EFF Warns Texas Instruments to Stop Harassing Calculator Hobbyists (for cracking public keys)

2009-10-14 Thread John Gilmore
FYI.  As I understand it, TI calculator boot ROMs use a 512 bit RSA
public key to check the signature of the software they're loading.
When hobbyists who wanted to run their own alternative OS software on
their calculator calculated the corresponding private key and were
thus able to sign their own software, TI sent them DMCA takedowns
claiming they had cracked TI's DRM.  As with the CSS keys, a
publish/takedown chase ensued.  Wikileaks has had the censored keys up
since August.  EFF is now representing the hobbyists, and may stand to
collect legal fees from TI.  Here's Schneier's take:

  http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html

John

Electronic Frontier Foundation Media Release

For Immediate Release: Tuesday, October 13, 2009

Contact:

Jennifer Stisa Granick
   Civil Liberties Director
   Electronic Frontier Foundation
   jenni...@eff.org
   +1 415 436-9333 x134

EFF Warns Texas Instruments to Stop Harassing Calculator
Hobbyists

Baseless Legal Threats Squash Free Speech, Innovation

San Francisco - The Electronic Frontier Foundation (EFF)
warned Texas Instruments (TI) today not to pursue its
baseless legal threats against calculator hobbyists who
blogged about potential modifications to the company's
programmable graphing calculators.

TI's calculators perform a signature check that allows
only approved operating systems to be loaded onto the
hardware.  But researchers were able to reverse-engineer
signing keys, allowing tinkers to install custom operating
systems and unlock new functionality in the calculators'
hardware.  In response to this discovery, TI unleashed a
torrent of demand letters claiming that the
anti-circumvention provisions of the Digital Millennium
Copyright Act (DMCA) required the hobbyists to take down
commentary about and links to the keys.  EFF represents
three men who received such letters.

The DMCA should not be abused to censor online discussion
by people who are behaving perfectly legally, said Tom
Cross, who blogs at memestreams.net. It's legal to engage
in reverse engineering, and its legal to talk about reverse
engineering.

In fact, the DMCA explicitly allows reverse
engineering to create interoperable custom software like
the programs the hobbyists are using.  Additionally, TI
makes its software freely available on its website, so
there is no connection between the use of the keys and
unauthorized distribution of the code.

This is not about copyright infringement.  This is about
running your own software on your own device -- a
calculator you legally bought, said EFF Civil Liberties
Director Jennifer Granick.  Yet TI still issued empty
legal threats in an attempt to shut down discussion of this
legitimate tinkering.  Hobbyists are taking their own tools
and making them better, in the best tradition of American
innovation.

For the full letters sent to Texas Instruments by EFF on
behalf of their clients:
http://www.eff.org/files/filenode/coders/TI%20Claim%20Ltr%20101309.pdf

For this release:
http://www.eff.org/press/archives/2009/10/13

About EFF

The Electronic Frontier Foundation is the leading civil
liberties organization working to protect rights in the
digital world. Founded in 1990, EFF actively encourages and
challenges industry and government to support free
expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to
websites in the world at http://www.eff.org/


 -end-

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Possibly questionable security decisions in DNS root management

2009-10-14 Thread Perry E. Metzger

Ekr has a very good blog posting on what seems like a bad security
decision being made by Verisign on management of the DNS root key.

http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

In summary, a decision is being made to use a short lived 1024 bit key
for the signature because longer keys would result in excessively large
DNS packets. However, such short keys are very likely crackable in short
periods of time if the stakes are high enough -- and few keys in
existence are this valuable.

Perry
-- 
Perry E. Metzgerpe...@piermont.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread bmanning
On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
 
 Ekr has a very good blog posting on what seems like a bad security
 decision being made by Verisign on management of the DNS root key.
 
 http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
 
 In summary, a decision is being made to use a short lived 1024 bit key
 for the signature because longer keys would result in excessively large
 DNS packets. However, such short keys are very likely crackable in short
 periods of time if the stakes are high enough -- and few keys in
 existence are this valuable.


however - the VSGN proposal meets current NIST guidelines.

--bill


 
 Perry
 -- 
 Perry E. Metzger  pe...@piermont.com
 
 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread Perry E. Metzger

bmann...@vacation.karoshi.com writes:
 On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
 Ekr has a very good blog posting on what seems like a bad security
 decision being made by Verisign on management of the DNS root key.

 http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

 In summary, a decision is being made to use a short lived 1024 bit key
 for the signature because longer keys would result in excessively large
 DNS packets. However, such short keys are very likely crackable in short
 periods of time if the stakes are high enough -- and few keys in
 existence are this valuable.

   however - the VSGN proposal meets current NIST guidelines.

That doesn't say anything about how good an idea it is, any more than an
architect can make a building remain standing in an earthquake by
invoking the construction code.

We are the sort of people who write these sorts of guidelines, and if
they're flawed, we can't use them as a justification for designs.

(Well, a bureaucrat certainly can use such documents as a form of CYA,
but we're discussing technology here, not means of evading blame.)

The fact is, the DNS root key is one of the few instances where it is
actually worth someone's time to crack a key because it provides
enormous opportunities for mischief, especially if people start trusting
it more because it is authenticated. Unlike your https session to view
your calendar or the password for your home router, the secret involved
here are worth an insane amount of money.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread bmanning
On Wed, Oct 14, 2009 at 07:22:27PM -0400, Perry E. Metzger wrote:
 
 bmann...@vacation.karoshi.com writes:
  On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
  Ekr has a very good blog posting on what seems like a bad security
  decision being made by Verisign on management of the DNS root key.
 
  http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
 
  In summary, a decision is being made to use a short lived 1024 bit key
  for the signature because longer keys would result in excessively large
  DNS packets. However, such short keys are very likely crackable in short
  periods of time if the stakes are high enough -- and few keys in
  existence are this valuable.
 
  however - the VSGN proposal meets current NIST guidelines.
 
 That doesn't say anything about how good an idea it is, any more than an
 architect can make a building remain standing in an earthquake by
 invoking the construction code.
 
 We are the sort of people who write these sorts of guidelines, and if
 they're flawed, we can't use them as a justification for designs.
 
 (Well, a bureaucrat certainly can use such documents as a form of CYA,
 but we're discussing technology here, not means of evading blame.)
 
 The fact is, the DNS root key is one of the few instances where it is
 actually worth someone's time to crack a key because it provides
 enormous opportunities for mischief, especially if people start trusting
 it more because it is authenticated. Unlike your https session to view
 your calendar or the password for your home router, the secret involved
 here are worth an insane amount of money.


er... there is the root key and there is the ROOT KEY.
the zsk only has a 90 day validity period.  ... meets the
spec and -ought- to be good enough.   that said, it is
currently a -proposal- and if credible arguments can be made
to modify the proposal, I'm persuaded that VSGN will do so.



 Perry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread Perry E. Metzger

bmann...@vacation.karoshi.com writes:
 er... there is the root key and there is the ROOT KEY.
 the zsk only has a 90 day validity period.  ... meets the
 spec and -ought- to be good enough.   that said, it is
 currently a -proposal- and if credible arguments can be made
 to modify the proposal, I'm persuaded that VSGN will do so.

Well, you might look at Ekr's argument, which I largely agree with. I
think the two key observations are that 1024 bit keys are already
considered iffy, large (perhaps hundreds of millions of dollars or even
more) may be thrown by opponents at this particular key, and that
technology for factoring will only get better. Given the sums that could
be spent, very specialized hardware could be built -- far more
specialized than ordinary PCs on which the problem doesn't scale that
well in its most expensive steps.

Security is usually not limited by cryptography in the modern
world. Crypto systems are usually far stronger than opponents will to
spend, and bugs are the more obvious way to attack things.  However, if
you're talking about a really high value target and weak enough
crypto, the economics change, and with them so does everything else.
Crypto being a potential weak spot is an exceptionally rare situation,
but the DNS root key is insanely high value.

We should also recognize that in cryptography, a small integer safety
margin isn't good enough. If one estimates that a powerful opponent
could attack a 1024 bit RSA key in, say, two years, that's not even a
factor of 10 over 90 days, and people spending lots of money have a good
record of squeezing out factors of 10 here and there. Finding an
exponential speedup in an algorithm is not something one can do, but
figuring out a process trick to remove a small constant is entirely
possible.

Meanwhile, of course, the 1024 bit short term keying system may end up
staying in place far longer than we imagine -- things like this often
roll out and stay in place for a decade or two even when we imagine we
can get rid of them quickly. Do we really believe we won't be able to
attack a 1024 bit key with a sufficiently large budget even in 10 years?

Again, normally, crypto isn't where you attack an opponent, but in this
case, I'd suggest that key length might not be a silly thing to worry
about.

There are enough people here with the right expertise. I'd be interested
in hearing what people think could be done with a fully custom hardware
design and a budget in the hundreds of millions of dollars or more.

Perry
-- 
Perry E. Metzgerpe...@piermont.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread Paul Hoffman
At 7:54 PM -0400 10/14/09, Perry E. Metzger wrote:
There are enough people here with the right expertise. I'd be interested
in hearing what people think could be done with a fully custom hardware
design and a budget in the hundreds of millions of dollars or more.

What part of owning a temporary private key for the root zone would be worth 
even 10% of that much? There are attacks, and there are motivations. Until we 
know the latter, we cannot put a price on the former.

Related question: if all the root keys were 2048 bits, who do you think would 
change the way they rely on DNSSEC?

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread Jerry Leichter

On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:
...We should also recognize that in cryptography, a small integer  
safety

margin isn't good enough. If one estimates that a powerful opponent
could attack a 1024 bit RSA key in, say, two years, that's not even a
factor of 10 over 90 days, and people spending lots of money have a  
good

record of squeezing out factors of 10 here and there. Finding an
exponential speedup in an algorithm is not something one can do, but
figuring out a process trick to remove a small constant is entirely
possible.

Meanwhile, of course, the 1024 bit short term keying system may  
end up

staying in place far longer than we imagine -- things like this often
roll out and stay in place for a decade or two even when we imagine we
can get rid of them quickly.
As I read it, short term refers to the lifetime of the *key*, not  
the lifetime of the *system*.



Do we really believe we won't be able to
attack a 1024 bit key with a sufficiently large budget even in 10  
years? ...
Currently, the cryptographic cost of an attack is ... 0.  How many  
attacks have there been?  Perhaps the perceived value of owning part  
of DNS isn't as great as you think.


If the constraints elsewhere in the system limit the number of bits of  
signature you can transfer, you're stuck.  Presumably over time you'd  
want to go to a more bit-efficient signature scheme, perhaps using  
ECC.  But as it is, the choice appears to be between (a) continuing  
the current completely unprotected system and (b) *finally* rolling  
out protection sufficient to block all but very well funded attacks  
for a number of years.


Should we let the best be the enemy of the good here?

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com