Re: once more, with feeling.

2008-09-22 Thread Leichter, Jerry
On Sun, 21 Sep 2008, Eric Rescorla wrote:
|   - Use TLS-PSK, which performs mutual auth of client and server
|   without ever communicating the password
|  Once upon a time, this would have been possible, I think.  Today,
|  though, the problem is the user entering their key in a box that is
|  (a) not remotely forgeable by a web site that isn't using the
|  browser's TLS-PSK mechanism; and (b) will *always* be recognized by
|  users, even dumb ones.  Today, sites want *pretty* login screens,
|  with *friendly* ways to recover your (or Palin's) password, and not
|  just generic grey boxes.  Then imagine the phishing page that
|  displays an artistic but purely imaginary login screen, with a
|  message about NEW!  Better naviation on our login page!
| This is precisely the issue.
| There are any number of cryptographic techniques that would allow
| clients and servers to authenticate to each other in a phishing
| resistant fashion, but they all depend on ensuring that the
| *client* has access to the password and that the attacker can't
| convince the user to type their password into some dialog
| that the attacker controls. That's the challenging technical
| issue, but it's UI, not cryptographic.
The sitation today is (a) the decreasing usefulness of passwords -
those anyone has a chance of remembering are just to guessable in the
face of the kinds of massive intelligent brute force that's possible
today and (b) the inherently insecure password entry mechanisms that
we've trained people to use.  Perhaps the only solution is to attack
both problems at the same time:  Replace passwords with something
else, and use a different, more secure input mechanism at the same

The problem is what that something else should be.  Keyfobs with
one-time passwords are a good solution from the pure security point
of view, but (a) people find them annoying; (b) when used with
existing input mechanisms, as they pretty much universally are, are
subject to MITM attacks.  The equivalent technology on a USB plugin
is much easier on the user in some circumstances, but is subject to
some bad semantic attacks, as discussed here previously.  Also, it's
not a great solution for mobile devices.

DoD/government uses smartcards, but that's probably not acceptable to
the broad population.  There's been some playing around with cellphones
playing the role of smartcard, but cellphones are not inherently secure
either.  There's also the related problem of scalability to multiple
providers:  I only need one DoD card, which might be acceptable, but if
every secure web site wants to give me their own, I have a problem.  Of
course, various federated identity standards are already battling it
out, but uptake seems limited.  Besides, that can only be one element of
the solution - if I use a traditional password to get to my federated
identity token, I've made the old problem much worse, not better.

Some laptops and keyboards and even encrypted USB memory sticks are
getting fingerprint scanners as standard hardware.  *If* these
actually work as advertised - not a good bet, based on history so
far - these could be an interesting input mechanism.  Since there
are no expectations today that the fingerprint data will be
available to any web site that asks, one could perhaps establish
a standard for controlling this in an appropriate way, with a
built-in, unforgeable display.  With microphones and, increasingly,
cameras as widely-available components, one might define a similar
special input mode around them and look to voice or face recognition.

Or maybe we could even leverage the increasing interest in special
outside-the-main-OS basic displays one sees on laptops.  (I'm sure it
just thrills Microsoft to see Dell putting a tiny Linux implementation
in each laptop)

These are all just possibilities, and whether any of them (or some other
approach) actually gains broad acceptance is, of course, totally up in
the air.  Right now, while in the aggregate the problems with ID theft
are bad and getting worse, relatively few individuals feel the pain,
nor is there much in the way to offer them.  Until one or the other
of these changes - and most likely, both - the old password in some
window or another model will likely stick around.

-- Jerry

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Lava lamp random number generator made useful?

2008-09-22 Thread Thor Lancelot Simon
On Sun, Sep 21, 2008 at 01:20:22PM -0400, James Cloos wrote:
  IanG == IanG  [EMAIL PROTECTED] writes:
 IanG Nope, sorry, didn't follow it.  What is BOM, SoC, A plug, gerber?
 Bill Of Materials  -- cost of the raw hardware
 System on (a) Chip -- microchip with CPU, RAM, FLASH, etc
 USB A Plug -- physical flat-four interface; think USB key drive
 gerber -- file format for hardware designs
 A system-on-a-chip which has rng and usb-client hardware on board (aka
 on chip) should fit in a package which looks just like a USB key drive.

I looked into this at moderate length about two years ago.  One very
attractive choice was the cheapest Motorola Coldfire with their onboard
crypto block, because you get the hashing for free and don't waste host
resources transferring in data you'll then distill by hash -- or hashing

As a source of random numbers, I was figuring to use one of the publically
available thermal noise designs plus the cheapest HiFn PCI crypto chip
(which features a multi-oscillator RNG I'm reasonably familiar with) since
the Coldfire with crypto has both USB and PCI on it.


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Cube cryptanalysis?

2008-09-22 Thread James Muir

Paul Hoffman wrote:

At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the 
deadline for Eurocrypt submission; it will all become much clearer 
than my wounded explanations then.

There now:

I just noticed the following comment from Michael Vielhaber on the iacr 
eprint discussion forum:,59

Vielhaber states that the cube attack is anticipated by his 2007 paper:

Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack
Michael Vielhaber


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

More on Blackberry interception in India

2008-09-22 Thread Perry E. Metzger

(I saw this on another mailing list -- a follow-on to earlier
discussions about Blackberry in India. No idea how believable any of
it is because there is a great deal of difference between the way
Blackberries work in a corporate and non-corporate context -- this
could just be interception at the mail server provided by the
cellphone company. --Perry)

At last, govt cracks BlackBerry code
22 Sep, 2008, 0121 hrs IST,Niranjan Bharati, ET Bureau

NEW DELHI: The government has decrypted the data on Research In
Motion's (RIM) BlackBerry networks. The department of
telecommunication (DoT), Intelligence Bureau and security agency
National Technical Research Organisation (NTRO) have done tests on
service providers such as Bharti Airtel, BPL Mobile, Reliance
Communications and Vodafone-Essar networks for interception of
Internet messages from BlackBerry to non-BlackBerry devices.

Initially, there were difficulties in cracking the same on
Vodafone-Essar network but that has also been solved. This means that
the e-mail messages sent on Internet through your BlackBerry sets
would no longer be exclusive and government would be able to track

Decompression is being tested in operator's network with three
successful testing on Bharti Airtel, Reliance Communication and BPL
Mobile, a source in DoT said. He, however, added that the solution
reached upon would not be shared with anybody including the national
telecom service providers like BSNL or MTNL. The test is being
conducted wholly for non-enterprise solutions, he said. The Union
cabinet has also been apprised of the recent developments by the DoT.

Makers of BlackBerry set, RIM, could not be contacted for comment. An
e-mail sent in this regard the company did not elicit any response
till the time of going for press. An official in Vodafone-Essar,
however, on conditions of anonymity said that there has been
substantial progress in decoding the BlackBerry encryptions and DoT
has got success on decompressing the data on the networks of all the
major service providers.

The test would be conducted on all the network of all the BlackBerry
service providers and the service providers, on whose network the
interception does not happen smoothly, would be asked to make
technical changes in their services to make them compatible for
decompression. Decompression is the process of decoding information
with an aim to transfer the data to a different medium like data to
voice, data to video or data to text.

The DoT had earlier asked RIM to provide the master key to allow
access to contents transferred over their handsets. RIM had, however,
said that it could not handover the message encryption key to the
government as its security structure does not allow any third party or
even the company to read the information transferred over its network.

The BlackBerry issue surfaced earlier this year when DoT asked Tata
Tele-services to delay the launch of the service till appropriate
security mechanisms were in place. Currently, there are over one lakh
BlackBerry users in the country.

Bharti Airtel, Reliance Communications, Vodafone Essar and BPL Mobile
are offering this service in the country. Tata Teleservices has also
been allowed to offer the BlackBerry services recently.

Incidentally, Tata Teleservices launched the service after telecom
secretary Siddhartha Behura said that the government has no role in
stopping the company from offering the service.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]