Re: once more, with feeling.
On Sun, 21 Sep 2008, Eric Rescorla wrote: | - Use TLS-PSK, which performs mutual auth of client and server | without ever communicating the password | Once upon a time, this would have been possible, I think. Today, | though, the problem is the user entering their key in a box that is | (a) not remotely forgeable by a web site that isn't using the | browser's TLS-PSK mechanism; and (b) will *always* be recognized by | users, even dumb ones. Today, sites want *pretty* login screens, | with *friendly* ways to recover your (or Palin's) password, and not | just generic grey boxes. Then imagine the phishing page that | displays an artistic but purely imaginary login screen, with a | message about NEW! Better naviation on our login page! | | This is precisely the issue. | | There are any number of cryptographic techniques that would allow | clients and servers to authenticate to each other in a phishing | resistant fashion, but they all depend on ensuring that the | *client* has access to the password and that the attacker can't | convince the user to type their password into some dialog | that the attacker controls. That's the challenging technical | issue, but it's UI, not cryptographic. The sitation today is (a) the decreasing usefulness of passwords - those anyone has a chance of remembering are just to guessable in the face of the kinds of massive intelligent brute force that's possible today and (b) the inherently insecure password entry mechanisms that we've trained people to use. Perhaps the only solution is to attack both problems at the same time: Replace passwords with something else, and use a different, more secure input mechanism at the same time. The problem is what that something else should be. Keyfobs with one-time passwords are a good solution from the pure security point of view, but (a) people find them annoying; (b) when used with existing input mechanisms, as they pretty much universally are, are subject to MITM attacks. The equivalent technology on a USB plugin is much easier on the user in some circumstances, but is subject to some bad semantic attacks, as discussed here previously. Also, it's not a great solution for mobile devices. DoD/government uses smartcards, but that's probably not acceptable to the broad population. There's been some playing around with cellphones playing the role of smartcard, but cellphones are not inherently secure either. There's also the related problem of scalability to multiple providers: I only need one DoD card, which might be acceptable, but if every secure web site wants to give me their own, I have a problem. Of course, various federated identity standards are already battling it out, but uptake seems limited. Besides, that can only be one element of the solution - if I use a traditional password to get to my federated identity token, I've made the old problem much worse, not better. Some laptops and keyboards and even encrypted USB memory sticks are getting fingerprint scanners as standard hardware. *If* these actually work as advertised - not a good bet, based on history so far - these could be an interesting input mechanism. Since there are no expectations today that the fingerprint data will be available to any web site that asks, one could perhaps establish a standard for controlling this in an appropriate way, with a built-in, unforgeable display. With microphones and, increasingly, cameras as widely-available components, one might define a similar special input mode around them and look to voice or face recognition. Or maybe we could even leverage the increasing interest in special outside-the-main-OS basic displays one sees on laptops. (I'm sure it just thrills Microsoft to see Dell putting a tiny Linux implementation in each laptop) These are all just possibilities, and whether any of them (or some other approach) actually gains broad acceptance is, of course, totally up in the air. Right now, while in the aggregate the problems with ID theft are bad and getting worse, relatively few individuals feel the pain, nor is there much in the way to offer them. Until one or the other of these changes - and most likely, both - the old password in some window or another model will likely stick around. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Lava lamp random number generator made useful?
On Sun, Sep 21, 2008 at 01:20:22PM -0400, James Cloos wrote: IanG == IanG [EMAIL PROTECTED] writes: IanG Nope, sorry, didn't follow it. What is BOM, SoC, A plug, gerber? Bill Of Materials -- cost of the raw hardware System on (a) Chip -- microchip with CPU, RAM, FLASH, etc USB A Plug -- physical flat-four interface; think USB key drive gerber -- file format for hardware designs A system-on-a-chip which has rng and usb-client hardware on board (aka on chip) should fit in a package which looks just like a USB key drive. I looked into this at moderate length about two years ago. One very attractive choice was the cheapest Motorola Coldfire with their onboard crypto block, because you get the hashing for free and don't waste host resources transferring in data you'll then distill by hash -- or hashing it. As a source of random numbers, I was figuring to use one of the publically available thermal noise designs plus the cheapest HiFn PCI crypto chip (which features a multi-oscillator RNG I'm reasonably familiar with) since the Coldfire with crypto has both USB and PCI on it. Thor - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Cube cryptanalysis?
Paul Hoffman wrote: At 11:08 AM -0700 8/21/08, Greg Rose wrote: Adi mentioned that the slides and paper will go online around the deadline for Eurocrypt submission; it will all become much clearer than my wounded explanations then. There now: http://eprint.iacr.org/2008/385 I just noticed the following comment from Michael Vielhaber on the iacr eprint discussion forum: http://eprint.iacr.org/forum/read.php?8,59 Vielhaber states that the cube attack is anticipated by his 2007 paper: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack Michael Vielhaber http://eprint.iacr.org/2007/413 -James - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
More on Blackberry interception in India
(I saw this on another mailing list -- a follow-on to earlier discussions about Blackberry in India. No idea how believable any of it is because there is a great deal of difference between the way Blackberries work in a corporate and non-corporate context -- this could just be interception at the mail server provided by the cellphone company. --Perry) http://economictimes.indiatimes.com/At_last_govt_cracks_BlackBerry_code/articleshow/3510719.cms At last, govt cracks BlackBerry code 22 Sep, 2008, 0121 hrs IST,Niranjan Bharati, ET Bureau NEW DELHI: The government has decrypted the data on Research In Motion's (RIM) BlackBerry networks. The department of telecommunication (DoT), Intelligence Bureau and security agency National Technical Research Organisation (NTRO) have done tests on service providers such as Bharti Airtel, BPL Mobile, Reliance Communications and Vodafone-Essar networks for interception of Internet messages from BlackBerry to non-BlackBerry devices. Initially, there were difficulties in cracking the same on Vodafone-Essar network but that has also been solved. This means that the e-mail messages sent on Internet through your BlackBerry sets would no longer be exclusive and government would be able to track them. Decompression is being tested in operator's network with three successful testing on Bharti Airtel, Reliance Communication and BPL Mobile, a source in DoT said. He, however, added that the solution reached upon would not be shared with anybody including the national telecom service providers like BSNL or MTNL. The test is being conducted wholly for non-enterprise solutions, he said. The Union cabinet has also been apprised of the recent developments by the DoT. Makers of BlackBerry set, RIM, could not be contacted for comment. An e-mail sent in this regard the company did not elicit any response till the time of going for press. An official in Vodafone-Essar, however, on conditions of anonymity said that there has been substantial progress in decoding the BlackBerry encryptions and DoT has got success on decompressing the data on the networks of all the major service providers. The test would be conducted on all the network of all the BlackBerry service providers and the service providers, on whose network the interception does not happen smoothly, would be asked to make technical changes in their services to make them compatible for decompression. Decompression is the process of decoding information with an aim to transfer the data to a different medium like data to voice, data to video or data to text. The DoT had earlier asked RIM to provide the master key to allow access to contents transferred over their handsets. RIM had, however, said that it could not handover the message encryption key to the government as its security structure does not allow any third party or even the company to read the information transferred over its network. The BlackBerry issue surfaced earlier this year when DoT asked Tata Tele-services to delay the launch of the service till appropriate security mechanisms were in place. Currently, there are over one lakh BlackBerry users in the country. Bharti Airtel, Reliance Communications, Vodafone Essar and BPL Mobile are offering this service in the country. Tata Teleservices has also been allowed to offer the BlackBerry services recently. Incidentally, Tata Teleservices launched the service after telecom secretary Siddhartha Behura said that the government has no role in stopping the company from offering the service. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]