Re: Lava lamp random number generator made useful?

2008-09-21 Thread John Denker
On 09/20/2008 12:09 AM, IanG wrote:

 Does anyone know of a cheap USB random number source?

Is $7.59 cheap enough?  
  http://www.geeks.com/details.asp?invtid=HE-280Bcat=GDT

For that you get a USB audio adapter with mike jack, and
then you can run turbid(tm) to produce high-quality randomness.

Reference, including analytical paper plus code:
  http://www.av8n.com/turbid/


 As a meandering comment, it would be extremely good for us if we had
 cheap pocket random number sources of arguable quality [1].

If the above is not good enough, please explain.

 I've often thought that if we had an open source hardware design of
 a USB random number generator ... that cost a few pennies to add
 onto any other USB toy ... then we could ask the manufacturers to
 throw it in for laughs.  Something like a small mountable disk that
 returns randoms on every block read, so the interface is trivial.

I think the turbid solution is much better than a disk.
 -- Unlimited long-term capacity.
 -- Perfect forward secrecy, unlike a disk, unless you do a 
  really good job of erasing each block after use.
 -- Perfect secrecy in the other direction, period.
 
 Then, when it comes time to generate those special keys, we could
 simply plug it in, run it, clean up the output in software and use
 it.  Hey presto, all those nasty software and theoretical
 difficulties evaporate.

If the above is not good enough, please explain.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lava lamp random number generator made useful?

2008-09-21 Thread Jon Callas


Does anyone know of a cheap USB random number source?

As a meandering comment, it would be extremely good for us if we had
cheap pocket random number sources of arguable quality [1].

I've often thought that if we had an open source hardware design of
a USB random number generator ... that cost a few pennies to add
onto any other USB toy ... then we could ask the manufacturers to
throw it in for laughs.  Something like a small mountable disk that
returns randoms on every block read, so the interface is trivial.

Then, when it comes time to generate those special keys, we could
simply plug it in, run it, clean up the output in software and use
it.  Hey presto, all those nasty software and theoretical
difficulties evaporate.


A TPM has random numbers of arguable quality. I'm happy to argue  
either side of it, but that's not what you asked.


A cheap USB camera would make a good source. The cheaper the better,  
too. Pull a frame off, hash it, and it's got entropy, even against a  
white background. No lava lamp needed.


Jon




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-21 Thread Steven M. Bellovin
On Thu, 18 Sep 2008 17:18:00 +1200
[EMAIL PROTECTED] (Peter Gutmann) wrote:

 - Use TLS-PSK, which performs mutual auth of client and server
 without ever communicating the password.  This vastly complicated
 phishing since the phisher has to prove advance knowledge of your
 credentials in order to obtain your credentials (there are a pile of
 nitpicks that people will come up with for this, I can send you a
 link to a longer writeup that addresses them if you insist, I just
 don't want to type in pages of stuff here).
 
Once upon a time, this would have been possible, I think.  Today,
though, the problem is the user entering their key in a box that is (a)
not remotely forgeable by a web site that isn't using the browser's
TLS-PSK mechanism; and (b) will *always* be recognized by users, even
dumb ones.  Today, sites want *pretty* login screens, with *friendly*
ways to recover your (or Palin's) password, and not just generic grey
boxes.  Then imagine the phishing page that displays an artistic but
purely imaginary login screen, with a message about NEW!  Better
naviation on our login page!

If this had been done in the beginning, before users -- and web site
designers, and browser vendors -- were mistrained, it might have
worked.  Now, though?  I'm skeptical.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lava lamp random number generator made useful?

2008-09-21 Thread James Cloos
 IanG == IanG  [EMAIL PROTECTED] writes:

IanG I've often thought that if we had an open source hardware design
IanG of a USB random number generator

It should be doable as just a RNG device for a BOM of a few tens of USD.

There are at least of couple of SoCs on the market which advertise USB
client hw and at least some onboard crypto.  Put one of those in a key-
sized container with just enough glue for an A plug and the hw is done.

The software should be easy enough.  Linux's gadget driver can claim to
be pretty much anything -- serial, storage, ethernet.  I presume the
various BSD's can do so as well.  So the software end should be easy.

Are there any HW engineers here who can flesh out the above into a
gerber file or similar?

-JimC
-- 
James Cloos [EMAIL PROTECTED] OpenPGP: 1024D/ED7DAEA6

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Password Recovery Attack

2008-09-21 Thread Bill Frantz
One attack on services, which use personal questions as a backup
form of user verification, works well for high-profile users of
these systems. The attack is very simple. Go into the password
recovery page, and use Google to look up the answers to the
personal questions asked. There is enough Googleable data around
for high-profile people, and perhaps not so high profile people,
that the attack can be successful often enough to be useful. My
sources say Sarah Palin's email account was breached using this
attack.

Cheers - Bill

---
Bill Frantz|We used to quip that password is the most common
408-356-8506   | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security? -- Bruce Schneier

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Lava lamp random number generator made useful?

2008-09-21 Thread James Cloos
 IanG == IanG  [EMAIL PROTECTED] writes:

IanG Nope, sorry, didn't follow it.  What is BOM, SoC, A plug, gerber?

Bill Of Materials  -- cost of the raw hardware
System on (a) Chip -- microchip with CPU, RAM, FLASH, etc
USB A Plug -- physical flat-four interface; think USB key drive
gerber -- file format for hardware designs

A system-on-a-chip which has rng and usb-client hardware on board (aka
on chip) should fit in a package which looks just like a USB key drive.

The software load could make it look like any USB device, including a
USB storage device where every read produces blocks of entropy, as you
suggested.

A search for site:linuxdevices.com SoC RNG USB shows some useful
SoCs, such as:

  http://www.linuxdevices.com/news/NS9265554097.html
  http://www.linuxdevices.com/news/NS6958318931.html
  http://www.linuxdevices.com/news/NS6020408561.html
  http://www.linuxdevices.com/news/NS4943322251.html
  http://www.linuxdevices.com/news/NS4469294424.html

There seems to be significant interest in the industry for SoCs for Point
of Sale smartcard readers which would also work for your proposed design.

You did suggest an open hardware design


As for using a camera, shots with a lens cover on and with the gain
turned up (ie, tell people to set the camera to its highest ISO setting)
should maximize the recorded entropy w/o using their candids, eh?

-JimC
-- 
James Cloos [EMAIL PROTECTED] OpenPGP: 1024D/ED7DAEA6

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-21 Thread Eric Rescorla
At Sat, 20 Sep 2008 15:55:12 -0400,
Steven M. Bellovin wrote:
 
 On Thu, 18 Sep 2008 17:18:00 +1200
 [EMAIL PROTECTED] (Peter Gutmann) wrote:
 
  - Use TLS-PSK, which performs mutual auth of client and server
  without ever communicating the password.  This vastly complicated
  phishing since the phisher has to prove advance knowledge of your
  credentials in order to obtain your credentials (there are a pile of
  nitpicks that people will come up with for this, I can send you a
  link to a longer writeup that addresses them if you insist, I just
  don't want to type in pages of stuff here).
  
 Once upon a time, this would have been possible, I think.  Today,
 though, the problem is the user entering their key in a box that is (a)
 not remotely forgeable by a web site that isn't using the browser's
 TLS-PSK mechanism; and (b) will *always* be recognized by users, even
 dumb ones.  Today, sites want *pretty* login screens, with *friendly*
 ways to recover your (or Palin's) password, and not just generic grey
 boxes.  Then imagine the phishing page that displays an artistic but
 purely imaginary login screen, with a message about NEW!  Better
 naviation on our login page!

This is precisely the issue.

There are any number of cryptographic techniques that would allow
clients and servers to authenticate to each other in a phishing
resistant fashion, but they all depend on ensuring that the
*client* has access to the password and that the attacker can't
convince the user to type their password into some dialog
that the attacker controls. That's the challenging technical
issue, but it's UI, not cryptographic.

-Ekr

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]