Book Review

2008-03-15 Thread Aram Perez
Hi Folks,

Does anyone have a review on the upcoming book "Modern Cryptanalysis: 
Techniques for Advanced Code Breaking" by Christopher Swenson?

Thanks,
Aram Perez

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Dutch Transport Card Broken

2008-01-25 Thread Aram Perez

Hi Folks,


Ed Felten has an interesting post on his blog about a Dutch smartcard
based transportation payment system that has been broken. Among other
foolishness, the designers used a custom cryptosystem and 48 bit keys.


Not to defend the designers in any way or fashion, but I'd like to ask: how much security can you put into a plastic card, the size of a credit card, that has to perform its function in a secure manner, all in under 2 seconds (in under 1 second in parts of Asia)? And it has to do this while receiving its power via the electromagnetic field being generated by the reader.


Regards,
Aram Perez



Italian Bank's XSS Opportunity Seized by Fraudsters

2008-01-09 Thread Aram Perez
Anyone know more about this?




Re: ITU-T recommendations for X.509v3 certificates

2007-11-08 Thread Aram Perez

Hi Florian,


I'm looking for a halfway self-contained set of ITU-T recommendations
which are relevant for implementing X.509v3 certificates.  The
references in RFC 3280 appear to be incomplete; for instance, a
reference for ASN.1 itself is missing.


The ITU recently started allowing free downloads of all their standards. The ASN.1 standards have been free for download for several years. You can download them at <http://www.itu.int/rec/T-REC-X/en>.



Or is it unreasonable to expect that the specs match what is actually needed for interoperability with existing implementations (mostly in the TLS, S/MIME area)?


I can't help you there. You can see my opinion on this issue towards the middle of Peter Gutmann's page at <http://www.cs.auckland.ac.nz/~pgut001/>.


Regards,
Aram Perez



Spammers employ stripper to crack CAPTCHAs

2007-11-01 Thread Aram Perez
'Melissa' disrobes in ploy that relies on people, not CPUs, to crack squiggly codes

October 30, 2007 (Computerworld) -- Spammers are using a virtual stripper as bait to dupe people into helping criminals crack codes they need to send more spam or boost the rankings of parasitic Web sites, security researchers said today.

A series of photographs shows "Melissa," no relation to the 1999 worm by the same name, with progressively fewer clothes and more skin each time the user correctly enters the characters in an accompanying CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and Humans Apart), the distorted, scrambled codes that most Web mail services use to block bots from registering hundreds or thousands of accounts. Spammers rely on Web e-mail accounts because they're disposable; by the time filters have blocked the address, the spammers throw it away and move on to another.

The CAPTCHAs that Melissa feeds to users are, in fact, legitimate codes snatched from Yahoo Mail's signup screens, said analysts at Trend Micro Inc. The hackers, frustrated at their inability to come up with a way to automate account registration, are getting users to do their dirty work.

"They're using human beings in semi-real time to translate CAPTCHAs by proxy," said Paul Ferguson, a network architect at Trend Micro. "You have to give them this, it's clever."

Each time the user correctly decodes the CAPTCHA, a new Melissa photo is revealed, pulled from a hacker-controlled server in Israel, according to Symantec Corp. The plain-text decodes are sent to that same server, where they are presumably banked for future use in generating large numbers of Yahoo Mail accounts.

Fumble-fingered typists are even encouraged by Melissa to try their luck again: "Hmmm, nope, the word you entered is incorrect honey! Lets [sic] try again?" the virtual stripper replies.

Trend Micro said the striptease was part of a Trojan horse called CAPTCHA.a; rival Symantec dubbed it Captchar.a instead. The Trojan horse may be part of a multistage attack, downloaded to a PC that's been compromised by other, more malicious code, or can be encountered as a drive-by Web-based exploit.

"This isn't the first time that they've tried to bust CAPTCHAs," said Ferguson, noting past attempts by bot-driven malware to apply optical character-recognition technology to deciphering the squiggles and obscured letters. Nor is it the first time human beings have been put to work decoding CAPTCHAs. "Work-at-home money mule schemes run by criminals have hired people to do this same thing," Ferguson said. "They're told to log on to this Web page and type the CAPTCHA. They have a quota."

In some cases, those CAPTCHAs have been used to sidestep bot protection for blog commenting rights; hackers will flood a blog they've created with fraudulent comments to drive up its search-engine ranking, expecting that the higher placement will translate into more traffic and thus more clicks on the ads displayed on the blog page. "Sometimes they use [CAPTCHAs] just to bump up their page [ranking]," Ferguson said.

The Trojan horse can strike PCs running Windows 98, Me, NT, 2000, XP and Server 2003.




Re: OK, shall we savage another security solution?

2007-09-19 Thread Aram Perez
Hi Jerry,
 
On Tuesday, September 18, 2007, at 07:24PM, "Leichter, Jerry" <[EMAIL PROTECTED]> wrote:
>Anyone know anything about the Yoggie Pico (www.yoggie.com)?  It claims
>to do much more than the Ironkey, though the language is a bit less
>"marketing-speak".  On the other hand, once I got through the
>marketing stuff to the technical discussions at Ironkey, I ended
>up with much more in the way of warm fuzzies than I do with Yoggie.

Here's another secure USB flash drive: 
 with minimal marketing-speak.

Regards,
Aram



Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-13 Thread Aram Perez

Hi Folks,

My last comment on this. I've stated my own personal opinion and anyone is free to disagree.


On Sep 13, 2007, at 9:33 AM, Ali, Saqib wrote:


On 13 Sep 2007 13:45:42 -, John Levine <[EMAIL PROTECTED]> wrote:
I always understood snake oil crypto to refer to products that were of no value to anyone, e.g., products that claim to have secret unbreakable encryption, million bit keys, or "one time pads" produced by PRNGs.


hear hear!

I think in the zeal for criticism of the IronDrive, folks have
expanded the definition of Snake Oil to include "All" security
products.

I don't like the "Military Grade AES Encryption" phrase that IronDrive
uses on their website, cause that implies they know what Military is
using. Maybe somebody should notify DoD that these IronDrive folks
know what Military uses to encrypt info ;-)

But other than that I don't see any Snake Oil Crypto like
techno-babble used by IronDrive Marketing.


I don't know if a product has to meet m of n criteria as stated in <http://www.interhack.net/people/cmcurtin/snake-oil-faq.html>, but, IMO, IronKey meets the following criteria: Technobabble, Experienced Security Experts, "Military Grade" and to a certain extent Unbreakability (normally applied to software, but IronKey claims the epoxy prevents "criminals from getting to the internal hardware components").


Respectfully,
Aram Perez



Re: Another Snake Oil Candidate

2007-09-13 Thread Aram Perez
lex process runs
behind the scenes, giving you state-of-the-art protection
from phishers, hackers and other online threats.

The management team lists some people who should know what they are
doing.  They have a FAQ which gives a fair amount of detail about
what they do.


Well they are letting the marketing department sell snake oil.


I have nothing at all to do with this company - this is the first I've
heard of them - but it's hardly advancing the state of security if
even those who seem to be trying to do the right thing get tarred as
delivering snake-oil.


I do not have anything to do with them nor with any of their competitors. I'm sure many of the other organizations previously mentioned as selling snake oil had many hard working engineers that were trying to do the right thing also.



If you know something beyond the publicly-available information about
the company, let's hear it.  Otherwise, you owe them an apology -
whether they actually do live up to their own web site or not.


I ran across the company because they had an ad on a web page I had visited. Their ad raised my curiosity and I looked at their web site. I stand by my opinion that they are selling security snake oil. They imply that you can use an IronKey with any PC and be completely safe. That is false. You are free to disagree.


Respectfully,
Aram Perez

P.S. I did give them feedback about keylogging spyware and passwords.



Re: Another Snake Oil Candidate

2007-09-12 Thread Aram Perez

Hi Jon,

On Sep 11, 2007, at 5:35 PM, Jon Callas wrote:

I'm a beta-tester for it, and while I can understand a small twitch when they talk about "military" and "beyond military" levels of security, it is very cool.

It has hardware encryption and will erase itself if there are too many password failures. I consider that an issue, personally, but it appeals to people. The reason I consider it an issue is that I have had to use a brain-dead-simple password I'm not going to forget because if I get cute and need to try a number of things, poof, I'm dead.

Yeah, it's using AES CBC mode, but that's a good deal better than a lot of encrypted drives that are using ECB.

It also has their own little suite of Mozilla plus Tor and Privoxy for browsing and they've set it up so that you can run that on another computer from the drive.

It's not bad at all. My only real complaint is that it requires Windows.


The IronKey appears to provide decent security while it is NOT plugged into a PC. But as soon as you plug it in and you have to enter a password to unlock it, the security level quickly drops. This would be the case even if they supported Mac OS or *nix.

As I stated in my response to Jerry Leichter, in my opinion, their marketing department is selling snake oil.


Regards,
Aram



Another Snake Oil Candidate

2007-09-11 Thread Aram Perez

The world's most secure USB Flash Drive: .



Fwd: Potential SHA 1 Hack Using Distributed Computing - Near Miss(es) May be Good Enough

2007-08-14 Thread Aram Perez

Anyone know more about this?

Begin forwarded message:


From: "Steven W. Teppler"
Date: August 13, 2007 4:41:56 PM PDT
To: [EMAIL PROTECTED]
Subject: Potential SHA 1 Hack Using Distributed Computing - Near Miss(es) May be Good Enough


From DarkReading, via Heise Security:


Cracking SHA-1 using distributed computing



Researchers at the Technical University of Graz have launched a distributed computing project to find a new kind of vulnerability in the SHA-1 hash algorithm, which is used in numerous Internet applications such as encrypted connections and e-mails. Hash algorithms like SHA-1 perform a sequence of mathematical operations on a block of data, for example a message, which generates a unique fixed length value or "digest" from the arbitrary length message. Even minor changes to the original message have a great effect on the digest, making changes easy to detect.

However, collisions do occur: the algorithm produces the same digest for two or more different messages. In the presence of a collision, the variant messages involved cannot be distinguished from each other using the digest, although indeed most of the variant messages would often not be very useful, as they would consist of human-meaningless data. But finding collisions is excessively arduous using simplistic methods. However, in 2005, Chinese researchers demonstrated that the search for collisions can in principle be optimized so that the number of attempts falls below the theoretical minimum of 2^80. Then around a year ago a way to control the content of a possibly quite substantial proportion of the manipulated message was made public.

The cryptologists at the Technical University of Graz are taking a slightly different approach: they are not looking directly for collisions, but for "near misses", where SHA-1 produces very similar digests from two different messages. They believe that two near misses with the same minimal differences might actually compensate for each other, producing the same outcome as a true collision.

To test this theory, the researchers have launched a distributed computing project. The trusty old Boinc client known from other such projects such as [EMAIL PROTECTED] is also being used in Graz. Those who wish to help find collisions are advised to read the manual on the project's website.

The successor of SHA-1 is currently being redeveloped from scratch because the algorithms originally intended to be used in the SHA-2 family all are similar to SHA-1 and therefore vulnerable to the same kind of attacks.

Steven





Quantum Cryptography

2007-06-21 Thread Aram Perez

Hi Folks,

On a legal mailing list I'm on there is a bunch of emails on the perceived effects of quantum cryptography. Is there any authoritative literature/links that can help clear the confusion?


Thanks in advance,
Aram Perez



The best riddle you will hear today...

2007-05-02 Thread Aram Perez




Re: More info in my AES128-CBC question

2007-04-24 Thread Aram Perez

Hi Nico,

On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote:


On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote:

No, there will be message integrity. For those of you asking, here's
a high level overview of the protocol:



[...]



3) Data needing confidentiality is encrypted with the SK in the mode
selected in step 1. The message is integrity protected with MK. A new
MK is generated after a message is sent using MK(i+1) = H[MK(i)]


You don't necessarily have to change the integrity protection key for
every message.  One thing this says is that the protocol involves an
ordered stream of messages.


You need to change the integrity key if you want to prevent replay  
attacks.


No, the messages do not have to be ordered in any fashion. And in fact, an attacker would not send the messages in the correct order.





Hope this clarifies things somewhat.


It does.  You can get by without a random IV by using CBC analogously to how you use counter modes and cipher streams in general.  The key thing is to avoid key and IV/counter re-use.  For a protocol where ordered delivery of messages is expected/required this is easy to achieve.

Derive the key and/or counter/IV from a message sequence number and do it in such a way that you either cannot repeat them or are very, very unlikely to repeat them and you're fine.

But be careful.  Simply chaining the IV from message to message will create problems (see SSH).


The intention would be a new IV with each message being sent.

What is the concern with using random IVs/confounders anyways?  The need for an entropy source?  If so keep in mind that a PRNG will be sufficient for generating the IVs/confounders and that you'll generally need some source of entropy for at least some protocol elements (e.g., nonces).


The concern was that "that's the way SD cards do it today". Another response was "you haven't heard of anyone breaking SD cards have you?"


Thanks,
Aram




Change of Heart WRT to a Fixed IV of 0's

2007-04-22 Thread Aram Perez

Hi Folks,

The latest version of the document, where the use of a fixed IV of zeros was originally proposed, now has a regular random IV.


Thanks for all the support,
Aram Perez



Re: More info in my AES128-CBC question

2007-04-22 Thread Aram Perez


Hi David,

On Apr 21, 2007, at 2:04 PM, David Wagner wrote:


Hagai Bar-El writes:

What Aram wrote is "many of the attendees have very little security
experience", not: "there are no attendees with security experience".
There are people at the relevant OMA group who know enough about
security, but just like in the real world -- they are outnumbered by
plain "feature-set" people, and thus have to come up with very clear
arguments to get their way.


So the people who don't know anything about security are reluctant to listen to those who do?  That's not a good sign.  It may be standard operating procedure in groups like this, but that doesn't make it right. It's still dysfunctional and dangerous.  If the committee doesn't have a commitment to security and is reluctant to listen to the experts, that's a risk factor.


As Hagai stated, welcome to the "real world". There may be standards organizations (IETF?) that do really worry about security, but in the "real world", deadlines and existing products unfortunately influence security decisions.



If you're sick and you go to a doctor, do you tell the doctor "you'd better come up with some very clear arguments if you want me to follow your advice"?  Do you tell your doctor "you'd better build a strong case before I will listen to you"?  I would hope not.  That would be silly. Doctors are medical professionals with a great deal of training and expertise in the subject.  They can speak with authority when it comes to your health.  So why do people with no training in security think that they can freely ignore the advice of security professionals without any negative consequences?


You're totally correct but it doesn't change the "reality" of the situation. Later this week I will create a document with the arguments sent to me and others from papers on the web and send it to this working group of OMA so there will be an "official record" of my objection to the decision.



[snip]

AND (3) If you don't care about replacement attacks on the (1 to i) blocks that will result only in a (possibly-undetected) corruption when decrypting the i+1 block (rather than two blocks, with a varying and non-attacker-changeable). [...]


Wait a minute.  This reference to replacement attacks has me concerned.

Does the protocol use a message authentication code (MAC)?  I hope so. If your protocol uses a MAC, and uses it properly, then replacement attacks are not an issue, and the only issue with using a fixed IV is related to confidentiality.  If you don't use a MAC, you've got bigger problems, and even random IVs won't be enough.


No, there will be message integrity. For those of you asking, here's a high level overview of the protocol:


1) Do a Mutual Authentication with Key Exchange

A --> B  CertChainA | ControlOptions
B --> A  CertChainB | E[PubA, RanB | ControlOptions | ChosenOptions]  //Using RSA-OAEP

A --> B  E[PubB, RanA | H[RanB]]  //SHA-1
B --> A  H[RanA | RanB]

The ControlOptions includes protocol version and encryption algorithm.

2) Using a KDF, derive an AES-128 session encryption key SK, an HMAC-SHA-1 message integrity key MK and either a counter or IV

   Either AES-CTR or AES-CBC will be supported

3) Data needing confidentiality is encrypted with the SK in the mode selected in step 1. The message is integrity protected with MK. A new MK is generated after a message is sent using MK(i+1) = H[MK(i)]


Hope this clarifies things somewhat.

Thanks for the replies,
Aram Perez
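As an added Go example (not code from the OMA document or from anyone in this thread), the program below encrypts two messages that share a two-block header under AES-128-CBC with the all-zero IV and then with a fresh random IV, and runs the MK(i+1) = H[MK(i)] ratchet from step 3 against a replayed message and against a message delivered ahead of its predecessor, the ordering dependence Nico points out in the follow-up. The keys, message contents and the choice of SHA-1 for H are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Constructed sample values; a real run takes SK from the KDF in step 2.
var (
	sessionKey = []byte("constructed-SK16")                 // 16 bytes, AES-128
	header     = "CMD:TRANSFER v1 sessionid=00001;" // exactly 32 bytes, i.e. two AES blocks
	msgA       = []byte(header + "account=alice;amount=10")
	msgB       = []byte(header + "account=bob;amount=9999")
)

// encryptCBC applies PKCS#7 padding and AES-128-CBC under the given IV.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // only fails for a bad key length; sessionKey is 16 bytes
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// freshIV returns a random per-message IV; it would be sent with the message and covered by the tag.
func freshIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// leakedBlocks encrypts msgA and msgB and counts the leading 16-byte ciphertext blocks that
// coincide: 2 (the whole shared header) under the all-zero IV, 0 under fresh random IVs.
func leakedBlocks(fixedZeroIV bool) int {
	ivA, ivB := freshIV(), freshIV()
	if fixedZeroIV {
		ivA, ivB = make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	}
	a, b := encryptCBC(sessionKey, ivA, msgA), encryptCBC(sessionKey, ivB, msgB)
	n, bs := 0, aes.BlockSize
	for (n+1)*bs <= len(a) && (n+1)*bs <= len(b) && bytes.Equal(a[n*bs:(n+1)*bs], b[n*bs:(n+1)*bs]) {
		n++
	}
	return n
}

// computeTag is the per-message integrity tag: HMAC-SHA1 keyed with the current MK.
func computeTag(mk, ct []byte) []byte {
	h := hmac.New(sha1.New, mk)
	h.Write(ct)
	return h.Sum(nil)
}

// ratchet implements MK(i+1) = H[MK(i)] from step 3, with H assumed to be SHA-1.
func ratchet(mk []byte) []byte {
	sum := sha1.Sum(mk)
	return sum[:]
}

// receiver is B's side: verify under the current MK and advance only on success.
type receiver struct{ mk []byte }
func (r *receiver) accept(ct, tag []byte) bool {
	if !hmac.Equal(computeTag(r.mk, ct), tag) {
		return false
	}
	r.mk = ratchet(r.mk)
	return true
}

// ratchetScenario: A sends three messages; does B accept the first, a replay of it,
// and message 3 delivered ahead of message 2?
func ratchetScenario() (first, replayed, reordered bool) {
	mk := []byte("constructed-MK0-from-KDF") // A's MK(0); a real run takes it from the KDF
	b := &receiver{mk: mk}
	send := func(m []byte) (ct, tag []byte) {
		ct = encryptCBC(sessionKey, freshIV(), m)
		tag, mk = computeTag(mk, ct), ratchet(mk) // tag under MK(i), then A moves to MK(i+1)
		return
	}
	ct1, tag1 := send(msgA)
	first = b.accept(ct1, tag1)     // tagged under MK(0), B holds MK(0): accepted
	replayed = b.accept(ct1, tag1)  // same pair again, B is now on MK(1): rejected
	send(msgB)                      // message 2 is delayed in transit
	ct3, tag3 := send(msgA)         // tagged under MK(2)
	reordered = b.accept(ct3, tag3) // B still expects MK(1): rejected
	return
}

func main() {
	fmt.Println("identical leading blocks: zero IV", leakedBlocks(true), "fresh IVs", leakedBlocks(false))
	fmt.Println(ratchetScenario()) // true false false
}
```

The out-of-order case shows that the hash ratchet only works if B sees messages in the order A sent them; a protocol that must tolerate reordering needs an explicit sequence number under the MAC instead.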




More info in my AES128-CBC question

2007-04-20 Thread Aram Perez
Hi Folks,

First, thanks for all your answers.

The proposal for using AES128-CBC with a fixed IV of all zeros is for a 
protocol between two entities that will be exchanging messages. This is being 
done in a "standards" body (OMA) and many of the attendees have very little 
security experience. As I mentioned, the response to my question of why would 
we standardize this was "that's how SD cards do it".

I'll look at the references and hopefully convince enough people that it's a 
bad idea.

Thanks again,
Aram Perez



AES128-CBC Question

2007-04-19 Thread Aram Perez
Hi Folks,

Is there any danger in using AES128-CBC with a fixed IV of all zeros? This is 
being proposed for a standard "because that's how SD cards implemented it".

Thanks,
Aram Perez



Interesting paper on PKI and TRUSTe

2006-09-28 Thread Aram Perez

Abstract

Widely-used online "trust" authorities issue certifications without substantial verification of the actual trustworthiness of recipients. Their lax approach gives rise to adverse selection: The sites that seek and obtain trust certifications are actually significantly less trustworthy than those that forego certification. I demonstrate this adverse selection empirically via a new dataset on web site characteristics and safety. I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to "complex" commercial sites. I also present analogous results of adverse selection in search engine advertising - finding ads at leading search engines to be more than twice as likely to be untrustworthy as corresponding organic search results for the same search terms.


See http://www.benedelman.org/publications/advsel-trust-draft.pdf

Enjoy,
Aram Perez



Re: EMC is buying RSA

2006-06-29 Thread Aram Perez

On Jun 29, 2006, at 2:26 PM, Steven M. Bellovin wrote:

http://www.tmcnet.com/usubmit/-emc-announces-definitive-agreement-acquire-rsa-security-further-/2006/06/29/1700560.htm

says that EMC is buying RSA.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


Here's another version of the story: <news.moneycentral.msn.com/ticker/article.asp?Feed=BW&Date=20060629&ID=5836046&Symbol=US:RSAS>

Regards,
Aram Perez





Re: Chinese WAPI protocol?

2006-06-12 Thread Aram Perez
Hi Folks,

My apologies on stating that the Wiki page had a link to the algorithm. I saw 
the link but didn't click on it to see if in fact there was a description of 
the actual algorithm.

Regards,
Aram Perez

On Monday, June 12, 2006, at 06:45PM, David Wagner <[EMAIL PROTECTED]> wrote:

[snip]
>
>[*] Contrary to what Adam Perez's email might suggest, Wikipedia does
>not have a link to a specification of SMS4 or of WAPI.  Wikipedia has
>an entry for SMS4, but about all it says is that not much is publicly
>known about SMS4.
>



Re: Chinese WAPI protocol?

2006-06-12 Thread Aram Perez
Hi Richard,

I have not looked at WAPI, but they have been trying to get it approved for a 
number of years, check out <http://en.wikipedia.org/wiki/WAPI> (has link to 
algorithm) and <http://www.foxnews.com/story/0,2933,199082,00.html>.

Regards,
Aram Perez


On Monday, June 12, 2006, at 03:25PM, Richard Salz <[EMAIL PROTECTED]> wrote:

>Today in slashdot (http://it.slashdot.org/it/06/06/12/0710232.shtml) there 
>was an article about China wanting to get WAPI accepted as a new wireless 
>security standard.  Has anyone looked at it?
>
>/r$
>
>--
>SOA Appliances
>Application Integration Middleware
>
>



Why phishing works

2006-04-24 Thread Aram Perez
I don't recall seeing this here, but a friend sent me the following link: <http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf>


Enjoy,
Aram Perez



Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-22 Thread Aram Perez

On Mar 22, 2006, at 2:05 PM, Perry E. Metzger wrote:


Victor Duchovni <[EMAIL PROTECTED]> writes:
Actually calculating the entropy for real-world functions and generators may be intractable...


It is, in fact, generally intractable.

1) Kolmogorov-Chaitin entropy is just plain intractable -- finding the
   smallest possible Turing machine to generate a sequence is not
   computable.
2) Shannon entropy requires a precise knowledge of the probability of
   all symbols, and in any real world situation that, too, is
   impossible.


I'm not a cryptographer nor a mathematician, so I stand duly corrected/chastised ;-)

So, if you folks care to educate me, I have several questions related to entropy and information security (apologies to any physicists):

* How do you measure entropy? I was under the (false) impression that Shannon gave a formula that measured the entropy of a message (or information stream).
* Can you measure the entropy of a random oracle? Or is that what both Victor and Perry are saying is intractable?
* Are there "units of entropy"?
* What is the relationship between randomness and entropy?
* (Apologies to the original poster) When the original poster requested "passphrases with more than 160 bits of entropy", what was he requesting?
* Does processing an 8 character password with a process similar to PKCS#5 increase the entropy of the password?
* Can you add or increase entropy?

Thanks in advance,
Aram Perez
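An added Go example (not something posted in the thread) that puts numbers to the questions above: it computes Shannon entropy from a probability model, applies the same formula to the byte histogram of the 0..255 sequence to show why the two answers differ, and works out the passphrase arithmetic behind the "more than 160 bits" request and the PKCS#5 question. The 95-character alphabet and the word-list sizes are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// shannonBits is Shannon's H(X) = -sum p(x) log2 p(x), in bits, for a probability
// distribution over the outputs of a source. The unit is bits because the log is base 2.
func shannonBits(probs []float64) float64 {
	h := 0.0
	for _, p := range probs {
		if p > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// histogramBitsPerByte applies the same formula to the byte frequencies observed in one
// sample. That is what "measuring the entropy of a sequence" usually means in practice,
// and it describes the histogram, not the process that produced the bytes.
func histogramBitsPerByte(sample []byte) float64 {
	var counts [256]int
	for _, b := range sample {
		counts[b]++
	}
	probs := make([]float64, 256)
	for i, c := range counts {
		probs[i] = float64(c) / float64(len(sample))
	}
	return shannonBits(probs)
}

// counterSequence is the 0, 1, ..., 255 sequence discussed in the thread.
func counterSequence() []byte {
	s := make([]byte, 256)
	for i := range s {
		s[i] = byte(i)
	}
	return s
}

// counterParadox returns (histogram entropy, source entropy) for the counter sequence:
// every byte value occurs exactly once, so the histogram scores the maximum 8 bits/byte,
// while the source is a deterministic generator with a single possible output, so its
// Shannon entropy is 0 bits. The number depends on the model, not on the sequence.
func counterParadox() (histogramBits, sourceBits float64) {
	return histogramBitsPerByte(counterSequence()), shannonBits([]float64{1.0})
}

// passphraseBits is the source entropy of k words chosen uniformly and independently
// from a list of listSize entries: k * log2(listSize).
func passphraseBits(k, listSize int) float64 {
	return float64(k) * math.Log2(float64(listSize))
}

// wordsNeeded is the smallest k for which passphraseBits(k, listSize) reaches targetBits.
func wordsNeeded(targetBits float64, listSize int) int {
	return int(math.Ceil(targetBits / math.Log2(float64(listSize))))
}

// afterDerivation bounds what survives a deterministic derivation such as a PKCS#5 KDF:
// the output cannot hold more entropy than the input, nor more than its own length in
// bits. Iterating the function slows down guessing but adds no entropy.
func afterDerivation(inputBits, outputLenBits float64) float64 {
	return math.Min(inputBits, outputLenBits)
}

func main() {
	h, s := counterParadox()
	fmt.Printf("counter 0..255: histogram %.1f bits/byte, source %.1f bits\n", h, s)
	fmt.Printf("8 printable ASCII chars: %.1f bits; after a 160-bit KDF output: %.1f bits\n",
		passphraseBits(8, 95), afterDerivation(passphraseBits(8, 95), 160))
	fmt.Printf("words from a 7776-word list needed to reach 160 bits: %d\n", wordsNeeded(160, 7776))
}
```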



Re: passphrases with more than 160 bits of entropy

2006-03-22 Thread Aram Perez

On Mar 22, 2006, at 9:04 AM, Perry E. Metzger wrote:



Aram Perez <[EMAIL PROTECTED]> writes:

Entropy is a highly discussed unit of measure.


And very often confused.


Apparently.


While you do want maximum entropy, maximum
entropy is not sufficient. The sequence of the consecutive numbers 0
- 255 have maximum entropy but have no randomness (although there is
finite probability that a RNG will produce the sequence).


One person might claim that the sequence of numbers 0 to 255 has 256
bytes of entropy.


It could be, but Shannon would not.


Another person will note "the sequence of numbers 0-255" completely
describes that sequence and is only 30 bytes long.


I'm not sure I see how you get 30 bytes long.


Indeed, more
compact ways yet of describing that sequence probably
exist. Therefore, we know that the sequence 0-255 does not, in fact,
have "maximum entropy" in the sense that the entropy of the sequence
is far lower than 256 bytes and probably far lower than even 30 bytes.


Let me rephrase my sequence. Create a sequence of 256 consecutive bytes, with the first byte having the value of 0, the second byte the value of 1, ... and the last byte the value of 255. If you measure the entropy (according to Shannon) of that sequence of 256 bytes, you have maximum entropy.



Entropy is indeed often confusing. Perhaps that is because both the
Shannon and the Kolmogorov-Chaitin definitions do not provide a good
way of determining the lower bound of the entropy of a datum, and
indeed no such method can exist.


No argument from me.

Regards,
Aram Perez



Re: passphrases with more than 160 bits of entropy

2006-03-22 Thread Aram Perez

On Mar 22, 2006, at 4:28 AM, Thierry Moreau wrote:


Travis H. wrote:

Hi,
Does anyone have a good idea on how to OWF passphrases without
reducing them to lower entropy counts?  That is, I've seen systems
which hash the passphrase then use a PRF to expand the result --- I
don't want to do that.  I want to have more than 160 bits of entropy
involved.


More than 160 bits is a wide-ranging requirement.

Entropy is a highly discussed unit of measure.


And very often confused. While you do want maximum entropy, maximum entropy is not sufficient. The sequence of the consecutive numbers 0 - 255 have maximum entropy but have no randomness (although there is finite probability that a RNG will produce the sequence).


Regards,
Aram Perez




Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Aram Perez

On Feb 1, 2006, at 3:50 AM, Travis H. wrote:


On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

In our office, we have a shredder that happily
takes CDs and is designed to do so.  It is noisy
and cost >$500.


Here's one for $40, although it doesn't appear to "shred" them so much
as make them pitted:

http://www.thinkgeek.com/gadgets/security/6d7f/


For a few more dollars, you can get one where the residue is powder:  
.





Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Aram Perez

On Dec 7, 2005, at 10:24 PM, James A. Donald wrote:


--
James A. Donald:

We can, and should, compare any system with the
attacks that are made upon it.   As a boat should
resist every probable storm, and if it does not it
is a bad boat, an encryption system should resist
every real threat, and if it does not it is a bad
encryption system.


Aram Perez

I'm sorry James, but you can't expect a (several
hundred dollar) rowboat to resist the same probable
storm as a (million dollar) yacht.


Software is cheaper than boats - the poorest man can
afford the strongest encryption, but he cannot afford
the strongest boat.


If it is that cheap, then why are we having this discussion? Why isn't there a cheap security solution that even my mother can use?


Respectfully,
Aram Perez




Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-07 Thread Aram Perez

On Dec 7, 2005, at 8:40 AM, James A. Donald wrote:


--
From:   Ed Gerck <[EMAIL PROTECTED]>
Subject:X.509 / PKI, PGP, and IBE Secure
Email Technologies


http://email-security.net/papers/pki-pgp-ibe.htm

X.509 / PKI (Public-Key Infrastructure), PGP (Pretty
Good Privacy) and IBE (Identity-Based Encryption)
promise privacy and security for email. But comparing
these systems has been like comparing apples with
speedboats and wingbats. A speedboat is a bad apple,
and so on.


We can, and should, compare any system with the attacks
that are made upon it.   As a boat should resist every
probable storm, and if it does not it is a bad boat, an
encryption system should resist every real threat, and
if it does not it is a bad encryption system.


I'm sorry James, but you can't expect a (several hundred dollar)  
rowboat to resist the same probable storm as a (million dollar)  
yacht. There is no such thing as "one-size encryption system fits all  
cases".


Regards,
Aram Perez



Web Browser Developers Work Together on Security

2005-11-30 Thread Aram Perez
Core KDE developer George Staikos recently hosted a meeting of the  
security developers from the leading web browsers. The aim was to  
come up with future plans to combat the security risks posed by  
phishing, ageing encryption ciphers and inconsistent SSL Certificate  
practise. Read on for George's report of the plans that will become  
part of KDE 4's Konqueror and future versions of other web browsers...






Another Skype Study

2005-11-10 Thread Aram Perez
Don't recall seeing this on the list: <http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf>


Enjoy,
Aram Perez





Skype Patches Critical Flaws

2005-10-31 Thread Aram Perez

Skype Patches Critical Flaws

Skype users are being urged to upgrade to the latest version of the
Internet telephony client, due to a number of critical flaws in the
software that were disclosed by Skype's maker, Skype
Technologies SA.






High-risk flaws in Skype

2005-10-26 Thread Aram Perez





Re: Motorist wins case after maths whizzes break speed camera code

2005-08-11 Thread Aram Perez

On Aug 10, 2005, at 7:01 PM, Victor Duchovni wrote:


On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote:


The facts are very scrambled but I like it.
The brief TV reports from lawyers were more factual.

Motorist wins case after maths whizzes break speed camera code


http://www.faqs.org/qa/rfcc-1420.html

Possibly related:

http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf


From the brochure: "Security/Encryption: all enforcement information  
is public key authenticated using MD5 encryption to ensure  
information is authentic and tamper free". So, of course, it must be  
very secure, no marketing enhancements here.


On the other hand, it seems that the prosecutor didn't use/hire the  
proper expert witness. Putting aside the inaccuracies of the article  
I'm trying to interpret correctly what the article stated. The record  
being protected by MD5 consists of the  "time, date, place,  
numberplate and speed". Assuming that only the speed was in question,  
then it should be possible to calculate all the MD5's for all  
possible speed values and see if you get a collision (actually, just  
the speed values above the speed limit).


Just my 2 centavos,
Aram Perez

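The enumeration Aram describes, as an added example that is not part of the thread or of any Redflex product: the record (time, date, place, numberplate, speed) is modelled as a pipe-joined string covered by a bare MD5, and the secret key, field order, separator and sample values are assumptions. With only the speed unknown, every plausible speed is tried until the digest matches; and because nothing secret goes into a plain MD5, the same recomputation lets anyone rewrite the speed and produce a digest that "verifies". The keyed variant (HMAC-MD5) shows the property the brochure's wording claims but an unkeyed digest cannot deliver. If the camera really applied a public-key signature over the MD5, the forgery step would not work, but the speed-recovery step still would, since signature verification is public.

```python
import hashlib
import hmac

# Constructed sample record in the shape the article describes. The field
# order, the pipe separator, the speed limit and the key are assumptions for
# this example, not the camera's actual format.
SAMPLE = {"time": "14:32:07", "date": "2005-08-10", "place": "Hume Hwy km 212",
          "plate": "ABC123", "speed": 117}
SPEED_LIMIT = 100


def encode_record(time, date, place, plate, speed):
    """Serialise one enforcement record the way the digest would cover it."""
    return f"{time}|{date}|{place}|{plate}|{speed}".encode()


def unkeyed_digest(record):
    """'Authentication' as a bare MD5 over the record: no secret is involved."""
    return hashlib.md5(record).hexdigest()


def recover_speed(digest, time, date, place, plate, lo=SPEED_LIMIT + 1, hi=300):
    """Try every candidate speed above the limit and return the one whose
    MD5 over the rest of the (known) record matches the stored digest."""
    for speed in range(lo, hi + 1):
        candidate = unkeyed_digest(encode_record(time, date, place, plate, speed))
        if hmac.compare_digest(candidate, digest):
            return speed
    return None


def forge_unkeyed(time, date, place, plate, new_speed):
    """Rewrite the speed and recompute the digest; the result 'verifies'."""
    record = encode_record(time, date, place, plate, new_speed)
    return record, unkeyed_digest(record)


def keyed_tag(key, record):
    """HMAC-MD5 over the record: recomputing the tag now needs the key."""
    return hmac.new(key, record, hashlib.md5).hexdigest()


def verify_keyed(key, record, tag):
    """Constant-time check of a keyed tag."""
    return hmac.compare_digest(keyed_tag(key, record), tag)


def demo():
    r = SAMPLE
    original = encode_record(r["time"], r["date"], r["place"], r["plate"], r["speed"])
    stored = unkeyed_digest(original)

    # 1. The only unknown field has a few hundred possible values, so the
    #    digest gives the speed away to anyone who can compute MD5.
    found = recover_speed(stored, r["time"], r["date"], r["place"], r["plate"])

    # 2. Without a key the digest cannot authenticate anything: change the
    #    speed, recompute, and the forged record checks out against its digest.
    forged, forged_digest = forge_unkeyed(r["time"], r["date"], r["place"], r["plate"], 61)
    forged_ok = unkeyed_digest(forged) == forged_digest

    # 3. With a secret key (assumed to live only in the camera and back end),
    #    the attacker's best effort, an unkeyed MD5 over the forged record,
    #    is rejected because the key is needed to produce a valid tag.
    key = b"camera-secret-key-assumed"
    forged_rejected = not verify_keyed(key, forged, unkeyed_digest(forged))
    return found, forged_ok, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(117, True, True)`: the speed recovered from the unkeyed digest, the forged unkeyed record passing its own check, and the same forgery failing against the keyed tag.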


Re: the limits of crypto and authentication

2005-07-15 Thread Aram Perez

On Jul 14, 2005, at 8:13 PM, Rich Salz wrote:


If you had two products ... both effectively performing the same
function, one you already had deployed, which was significantly cheaper,
significantly simpler, and significantly faster, which one would you choose?


I was told that one of the reasons SSL took off was because Visa and/or MC
told merchants they would "for the time being" treat SSL as card-present,
in terms of fraud penalties, etc.  If this is true (anyone here verify?
My source is on the list if s/he wants to name themselves), then SSL/SET
is an interesting example of betting on both sides.


On the contrary, merchants were (and maybe still are) being charged  
MOTO (mail order/telephone order) rates for using SSL. Even SET was  
going to charge MOTO rates until just before it was finalized. The  
payment card companies weren't getting enough interest for SET and  
decided to offer card-present rates to get more interest in SET. SSL  
took off because it was free, in over 90% of the browsers (Netscape  
owned the browser market then), and it was easy to integrate into  
shopping carts. As a merchant, basically your only cost was your  
VeriSign cert.


But you are correct in that the payment card companies were in an  
interesting position: on one hand they charge higher rates for using  
SSL but on the other hand, the "perception" was that something more  
secure than SSL was needed.


One other point, SET did NOT require certs for the consumers. The  
client-merchant protocol supported clients without certs.


Respectfully,
Aram Perez




Re: the limits of crypto and authentication

2005-07-14 Thread Aram Perez

On Jul 14, 2005, at 6:23 AM, Perry E. Metzger wrote:


Rich Salz <[EMAIL PROTECTED]> writes:


I think that by eliminating the need for a merchant to learn
information about your identity I have aimed higher. Given that we're
talking about credit instruments,


Wasn't that a goal of SET?


Some of it was, yah. I don't claim that any of this is original. The
problem with SET was that the protocol was far too complicated to
implement (hell, the spec was nearly too heavy to lift), and it was
proposed well before people even had USB connectors on their
computers, let alone cheap USB card interfaces. I think people threw
out the baby with the bathwater, though. The general idea was correct.


While the SET protocol was complicated, its failure had nothing to  
do with that fact or the lack of USB on PCs. You could buy libraries  
that implemented the protocol and the protocol did not require USB.  
IMO, the failure had to do with time-to-market factors. In the late  
90s, when ecommerce was just in its infancy and you took the risk of  
setting up a web store, were you going to wait until you could integrate a  
SET toolkit into your web site and until your customers had SET  
wallets installed on their PCs before selling a product? Or were you  
going to sell to anyone who used a web browser that supported SSL? It  
was very simple economics, even if you had to pay VeriSign $400 for  
your SSL certificate and pay Visa/MasterCard a higher fee.


Respectfully,
Aram Perez




Re: ID "theft" -- so what?

2005-07-14 Thread Aram Perez
Why do cryptography folks equate PKI with  
certificates and CAs? This fallacy is a major "root cause" of the  
problem IMHO. Why was the term "PKI" invented in the late 70s/early  
80s (Kohnfelder's thesis?)? Before the invention of asymmetric  
cryptography, didn't those people who used symmetric cryptography  
need an SKI (secret key infrastructure) to manage keys? But no one  
uses the term SKI or talks about how to manage secret keys (a very  
hard problem). Anytime you use any type of cryptography, you need an  
"infrastructure" (<http://en.wikipedia.org/wiki/Infrastructure>) to  
manage your keys, whether secret or public. There are at least two  
public key infrastructures that do NOT require CAs: PGP and SPKI. But  
like in so many real life cases, the best technology does not always  
win and we are stuck with the system that garnered the most business/ 
economic support.


Respectfully,
Aram Perez

On Jul 14, 2005, at 6:19 AM, Perry E. Metzger wrote:


Ian Grigg <[EMAIL PROTECTED]> writes:


It's 2005, PKI doesn't work, the horse is dead.


He's not proposing PKI, but nymous accounts.  The
account is the asset, the key is the owner;


Actually, I wasn't proposing that. I was just proposing that a private
key be the authenticator for payment card transactions, instead of the
[name, card number, expiration date, CVV2] tuple -- hardly a
revolutionary idea. You are right, though, that I do not propose that
any PK_I_ be involved here -- no need for certs at all for this
application.

I don't claim this is a remotely original idea, by the way. I'm just
flogging it again.


But, thank the heavens that we now have reached
the point where people can honestly say that PKI
is the root cause of the problem.


"Root Cause of the Problem" isn't correct either. It is better to say
that PKI doesn't solve many of the hard problems we have, or, in some
cases, any problems -- it doesn't per se cause any problems, or at
least not many.

This is not a "new realization" -- this goes back a long way.

People were saying PKI was a bad idea a decade ago or more. A number
of the people here, including me, gave talks on that subject years
ago. I spoke against PKI during the debate I was invited to at the
Usenix Electronic Commerce Workshop in 1998 or so, and at many
opportunities before and since. Dan Geer has a pretty famous screed on
the subject. Peter Gutmann talks about the follies of X.509 so often
it is hard to keep up. I don't mean to single us out as visionaries --
we were just saying things lots of other people were also saying.

Honestly, where have you been?


Can you now tell the browser people?


I can smell the rest of this discussion right now, Ian. You'll
misunderstand the constraints the browser people are under, and start
claiming SSL is bad (or unnecessary) about 20 seconds after that. I'm
not playing the game.

Perry








Blowsearch Secured Messanger

2005-02-10 Thread Aram Perez
BSM must be very secure!
Quote from the web site: " Blowsearch Secured Messenger utilizes the 
OpenSSL library to provide encryption routines for your Instant 
Messages. We use a combination of randomly selected schemes and bit 
lengths, ranging up to 4096 bits, with additional algorithms added in 
to make your messages even more secure. We start with an RSA foundation 
and move out from there."




Is 3DES Broken?

2005-01-31 Thread Aram Perez
Hi Folks,
I hate to bother you with what I consider a dumb question, but I'm 
trying to give a person the benefit of my doubts. There's a person on a 
legal forum that I participate in that claims that 3DES has been 
broken/cracked. However, he has not provided any documentation to the 
effect as his "time at present is limited and valuable". He claims that 
"the specifics were already posted on this and several other similar 
forums". Other than Ross Anderson and his students extracting a 3DES 
key from an IBM4758, has 3DES been in fact broken?

Thank you,
Aram Perez
[Moderator's note: The quick answer is no. The person who claims
otherwise is seriously misinformed. I'm sure others will chime
in. --Perry]


Re: Al Qaeda crypto reportedly fails the test

2004-08-13 Thread Aram Perez
Hi Chris,

> Steven M. Bellovin writes:
> 
>> http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual
>> articles.)
> 
> Does there exist an English translation (I'd be surprised if not)? If
> not, I'd be happy to provide one if there were sufficient interest.

I'd be interested in an English version.

Thanks!
Aram



Re: should you trust CAs? (Re: dual-use digital signature vulnerability)

2004-08-03 Thread Aram Perez
Hi Adam,

> From: Adam Back <[EMAIL PROTECTED]>
> Date: Fri, 30 Jul 2004 17:54:56 -0400
> To: Aram Perez <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], Cryptography <[EMAIL PROTECTED]>, Adam
> Back <[EMAIL PROTECTED]>
> Subject: Re: should you trust CAs? (Re: dual-use digital signature
> vulnerability)
> 
> On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote:
>> As far as I know, there is nothing in any standard or "good security
>> practice" that says you can't have multiple certificates for the same email
>> address. If I'm willing to pay each time, Verisign will gladly issue me a
>> certificate with my email, I can revoke it, and then pay for another
>> certificate with the same email. I can repeat this until I'm bankrupt and
>> Verisign will gladly accept my money.
> 
> Yes but if you compare this with the CA having the private key, you
> are going to notice that you revoked and issued a new key; also the CA
> will have your revocation log to use in their defense.
> 
> At minimum it is detectable by savy users who may notice that eg the
> fingerprint for the key they have doesn't match with what someone else
> had thought was their key.
> 
>> I agree with Michael H. If you trust the CA to issue a cert, it's
>> not that much more to trust them with generating the key pair.
> 
> Its a big deal to let the CA generate your key pair.  Key pairs should
> be generated by the user.

From a purely (and possibly dogmatic) cryptographic point of view, yes, key
pairs should be generated by the user. But in the real world, as Ian G
points out, where businesses are trying to minimize costs and maximize
profits, it is very attractive to have the CA generate the key pair (and, as
Peter G pointed out, deliver the pair securely), and issue a certificate at the
same time. I hope you are not using a DOCSIS cable modem to connect to the
Internet, because that is precisely what happened with the cable modem. A
major well-known CA generated the key pair, issued the certificate and
securely delivered them to the modem manufacturer. The modem manufacturer
then injected the key pair and certificate into the modem and sold it. I
guess you can say/argue that there is a difference between a "user key pair"
and a "device key pair", and therefore, it can work for cable modems, but I
don't know how you feel/think/believe in this case.

Until fairly recently, when smart cards could finally generate their own key
pairs, smart cards were delivered with key pairs that were generated outside
the smart card and then injected into them for delivery to the end user.

I'm not trying to change your mind, I'm just trying to point out how the
real business world works, whether we security folks like it or not.

Respectfully,
Aram Perez



Re: should you trust CAs? (Re: dual-use digital signature vulnerability)

2004-07-30 Thread Aram Perez
Hi Adam,

> The difference is if the CA does not generate private keys, there
> should be only one certificate per email address, so if two are
> discovered in the wild the user has a transferable proof that the CA
> is up-to-no-good.  Ie the difference is it is detectable and provable.

As far as I know, there is nothing in any standard or "good security
practice" that says you can't have multiple certificates for the same email
address. If I'm willing to pay each time, Verisign will gladly issue me a
certificate with my email, I can revoke it, and then pay for another
certificate with the same email. I can repeat this until I'm bankrupt and
Verisign will gladly accept my money.

I agree with Michael H. If you trust the CA to issue a cert, it's not that
much more to trust them with generating the key pair.

Respectfully,
Aram Perez



Re: New Attack on Secure Browsing

2004-07-16 Thread Aram Perez
Hi Ian,

> Congratulations go to PGP Inc - who was it, guys, don't be shy this
> time? - for discovering a new way to futz with secure browsing.
> 
> Click on http://www.pgp.com/ and you will see an SSL-protected page
> with that cute little padlock next to domain name.  And they managed
> that over HTTP, as well!  (This may not be seen in IE version 5 which
> doesn't load the padlock unless you add it to favourites, or some
> such.)

Here is what I saw when going to the PGP site:

Windows XP Pro:
IE 6.x:         No padlock
Firefox 0.9.2:  Padlock on address bar and tab

Mac OS 10.2.8:
IE 5.2:         No padlock
Safari 1.0.2:   Padlock on address bar but not on tab
Firefox 0.8:    Padlock on address bar and tab
Camino 0.7:     Padlock on address bar and tab

You stated that http://www.pgp.com is an SSL-protected page, but did you
mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
error that the certificate is wrong and they end up at http://www.pgp.com.

I'm not sure if PGP deliberately set out to confuse naïve users since their
logo has been the padlock for a while. Many web sites have their logo
displayed on the address bar (and tab) when you go to their site, see
http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the
question.

Respectfully,
Aram Perez



Re: identification + Re: authentication and authorization

2004-07-09 Thread Aram Perez
Hi Ed and others,

Like usual, you present some very interesting ideas and thoughts. The
problem is that while we techies can discuss the "identity theft" definition
until we are blue in the face, the general public doesn't understand all the
fine subtleties. Witness the (quite amusing) TV ads by CitiBank.

With high regards,
Aram Perez

[snip]
