Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Christian Huitema
> Given that many real organizations have hundreds of front end
> machines sharing RSA private keys, theft of RSA keys may very well be
> much easier in many cases than broader forms of sabotage.

Or we could make it easy to have one separate RSA key per front end, signed
using the main RSA key of the organization.

-- Christian Huitema


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities

2013-09-18 Thread ianG

On 18/09/13 00:56 AM, John Gilmore wrote:

> Forwarded-By: David Farber d...@farber.net
> Forwarded-By: Annie I. Anton Ph.D. aian...@mindspring.com
>
> http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-720689/
>
> NSA cryptanalyst: We, too, are Americans



Speaking as a non-American, you guys have big problems concerning the 
nexus of cryptography and politics.


> ...
>
> The rest of this article contains Roger's words only, edited simply for
> formatting.


I really, really doubt that.  I don't really wish to attack the author, 
but the style and phraseology is pure PR.  Ordinary people do not write 
PR.  Nor do they lay out political strategies and refer to their 
commander-in-chief as the supreme leader.  Nor indeed are employees of 
military and intelligence *permitted to talk to the press* unless 
sanctioned at high level.



> ...  Do I, as an American, have any concerns about whether the NSA is
> illegally or surreptitiously targeting or tracking the communications of
> other Americans?
>
> The answer is emphatically, No.


Of course, Americans talking to Americans might be one debate.  But then 
there are Americans talking to the world, and people talking to people.


It should be remembered that espionage is illegal, and the activities of 
the NSA are more or less illegal *outside their borders*.  I give them 
no permission to monitor me or mine, and nor does any of the laws of my 
land(s).


The fact that we cannot stop them doesn't make it any less legal.  The 
fact that there is a gentleman's agreement between countries to look the 
other way doesn't make it any less palatable to us non-gentlepersons 
excluded from the corridors of powers.


And all that doesn't make NSA mathematicians any less a partner to the 
activity.  Any intelligence agent is typically controlled and often 
banned from overseas travel, because of the ramifications of this activity.



> ...
>
> A myth that truly bewilders me is the notion that the NSA could or would spend
> time looking into the communications of ordinary Americans
>
> There's no doubt about it: We all live in a new world of Big Data.



In two paras above, and the next two paras below, this 'mathematician' 
lays the political trap for Americans.  The collection by the federal 
government of data is almost certainly unconstitutional.  Yet, everyone 
acts as if that's ok because ... we live in the new world of Big Data?




> Much of the focus of the public debate thus far has been on the amount of data
> that NSA has access to, which I feel misses the critical point.


Unless one subscribes to the plain wording of your (American) 
constitution...




> In today's digital society, the Big Data genie is out of the bottle. Every day,
> more personal data become available to individuals, corporations, and the
> government. What matters are the rules that govern how NSA uses this data, and
> the multiple oversight and compliance efforts that keep us consistent with
> those rules. I have not only seen but also experienced firsthand, on a daily
> basis, that these rules and the oversight and compliance practices are
> stringent. And they work to protect the privacy rights of all Americans.


ditto, repeat.

Although, to be honest, we-the-world don't care about it;  the USG's 
temptation to rewrite the constitution in the minds of its subjects is 
strictly a domestic political affair.  For most other countries, the Big 
Data genie is truly out of the bottle, and there's precious little we 
can do about it.


> ...
>
> As this national dialogue continues, I look to the American people to reach a
> consensus on the desired scope of U.S. intelligence activities


Good luck!


> The views and opinions expressed herein are those of the author and do not
> necessarily reflect those of the National Security Agency/Central Security
> Service.



I seriously doubt that.



iang



Re: [Cryptography] End to end

2013-09-18 Thread Christoph Gruber
On 2013-09-17 Max Kington mking...@webhanger.com wrote:


[snip]
> Hence, store in the clear, keep safe at rest using today's archival mechanism
> and when that starts to get dated move onto the next one en-masse, for all
> your media not just emails.
[snip]

I would tend to agree for environments with very high regulations, where the 
need to comply with regulations is more important than the need to keep data 
confidential.
I would suggest to balance that for every organisation. The risk to disclosure 
is much higher if data is stored unprotected. Any admin with access to the file 
system is able to read it.
Maybe this could be a cultural difference between US and Europe, the regulative 
pressure in US is higher, in Europe the privacy is more important or more 
protected.
I agree that both ways may be the right implementation for an organisation, but 
this has to be a management decision, balancing the needs.

Best regards

-- 
Christoph Gruber
If privacy is outlawed, only outlaws will have privacy. Phil Zimmermann



Re: [Cryptography] End to end

2013-09-18 Thread Max Kington
On 18 Sep 2013 07:44, Christoph Gruber gr...@guru.at wrote:

> On 2013-09-17 Max Kington mking...@webhanger.com wrote:
>
>
> [snip]
>> Hence, store in the clear, keep safe at rest using today's archival
>> mechanism and when that starts to get dated move onto the next one
>> en-masse, for all your media not just emails.
> [snip]
>
> I would tend to agree for environments with very high regulations, where
> the need to comply with regulations is more important than the need to keep
> data confidential.
> I would suggest to balance that for every organisation. The risk to
> disclosure is much higher if data is stored unprotected. Any admin with
> access to the file system is able to read it.
> Maybe this could be a cultural difference between US and Europe, the
> regulative pressure in US is higher, in Europe the privacy is more
> important or more protected.
> I agree that both ways may be the right implementation for an
> organisation, but this has to be a management decision, balancing the needs.

I was referring to the UK :-)

I'm not saying it isn't important to consider how data is made available in
the cases where you have end to end security but a future standard wants to
be permissive of a solution even if it's out of scope for the RFC rather
than prohibitive by including it as mandatory, could/can vs should/must.

That said now there appears to be evidence that side channel attacks that
force lesser security where it's an option are being actively exploited.
Previously we'd have all assumed that the main benefit of those was in
interoperability but now not so much. So there is an argument to use 'must'
more in standards concerning security.

By making archival a separate concern you also reduce the complexity of
many deployments. As you say, for environments with very high regulation,
my personal mailbox, isn't, my work one, is.

Max


> Best regards
>
> --
> Christoph Gruber
> If privacy is outlawed, only outlaws will have privacy. Phil Zimmermann


[Cryptography] Some (limited) info about Apple A7 security for fingerprints, keychains

2013-09-18 Thread Jerry Leichter
A level beyond marketing talk, but nowhere near technical detail.  Still a bit 
more than has been previously described.  Links to some perhap
http://www.quora.com/Apple-Secure-Enclave/What-is-Apple%E2%80%99s-new-Secure-Enclave-and-why-is-it-important

There's a link to an ARM site with a reasonable overview of the ARM TEE 
(Trusted Execution Environment) - which Apple's Secure Enclave may (or may 
not) be based on.  
http://www.arm.com/products/processors/technologies/trustzone.php

Referring back to a point Perry made a while back:  TEE mode runs its own 
specialized secure OS.  That would seem to be an ideal target for 
verification
-- Jerry



Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote:

>> Given that many real organizations have hundreds of front end
>> machines sharing RSA private keys, theft of RSA keys may very well be
>> much easier in many cases than broader forms of sabotage.
>
> Or we could make it easy to have one separate RSA key per front end, signed
> using the main RSA key of the organization.

This is only realistic with DANE TLSA (certificate usage 2 or 3),
and thus will start to be realistic for SMTP next year (provided
DNSSEC gets off the ground) with the release of Postfix 2.11, and
with luck also a DANE-capable Exim release.

For HTTPS, there is little indication yet that any of the major
browsers are likely to implement DANE support in the near future.

-- 
Viktor.
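Christian Huitema's one-key-per-front-end scheme, and Viktor's point that it only becomes workable once clients pin through DANE TLSA usage 2 or 3, can be shown by writing out the TLSA matching rules of RFC 6698. This is an added example, not code from the thread or from Postfix or Exim: certificates are plain records carrying opaque DER and SPKI byte strings (constructed, not real X.509), issuer linkage is by name only, and signature verification is assumed to happen elsewhere. A usage 2 record pins the organisation's CA so that each front end can present its own key; a usage 3 record pins one front end's key and nothing else.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a parsed certificate. Real code would take the DER
# encoding and the SubjectPublicKeyInfo from an X.509 parser; here both are
# opaque byte strings, and issuer linkage is by name only (assumption: the
# signature check that real path building performs is done elsewhere).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes    # full certificate (TLSA selector 0)
    spki: bytes   # SubjectPublicKeyInfo (TLSA selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (pin the organisation's CA), 3 = DANE-EE (pin this host's key)
    selector: int   # 0 = full certificate, 1 = SPKI
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def _selected(cert: Cert, selector: int) -> bytes:
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def _matched(data: bytes, matching: int) -> bytes:
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(usage: int, selector: int, matching: int, cert: Cert) -> TLSA:
    """Build the TLSA record an operator would publish for `cert`."""
    return TLSA(usage, selector, matching, _matched(_selected(cert, selector), matching))


def tlsa_matches(rr: TLSA, cert: Cert) -> bool:
    return _matched(_selected(cert, rr.selector), rr.matching) == rr.data


def _links(path) -> bool:
    """Each cert in `path` must name the next one as its issuer (name linkage only)."""
    return all(child.issuer == parent.subject for child, parent in zip(path, path[1:]))


def dane_verify(rrset, chain) -> bool:
    """chain[0] is the end-entity cert the server presented, followed by its issuers.
    Returns True if any TLSA record in the RRset authenticates the chain."""
    ee = chain[0]
    for rr in rrset:
        if rr.usage == 3:
            # DANE-EE: only the presented end-entity cert matters; issuers are ignored.
            if tlsa_matches(rr, ee):
                return True
        elif rr.usage == 2:
            # DANE-TA: some issuer in the presented chain must match the record,
            # and the end entity must chain up to it.
            for i in range(1, len(chain)):
                if tlsa_matches(rr, chain[i]) and _links(chain[: i + 1]):
                    return True
        # Usages 0 and 1 additionally require PKIX validation against public CAs
        # and are not modelled here.
    return False


# Constructed sample data: one organisation CA, two front ends with their own
# keys, and a certificate for the same hostname issued by an unrelated CA.
ORG_CA = Cert("Example Org CA", "Example Org CA", b"der:org-ca", b"spki:org-ca")
FE1 = Cert("mail.example.com", "Example Org CA", b"der:fe1", b"spki:fe1")
FE2 = Cert("mail.example.com", "Example Org CA", b"der:fe2", b"spki:fe2")
ROGUE = Cert("mail.example.com", "Some Public CA", b"der:rogue", b"spki:rogue")

TA_RECORD = make_tlsa(2, 1, 1, ORG_CA)   # published as "2 1 1 <sha256 of org CA SPKI>"
EE_RECORD = make_tlsa(3, 1, 1, FE1)      # published as "3 1 1 <sha256 of FE1 SPKI>"

if __name__ == "__main__":
    print("FE1 under TA record:", dane_verify([TA_RECORD], [FE1, ORG_CA]))      # True
    print("FE2 under TA record:", dane_verify([TA_RECORD], [FE2, ORG_CA]))      # True
    print("rogue under TA record:", dane_verify([TA_RECORD], [ROGUE, ORG_CA]))  # False
    print("FE2 under FE1's EE record:", dane_verify([EE_RECORD], [FE2]))        # False
```

With the usage 2 record published, only the organisation CA key has to be guarded and each front end's key can be rotated independently; with a usage 3 record, the DNS entry has to change whenever the pinned front-end key does. Either way the verdict no longer depends on which public CA would vouch for the name, which is the property the thread is after.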


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Albert Lunde
Another consideration is that the NSA isn't the only bad actor out 
there. Improving the robustness of TLS and other security protocols will 
defend against other attacks.




Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Phillip Hallam-Baker
A few clarifications

1) PRISM-Proof is a marketing term

I have not spent a great deal of time looking at the exact capabilities of
PRISM vs the other programs involved because from a design point they are
irrelevant. The objective is to harden/protect the infrastructure from any
ubiquitous, indiscriminate intercept capability like the one Gen Alexander
appears to have constructed.

PRISM-class here is merely a handy label for a class of attack where the
attacker can spend upwards of $100 million to perform an attack which
potentially affects every Internet user. PRISM-class is a superset of
PRISM, BULLRUN, MANASAS, etc. etc.


2) SSL is not designed to resist government intercept

Back in 1993-6 when I was working on Internet security and payments at CERN
and the Web Consortium the priority was to make payments on the Web, not
make it resistant to government intercept. The next priority was to
establish the authenticity of news Web sites. There were several reasons
for that set of priorities, one of which was that the technology we had
available was limited and it was impractical to do more than one public key
operation per session and it was only practical to use public key some of
the time. Servers of the day simply could not handle the load otherwise.

Twenty years later, much has changed and we can do much more. The designs
do not need to be constrained in the way they were then.

It is not a question of whether email is encrypted in transport OR at rest,
we need both. There are different security concerns at each layer.


3) We need more than one PKI for Web and email security.

PGP and S/MIME have different key distribution models. Rather than decide
which is 'better' we need to accept that we need both approaches and in
fact need more.

If I am trying to work out if an email was really sent by my bank then I
want a CA type security model because less than 0.1% of customers are ever
going to understand a PGP type web of trust for that particular purpose.
But it's the bank sending the mail, not an individual at the bank.

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread ianG

On 17/09/13 23:52 PM, John Kemp wrote:

> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com



>> I am sure there are other ways to increase the work factor.


> I think that increasing the work factor would often result in
> switching the kind of work performed to that which is easier than
> breaking secrets directly.



Yes, that's the logical consequence & approach to managing risks. 
Mitigate the attack, to push attention to easier and less costly 
attacks, and then start working on those.


There is a mindset in cryptography circles that we eliminate entirely 
the attacks we can, and ignore the rest.  This is unfortunately not how 
the real world works.  Most of risk management outside cryptography is 
about reducing risks not eliminating them, and managing the interplay 
between those reduced risks.  Most unfortunate, because it leads 
cryptographers to strange recommendations.




> That may be good. Or it may not.



If other attacks are more costly to defender and easyish for the 
attacker, then perhaps it is bad.  But it isn't really a common approach 
in our security world to leave open the easiest attack, as the best 
alternative.  Granted, this approach is used elsewhere (in warfare for 
example, minefields and wire will be laid to channel the attack).


If we can push an attacker from mass passive surveillance to targeted 
direct attacks, that is a huge win.  The former scales, the latter does not.




> PRISM-Hardening seems like a blunt instrument, or at least one which
> may only be considered worthwhile in a particular context (technical
> protection) and which ignores the wider context (in which such technical
> protections alone are insufficient against this particular adversary).



If I understand it correctly, PRISM is or has become the byword for the 
NSA's vacuuming of all traffic for mass passive surveillance.  In which 
case, this is the first attack of all, and the most damaging, because it 
is undetectable, connects you to all your contacts, and stores all your 
open documents.


From the position of a systems provider, mass surveillance is possibly 
the most important attack to mitigate.  This is because:  we know it is 
done to everyone, and therefore it is done to our users, and it informs 
every other attack.  For all the other targeted and active attacks, we 
have far less certainty about the targeting (user) and the 
vulnerability (platform, etc).  And they are very costly, by several 
orders of magnitude more than mass surveillance.




iang


Re: [Cryptography] An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities

2013-09-18 Thread Lodewijk andré de la porte
Everybody has to write a statement. The statement that most convinces the
public that we're okay gets published and a big-o-bonus. You guys have 3
days.

Re: [Cryptography] An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities

2013-09-18 Thread Phillip Hallam-Baker
On Tue, Sep 17, 2013 at 8:01 PM, John Gilmore g...@toad.com wrote:

> Techdirt takes apart his statement here:
>
> https://www.techdirt.com/articles/20130917/02391824549/nsa-needs-to-give-its-rank-and-file-new-talking-points-defending-surveillance-old-ones-are-stale.shtml
>
>   NSA Needs To Give Its Rank-and-File New Talking Points Defending
>   Surveillance; The Old Ones Are Stale
>   from the that's-not-really-going-to-cut-it dept
>   by Mike Masnick, Tue, Sep 17th 2013
>
>   It would appear that the NSA's latest PR trick is to get out beyond
>   the top brass -- James Clapper, Keith Alexander, Michael Hayden and
>   Robert Litt haven't exactly been doing the NSA any favors on the PR
>   front lately -- and get some commentary from the rank and file.
>   ZDNet apparently agreed to publish a piece from NSA mathematician/
>   cryptanalyst Roger Barkan in which he defends the NSA using a bunch
>   of already debunked talking points. What's funny is that many of
>   these were the talking points that the NSA first tried out back in
>   June and were quickly shown to be untrue. However, let's take a
>   look. It's not that Barkan is directly lying... it's just that he's
>   setting up strawmen to knock down at a record pace.


As someone who has met Hayden, I do not think his words are necessarily
untrue, they may be out of date. It appears that there was a major change
at the NSA after his departure. In particular the number of external
contractors seems to have increased markedly (based on the number and type
of job adverts from SAIC, Booz-Allen, Van Dyke, etc.)

The enterprise bridge control center certainly does not seem to be Hayden's
style either. Hayden is not the type to build a showboat like that.


After 9/11 we discovered that our view of the cryptowars was completely
false in one respect. Louis Freeh wasn't building a panopticon, he simply
had no comprehension of the power of the information he was demanding the
ability to collect. The FBI computer systems were antiquated, lacking the
ability to do keyword search on two terms.

I rather suspect that Alexander is similarly blind to the value of the
information the system is collecting. They might well be telling the truth
when they told the court that the system was so compartmentalized and
segregated nobody knew what it was doing.

For example, did the NSA people who thought it a good wheeze to trade raw
SIGINT on US citizens to the Israelis understand what they were passing on?
They certainly don't seem to know the past history of US-Israeli
'cooperation' only last year an Israeli firm was trying to sell intercept
equipment to Iran through an intermediary and the story of how the Chinese
got an example of the Stinger missile to copy is well known. My country has
had an arms embargo on Israel for quite a while due to breach of Israeli
undertakings not to use military weapons against civilians.


That does not make the situation any less dangerous, it makes it more so.

What Barkan does not mention is that we know that the NSA internal controls
have collapsed completely, Snowden's disclosure proves that. Snowden should
never have had access to the information he has disclosed.

As with gwbush53.com, the intelligence gathered through PRISM-class
intercepts will undoubtedly be spread far and wide. Anything Snowden knows,
China and Russia will know.


The fact that nothing has been said on that publicly by the NSA
spokespeople is something of a concern. They have a big big problem and
heads should be rolling. I can't see how Clapper and Alexander can remain
given the biggest security breach in NSA history on their watch.
-- 
Website: http://hallambaker.com/

Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-18 Thread Walter van Holst
On 18/09/2013 01:50, John Gilmore wrote:

> Re Big Data: I have never seen data that could be abused by someone
> who didn't have a copy of it.  My first line of defense of privacy is
> to deny copies of that data to those who would collect it and later
> use it against me.  This is exactly the policy that NSA supposedly has
> to follow, according to the published laws and Executive Orders: to
> prevent abuses against Americans, don't collect against Americans.
> It's a good first step.  NSA is not following that policy.

What makes me a tad bitter is that we apparently live in a world with
two classes: US citizens and the subhuman rest of it. NSA-style blanket
surveillance violates the fundamental right to privacy and ultimately
also the fundamental right to freedom of expression.

These are not rights that are solely vested in the exceptional
Americans. The Bill of Tights already alludes to their universality,
although it took the UN Declaration of Human Rights to explicitly
acknowledge their universal nature.

The way the debate is being framed in the USA does not endear the rest
of the world to the USA any more than the USA's track-record in foreign
policy already has.

Other than that I wholeheartedly agree with what you wrote.

Regards,

 Walter



Re: [Cryptography] An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities

2013-09-18 Thread Pat Farrell
On 9/18/13 10:44 AM, Phillip Hallam-Baker wrote:
> The enterprise bridge control center certainly does not seem to be Hayden's
> style either. Hayden is not the type to build a showboat like that.
Moving a bit OT:

On the PBS Newshour coverage of this story, they showed the website of DBI 
Architects who designed the facility and it listed the other design firms. One 
of them was KTA Group; my brother John was the signing engineer at KTA at that 
time. He says the design and construction was done at least ten years ago. It 
was not a secret facility, but access was restricted. Even though he signed and 
stamped all the design drawings for the HVAC, plumbing and electrical work, he 
was never allowed on site. So if you could find the design drawings for that 
facility (which is about 5 stories and all underground at Ft Belvoir (just 
across the river from Washington DC)) you would see John Farrell's signature 
and stamp.

The usual point of a showboat facility like that is to impress the 
Congressmen who visit so the budget can get bigger.



Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Ben Laurie
On 18 September 2013 15:30, Viktor Dukhovni cryptogra...@dukhovni.orgwrote:

> On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote:
>
>>> Given that many real organizations have hundreds of front end
>>> machines sharing RSA private keys, theft of RSA keys may very well be
>>> much easier in many cases than broader forms of sabotage.
>
>> Or we could make it easy to have one separate RSA key per front end,
>> signed
>> using the main RSA key of the organization.
>
> This is only realistic with DANE TLSA (certificate usage 2 or 3),
> and thus will start to be realistic for SMTP next year (provided
> DNSSEC gets off the ground) with the release of Postfix 2.11, and
> with luck also a DANE-capable Exim release.


What's wrong with name-constrained intermediates?



> For HTTPS, there is little indication yet that any of the major
> browsers are likely to implement DANE support in the near future.
>
> --
> Viktor.


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Bill Frantz

On 9/18/13 at 6:08 AM, hal...@gmail.com (Phillip Hallam-Baker) wrote:


> If I am trying to work out if an email was really sent by my bank then I
> want a CA type security model because less than 0.1% of customers are ever
> going to understand a PGP type web of trust for that particular purpose.
> But its the bank sending the mail, not an individual at the bank.


I know I would be a lot more comfortable with a way to check the 
mail against a piece of paper I received directly from my bank 
(the PGP model). I would have no problem in entering a magic 
authentication string (the key fingerprint) into my mail agent 
to authenticate my bank. The security of my money is of more 
than trivial importance.


Second would be having my mail agent tell me that the mail came 
from the same place as the previous piece of email I received 
(the SSH model). This model would work for most of my friends 
where MitM is unlikely. In the cases where MitM worries became 
important, I could then check fingerprints.


The CA model lets a powerful attacker subvert the CA at any time 
ignoring both out of band and same-as-the-last-time 
authentications. I'm OK with CAs for credit card transactions. 
There's a $50 limit on my risk from fraud.


Cheers - Bill

---
Bill Frantz        | Truth and love must prevail  | Periwinkle
(408)356-8506      | over lies and hate.          | 16345 Englewood Ave
www.pwpconsult.com |   - Vaclav Havel             | Los Gatos, CA 95032


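Bill Frantz's three models, and Phillip Hallam-Baker's point that a bank's mail calls for a different key distribution model than a friend's, can be written out as one key-checking routine that tries the models in Bill's order of preference: a fingerprint copied from paper, then continuity with the key seen last time, with the CA model alongside to show what it does and does not check. This is an added example and not code from the thread or from any mail agent; the keys are constructed byte strings, the fingerprint format is constructed, and signature verification of the message itself is outside its scope.

```python
import hashlib
from enum import Enum


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the public key, grouped the way a person would read it off paper.
    (Constructed format; real PGP fingerprints are computed over the key packet.)"""
    hexdigest = hashlib.sha256(pubkey).hexdigest().upper()
    return ":".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def _normalise(fp: str) -> str:
    # Tolerate the separators and case a user may type when copying from paper.
    return "".join(fp.split()).replace(":", "").upper()


class Verdict(Enum):
    TRUSTED = "key matches what we already trust"
    FIRST_SEEN = "first contact: recorded, not yet verified"
    KEY_CHANGED = "key differs from the one seen before"
    PIN_MISMATCH = "key differs from the fingerprint entered by hand"


class SenderKeyStore:
    """Decides whether a sender's public key is trusted. An out-of-band pinned
    fingerprint (the PGP model) wins over continuity with the previously seen
    key (the SSH model); a sender with neither is recorded on first contact."""

    def __init__(self):
        self.pinned = {}   # sender -> fingerprint copied from paper
        self.seen = {}     # sender -> fingerprint of the first key seen

    def pin(self, sender: str, fp_from_paper: str) -> None:
        self.pinned[sender] = _normalise(fp_from_paper)

    def check(self, sender: str, pubkey: bytes) -> Verdict:
        fp = _normalise(fingerprint(pubkey))
        if sender in self.pinned:
            return Verdict.TRUSTED if fp == self.pinned[sender] else Verdict.PIN_MISMATCH
        if sender in self.seen:
            return Verdict.TRUSTED if fp == self.seen[sender] else Verdict.KEY_CHANGED
        self.seen[sender] = fp
        return Verdict.FIRST_SEEN


def ca_model_check(issuer: str, trusted_issuers) -> bool:
    """The CA model: trust follows the issuer, not the key. Any issuer on the
    trusted list vouches for any key, whatever was pinned or seen before."""
    return issuer in trusted_issuers


# Constructed sample keys and a scenario covering all three models.
BANK_KEY = b"constructed public key of bank@example.com"
FRIEND_KEY = b"constructed public key of friend@example.org"
IMPOSTOR_KEY = b"constructed public key presented by a man in the middle"


def run_scenario():
    store = SenderKeyStore()
    # The fingerprint on the paper from the bank, typed in lower case with spaces
    # instead of colons, to show that the comparison tolerates that.
    store.pin("bank@example.com", fingerprint(BANK_KEY).lower().replace(":", " "))
    return {
        "bank, genuine key": store.check("bank@example.com", BANK_KEY),
        "bank, impostor key": store.check("bank@example.com", IMPOSTOR_KEY),
        "friend, first mail": store.check("friend@example.org", FRIEND_KEY),
        "friend, second mail": store.check("friend@example.org", FRIEND_KEY),
        "friend, key swapped": store.check("friend@example.org", IMPOSTOR_KEY),
        # CA model: an impostor key certified by a trusted issuer passes regardless.
        "impostor via trusted CA": ca_model_check("Trusted Public CA", {"Trusted Public CA"}),
    }


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:26s} -> {verdict}")
```

The friend's first message is recorded rather than trusted, which is the weakness of the SSH model Bill accepts for low-risk contacts; the bank's pinned fingerprint rejects a swapped key outright, and the CA check never consults either store, which is why a subverted issuer bypasses both.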


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:

>> This is only realistic with DANE TLSA (certificate usage 2 or 3),
>> and thus will start to be realistic for SMTP next year (provided
>> DNSSEC gets off the ground) with the release of Postfix 2.11, and
>> with luck also a DANE-capable Exim release.
>
> What's wrong with name-constrained intermediates?

X.509 name constraints (critical extensions in general) typically
don't work.

-- 
Viktor.
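Ben's question about name-constrained intermediates, and Viktor's answer that the extension typically is not honoured, can be made concrete by writing out the check a verifier has to perform. This is an added example, not code from the thread or from Postfix or Exim: certificates are plain records holding only their dNSName entries and the RFC 5280 nameConstraints data, and signature checking is assumed to happen elsewhere. The `honor_constraints=False` switch stands in for a client that does not process the extension, which is the failure mode being described.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    dns_names: Tuple[str, ...]                 # subjectAltName dNSName entries
    is_ca: bool = False
    # RFC 5280 nameConstraints for dNSName: (permittedSubtrees, excludedSubtrees).
    # None means the extension is absent.
    name_constraints: Optional[Tuple[Tuple[str, ...], Tuple[str, ...]]] = None


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName constraint of host.example.com is satisfied by
    that name and by any name formed by adding labels on the left. Matching is
    on whole labels, so 'notexample.com' is not inside 'example.com'."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def name_permitted(name: str, constraints) -> bool:
    permitted, excluded = constraints
    if any(dns_in_subtree(name, b) for b in excluded):
        return False
    # An empty permittedSubtrees list means "no restriction" in this model.
    if permitted and not any(dns_in_subtree(name, b) for b in permitted):
        return False
    return True


def validate_path_names(path: List[Cert], honor_constraints: bool = True) -> bool:
    """path runs from the trust anchor (path[0]) down to the leaf (path[-1]).
    Constraints carried by a CA apply to every certificate below it in the path,
    so an intermediate can only narrow what its own issuer allowed."""
    for i, ca in enumerate(path[:-1]):
        if not ca.is_ca:
            return False  # a leaf being used as an issuer is never acceptable
        if ca.name_constraints is None or not honor_constraints:
            continue
        for below in path[i + 1:]:
            if not all(name_permitted(n, ca.name_constraints) for n in below.dns_names):
                return False
    return True


# Constructed sample data: a public root, an organisation intermediate limited to
# example.com, and leaves inside and outside that scope.
ROOT = Cert("Public Root CA", (), is_ca=True)
ORG_SUB = Cert("Example Org Intermediate", (), is_ca=True,
               name_constraints=(("example.com",), ()))
ORG_SUB_EXCL = Cert("Example Org Intermediate", (), is_ca=True,
                    name_constraints=(("example.com",), ("internal.example.com",)))
FE1 = Cert("fe1.example.com", ("fe1.example.com", "mail.example.com"))
INTERNAL = Cert("db.internal.example.com", ("db.internal.example.com",))
LOOKALIKE = Cert("notexample.com", ("notexample.com",))
OUT_OF_SCOPE = Cert("login.other-bank.example", ("login.other-bank.example",))

if __name__ == "__main__":
    print("front end in scope:", validate_path_names([ROOT, ORG_SUB, FE1]))           # True
    print("lookalike domain:", validate_path_names([ROOT, ORG_SUB, LOOKALIKE]))       # False
    print("other bank, enforced:", validate_path_names([ROOT, ORG_SUB, OUT_OF_SCOPE]))  # False
    print("other bank, ignored:",
          validate_path_names([ROOT, ORG_SUB, OUT_OF_SCOPE], honor_constraints=False))  # True
```

The last line is the point of Viktor's reply: a client that skips the extension treats the organisation's intermediate as a CA for every name on the Internet, so the constraint only protects relying parties whose software actually implements it.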


Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-18 Thread Kent Borg

On 09/18/2013 01:31 PM, Walter van Holst wrote:
> What makes me a tad bitter is that we apparently live in a world with
> two classes: US citizens and the subhuman rest of it. NSA-style
> blanket surveillance violates the fundamental right to privacy and
> ultimately also the fundamental right to freedom of expression. These
> are not rights that are solely vested in the exceptional Americans.


You foreigners actually have a really big vote here.  All those US 
internet companies want your business, and as you get no protections, in 
the current scheme, not even lip-service, you should look for 
alternatives.  As you do, this puts pressure on the US internet 
companies, and they have the economic clout to put pressure on Feinstein 
and Pelosi and all the others.


Sad that economic clout matters so much, but voters in the US are 
astoundingly ignorant of reality (pick a topic--other than sports and 
celebrity gossip--and we are ignorant), and so many can't be bothered to 
vote.  We kind of get the government we deserve.  Do what you can to 
save us, please.


-kb



Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread John Kemp
On Sep 18, 2013, at 4:05 AM, ianG i...@iang.org wrote:

> On 17/09/13 23:52 PM, John Kemp wrote:
>> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com
>>
>>> I am sure there are other ways to increase the work factor.
>>
>> I think that increasing the work factor would often result in
>> switching the kind of work performed to that which is easier than
>> breaking secrets directly.
>
>
> Yes, that's the logical consequence & approach to managing risks. Mitigate
> the attack, to push attention to easier and less costly attacks, and then
> start working on those.
>
> There is a mindset in cryptography circles that we eliminate entirely the
> attacks we can, and ignore the rest.  This is unfortunately not how the real
> world works.  Most of risk management outside cryptography is about reducing
> risks not eliminating them, and managing the interplay between those reduced
> risks.  Most unfortunate, because it leads cryptographers to strange
> recommendations.

The technical work always needs doing. It's not that we shouldn't do our best 
to improve cryptographic protection. It's more that one can always bypass 
cryptographic protection by getting to the cleartext before it is encrypted. 
>
>
>> That may be good. Or it may not.
>
>
> If other attacks are more costly to defender and easyish for the attacker,
> then perhaps it is bad.  But it isn't really a common approach in our
> security world to leave open the easiest attack, as the best alternative.
> Granted, this approach is used elsewhere (in warfare for example, minefields
> and wire will be laid to channel the attack).
>
> If we can push an attacker from mass passive surveillance to targeted direct
> attacks, that is a huge win.  The former scales, the latter does not.

My point was that mass passive surveillance is possible with or without 
breaking SSL/TLS (for example, but also other technical attacks), and that it 
is often simpler to pay someone to create a backdoor in an otherwise 
well-secured system. Or to simply pay someone to acquire the data in cleartext 
form prior to the employment of any technical protections to those data. Other 
kinds of technical protections (not really discussed here so far) might be 
employed to protect data from such attacks, but they would still depend on the 
possibility for an attacker to acquire the cleartext before such protections 
were applied. 

I would point out that it was historically the case that the best espionage was 
achieved by paying (or blackmailing) people close to the source of the 
information to retrieve the necessary information. The idea of the mole. That 
would seem to still be possible. 

 
 
>> PRISM-Hardening seems like a blunt instrument, or at least one which
>> may only be considered worthwhile in a particular context (technical
>> protection) and which ignores the wider context (in which such technical
>> protections alone are insufficient against this particular adversary).
>
>
> If I understand it correctly, PRISM is or has become the byword for the NSA's
> vacuuming of all traffic for mass passive surveillance.  In which case, this
> is the first attack of all, and the most damaging, because it is
> undetectable, connects you to all your contacts, and stores all your open
> documents.
>
> From the position of a systems provider, mass surveillance is possibly the
> most important attack to mitigate.

If you yourself the systems provider, or a bad employee in your organization, 
are not handing the necessary cleartext to the attacker…

> This is because:  we know it is done to everyone, and therefore it is done
> to our users, and it informs every other attack.  For all the other targeted
> and active attacks, we have far less certainty about the targeting (user)
> and the vulnerability (platform, etc).  And they are very costly, by several
> orders of magnitude more than mass surveillance.

The issue for me is that it is becoming difficult to know whether one can 
reasonably trust service providers in the face of coercion. Both for the 
creation of good-enough technical protections, and the use of them. 

- johnk

 
 
 
> iang



Re: [Cryptography] RSA equivalent key length/strength

2013-09-18 Thread Lucky Green

On 2013-09-14 08:53, Peter Fairbrother wrote:

> I get that 1024 bits is about on the edge, about equivalent to 80
> bits or a little less, and may be crackable either now or sometime
> soon.

Moti Yung and others wrote a book back in the 90's (or perhaps) 80's,
that detailed the strength of various RSA key lengths over time. I am
too lazy to look up the reference or locate the book on my bookshelf.
Moti: help me out here? :-)

According to published reports that I saw, NSA/DoD pays $250M (per
year?) to backdoor cryptographic implementations. I have knowledge of
only one such effort. That effort involved DoD/NSA paying $10M to a
leading cryptographic library provider to both implement and set as
the default the obviously backdoored Dual_EC_DRBG as the default RNG.

This was $10M wasted. While this vendor may have had a dominating
position in the market place before certain patents expired, by the
time DoD/NSA paid the $10M, few customers used that vendor's
cryptographic libraries.

There is no reason to believe that the $250M per year that I have seen
quoted as used to backdoor commercial cryptographic software is spent
to any meaningful effect.

- ---Lucky



Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote:

> On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
>
>>> This is only realistic with DANE TLSA (certificate usage 2 or 3),
>>> and thus will start to be realistic for SMTP next year (provided
>>> DNSSEC gets off the ground) with the release of Postfix 2.11, and
>>> with luck also a DANE-capable Exim release.
>>
>> What's wrong with name-constrained intermediates?
>
> X.509 name constraints (critical extensions in general) typically
> don't work.

And public CAs don't generally sell intermediate CAs with name
constraints.  Rather undercuts their business model.

-- 
Viktor.


Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-18 Thread Peter Gutmann
Walter van Holst walter.van.ho...@xs4all.nl writes:

> These are not rights that are solely vested in the exceptional Americans. The
> Bill of Tights [...]

For people unfamiliar with this one, it's the bit that reads:

  Congress shall make no law respecting the wearing of hosiery, or prohibiting
  the free exercise thereof; or abridging the freedom of colour selection, or
  of the material used; or the right of the people peaceably to assemble, and
  to petition the manufacturers for a redress of manufacturing defects.

Peter.