/

Unfinished, but good enough. In particular, part 2 explains DNSSEC

http://www.matasano.com/log/772/a-case-against-dnssec-count-2-too-complicated-to-deploy/

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Dutch chipmaker sues to silence security researchers

2008-07-10 Thread Ali, Saqib
Dutch chipmaker NXP Semiconductors has sued a university in The
Netherlands to block publication of research that details security
flaws in NXP's Mifare Classic wireless smart cards, which are used in
transit and building entry systems around the world.

More at:
http://news.cnet.com/8301-10784_3-9985886-7.html?hhTest=1

saqib
http://doctrina.wordpress.com/



Re: Kaminsky finds DNS exploit

2008-07-10 Thread Florian Weimer
* Paul Hoffman:

> The take-away here is not that Dan didn't discover the problem, but
> Dan got it fixed.

I haven't seen credible claims that the underlying issue can actually be
fixed in the classic DNS protocol.  There are workarounds on top of
workarounds.  A real fix requires more or less incompatible protocol
changes, and at that point, it might be easier to deploy DNSSEC instead.



Re: how bad is IPETEE?

2008-07-10 Thread Eric Rescorla
At Thu, 10 Jul 2008 18:10:27 +0200,
Eugen Leitl wrote:
 
 
> In case somebody missed it,
>
> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)
>
> I'm not sure what the status of http://postel.org/anonsec/
> is, the mailing list traffic dried up a while back.

This is the first I have heard of this.

That said, some initial observations:

- It's worth asking why, if you're doing per-connection keying,
  it makes sense to do this at the IP layer rather than the
  TCP/UDP layer. 

- Why not simply use TLS or DTLS?

- The uh, novel nature of the cryptographic mechanisms is
  pretty scary. Salsa-20? AES-CBC with implicit IV?
  A completely new cryptographic handshake? Why not use
  IPsec?

- A related idea was proposed a while back (by Lars Eggert,
  I believe). See S 6.2.3.1 of:

  
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tcp-auth-arch.txt

-Ekr



  

  



Re: Dutch chipmaker sues to silence security researchers

2008-07-10 Thread Allen



Ali, Saqib wrote:

> Dutch chipmaker NXP Semiconductors has sued a university in The
> Netherlands to block publication of research that details security
> flaws in NXP's Mifare Classic wireless smart cards, which are used in
> transit and building entry systems around the world.


Ah, more 3 monkeys syndrome? If a flaw exists but nobody knows about 
the details, it no longer exists? If we don't publish the evidence 
about the Earth being round, then it will stay flat, right? Perhaps 
NXP merely wants to secure the job continuity of sys admins, 
compliance, and security people, do you think?


Given that those in charge rarely listen in any case, perhaps they 
are trying to promote stress related health problems in a secret 
conspiracy with doctors. ;-)


Best,

Allen



Re: how bad is IPETEE?

2008-07-10 Thread Nicolas Williams
On Thu, Jul 10, 2008 at 06:10:27PM +0200, Eugen Leitl wrote:
> In case somebody missed it,
>
> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)

I did miss it.  Thanks for the link.  I don't think in-band key exchange
is desirable here, but, you never know what will triumph in the
marketplace.

> I'm not sure what the status of http://postel.org/anonsec/
> is, the mailing list traffic dried up a while back.

Connection latching, which is the BTNS WG equivalent of 'IPETEE', but
much simpler, is in the IESG's hands now.

Nico
-- 



Re: how bad is IPETEE?

2008-07-10 Thread James Cloos
 Eugen == Eugen Leitl [EMAIL PROTECTED] writes:

Eugen> I'm not sure what the status of http://postel.org/anonsec/

The IETF just created a new list and subscribed all anonsec subscribers:

https://www.ietf.org/mailman/listinfo/btns

-JimC
-- 
James Cloos [EMAIL PROTECTED] OpenPGP: 1024D/ED7DAEA6



Re: Permanent Privacy - Are Snake Oil Patents a threat?

2008-07-10 Thread Brecht Wyseur
On Wed, 2008-07-09 at 13:02 +1200, David G. Koontz wrote:
 
> I did a quick check to look for patent applications or patents by them and
> didn't find any.  This isn't definitive if a patent application isn't
> published.  The newest published patent application I found on encryption
> had an application date of 11 Dec 2007.  Some recently published patent
> applications are 6 or 7 years old, too.

This is the patent you're searching for:
Secure encryption system, device and method - Patent 20060193472

--
Brecht Wyseur
Katholieke Universiteit Leuven tel. +32 16 32 17 21
Dept. Electrical Engineering-ESAT / COSIC fax. +32 16 32 19 69
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, BELGIUM office 01.53

 [EMAIL PROTECTED]
 http://homes.esat.kuleuven.be/~bwyseur

 P=NP if (P=0 or N=1)
GPG Pub key: https://homes.esat.kuleuven.be/~bwyseur/pubkey
GPG Fingerprint: 890C 7C0B F1D9 597E F205 87C8 B716 D7D3 20F8 353F


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: how bad is IPETEE?

2008-07-10 Thread Nicolas Williams
On Thu, Jul 10, 2008 at 02:31:12PM -0400, James Cloos wrote:
> Eugen == Eugen Leitl [EMAIL PROTECTED] writes:
>
> Eugen> I'm not sure what the status of http://postel.org/anonsec/
>
> The IETF just created a new list and subscribed all anonsec subscribers:
>
> https://www.ietf.org/mailman/listinfo/btns

Indeed.  But it's as quiet as the old list :/

Seriously, the work of the BTNS WG is, IMO, crucial to the use of IPsec
as an end-to-end solution (as opposed to as a VPN solution, for which
IPsec is already pretty darned good).  If you care, then please
participate, or even better, implement.

That anyone is working on IPETEE indicates that end-to-end IPsec
solutions are desired.  The in-band nature of the IPETEE key exchange
indicates, to me, a dislike of IKE, or perhaps unawareness of BTNS WG
(man, the WG's name doesn't reflect very well what it does), or perhaps
a misunderstanding of IPsec.

Nico
-- 
