combining entropy

2008-10-24 Thread IanG
If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?

My assumptions are:

 * I trust no single source of Random Numbers.
 * I trust at least one source of all the sources.
 * no particular difficulty with lossy combination.

iang

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[Fwd: [announce] THC releases video and tool to backup/modify ePassports]

2008-10-24 Thread Allen

We knew it was coming, right?

 Original Message 
Subject: [announce] THC releases video and tool to backup/modify 
ePassports

Date: Mon, 29 Sep 2008 10:00:26 +
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


http://freeworld.thc.org/thc-epassport/

29th September 2008

THC/vonJeek proudly presents an ePassport emulator. This emulator 
applet

allows you to create a backup of your own passport chip(s).

A video demonstrating the weakness is available at
http://freeworld.thc.org/thc-epassport/

The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips is no longer
working. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

This manipulated information is displayed without any alarms 
going off.
The exploitation of this loophole is trivial and can be verified 
using

thc-epassport.

Regardless how good the intention of the government might have 
been, the
facts are that tested implementations of the ePassports 
Inspection System

are not secure.

ePassports give us a false sense of security: We are made to believe
that they make use more secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Yours sincerely,

vonjeek [at] thc dot org
The Hackers Choice
http://www.thc.org


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


TLS Server Name Indication and IDNA?

2008-10-24 Thread Victor Duchovni

I am considering adding TLS Server Name Indication support in the Postfix
SMTP server and client. I am puzzled by the exceedingly terse description
of the semantics of the HostName sent in the SNI extension:

http://tools.ietf.org/html/rfc4366#section-3.1

   If the hostname labels contain only US-ASCII characters, then the
   client MUST ensure that labels are separated only by the byte 0x2E,
   representing the dot character U+002E (requirement 1 in Section 3.1
   of [IDNA] notwithstanding).  If the server needs to match the
   HostName against names that contain non-US-ASCII characters, it MUST
   perform the conversion operation described in Section 4 of [IDNA],
   treating the HostName as a query string (i.e., the AllowUnassigned
   flag MUST be set).  Note that IDNA allows labels to be separated by
   any of the Unicode characters U+002E, U+3002, U+FF0E, and U+FF61;
   therefore, servers MUST accept any of these characters as a label
   separator.  If the server only needs to match the HostName against
   names containing exclusively ASCII characters, it MUST compare ASCII
   names case-insensitively.

At least the Postfix SMTP client does not normally work with IDNA domains
directly. In queued email messages the recipient domain is already ACE
encoded, e.g. [EMAIL PROTECTED]. Suppose Postfix is configured
to establish a TLS secure-channel with a mail server for this domain, and
now wants to signal the required certificate name to the receiving SMTP
server.

What should the SMTP client put in the RFC 4366 section 3.1 HostName:

- The ACE domain it is working with (xn--exmple-cua.com)?
- The underlying UTF8 domain name? (exämple.com)?

What should the server do when it receives the client's HostName?

- Convert ACE to UTF8?
- Convert UTF8 to ACE?

When searching for certificates with matching domain names, the receiving
server may need to look at:

http://tools.ietf.org/html/rfc5280#section-7.1:
subject CommonName rDNs, which may contain UTF8 strings

http://tools.ietf.org/html/rfc5280#section-7.2:
subject Alternative Name v3 extensions which contain IA5 (ASCII)
domain names.

What type of comparison is the server expected to perform?

- Convert UTF8 CommanName to ACE (also leave IA5 alone) and then compare?
- Convert ACE names in either subjectAltName or CN to UTF8 and then
  compare UTF8 strings (with NAMEPREP, STRINGPREP and all that jazz)?

This can be (to say the least) rather unpleasant. If IDNA is only between
the user and the UI, with everything on the wire in ACE form, then all
the pain is avoided:

- 4366 client sends ACE
- 4366 server uses received string uninterpreted
- Certificates contain ACE names in subjectAltName AND also in
  the CommonName where the name in question is a domain name.
- Server just does case insensitive search on ASCII strings.

If instead, client and server have to jump through hoops doing (tersely
specified, and unlikely IMHO to inter-operate) IDNA conversions, then I
may just bag the whole idea and do something more useful.

Anyone have any insight on what implementations are supposed to do?

-- 
Viktor.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: TLS Server Name Indication and IDNA?

2008-10-24 Thread Paul Hoffman
RFC 4366 is somewhat of a mess. I do not remember the authors asking 
the authors of IDNA (of which I am one) about what they should do.


FWIW, I'm not sure why this would be on the cryptography list, but 
I'm not sure of that for most of the we can design a better UI 
threads either.



What should the SMTP client put in the RFC 4366 section 3.1 HostName:

- The ACE domain it is working with (xn--exmple-cua.com)?
- The underlying UTF8 domain name? (exämple.com)?


Hopefully, the former. But if that doesn't work, try the latter.


What should the server do when it receives the client's HostName?

- Convert ACE to UTF8?
- Convert UTF8 to ACE?


Hopefully, neither: leave it as an ACE.


What type of comparison is the server expected to perform?

- Convert UTF8 CommanName to ACE (also leave IA5 alone) and then compare?
- Convert ACE names in either subjectAltName or CN to UTF8 and then
  compare UTF8 strings (with NAMEPREP, STRINGPREP and all that jazz)?


Hopefully, neither: leave it as an ACE.


This can be (to say the least) rather unpleasant. If IDNA is only between
the user and the UI, with everything on the wire in ACE form,


Yes.


then all
the pain is avoided:


Yes+. That's why we designed IDNA that way.

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: EV certs: Doing more of what we already know doesn't work

2008-10-24 Thread Stefan Kelm
Cool!  ;-)

Verisign's CPS has been an inspiration for me for quite
a few years now. E.g., this statement has been in there
for a number of years:

  The Certificate, however, provides no proof of the identity
  of the Subscriber.

Taken from page 12 of the current version, obviously (?)
referring to so-called Class 3 certificates.

Cheers,

Stefan.

-
Stefan Kelm
Security Consulting

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


unbreakable quantum crypto cracked by a laser

2008-10-24 Thread Steven M. Bellovin
http://technology.newscientist.com/channel/tech/dn14866-laser-cracks-unbreakable-quantum-communications.html?feedId=online-news_rss20

Not surprisingly, it's attacking the implementation, not the physics --
but of course we use implementations to communicate, rather than
theories.



--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


What does knot theory have to do with P^#P != NP ?

2008-10-24 Thread R.A. Hettinga

http://ephermata.livejournal.com/190880.html?mode=reply


David Molnar (ephermata) wrote,
@ 2008-10-04 01:59:00



Current music:
Crystal Castles - Air War
What does knot theory have to do with P^#P != NP ?
I didn't know, but Michael H. Freedman has an answer - by assuming  
that the complexity class P^#P is not equal to NP, you can prove a new  
theorem in knot theory!


Complexity Classes as Mathematical Axioms

M. Freedman
(Submitted on 30 Sep 2008)

Abstract: Treating a conjecture, P^#P != NP, on the separation of  
complexity classes as an axiom, an implication is found in three  
manifold topology with little obvious connection to complexity theory.  
This is reminiscent of Harvey Friedman's work on finitistic  
interpretations of large cardinal axioms.


http://arxiv.org/abs/0810.0033



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Quantum Crypto broken again

2008-10-24 Thread [EMAIL PROTECTED]
A failure in implementation leads to the ability to eavesdrop on a
quantum-secrecy based key exchange on 2/3 of the types of quantum
equipment used.

From: 
http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html

Makarov and colleagues from Sweden and Russia have shown that Eve
could control
Bob's equipment, so that they both decode exactly the same digits
from Alice's
transmission...The method exploits the way a common type of photon
counter can have
its sensitivity reduced by a very bright flash of light. The
attack begins when Eve fires a
pulse of laser light to all four detectors in Bob's
equipment...[Eve leverages this into
getting the key] by sending on a sequence of encoded photons that
are identical to the
ones she receives from Alice, Eve can safely intercept a message
without leaving the
tell-tale quantum errors...Makarov and colleagues have now uncovered such
vulnerabilities in two of the three types of quantum equipment
commonly used. They
are now investigating ways to solve the flaw without introducing
more weaknesses.

A paper, Can Eve control PerkinElmer actively-quenched single-photon
detector? is available at
http://arxiv.org/ftp/arxiv/papers/0809/0809.3408.pdf.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Cube cryptanalysis?

2008-10-24 Thread James Muir

Paul Hoffman wrote:

At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the 
deadline for Eurocrypt submission; it will all become much clearer 
than my wounded explanations then.


There now: http://eprint.iacr.org/2008/385



Given all the excitement over the Cube attack, readers may be interested 
to have a closer look at an earlier paper by Vielhaber:


Breaking ONE.FIVIUM by AIDA (an Algebraic IV Differential Attack)
Michael Vielhaber
http://eprint.iacr.org/2007/413

Vielhaber claims that AIDA anticipates the Cube attack; see his post on 
the iacr eprint forum:


http://eprint.iacr.org/forum/read.php?8,59

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-10-24 Thread Ben Laurie
Peter Gutmann wrote:
 If this had been done in the beginning, before users -- and web site
 designers, and browser vendors -- were mistrained, it might have worked.
 Now, though?  I'm skeptical.
 
 For existing apps with habituated users, so am I.  So how about the following
 strawman: Take an existing browser (say Firefox), brand it as some special-
 case secure online banking browser, and use the new developments solution
 above, i.e. it only talks mutual-auth challenge-response crypto and nothing
 else.  At that point you've reduced Reformat user and reinstall browsing
 habits to Train users to only use safe-browser when they do their banking,
 i.e. 'Never enter banking details using anything other than safe-browser'.
 Even if you only get a subset of users doing this, it's still a massive attack
 surface reduction because you've raised the bar from any idiot who buys a
 phishing kit to having to perform a man-in-the-browser attack.

We've been debating this a lot at Google lately. One argument that I
have increasing sympathy with is that SSO (or if you want to be modern,
federated login) provides an opportunity to change the playing field
sufficiently that we can reprogram users to be less vulnerable to
phishing - or just switch them to protocols that make phishing irrelevant.

To that end, we've released some usability research...

http://google-code-updates.blogspot.com/2008/09/usability-research-on-federated-login.html

Obviously the end game here is that the user only has to protect his
login to a small number of sites - i.e. those that provide the IdP. Once
we get there, perhaps users can be persuaded to authenticate to those
sites using something stronger than username/password.

A sidenote that provides me with some amusement: although the modern
trend is towards using OpenID, no-one wants to use it in the mode it is
designed for, i.e. where the user can pick any old IdP and the RP will
just trust it. In practice where we seem to be headed is that RPs will
trust some smallish number of trusted IdPs. This is, of course, exactly
what the Liberty guys have been working on all along. I predict that
over time, most of the elements of Liberty will be incorporated into OpenID.

Which makes me think that if Liberty had done what it claimed to be
doing when it started, i.e. be a community-based, open-source-friendly
protocol suite, it would have worked much better.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Using GPUs to crack crypto

2008-10-24 Thread Steven M. Bellovin
Elcomsoft has a product that uses GPUs to do password-cracking on a
variety of media.  They claim a speed-up of up to 67x, depending on the
application being attacked.

http://www.elcomsoft.com/edpr.html?r1=prr2=wpa

(This has led to a variety of stories (see, for example,
http://www.scmagazineuk.com/WiFi-is-no-longer-a-viable-secure-connection/article/119294/)
claiming that WPA is dead. The correct answer, though, is that
passwords are dead, especially bad ones.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Snatching defeat from the jaws of victory

2008-10-24 Thread Peter Gutmann
The DailyWTF has an entertainnig writeup on how not to use strong crypto to 
protect an embedded device, in this case a Wii, at 
http://thedailywtf.com/Articles/Anatomii-of-a-Hack.aspx.  The 
signature-verification function was particularly entertaining:

  decrypt_rsa(signature, public_key, decrypted_signature);
  if(strncmp(content_sha1, decrypted_signature + 236, 20) == 0)
  [...]

(And before you burst out laughing, Apple did something only slightly less bad
in the iPhone).

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

2008-10-24 Thread John Gilmore
[British shoppers were promised high security by switching from credit
cards to cards that have a chip in them and require that a PIN be entered
for each transaction.  That was the reason for changing everything over,
at high cost in both money and inconvenience to shops and shoppers.  Perhaps
chip-and-pin HAS reduced overall fraud -- but check out this elaborate 
scheme that beat their security for tens of millions of UK pounds.  

Now, why is this being announced by the US National Counter-
intelligence Executive, Joel Brenner?  Because none of the banks or
stores is willing to admit it?  Still, why publicize it at all?  I
find his quote very telling: Previously only a nation state's
intelligence service would have been capable of pulling off this type
of operation.  How would he know this?  Which nation-states have done
similar types of operation, and why isn't he telling the public about
THEM instead of about these other criminals?

I've long suspected that NSA's (still secret) budget (approved by a
tiny number of manipulated Congressmen) has been, uh, augmented, by
its ability to manipulate financial markets using inside information
obtained from domestic and global mass wiretaps.  You don't suppose
NSA is behind the recent market volatility, do you?  It's easiest to
skim off billions when trillions are hurriedly sloshing around in a
panic.  --gnu]

Forwarded-By: Kurt Albershardt [EMAIL PROTECTED]

Clever (and a tad frightening)

http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam-How-it-works.html

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


German data rentention law

2008-10-24 Thread R.A. Hettinga



Begin forwarded message:

From: Eugen Leitl [EMAIL PROTECTED]
Date: October 18, 2008 7:08:22 AM GMT-04:00
To: [EMAIL PROTECTED]
Subject: German data rentention law

- Forwarded message from Karsten N. [EMAIL PROTECTED] 
 -


From: Karsten N. [EMAIL PROTECTED]
Date: Sat, 18 Oct 2008 10:49:08 +0200
To: [EMAIL PROTECTED]
Subject: German data rentention law
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
Reply-To: [EMAIL PROTECTED]

Hi,

I. part: A short overview about the data rentention law in Germany.

 1: ISPs have to log the start and end of a user dial-in with
time stamp and IP address. They have not to log any content.

 2: Public provider of electronic mail have to log all connections of
users with time stamp, IP address, login account and the email
addresses of sender and recipient for every mail (send and
receive).

 3: VoIP provider have to log all connections with timestamp,
IP address and phone number of caller and recipient.

 4: Fon and mobile fon provider have to log all connections and
tries with timestamp, phone number and location.

 5: Anon services have to log the rewrite of any information, which
will be logged by a third party. (Thats all, not very clear.)


At the moment, it seems not clear, how tor is affected by this law.
I read some papers from the gouverment: An anon service (like tor or
JAP) has to log, because the law will be useless otherwise.

Some papers of non-gouverment organizations like ULD: Tor and JAP are
not affected by the telecommunication law, because it is not a
telecommunication service (in the case of law) and tor nodes have NOT
to log.

Together with the JonDos GmbH (JAP) the GPF try to get a legal
non-logging solution for tor, but the result is open and we are late.
(May be too late?)


II. part: suggestion of a technical solution

May be, tor can use geoip and divide the world in a logging area and a
non-logging area. If the target host is inside the logging area
(Germany), the exit node has to be outside. Otherwise a german node
can be an exit too.

In this case, we have two possibilities:

 1: the target host is outside the logging area - no logging

 2: the target host is inside the logging area - the exit is
outside and writes no logs - an german entry or middle man
has to log nothing, because it routes to a not logging exit.

Because not all clients will update to a new version very quickly,
we need a feature for german exit nodes to reject all routes from old
clients, when the node is the exit of the route.

Or, if it was more simple for the developer, a feature for exit nodes
to define a country (based on geoip) to reject all exit routes. If all
german relays used this feature, it may work.

Otherwise, all german nodes have to switch to middle man.

It is only one suggestion, not the really best solution.

Karsten N.

- End forwarded message -
--
Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Pulling Keystrokes Out of the Air

2008-10-24 Thread Arshad Noor
Computer keyboards are often used to transmit sensitive information such as 
username/password (e.g. to log into computers, to do e-banking money transfer, 
etc.). A vulnerability on these devices will definitely kill the security of 
any computer or ATM.

http://lasecwww.epfl.ch/keyboard/

Arshad Noor
StrongAuth, Inc.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread John Denker
On 09/29/2008 05:13 AM, IanG wrote:
 My assumptions are:
 
  * I trust no single source of Random Numbers.
  * I trust at least one source of all the sources.
  * no particular difficulty with lossy combination.


 If I have N pools of entropy (all same size X) and I pool them
 together with XOR, is that as good as it gets?

Yes.

The second assumption suffices to prove the result,
since (random bit) XOR (anything) is random.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


ADMIN: backlog cleared

2008-10-24 Thread Perry E. Metzger

Moderator's note: Yes, I'm alive. I've just been insanely busy. I'm
planning on adding a system so I can turn the list over to guest
moderators before this happens again (in about a month, I'm
anticipating.)

Perry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Jonathan Katz

[Moderator's note: top posting is not tasteful. --Perry]

I think it depends on what you mean by N pools of entropy.

Are you assuming that one of these is sources is (pseudo)random, but you 
don't know which one? Are you assuming independence of these difference 
sources? If both these assumptions hold, then XOR will do the trick.


If your only assumption is that one of the sources has high min-entropy 
(but may not necessarily be uniform), or if the independence assumption 
does not hold, then you may need to use some form of randomness 
extraction.


On Mon, 29 Sep 2008, IanG wrote:


If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?

My assumptions are:

* I trust no single source of Random Numbers.
* I trust at least one source of all the sources.
* no particular difficulty with lossy combination.

iang

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Ben Laurie
On Mon, Sep 29, 2008 at 1:13 PM, IanG [EMAIL PROTECTED] wrote:
 If I have N pools of entropy (all same size X) and I pool them
 together with XOR, is that as good as it gets?

Surely not. Consider N pools each of size 1 bit. Clearly you can do
better than the 1 bit your suggestion would yield.

More concretely, concatenation would seem better than XOR.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Stephan Neuhaus


On Oct 24, 2008, at 14:29, John Denker wrote:


On 09/29/2008 05:13 AM, IanG wrote:

My assumptions are:

* I trust no single source of Random Numbers.
* I trust at least one source of all the sources.
* no particular difficulty with lossy combination.




If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?


Yes.

The second assumption suffices to prove the result,
since (random bit) XOR (anything) is random.


Ah, but for this to hold, you will also have to assume that the N  
pools are all independent.  If they are not, you cannot even guarantee  
one single bit of entropy (whatever that is).  For example, if N =  
2, your trusted source is pool 1, and I can read pool 1 and control  
pool 2, I set pool 2 = pool 1, and all you get is zeros. And that  
surely does not contain X bits of entropy for any reasonable  
definition of entropy.


Fun,

Stephan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Wouter Slegers
L.S.,

 If I have N pools of entropy (all same size X) and I pool them
 together with XOR, is that as good as it gets?
 
 My assumptions are:
 
  * I trust no single source of Random Numbers.
  * I trust at least one source of all the sources.
  * no particular difficulty with lossy combination.
I take the last item to mean that you do not mind wasting entropy but
want to be sure the resulting random number is unpredictable.

If you add one additional assumption:
* The sources are independent of each other
then the XOR of the random sources will be at least as unpredictable as
the most unpredictable individual random source (to keep away from the
entropy discussion). As far as I can se, this the if at least one
source is unpredictable for a workload of x, the resulting random is
also at least that unpredictable property that you seem to be looking
for.

If the sources are not independent, in the most extreme case: the sources
are the same, the result is not so good. XORing in the same RNG stream
twice, however good the RNG, is not so useful ;-)

Without the threatmodel, I am not sure if this is a problem for you, but 
if the attacker has control or knowledge of some of the sources, he 
also knows the XOR of the remaining ones. In the case he knows all but
one sources, and the remaining source is not so unpredictable (LFSR,
poorly biased noise source), the result can be quite predictable (and in
weak RNG designs, the remaining source might be compromised).
Note that this could also be used to force the combined RNG to more
likely generate a chosen output.

Using hashfunctions to combine the randoms makes it computationally
harder for such chosen results to be generated, it quickly becomes
effectively a search problem for hash-collisions where you have only
limited choice on the input. Also temporary lulls in the quality of the
random sources are much better handled. Peter Gutmann's dissertation
has a very good description of what he did for hardening his cryptolib's
the random generation from many such attacks/mistakes.

With kind regards,
Wouter Slegers

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Stephan Neuhaus

On Oct 24, 2008, at 15:37, Stephan Neuhaus wrote:

Ah, but for this to hold, you will also have to assume that the N  
pools are all independent.


Slight correction: You will have to assume that one of the trusted  
pools is independent from the others.


Best,

Stephan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Thierry Moreau



IanG wrote:


If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?

My assumptions are:

 * I trust no single source of Random Numbers.
 * I trust at least one source of all the sources.
 * no particular difficulty with lossy combination.



Do you really trust that no single source of entropy can have knowledge 
of the other source's output, so it can surreptitiously correlate its own?


I.e, you are are also assuming that these sources are *independent*.


--

- Thierry Moreau

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-10-24 Thread Tom Scavo
On Sun, Oct 12, 2008 at 7:39 AM, Ben Laurie [EMAIL PROTECTED] wrote:

 One argument that I
 have increasing sympathy with is that SSO (or if you want to be modern,
 federated login)

Federated identity is the fancy modern term for cross-domain SSO.

 Obviously the end game here is that the user only has to protect his
 login to a small number of sites - i.e. those that provide the IdP. Once
 we get there, perhaps users can be persuaded to authenticate to those
 sites using something stronger than username/password.

I think this is putting the cart before the horse.  Today I don't see
many IdPs (OpenID, SAML, or otherwise) that support more than
username/password.  Until that happens, the relying party will
continue to maintain its own username/passwords since there's little
incentive to federate.

 A sidenote that provides me with some amusement: although the modern
 trend is towards using OpenID, no-one wants to use it in the mode it is
 designed for, i.e. where the user can pick any old IdP and the RP will
 just trust it. In practice where we seem to be headed is that RPs will
 trust some smallish number of trusted IdPs. This is, of course, exactly
 what the Liberty guys have been working on all along. I predict that
 over time, most of the elements of Liberty will be incorporated into OpenID.

I mostly agree with this observation, but I'd replace the word
Liberty with SAML throughout the above paragraph.  The Liberty
Identity Federation Framework (ID-FF) was donated to the OASIS
Security Services Technical Committee in late 2003.  This gave rise to
SAML V2.0 in March 2005.  For all practical purposes, Liberty ID-FF is
dead.

If RPs end up trusting a small number of IdPs, then there is much to
be gained (obviously) by being one of those IdPs.  Thus there are
strong forces at work to *prevent* federated identity from taking hold
since everyone is competing to be one of those IdPs.  I wonder what it
will take to break the log-jam that holds back the anticipated rise of
federated identity?

 Which makes me think that if Liberty had done what it claimed to be
 doing when it started, i.e. be a community-based, open-source-friendly
 protocol suite, it would have worked much better.

I'm not sure I follow that line of reasoning.  Are you referring to
Liberty the specification or Liberty the implementation?  In any
event, it is better to talk about SAML, not Liberty, since the latter
is history with respect to browser-based federated identity.

I agree with you that the goal is to replace username/password with
something stronger, but evidently neither OpenID nor SAML are helping
us get there.  I still have some hope that information cards will make
a dent in this problem, but who knows.

Tom

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Who cares about side-channel attacks?

2008-10-24 Thread Jack Lloyd
On Mon, Oct 06, 2008 at 05:51:50PM +1300, Peter Gutmann wrote:
 For the past several years I've been making a point of asking users of crypto
 on embedded systems (which would be particularly good targets for side-channel
 attacks, particularly ones that provide content-protection capabilities)
 whether they'd consider enabling side-channel attack (SCA - no, not that SCA)
 protection in their use of crypto.  So far I've never found anyone who's made
[...]

 In other words the user has to make a conscious decision that SCA protection
 is important enough that performance/power consumption can be sacrificed for
 it.  Can anyone provide any data on users making this tradeoff?  And since
 negative results are also results, a response of I've never found anyone who
 cares either is also useful.  Since the information may be commercially

I have little experience on the embedded crypto side but I do maintain
a crypto library that has some non-zero number of users on general
desktop and server machines.

Basic protections ala your point 2 are provided and enabled by default
(blinding, and checking private key operations for consistency with
the public, to prevent the really easy attacks). There used to be a
toggle to disable blinding, which as far as I know was never used - or
at least nobody complained when I removed the toggle.

To my memory nobody has ever asked about what SCA measures are or are
not enabled, or how to toggle them, though I do have a FAQ entry about
it, so perhaps people who really wanted serious side-channel
resistence just read that FAQ and moved on to another implementation
without ever bothering to contact me - certainly there are some
self-selection problems with my sampling.

When FlexSecure wrote Botan's ECC implementation for BSI, they
implemented a number of anti-timing attack countermeasures - but they
were being paid to care about that, so this is probably not a valid
datapoint.

-Jack

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


26 historic Enigmas found in Spain

2008-10-24 Thread Eugen Leitl

http://www.theregister.co.uk/2008/10/24/spanish_enigmas/

Spanish discover cache of 26 Enigma machines

Franco's 'secret weapon' tracked to army HQ

By Lester Haines 

Posted in Science, 24th October 2008 10:03 GMT

Spanish newspaper El Pa�s last week tracked down 26 examples of Franco's
secret weapon against Republican forces in the country's civil war - a
cache of perfectly-preserved Enigma machines hidden for years in a gloomy
office in the army's main headquarters in Madrid.

Nationalist forces led by Franco acquired their first ten Enigma machines
from Germany in 1936. While Hitler had already decided to offer Franco his
full support in the Spanish civil war, this didn't actually extend to the
full-fat military versions of Enigma, and his Iberian ally had to make do
with the vastly inferior commercial D model.

The German High Command was apparently concerned that careless Spaniards
might let the Republicans get their hands on an Enigma. Indeed, even
Germany's Condor Legion - dispatched to Spain to aid the Nationalist cause -
also reportedly used commercial Enigmas in the field.

Nonetheless, the Republicans were never able to decipher Enigma
communications between Franco and his top brass, and the machines' success
led to further acquisitions. Commander Antonio Sarmiento, charged with
training operators in Franco's Salamanca headquarters, enthusiastically
reported in 1936: ?To give some idea of the level of security these machines
offer, it's suffice to say that the number of possible combinations is an
astounding 1,252,962,387,456.?

The total number of machines eventually bought by Spain is unknown, although
estimates vary from 30 to 50. They were not withdrawn from service until the
early 1950s, which offers the rather agreeable possibility that the British
were able to read the Spanish dictatorship's military communications while
Franco remained blissfully unaware that his Nazi sponsors' device had been
laid bare by Bletchley Park years before. 

Bootnote

El Reg is, of course, supporting Bletchley Park and the National Museum of
Computing with our splendid Enigma t-shirt. Get it before Cash'n'Carrion's
free shipping offer ends on 31 October.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Jon Callas


On Sep 29, 2008, at 5:13 AM, IanG wrote:


If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?

My assumptions are:

* I trust no single source of Random Numbers.
* I trust at least one source of all the sources.
* no particular difficulty with lossy combination.


It's within epsilon for a good many epsilon.

I'm presuming you want the resultant size to be X, as well. Otherwise,  
the suggestion that Ben has, concatenation is obviously better, and  
you can solve obvious problems.


Another solution is to hash the N pools together with a suitably  
secure function. (Most the available algorithms are suitably secure  
for this purpose.) The downside of this is that you are capping your  
entropy at the size of the hash function. It's better than XOR because  
it's not linear, blah, blah, blah.


However, if you had three pools, each relatively large, it doesn't  
hurt anything to XOR them together. It's pretty easy to prove that the  
result does not decrease entropy, but I think it's impossible to prove  
that it increases it. XORing is really taking the max of the N pools.


You have to realize that XOR is bad if there's a chance to leak the  
entropy pool, XOR is a bad function. If whoever produced pool X sees  
X^Y, then they know Y. But you know that, too.


Jon


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 10:23:07AM -0500, Thierry Moreau wrote:

 Do you really trust that no single source of entropy can have knowledge of 
 the other source's output, so it can surreptitiously correlate its own?

 I.e, you are are also assuming that these sources are *independent*.

I do not think one means the other here.

An omniscient malicious RNG source seems quite unlikely in most threat
models. However that is a very different statement from saying that
lacking such an attacker, you can safely assume your 'pools of
entropy' (to quote the original question) are independent in the
information-theoretic sense.

Say you execute (on a Linux machine) two commands, like ifconfig -a
and netstat -s (which print ASCII text with statistics about network
interfaces and network protocols, resp), capturing the output as two
of your entropy sources.

Both have some amount of entropy (perhaps zero if an attacker is on
the machine and runs his commands at the same time as yours - and
perhaps quite a bit more if the local machine happens to be safe). But
they are certainly not statistically independent!  Information in one
will be somewhat reflected in the other (packet counters), and of
course at the macro level all your inputs have high bit unset, so if
you combined via XOR your output will have at best .875 bits of
entropy per bit.

To address IanG's question more directly, my first thought would be to
use something like the design Hugo Krawczyk describes in On
Extract-then-Expand Key Derivation Functions and an HMAC-based KDF
(http://www.ee.technion.ac.il/~hugo/kdf/kdf.pdf) or one of the related
PRNG designs he references. Then use the output of the HMAC PRF to
feed the DT vector of an X9.31 PRNG (using block cipher du jour), a
trick AFAIK invented by Peter Gutmann which has always seemed like a
good worst-case-scenario trick to me (for instance, if the code for
the hash's compression function is miscompiled), though at the cost of
extra code/design complexity (and thus points of failure) - as always
there are tradeoffs to make.

-Jack (IANAC)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread John Denker
On 10/24/2008 01:12 PM, Jack Lloyd wrote:

  is a very different statement from saying that
 lacking such an attacker, you can safely assume your 'pools of
 entropy' (to quote the original question) are independent in the
 information-theoretic sense.

The question, according to the original poster, is not 
whether it is safe to assume that one of the entropy
sources can be trusted.  Safe or not, the question explicitly 
assumed that one of the sources was trusted ... and asked 
what the consequences of that assumption would be.

In particular, evidently the scenario was that we started
with N high-entropy randomness generators, but N-1 of
them have failed.  One of them is still working, but we
don't know which one.

In that scenario, XOR is a good-enough combining function,
and nothing else would be any better.

If somebody wants to discuss a different scenario, please
clarify what the new scenario is.

Suggesting that the trusted source is correlated with one
of the other sources is quite contrary to the requirements
expressed in the original question.

That is to say, if the source is not independent, it was
never eligible to be a trusted entropy source.

If you want to quantify this, write down the _joint_ probability
distribution for all the sources, and calculate the entropy
of that distribution in the usual way.

1) There is _one_ very precise meaning for entropy that is 
well-established and conventional across a wide range of 
fields ... everything from kitchen appliances to cosmology.
  http://www.av8n.com/physics/thermo-laws.htm#sec-relevance

2) Authors are allowed to define and redefine terms however
they please ... _provided_ they define any nonstandard terms
that they use.  Anybody who takes a well-established standard
term and uses it in a nonstandard way has a double-extra-special
duty to explain what he's doing.

I assume the original poster was using the term entropy
in the conventional, precise sense ... and until I hear
otherwise I will continue to do so.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 03:20:24PM -0700, John Denker wrote:
 On 10/24/2008 01:12 PM, Jack Lloyd wrote:
 
   is a very different statement from saying that
  lacking such an attacker, you can safely assume your 'pools of
  entropy' (to quote the original question) are independent in the
  information-theoretic sense.
 
 The question, according to the original poster, is not 
 whether it is safe to assume that one of the entropy
 sources can be trusted.  Safe or not, the question explicitly 
 assumed that one of the sources was trusted ... and asked 
 what the consequences of that assumption would be.

Perhaps our seeming disagreement is due to a differing interpretation
of 'trusted'. I took it to mean that at least one pool had a
min-entropy above some security bound. You appear to have taken it to
mean that it will be uniform random?

-Jack

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]