Re: Intel to also add RNG

2010-07-13 Thread Francois Grieu
On 12/07/2010 22:13, Eric Murray wrote:
> On Mon, Jul 12, 2010 at 03:37:45PM -0400, Paul Wouters wrote:
>> On Mon, 12 Jul 2010, Eric Murray wrote:
>>
>>> Then there's FIPS- current 140 doesn't have a provision for HW RNG.
>>> They certify software RNG only, presumeably because proving a HW RNG to be
>>> random enough is very difficult.   So what's probably the primary market
>>> (companies who want to meet FIPS) isn't available.
>> So you can do HWRNG -> SWRNG -> Fips ?
> Last FIPS cert I did (140-2, a couple years ago), it was SWRNG only. 
> X9.62 or FIPS 186 or X9.31 or SP 800-90.
>
> I couldn't even use a HW RNG for the seed.  /dev/random was acceptable.
>

The Smart Card industry uses True RNG a lot. There, a common line of
thought is to use:
- a hardware RNG, whose raw output (perhaps biased) is directly
accessible for testing purposes (only), so that the software can check
it in depth at startup and from time to time to ascertain that it is at
least generating a fair amount of entropy
- followed by appropriate post-processing in hardware (so as to gather
entropy at all times), acting as a mixer/debiaser; e.g. something LFSR-based
- followed by a crude software test (e.g. no bit stuck)
- optionally followed by software postprocessing (the subject is
debated; this software has to be proven not to include weakness, and the
hardware + crude software test is certified to eliminate such weakness,
so why bother, some say)

There is a standard, known as AIS31, on evaluating True RNG, which
de facto enforces the first three steps,

which references


For a German-reading audience, the page linking to that is

Google does good work when fed with AIS31.

  François Grieu

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
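As an added illustration of the three-stage design described in the message above (this is example code, not from the original post or from any smart-card product): a constructed biased raw source, a startup min-entropy check on the raw output, an LFSR-based mixer/debiaser, and a crude stuck-bit test on the mixed output. The bias level, the 16-bit tap set, the 8:1 compression ratio and the thresholds are assumptions chosen for illustration only.

```python
import math
import random
from collections import Counter

def biased_raw_source(n_bits, p_one=0.7, seed=1):
    """Constructed stand-in for a raw TRNG: independent bits biased toward 1."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]

def min_entropy_per_bit(bits):
    """Startup/periodic check on the raw output: min-entropy in bits per bit,
    assuming independent bits (estimated from the most frequent value)."""
    p_max = max(Counter(bits).values()) / len(bits)
    return -math.log2(p_max)

def lfsr_mixer(raw_bits, bits_per_output=8, width=16, taps=(16, 14, 13, 11), state=0xACE1):
    """Hardware-style mixer/debiaser: each raw bit is XORed into the feedback of a
    16-bit Fibonacci LFSR (classic 16,14,13,11 tap set); one output bit is taken per
    bits_per_output raw bits, so each output is the XOR of many raw bits and the
    bias collapses (piling-up lemma). Illustrative tap set, not a certified design."""
    mask = (1 << width) - 1
    out = []
    for i, r in enumerate(raw_bits, 1):
        fb = r
        for t in taps:
            fb ^= (state >> (t - 1)) & 1
        state = ((state << 1) | fb) & mask
        if i % bits_per_output == 0:
            out.append(state & 1)
    return out

def stuck_bit_test(bits, max_run=32):
    """Crude software test: fail if max_run identical bits occur in a row."""
    run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        if run >= max_run:
            return False
    return True

def trng_pipeline(n_raw=20000, p_one=0.7, entropy_floor=0.3):
    """Raw source -> startup entropy check -> LFSR mixer -> stuck-bit test.
    The entropy floor is an assumed threshold, not a value from AIS31."""
    raw = biased_raw_source(n_raw, p_one)
    if min_entropy_per_bit(raw) < entropy_floor:
        raise RuntimeError("raw source failed the startup entropy check")
    mixed = lfsr_mixer(raw)
    if not stuck_bit_test(mixed):
        raise RuntimeError("mixed output failed the stuck-bit test")
    return raw, mixed
```

Running `trng_pipeline()` returns the raw stream (about 70% ones) and the mixed stream (close to 50% ones); a source that only ever emits ones has zero min-entropy and is rejected at startup before anything reaches the mixer.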


Re: Fwd: Anyone make any sense out of this skype hack announcement?

2010-07-13 Thread Peter Gutmann
Christian Collberg writes:

>I don't know if the new crack reveals anything new. We have a writeup about 
>the Skype protection techniques in "Surreptitious Software", our book on 
>security-through-obscurity. (Sorry for the blatant self-promotion).

No need to apologise, it's a damn good read.  For people not familiar with it, 
the title is a bit misleading (it sounds like a book about malware); it's 
actually a book on software obfuscation and tamperproofing, and IMHO it's the 
definitive reference on the topic.

Peter.



Re: Intel to also add RNG

2010-07-13 Thread Peter Gutmann
Paul Wouters writes:

>Which is what you should do anyway, in case of a hardware failure. I know the 
>Linux intel-rng and amd-rng used to produce nice series of zeros.

Do you have any more details on this?  Was it a hardware problem, software
problem, ...?  How was it caught?

Peter.



Call for Papers: CPSRT 2010 - Deadlines Extended!

2010-07-13 Thread George Yee
DEADLINES EXTENDED!!

CALL FOR PAPERS (For HTML version, please visit http://CPSRT.cloudcom.org/)

INTERNATIONAL WORKSHOP ON CLOUD PRIVACY, SECURITY, RISK & TRUST (CPSRT 2010)

In conjunction with 2nd IEEE International Conference on Cloud Computing 
Technology and Science (CloudCom 2010), November 30 - December 3, 2010 Indiana 
University, USA, http://2010.cloudcom.org/


IMPORTANT DATES - EXTENDED!

Submission deadline: 15 August 2010
Author notification: 15 September 2010
Camera-ready manuscript: 1 October 2010
Author registration: 1 October 2010
Workshop date: 30 November 2010


WORKSHOP CHAIRS

Latifur Khan – University of Texas at Dallas, USA
email: lk...@utdallas.edu

Siani Pearson – Hewlett-Packard Laboratories, Bristol, UK
e-mail: siani.pear...@hp.com

George Yee – Carleton University, Canada
e-mail: gm...@sce.carleton.ca


WORKSHOP STEERING COMMITTEE (in progress)

Martin Gilje Jaatun, Department of Software Engineering, Safety and Security, 
SINTEF, Trondheim, Norway 
Chunming Rong, Center of IP-based Services Innovation (CIPSI), University of 
Stavanger, Stavanger, Norway
Bhavani Thuraisingham, Cyber Security Research Center, University of Texas at 
Dallas, U.S.A.


WORKSHOP PROGRAM COMMITTEE

Carlisle Adams, University of Ottawa, Canada
Andrew Charlesworth, University of Bristol, UK
Giles Hogben, ENISA, Greece
Paul Hopkins, University of Warwick, UK
Latifur Khan, University of Texas at Dallas, USA
Steve Marsh, Communications Research Centre Canada, Canada
Christopher Millard, University of London, UK
Andrew Patrick, Office of the Privacy Commissioner of Canada, Canada
Siani Pearson, HP Labs, UK
Simon Shiu, HP Labs, UK
Sharad Singhal, HP Labs, USA
Ronggong Song, National Research Council Canada, Canada
Anthony Sulistio, Hochschule Furtwangen University, Germany
George Yee, Carleton University, Canada


WORKSHOP OBJECTIVE

Cloud computing has emerged to address an explosive growth of web-connected
devices, and handle massive amounts of data. It is defined and characterized by
massive scalability and new Internet-driven economics. Yet, privacy, security,
and trust for cloud computing applications are lacking in many instances and
risks need to be better understood.

Privacy in cloud computing may appear straightforward, since one may
conclude that as long as personal information is protected, it shouldn't matter
whether the processing is in a cloud or not. However, there may be hidden
obstacles such as conflicting privacy laws between the location of processing
and the location of data origin. Cloud computing can exacerbate the problem of
reconciling these locations if needed, since the geographic location of
processing can be extremely difficult to find out, due to cloud computing's
dynamic nature. Another issue is user-centric control, which can be a legal
requirement and also something consumers want. However, in cloud computing, the
consumers' data is processed in the cloud, on machines they don't own or
control, and there is a threat of theft, misuse or unauthorized resale. Thus,
it may even be necessary in some cases to provide adequate trust for consumers
to switch to cloud services.

In the case of security, some cloud computing applications simply lack
adequate security protection such as fine-grained access control and user
authentication (e.g. Hadoop). Since enterprises are attracted to cloud
computing due to potential savings in IT outlay and management, it is necessary
to understand the business risks involved. If cloud computing is to be
successful, it is essential that it is trusted by its users. Therefore, we also
need studies on cloud-related trust topics, such as what are the components of
such trust and how can trust be achieved, for security as well as for privacy.


MISSION

This year, the CPSRT workshop will bring together a diverse group of academics 
and industry practitioners in an integrated state-of-the-art analysis of 
privacy, security, risk, and trust in the cloud. The workshop will address 
cloud issues specifically related to access control, trust, policy management, 
secure distributed storage and privacy-aware map-reduce frameworks. 


TOPICS OF INTEREST

The workshop includes but is not limited to the following topics that refer to 
computing in the cloud:
* Access control and key management
* Security and privacy policy management 
* Identity management
* Remote data integrity protection
* Secure computation outsourcing
* Secure data management within and across data centers
* Secure distributed data storage
* Secure resource allocation and indexing
* Intrusion detection/prevention
* Denial-of-Service (DoS) attacks and defense
* Web service security, privacy, and trust
* User requirements for privacy
* Legal requirements for privacy 
* Privacy enhancing technologies 
* Privacy aware map-reduce framework 
* Risk or threat identification and analysis
* Risk or threat management
* Trust enhancing technologies
* Trust management

These