Re: Anyone know anything about the new AT&T encrypted voice service?

[David G. Koontz]

On 7/10/10 11:19 AM, Perry E. Metzger wrote:
> AT&T debuts a new encrypted voice service. Anyone know anything about
> it?
> 
> http://news.cnet.com/8301-13506_3-20018761-17.html
> 
> (Hat tip to Jacob Applebaum's twitter feed.)
> 
JavaScript needs to be enabled:
http://www.att.com/gen/press-room?pid=18624&cdvn=news&newsarticleid=31260&mapcode=enterprise
AT&T to Offer First Carrier-Provided, Two Factor Encryption Service for
Smartphones

AT&T Encrypted Mobile Voice Service uses Powerful Combination of Hardware
and Software to Enable Voice Calls with High-Level Security
Dallas, Texas, October 06, 2010

AT&T to Offer First Carrier-Provided, Two Factor Encryption Service for
Smartphones

AT&T Encrypted Mobile Voice Service uses Powerful Combination of Hardware
and Software to Enable Voice Calls with High-Level Security
Dallas, Texas, October 06, 2010
newsrelease


AT&T* today launched AT&T Encrypted Mobile Voice, the first carrier-provided
two factor encryption service, which provides high-level security features
for calls on the AT&T wireless network. The service is targeted at
government agencies, law enforcement organizations, financial services
institutions and international businesses.
 ...
AT&T Encrypted Mobile Voice combines KoolSpan’s TrustChip® and SRA
International’s One Vault Voice™ into the first carrier-provided two-factor
encryption solution. TrustChip is a fully hardened, self-contained crypto
engine inserted into the smartphone’s microSD slot. Embedded with AT&T
TrustGroup, the KoolSpan TrustChip offers the strength of additional
hardware authentication, enables encrypted calling interoperability with a
defined group of other AT&T TrustGroup users and can be managed over-the-air.
 ...
AT&T Encrypted Mobile Voice supports BlackBerry® smartphones and Windows®
Phones on the AT&T wireless network. Unlike other encrypted voice systems,
AT&T Encrypted Mobile Voice is not limited by availability of legacy Circuit
Switched Data coverage and can operate in the over 190 countries globally
where AT&T provides data roaming.

AT&T Encrypted Mobile Voice meets the government information classification
standards for Controlled Unclassified Information, offering The National
Institute of Standards and Technology (NIST) FIPS – 140-2 validation.
 ...
 ---
It would appear to be susceptible to the FBI's proposed law on making plain
text available.

It's OEM'd:

http://www.koolspan.com/products/trustchip.html

http://www.koolspan.com/images/stories/docs/KoolSpan_TrustChip_Secured_Solutions_Secure_Voice.pdf

http://www.koolspan.com/images/stories/docs/KoolSpan_TrustChip.pdf

http://www.koolspan.com/images/stories/docs/KoolSpan_TrustCenter.pdf

Linux is supported in the TrustChip Developer Kit
http://www.koolspan.com/products/developer-kit.html

AES-256


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Obama administration wants encryption backdoors for domestic surveillance

[David G. Koontz]

http://www.boingboing.net/2010/09/27/obama-administration.html

A good first point of interest clearinghouse site for the issue can be found
on Boing Boing.

It points to a Green Greenwald article on Salon and the ACLU.

There's also a nice piece at the Cato Institute
http://www.cato-at-liberty.org/designing-an-insecure-internet/
Designing an Insecure Internet

and

http://reason.com/blog/2010/09/27/obama-administration-frustrate
Feds Frustrated With Their Inability to Wiretap This Here New-Fangled
Internet Thing

Seems the underdogs in the Crypto Wars still has strong feelings, and now a
lot of them are part of mainstream media.

also

https://www.eff.org/deeplinks/2010/09/government-seeks
Government Seeks Back Door Into All Our Communications

The CDT and EPIC web sites haven't been updated yet.

I'd expect once a lot of people get the chance to do some digging will see
some 'entertaining' articles show up on the web.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Obama administration revives Draconian communications intercept plans

[David G. Koontz]

On 28/09/10 1:26 AM, Perry E. Metzger wrote:

> From the New York Times, word that the Obama administration wants to
> compel access to encrypted communications.
> 
> http://www.nytimes.com/2010/09/27/us/27wiretap.html

Someone should beat up the FBI for using specious arguments:

> But as an example, one official said, an investigation into a drug cartel 
> earlier this year was stymied because smugglers used peer-to-peer software,
> which is difficult to intercept because it is not routed through a central
> hub. Agents eventually installed surveillance equipment in a suspect’s
> office, but that tactic was “risky,” the official said, and the delay
> “prevented the interception of pertinent communications.”

You could note that the communications either went through a phone system or
through an ISP. The qualifier 'delay "prevented the interception of
pertinent communications"' means they couldn't get a wiretap instantly.
Seems they wouldn't either if they asked for a court order first.

This sort of argumentation is why privacy advocates won in the Clipper
debate.  The FBI isn't arguing 'for' rationally, but then again they'd
probably have a hard time winning without resorting to propaganda.

> And their envisioned decryption mandate is modest, they contended, because
> service providers — not the government — would hold the key.
>
> “No one should be promising their customers that they will thumb their nose
>  at a U.S. court order,” Ms. Caproni said. “They can promise strong
> encryption. They just need to figure out how they can provide us plain text.”

Sounds like an effort to legitmize and institutionalize the ability of
government to perform SSL MITM with service providers footing the bill.

There's also a Declan McCullagh article "Report: Feds to push for Net
encryption backdoors".  http://news.cnet.com/8301-31921_3-20017671-281.html


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Intel plans crypto-walled-garden for x86

[David G. Koontz]

On 14/09/10 3:58 PM, John Gilmore wrote:
> http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars
> 
> "In describing the motivation behind Intel's recent purchase of McAfee
> for a packed-out audience at the Intel Developer Forum, Intel's Paul
> Otellini framed it as an effort to move the way the company approaches
> security "from a known-bad model to a known-good model." Otellini went
> on to briefly describe the shift in a way that sounded innocuous
> enough--current A/V efforts focus on building up a library of known
> threats against which they protect a user, but Intel would live to
> move to a world where only code from known and trusted parties runs on
> x86 systems."

The 'approved application' security model doesn't have to be ubiquitous
anymore than the IOS application restrictions on iDevices extend to Mac OS
X.  Just yesterday I tripped across a media item saying Nvidia's Tegra 2 was
being replace by an Intel Atom CE4100 (due to lack of performance for Full
HD output).
http://liliputing.com/2010/09/boxee-box-up-for-pre-order-nvidia-tegra-2-chip-replaced-with-intel-atom-ce4100.html

If you look in the August 20th Business Week article
http://www.businessweek.com/news/2010-08-20/intel-after-mcafee-may-find-mobile-a-difficult-sell.html

  “As we look at all of the growth areas for Intel silicon, one of the
  consistent purchase criteria for both IT managers and consumer is
  security,” Renee James, the head of Intel’s software division, said in an
  interview yesterday. “This is a pretty natural step for us.”

Growth areas for Intel silicon aren't in the PC market, which is saturated,
Intel is producing silicon to compete with ARM CPUs in mobile and appliance
computing.

  “The number of new security threats identified every month continues to
  rise,” Otellini said. “We have concluded that security has now become the
  third pillar of computing, joining energy-efficient performance and
  Internet connectivity in importance.”

Energy-efficient implies portability.  And:

  Intel will have to persuade customers they need security in non-PC
  electronics in much the same way it has convinced businesses and
  consumers that they required chips that speed computing tasks or ensure
  seamless wireless connections.

Owning an antivirus software company is probably a good license to
scaremonger. It's likely McAfee will suddenly start detecting threats and
offering solutions.

And:

  “As we move from a PC-centric era to a mobile-centric era, Intel needs to
  take advantage of every opportunity to expand its footprint into that
  marketplace.”

The gist of the article is that the intent is for new Intel markets.  In
other words there's more to mobile and appliance computing than dreamed
about in Mr. Gates philosophy, wherein Microsoft has moved in the antivirus
market for PCs, haven't they?  (Microsoft Security Essentials).  In a
saturated PC market the McAfee adoption rate has probably been stagnating or
dropping signaling the need for new markets, hence the company being
available for purchase.

There doesn't appear to be enough information to state what Intel plans
authoritatively, but it does bring into question Windows Mobile 7 adoption
rates.

Also when (web) content contains programming (javascript, etc.) you'd be
faced with the necessity of certifying everyone's content (including blogs)
or impinging on First Amendment uses of the Internet.  It's unlikely the
entire Internet would be transformed into commercial outlets for goods and
services, while providing the means for walled city marketing in specific
products appears the hot new thing.

While vigilance to impingement of rights is always a good thing, there's
evidence for the meat of the issue to fall on the other side of the razor's
edge.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: About that "Mighty Fortress"... What's it look like?

[David G. Koontz]

On 18/08/10 3:46 AM, Peter Gutmann wrote:
> Alexander Klimov  writes:
> 
>> Each real-time check reveals your interest in the check. What about privacy
>> implications?
>
> (Have you ever seen a PKI or similar key-using design where anyone involved in
> speccing or deploying it genuinely cares about privacy implications?  Not only
> have I never seen one, I've even been to a talk at a conference where someone
> was criticised for wasting time on privacy concerns).


(You may have opened your question too wide).

Privacy against whom?  There were enough details revealed about the key
escrow LEAF in Clipper to see that the operation derived from over the air
transfer of keys in Type I applications.  The purpose was to keep a back
door private for use of the government.  The escrow mechanism an involution
of PKI.

There were of course concerns as evinced in the hearing under the 105th
Congress on 'Privacy in the Digital Age: Encryption and Mandatory Access
Hearings', before the Subcommittee on the Constitution, Federalism, and
Property Rights, of the Committee on The Judiciary, United States Senate in
March 1998.  These concerns were on the rights of privacy for users.

Clipper failed primarily because there wasn't enough trust that the privacy
wouldn't be confined to escrow agents authorized by the Judiciary.  The
Federal government lost credibility through orchestrated actions by those
with conscience concerned over personal privacy and potential government abuse.

Privacy suffers from lack of legislation and is only taken serious when the
threat is pervasive and the voters are up in arms.









-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: "Cars hacked through wireless tire sensors" Another paper plus USENIX SEC10 proceedings

[David G. Koontz]

What looks like to be an applicable paper.  Not the same set of authors as
the earlier reference to USENIX.

Experimental Security Analysis of a Modern Automobile
Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and
Tadayoshi Kohno
Department of Computer Science and Engineering University of Washington
Seattle, Washington 98195–2350 Email:
{supersat,aczeskis,franzi,shwetak,yos...@cs.washington.edu
Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham,
and Stefan Savage
Department of Computer Science and Engineering University of California San
Diego La Jolla, California 92093–0404 Email:
{s,dlmccoy,brian,d8anders,hovav,sava...@cs.ucsd.edu


Abstract—  Modern automobiles are no longer mere mechanical devices; they
are pervasively monitored and controlled by dozens of digital computers
coordinated via internal vehicular networks. While this transformation has
driven major advance- ments in efficiency and safety, it has also introduced
a range of new potential risks. In this paper we experimentally evaluate
these issues on a modern automobile and demonstrate the fragility of the
underlying system structure. We demonstrate that an attacker who is able to
infiltrate virtually any Electronic Control Unit (ECU) can leverage this
ability to completely circumvent a broad array of safety-critical systems.
Over a range of experiments, both in the lab and in road tests, we
demonstrate the ability to adversarially control a wide range of automotive
functions and completely ignore driver input — including disabling the
brakes, selectively braking individual wheels on demand, stopping the
engine, and so on. We find that it is possible to bypass rudimentary network
security protections within the car, such as maliciously bridging between
our car’s two internal subnets. We also present composite attacks that
leverage individual weaknesses, including an attack that embeds malicious
code in a car’s telematics unit and that will completely erase any evidence
of its presence after a crash. Looking forward, we discuss the complex
challenges in addressing these vulnerabilities while considering the
existing automotive ecosystem.

Appears in 2010 IEEE Symposium on Security and Privacy. See
http://www.autosec.org/ for more information.

http://www.autosec.org/pubs/cars-oakland2010.pdf

There's also a FAQ on the paper:  http://www.autosec.org/faq.html


Add electronic throttle and steer by wire (ala Lexus LS460) and I see an App
Store app getting popular for those James Bond back seat drivers.

The USENIX Security Symposium http://www.usenix.org/events/sec10/tech/
lists the paper referenced in Ars Technia under Real-World Security as

Security and PRivacy Vulnerabilities of In-Car Wireless Networks: A Tire
Pressure Monitoring System Case Study (P. 323)

Ishtiaq Rouf, University of South Carolina, Columbia; Rob Miller, Rutgers
University; Hossen Mustafa and Travis Taylor, University of South Carolina,
Columbia; Sangho Oh, Rutgers University; Wenyuan Xu, University of South
Carolina, Columbia; Marco Gruteser, Wade Trappe, and Ivan Seskar, Rutgers
University

The USENIX SEC10 Paper
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire
Pressure Monitoring System Case Study

Ishtiaq Rouf et. al. is available at:
http://www.usenix.org/events/sec10/tech/full_papers/Rouf.pdf

It is also found in the two page layout PDF of the USENIX SEC10 proceedings
http://www.usenix.org/events/sec10/tech/
at:

http://www.usenix.org/events/sec10/tech/full_papers/security10_proceedings.pdf
 (20 MB)
http://www.usenix.org/events/sec10/tech/full_papers/sec10_errata.pdf

(Referred papers are available individually)

or the epub versions:
http://www.usenix.org/sec10/epub  (16 MB)
http://www.usenix.org/events/sec10/tech/full_papers/USENIX_Security10_Errata.epub

Readable with the Firefox EPUBReader add-on the epub is not encrypted
meaning you can extract quotes or cites easily and access the papers as HTML
files found in the epub (zip) archive.  The quality is excellent.

Also in  a mobi version, the proceedings are just chocka full of other
interesting things, too.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

After spyware fails, UAE gives up and bans Blackberries

[David G. Koontz]

http://arstechnica.com/tech-policy/news/2010/08/after-spyware-failed-uae-gives-up-and-bans-blackberries.ars
By John Timmer


Discussing in general terms RIM's Blackberry email server connections to
their servers in Canada's encryption resistance to United Arab Emirates
monitoring efforts when used by enterprise customers (bankers).

>From the article:

  Why the apparent ire is focused on the devices themselves rather than
  the general approach isn't clear. An SSL connection to an offshore e-mail
  server would seem to create just as much trouble as RIM's approach, but
  there don't seem to be any efforts afoot to clamp down on other
  smartphone platforms.

The first thing that comes to mind is SSL MITM interception.  Has the UAE
compelled Etisalat to aid in MITM?

You might expect a government to be a bit more subtle dancing around
plausible deniability.  Enough concerns and the 'marks' just may develop
alternative means.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Crypto dongles to secure online transactions

[David G. Koontz]

Jerry Leichter wrote:
> On Nov 8, 2009, at 2:07 AM, John Levine wrote:
> 
>> At a meeting a few weeks ago I was talking to a guy from BITS, the
>> e-commerce part of the Financial Services Roundtable, about the way
>> that malware infected PCs break all banks' fancy multi-password logins
>> since no matter how complex the login process, a botted PC can wait
>> until you login, then send fake transactions during your legitimate
>> session.  This is apparently a big problem in Europe.
>>
>> I told him about an approach to use a security dongle that puts the
>> display and confirmation outside the range of the malware, and
>> although I thought it was fairly obvious, he'd apparently never heard
>> it before.
> Wow.  *That's* scary.
> 


http://www.zurich.ibm.com/ztic/
IBM Zone Trusted Information Channel (ZTIC)
A multi line display and two buttons (approve/disapprove)

http://www.zurich.ibm.com/pdf/csc/ZTIC-Trust-2008-final.pdf

More and more attacks to online banking applications target the user's home
PC, changing what is displayed to the user, while logging and altering key
strokes.

 ...

In order to foil these threats, IBM has introduced the Zone Trusted
Information Channel (ZTIC), a hardware device that can counter these attacks
in an easy-to-use way. The ZTIC is a USB-attached device containing a
display and minimal I/O capabilities that runs the full TLS/SSL protocol,
thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device
(thus requiring no driver installation) and starting a "pass-through" proxy
configured to connect with pre-configured (banking) Websites. After starting
the ZTIC proxy, the user opens a Web browser to establish a connection with
the bank's Website via the ZTIC. From that moment on, all data transmitted
between browser and server pass through the ZTIC; the SSL session is
protected by keys maintained only on the ZTIC and, hence, is inaccessible to
malware on the PC (see usage and technical operation animations, which
illustrate how the ZTIC works).

 ...

 --

There's a video clip. http://www.youtube.com/watch?v=mPZrkeHMDJ8 (HD and low
res)

It puts the onus on the user for approval of malware driven transactions.

http://www.zurich.ibm.com/ztic/operation.html
(animated illustration)

Our Land Transport New Zealand agency (www.ltsa.govt.nz, like the DMV) uses
POLi for making on line transactions.  Apparently POLi uses the very same
techniques to provide transaction confirmation to a third party, as are used
by malware to interject data into transactions or steal information.

There should be no reason a ZTIC like device couldn't be used to provide
authentication to a third party as well, the idea being your car license
renewal etc. transaction isn't confirmed until the bank completes the
payment transaction.

Browsers compartmentalizing connections in the equivalent of sandboxes like
as done by Chrome would while defending against malware attacks make POLi
impossible without something like ZTIC.  POLi currently has other
dependencies on Windows.  It strikes me as insecure today, using the same
features exploited by malware.

http://www.centricom.com/  (POLi, centricom used to do routers and the like)
The POLi service now operates in three countries around the world:
Australia, New Zealand and the UK.

You'd think the solution would be cost sensitive.

Internet banking is big here too.  As is phone banking and cell phone
message based transactions.  You have to subscribe (thankfully).  We get our
share of fake ATM fronts and the like.





-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: full-disk subversion standards released

[David G. Koontz]

Peter Gutmann wrote:
> John Gilmore  writes:
> 
>> The theory that we should build "good and useful" tools capable of monopoly
>> and totalitarianism, but use social mechanisms to prevent them from being
>> used for that purpose, strikes me as naive.
> 
> There's another problem with this theory and that's the practical
> implementation issue.  I've read through... well, at least skimmed through the
> elephantine bulk of the TCG specs, and also read related papers and
> publications and talked to people who've worked with the technology, to see
> how I could use it as a crypto plugin for my software (which already supports
> some pretty diverse stuff, smart cards, HSMs, the VIA Padlock engine, ARM
> security cores, Fortezza cards (I even have my own USG-allocated Fortezza ID
> :-), and in general pretty much anything out there that does crypto in any
> way, shape, or form).  However after detailed study of the TCG specs and
> discussions with users I found that the only thing you can really do with
> this, or at least the bits likely to be implemented and supported and not full
> of bugs and incompatibilities, is DRM.
> 

You could note a certain overlap between the promoters of Digital Content
Protection and the Trusted Computing Group:

http://www.digital-cp.com/about_dcp
Nearly 400 leading companies license the technology, including the following:
Semiconductor: PC Companies:Consumer Electronics:

AMD HP  Panasonic
Analog Devices  Microsoft   Samsung
Intel   Lenovo  Sony
Silicon Image   Toshiba
Full List of Licensees: Click here  
(Fuji Xerox Co., Ltd.)

https://www.trustedcomputinggroup.org/about/members/

Current Members
  Promoter  Contributor

AMD...
Fujitsu Limited Panasonic
Hewlett-Packard...
IBM Samsung Electronics Co.
Infineon   ...
Intel Corporation   Sony Corporation
Lenovo Holdings Limited...
Microsoft   Toshiba Corporation
Seagate Technology
Sun Microsystems, Inc.
Wave Systems

The costs and economy of scale say at some point all the disk drives will be
capable of FDE, whether or not it is enabled (whether or not you pay for the
'extra' feature).  The distinction is the added cost of testing the
encryption versus the cost of two different testing regimes, when silicon is
typically pin bound defining area and cost.   The same integration cost
advantages makes the like of HDMI close to zero cost to the television media
consumer.

Enterprise 'platform owners' have the capability of assuming control of the
attestation chain, while 'personal computing' might have few opportunities
other than to allow the likes of an operating system vendor to provide
control 'in loco parentis' for the naive consumer.  Loss of control of
personal computing would come about by seduction - the offer of benefits in
exchange for more of the camel edging under the tent skirt.  More's the pity
if it offers competitive advantage excluding open source.  You'd think video
content providers would be anxious for a way to provide secure delivery of
content via download.  Being able to stick video onto a disk protected by a
plus thirteen Mage DMCA spell would be a definite benefit.

I'd also imagine we'll see vulnerabilities that will allow content recovery.
Getting 'secure' computing requires a secure operating system.  Building a
computer secure against end user tampering would incur high adoption costs
that wouldn't be supportable in the marketplace.  To borrow and mutilate a
turn of phrase from Bruce, what we get is Kabuki security theater with the
commiserate tendency toward prostitution.

All that said and done, people may still well end up with better security -
data encrypted at rest.  I'd think fighting DRM would be a separate battle
from opposing FDE.  It may be worthwhile to show systemic vulnerabilities
that despite the encryption endanger threaten 'content protection', because
while DRM's proponents like to provide a stylized threat model the real
world doesn't match up.   The enterprise is able to leverage further
behavioral limits on users actions during platform operation and the Trusted
Computing threat model allows users within the cryptographic boundary
(undoubtedly due to the cost of exclusion).  Additional behavioral limits
aren't available for the DRM usage model, and there is nothing stopping the
malevolent end user from monitoring unencrypted data from a drive for example.

Trusted Computing may never be suitable for DRM either.  I'd expect an
enterprise would field a careful selected configuration that they could
manage to make work for their purposes.   DRM has to work for 

Re: Obama's secure PDA

[David G. Koontz]

Jerry Leichter wrote:

> I commented earlier that $3200 seemed surprisingly cheap.  One of the
> articles on this claimed this was absurdly expensive - typical DoD gold
> plating.  Well ... the real price of a standard Blackberry is a couple
> of hundred dollars, and put one in a room with a speaker phone and
> listen to the famous "Blackberry buzz".  Shielding these things, even to
> avoid obvious interference, is *not* easy.  Getting it to Tempest specs
> must take some impressive engineering.  For a non-mass-market device
> with that kind of engineering, $3200 seems pretty cheap.

Quite a few TEMPEST approved devices are rather innocuous looking these
days, the PDA a case in point.  Having been present during the big TEMPEST
adoption in the military (early 70's) and the introduction of FCC Part 15
(late 70's) I'd think that shielding requirements for compromising
emanations are at least extremely closely related to EMI prevention. There's
also Red/Black separation, electrical and physical isolation between
circuitry carrying classified signals and those not.  If I were to hazard a
guess TEMPEST requirements are close to those found for VDE/CE approval
today (a bit more stringent than FCC).

I would expect that the reason for 'approved' cables has to do with insuring
construction to an approved standard perhaps with some actual testing thrown
in.  The amount of shielding  required in cabling is on par with the use of
shielded twisted pairs.   The additional cost of TEMPEST approved equipment
primarily comes from design testing and certification.  The engineering is
otherwise on par with COTS best practices (today).

I used to work on a non HY-11 CVSD secure voice link utilizing a KG-13/TSEC
Key Generator, used in support of what we publicly know now as the National
Reconnaissance Office.  Got a late night call from the security officer
complaining about picking up an AM radio station on the secure phone
handset.  The installation had a plan, nice Red/Black separation, ferrous
conduits enclosing cabling, physical distance separations, power line
filtering and separate power circuits, the whole nine yards.  To make a long
story short it was picking up the radio station because of a ground loop in
the shield for the receive phone pair and a cold solder joint.  Re-flowing
the solder joint was sufficient to stop the impromptu crystal radio, and I
broke the ground loop as well and sent off an annotated copy of the
installation wiring diagram to the engineer who did the installation plan.
The ground loop mixed inside and outside grounds exposing the shield for the
receive pair to broadcast signals, this particularly strong local AM station
in point.  The cold solder joint acted as a rectifier.

Working a few years later for a local video game company, one late night I
had occasion to listen to the same AM station on the speaker of an arcade
video game we were prototyping.  That was cured by twisting a pair in the
wiring harness.  The next year FCC Part 15 was slated to go into effect and
was causing all sorts of industry panic. A year or two later we were still
seeing significant EMI from computer equipment.  My upstairs neighbor's
Apple II used to cause some serious interference with my TV reception using
a pair of rabbit ears, some of the biggest EMI culprits for the longest time
were power supplies.

Today your desktop or laptop PC is generating a significant amount of power
across various portions of the spectrum including up into the Giga Hertz
range.  The amount of EMI produced is closely on par with TEMPEST approved
equipment, and the greatest threat to producing EMI or compromising
emanations (following the demise of CRT displays) is cabled peripherals. The
difference is that it isn't TEMPEST certified, nor has it necessarily been
design with Red/Black separation in mind.

There'd be strong motivation to use tested and approved cables in classified
data handling equipment.  While the reduction in EMI for any equipment is
largely due to management of signal and power return paths, reduction in
power by using smaller signal amplitudes, lower edge rates (rise and fall
times as opposed to data rate) filtering and where necessary shielding.
Connect one little cheap cable and the next thing you know someone is
complaining about receiving AM broadcasts on their fancy (and expensive)
secure voice system, or worse, being surveilled without knowing it.

I'm not surprised you can hear a Blackberry with a speaker phone.  It's got
a radio transmitter, and more than likely the speaker phone has an RJ-11
connector on a long straight conductor cable.  As a guess we'd be talking
about a Blackberry within a couple of meters, and that phone wire strung
across a conference table before reaching the floor.

http://www.blackberry.com/solutions/pdfs/Healthcare/Wireless_EMI_in_Healthcare_Facilities_White_Paper.pdf

You could note a preponderance of phone sensitivity due to proximity (Page
10).  A secure handset will do the sam

Steve Bellovin on the MD5 Collision attacks, more on Wired

[David G. Koontz]

http://www.cs.columbia.edu/~smb/blog//2008-12/2008-12-30.html

Steve mentions the social pressures involved in disclosing the vulnerability:

Verisign, in particular, appears to have been caught short. One of the CAs
they operate still uses MD5. They said:

The RapidSSL certificates are currently using the MD5 hash function
  today. And the reason for that is because when you're dealing with
  widespread technology and [public key infrastructure] technology, you have
  phase-in and phase-out processes that cane take significant periods of
  time to implement.

 ...
[4 years?]

Legal pressure? Sotirov and company are not "hackers"; they're respected
researchers. But the legal climate is such that they feared an injunction.
Nor are such fears ill-founded; others have had such trouble. Verisign isn't
happy: "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this". But given that the researchers couldn't know
how Verisign would react, in today's climate they felt they had to be cautious.

This is a dangerous trend. If good guys are afraid to find flaws in fielded
systems, that effort will be left to the bad guys. Remember that for
academics, publication is the only way they're really "paid". We need a
legal structure in place to protect security researchers. To paraphrase an
old saying, security flaws don't crack systems, bad guys do.

 --

The researchers provided information under NDA to browser manufacturers and
Microsoft contacted Verisign providing no real details
(http://blog.wired.com/27bstroke6/2008/12/berlin.html , the Wired article.):

Callan confirms Versign was contacted by Microsoft, but he says the NDA
prevented the software-maker from providing any meaningful details on the
threat. "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this," he says.

The researchers expect that their forged CA certificate will be revoked by
Verisign following their talk, rendering it powerless. As a precaution, they
set the expiration date on the certificate to August 2004, ensuring that any
website validated through the bogus certificate would generate a warning
message in a user's browser.

 ---

The 2007 paper http://www.win.tue.nl/hashclash/EC07v2.0.pdf

Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different
Identities, Marc Stevens , Arjen Lenstra , and Benne de Weger

(also from the Wired article)

 --

Nate Lawson's comments
http://rdist.root.org/2008/12/30/forged-ca-cert-talk-at-25c3/
To paraphrase Gibson, “Crypto security is available already, it just isn’t
equally distributed.”


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Researchers Use PlayStation Cluster to Forge a Web Skeleton Key

[David G. Koontz]

http://blog.wired.com/27bstroke6/2008/12/berlin.html

More coverage on the MD5 collisions.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Researchers Show How to Forge Site Certificates |

[David G. Koontz]

http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates

 By Ed Felten - Posted on December 30th, 2008 at 11:18 am

Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov,
Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David
Molnar) announced that they have found a way to forge website certificates
that will be accepted as valid by most browsers. This means that they can
successfully impersonate any website, even for secure connections.


 ---

Through the  use of MD5 collisions.  The slides from the presentation are
available here:

http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html

The presentation entitled "MD5 considered harmful today, Creating a rogue CA
Certificate"

The collisions were found with a cluster of 200 PlayStation 3's. (slide
number 3, see slide number 25 for a picture of the cluster, a collision
taking one to two days)

They apparently did a live demo using forged certificates in a man in the
middle attack using a wireless network during the demonstration with access
by the audience. (slide number 5)

 CAs still using MD5 in 2008:  (slide number 19)
  ? RapidSSL
  ? FreeSSL
  ? TrustCenter
  ? RSA Data Security
  ? Thawte
  ? verisign.co.jp


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: CPRNGs are still an issue.

[David G. Koontz]

Charles Jackson wrote:

> 
> I probably should not be commenting, not being a real device guy.  But,
> variations in temperature and time could be expected to change SSD timing.
> Temperature changes will probably change the power supply voltages and shift
> some of the thresholds in the devices.  Oscillators will drift with changes
> in temperature and voltage.  Battery voltages tend to go down over time and
> up with temperature.  In addition, in some systems the clock frequency is
> purposely swept over something like a 0.1% range in order to smooth out the
> RF emissions from the device.  (This can give a 20 or 30 dB reduction in
> peak emissions at a given frequency.  There is, of course, no change in
> total emissions.)
> 
> Combine all of these factors, and one can envision the SSD cycles taking
> varying numbers of system clock ticks and consequently the low order bits of
> a counter driven by a system clock would be "random."  However, one would
> have to test this kind of entropy source carefully and would have to keep
> track of any changes in the manufacturing processes for both the SSD and the
> processor chip. 
> 
> Is there anyone out there who knows about device timing that can say more?  

As a chip wonk, without addressing SSD operational timing directly how much
a clock can change is dependent on the accuracy over a period of time
sufficient to be off by one or more clocks, implying long counter chain
timing - slow entropy accumulation at best.  Worse still, the error value
when compared to an outside clock source would tend to be at a fixed rate,
although you see minor variations based on temperature and voltage.  The
same things that make power analysis a valid attack also influence
temperature and voltage.  I'd expect you could  manipulate second order
effects by how the system is operated. Other than effects on frequency,
temperature and voltage affect switching thresholds which can cause
variability in delay in particular when crossing clock domains.  These
threshold delays can be strongly correlated.

Dithered clocks are intended to only fool spectrum analyzers measuring peak
power and are not based on entropy or second order effects.  A PLL feedback
pattern is typically masked by applying the output of a counter and look up
table or combinatoric circuit.  There is no disparity generated long term in
clock high and low bauds, the counter makes the dithering periodic.  Think
short PRNG cyclically applying clock edge offsets and hitting all the
positive and negative offsets equally.

The two don't strike me as sufficient to construct an adequate ergodic system.

Using a HDD as an 'entropy' source is based on operating an ergodic system
where the preceding state is not readily predictable.   The variability is
based in part on sectors and cylinders, angular velocity, disk position and
head position.  All that variability can collapse in an SSD.  Trying to rely
on remaining secondary effects for loss of predictability could be countered
by eliminating or reducing them.  We design systems to not be readily
influenced by secondary effects in the first place.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Why the poor uptake of encrypted email? [Was: Re: Secrets and cell phones.]

[David G. Koontz]

JOHN GALT wrote:
> StealthMonger wrote:
> 
>> This may help to explain the poor uptake of encrypted email.  It would
>> be useful to know exactly what has been discovered.  Can you provide
>> references?
> 
> The iconic Paper explaining this is "Why Johnny Can't Encrypt" available
> here:  http://portal.acm.org/citation.cfm?id=1251435
> 

Available from the Authors:

http://gaudior.net/alma/johnny.pdf
http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf

(For those of us not ACM members and not having Library or affliate access).

There's also a power point presentation on the cognitive dissonance involved:

http://www.nku.edu/~waldenj1/classes/2006/spring/csc593/presentations/Johnny.ppt

And something done at Carnegie Mellon:

http://cups.cs.cmu.edu/courses/ups-sp06/notes/060202LectureNotes.doc

http://cups.cs.cmu.edu/courses/ups-sp06/slides/060202-user-tests2.ppt


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Lifting Some Restrictions on Encryption Exports

[David G. Koontz]

Ali, Saqib wrote:
> Does anyone have more info on the following:
> http://snurl.com/75m3f
> 
> I couldn't find any other article that talked about it. The pay per
> news is the only item I found.
> 

It was tough to google for, because of all of the new references to Clinton
era articles.

google 'encryption "export restrictions"  2008' (past month)

http://www.governmentcontractslawblog.com/2008/11/articles/export-controls/encryption-export-restrictions-loosened-under-new-rules-that-reduce-prereview-and-reporting-requirements/

>From this article you can see that the restrictions have had the effect of
driving cryptographic software development offshore:
http://www.governmentcontractslawblog.com/2008/11/articles/export-controls/new-export-rules-revise-de-minimis-provisions-allowing-bundled-software-to-be-included-in-commodity-valuation-clarifying-terms-and-reducing-reporting-requirements/

(Mostly European companies, I understand)

The first link has a link to the Federal Register to 'see the word of the law':

http://www.governmentcontractslawblog.com/uploads/file/GovConNov.pdf
Federal Register / Vol. 73, No. 193 / Friday, October 3, 2008 / Rules and
Regulations  Pages 57495 through 57512

The PDF file is 124 KB.

17 pages plus a couple of column inches on the 18th page, too long to copy
here.





-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: EFF press release on the gag order being lifted.

[David G. Koontz]

Perry E. Metzger wrote:
> http://www.eff.org/press/archives/2008/08/19
> 

You wonder if it was MTBA exhibit 4 that tipped their case against the
MTBA's injunction, using Roblimo's article on Sklyarov, quoting reactions to
Dmitry Sklyarov's arrest for a DMCA violation on July 16, 2001, wherein:

  Jennifer Granick, the clinical director of Stanford University's Center
  for Internet and Society, has also criticized the move by the software
  industry and the FBI.

  "American corporations have never been shy about using taxpayer money to
  enforce their rights," she said.

Using a news article containing a quote from the defense's representation
counter to your position doesn't sound like a winning strategy.  Ms. Granick
is the Civil Liberties Director with the EFF and has filed a declaration in
the case.

The Wikipedia article http://en.wikipedia.org/wiki/Dmitry_Sklyarov has a
succinct summary of the Sklyarov case, where charges against him were
dropped in exchange for testimony (against his employer).  In December 2002,
Elcomsoft (the employer) was found not guilty of violating the DMCA in a
jury trial.

Most notably:

  On July 19, 2001, the Association of American Publishers issued a press
  release announcing their support of his arrest. Adobe initially supported
  the arrest, but after a meeting with the Electronic Frontier Foundation,
  they issued a joint press release on July 23, 2001, recommending his
  release. However, Adobe still supports the case against ElcomSoft.

The MTBA had no organization or employer to fall back on in prosecution, and
are still alleging CFAA violations against the defendants, undoubtedly
stemming from the initial conference description of their presentation,
mentioning free fares, and the slide presentation showing MTBA operations
centers, possibly counterfeit transit authority identification, and
surreptitious access to computing facilities.  The problem being either one
of a bit too much security theater on the part of the defendants, or
possible violations of the CFAA.

It is notable that there is no criminal case to date.  One could also wonder
if the MTBA is taking corrective actions to protect their system both
through physical plant security and proper inclusion of cryptographic
protection of their ticketing system, as well.










-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Kiwi expert cracks chip passport

[David G. Koontz]

http://www.stuff.co.nz/4659100a28.html?source=RSStech_20080817


Peter Gutmann has gotten himself in the news along with Adam Laurie and
Jeroen van Beek for altering the passport microchip in a passport.

Think of this as a local boy makes good piece of news, well worth it for the
picture of Peter:

http://www.stuff.co.nz/images/748842.jpg


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Judge approves TRO to stop DEFCON presentation

[David G. Koontz]

Jim Youll wrote:
> these have been circulating for hours, but they are content-free title
> slides...
> 
> On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:
> 
>> On Sat, 09 Aug 2008 17:11:11 -0400, "Perry E. Metzger"
>> <[EMAIL PROTECTED]>
>> wrote:
>>>Las Vegas - Three students at the Massachusetts Institute of
>>>Technology (MIT) were ordered this morning by a federal court
>>>judge to cancel their scheduled presentation about vulnerabilities
>>>in Boston's transit fare payment system, violating their First
>>>Amendment right to discuss their important research.
>>
>> 

There's also the synopsis as an exhibit to the case found in the Wired
article.  Note the recommendations for corrective action are familiar from
the  previous reported weaknesses to the MIFARE system.


http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks --
Update: Restraining Order Issued; Talk Cancelled

http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case
1:08-cv-11364-GAO).

A report on the Dutch Public Transit Card:
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Recently updated Dutch information by Andy Tanenbaum:
http://www.cs.vu.nl/~ast/ov-chip-card/

The fellows at Raboud University Nijmegan:
http://www.ru.nl/ds/research/rfid/

(Where we'll probably be able to find the Esorics 2008 presentation.
'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the
attack, there's info on the MIFARE Classic cryptographic algorithm.

http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
http://www.cs.virginia.edu/~kn5f/pdf/OV-card_security.pdf

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic
http://eprint.iacr.org/2008/166.pdf

Security Evalution of the disposable OV-chipkaart v1.7  updated 13 April 08
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf
(which has a description of the memory structure found on the cards as well
as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf
(translation: security through obscurity? still obscure enough)

And of course we've seen the Raboud video link found on Youtube:
http://www.youtube.com/v/NW3RGbQTLhE&hl=en


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Surveillance, secrecy, and ebay, monor correction.

[David G. Koontz]

David G. Koontz wrote:
> Sherri Davidoff wrote:

You know how memory is, little things get squishy with the passage of years.
As soon as I saw the post up on cryptography I asked myself was that 1972 or
1974?

>Privacy Act of 1972

That should be 1974.
http://www.law.cornell.edu/uscode/html/uscode05/usc_sec_05_0552---a000-notes.html

Public law 93-579  "The Privacy Act of 1974"

http://www.law.cornell.edu/uscode/html/uscode05/usc_sec_05_0552---a000-.html
5 USC 552a  Records maintained on individuals.

(10) establish appropriate administrative, technical, and physical
safeguards to insure the security and confidentiality of records and to
protect against any anticipated threats or hazards to their security or
integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information is
maintained;


The quoted section (10) being the basis for finding harm on disclosure.

I remember seeing the Federal Register notice for the Digital Encryption
Standard, in 1977, mind you.




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Surveillance, secrecy, and ebay

[David G. Koontz]

Sherri Davidoff wrote:
> Matt Blaze wrote:
>> Once sensitive or personal data is captured, it stays around forever,
>> and the longer it does, the more likely it is that it will end up
>> somewhere unexpected.
> 
> Great point, and a fundamental lesson-of-the-moment for the security
> industry. To take it one step further: The amount of sensitive
> information an organization stores is roughly proportional to the number
> of data leaks it initiates. We already know that information "wants" to
> be free, and if you keep information around, sooner or later, it's going
> to leak out. (There's probably some mathematical way to describe this
> relationship.)
> 
> Rather than expecting companies to keep data totally secure and then
> send apologetic letters when it gets lost, perhaps we should start
> taxing companies in proportion to the amount of sensitive information
> they store, and use that tax to assist victims of identity theft. This
> would have the double benefit of giving companies immediate incentive to
> reduce the amount of information they store, and would also provide
> appropriate public funding for incident recovery.
> 
> Sherri
> 
> 

Encryption with a resistance to cryptanalytic techniques requiring on the
order of the useful lifetime of the 'secrets' being protected to overcome is
a perfectly valid way to secure private data.  This resulted following the
Privacy Act of 1972, in the release of the Digital Encryption Standard
detailing the Digital Encryption Algorithm commonly known as DES in 1977 and
published as FIPS PUB 46.

Immediately the U.S. government started providing itself with waivers to the
use of encryption for at rest storage of data, that are only being overcome
today.  During the same era, the nation's security agencies exhibited a
strong desire to prevent the disbursement of security technology for private
and business use, as it foils the gathering of economic intelligence and
provides strong encryption to foreign military and security concerns. I'm of
the opinion that DES didn't provide much advantage to 'adversaries' of the
U.S. government, but it's spread was effectively limited to the banking
industry for a considerable length of time.

During it's life time the cost of breaking DES has reduced steadily, to the
point a recent low cost implementation could attack a DES system in between
5 and 32 hours using $1000 dollars worth of commercial FPGA hardware[1], or
a totally brute force attack yielding a key in 7.8 days at the cost of
$10,000[2].  Note that this has resulted in changes  to approved algorithms,
with resulting increase in resistance to brute force attacks by dramatically
increasing the key space.  We now worry about the near mythical quantum
computer's ability to break any current encryption scheme.

While Matt was relating the inadvertent disbursement of information relating
to a criminal investigation, you'd think that could be under the aegis of
the court system, perhaps by tinkering with the rules of evidence.  After
all encrypted storage is an effective means of preventing unauthorized
access, duplication and altering of evidence.  Bar associations would appear
a logical place to influence protecting client-data and client attorney
privilege.

We also see the Department of Defense requiring at rest encrypted storage of
data, the requirement becoming universal over time.  You'd have to wonder if
the requirement was extended to the rest of the U.S. government, just how
long it would take to protect data.  Couldn't be more than a decade.

State and local governments, you run into unfunded mandates.  It helps that
they already have a duty under various privacy laws to protect data, as do
private companies.  Perhaps the problem is not that we need more laws, but
that the laws we have aren't be adhered to?

Is the resistance to data protection today predicated on cost?  We see
secure disk products that when the costs are amortized across volume for a
couple of kilobytes of code, a slightly faster processor, or one with
security co-processor, the cost of developing software interface controls
and finally certification costs, should add a cost burden of a couple of
dollars but are being sold at a premium, all the market can bear.

What's not apparent is the cost of data loss, other than bad press.  We find
interesting cases, such as in aviation security where we find from Professor
Mueller that the cost in terms of lives saved with the Transportation
Security Agency is 15 times higher than their value by protection by other
means[3], indicating we have an enormous white elephant, there.  How do we
prevent the inadvertent replication of waste in another large area of
government mandated security?

Balancing the apparent lack of adherence to current privacy laws and the
potential cost of a bureaucracy dedicated to measuring quanta of privacy
data, regulating the balance of taxes owed, offsets by encryption, tracking
the acquisition of privacy data, it's proper and a

Re: Permanent Privacy - Are Snake Oil Patents a threat?

[David G. Koontz]

Ali, Saqib wrote:
> Quoting the Foxbusiness article:
> 
> Permanent Privacy (patent pending) has been verified by Peter
> Schweitzer, one of Harvard's top cryptanalysts, and for the inevitable
> cynics Permanent Privacy is offering $1,000,000 to anyone who can
> decipher a sample of ciphertext."

I did a quick check to look for patent applications or patents by them and
didn't find any.  This isn't definitive if a patent application isn't
published.  The newest published patent application I found on encryption
had an application date of 11 Dec 2007.  Some recently published patent
applications are 6 or 7 years old, too.

While there I updated my periodic search for recent patents and applications
on cryptography.  It's surprising the number of questionable patent
applications and patents you can find.  Aside from propping up marketing
claims with patents as has been done throughout history, the primary threat
poor quality patents present is the ability of patent trolls to tax
'innovation'.  The volume of crypto related patents and applications is
increasing lately and there is no clear sign the quality is rising.  Crypto
patents used to be primarily a competition method between defense
contractors, now its just about everyone as use expands.

There was one recent application from a chip company on an architecture and
instruction set for implementing the Advanced Encryption Standard , where
the architecture is that of a modern processor and the instruction set isn't
covered in the claims, rather a description of the algorithm for executing
AES is given.  While it would be well suited for a defensive patent
portfolio, imagine the havoc if granted and this patent were to fall into
the hands of a patent troll claiming it covered all implementations on a
processor.

Being a bit of a hardware wonk, a lot of these patents appear obvious.  For
instance Rainbow inherited a patent on the use of dual rank shift registers
to allow overlapping data I/O and cryptographic operations.  It does perform
the useful function of bringing down the clock rate needed to sustain some
throughput, but it was hardly a non-obvious innovation at the time it was
filed.  Rate buffers had been used as long before the patent was filed to
balance communications throughput.  I also recall one on MIMD execution of
DES to increase throughput, hardly non-obvious though granted.

Obviously patents could be improved by searching further across disciplines
for prior art and by having more USPTO expertise.  We're also seeing a
dumbing down of the 'Persons Having Ordinary Skill In the Art' as the number
of practitioners expand rapidly.

Has anyone been feeling the heat or see a future threat?

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why doesn't Sun release the crypto module of the OpenSPARC?

[David G. Koontz]

[Moderator's note: this seems to be much more about the open source
 wars and such than about crypto and security. I'm not going to
 forward replies on this topic that don't specifically address
 security issues -- those who were not interested in the original
 thread may want to skip this message, too. --Perry]


David G. Koontz wrote:
> zooko wrote:
>> On Jun 12, 2008, at 4:35 PM, David G. Koontz wrote:
>>
>>> There's the aspect of competition.
>>> I've also wondered if a reason they didn't release it is because they
>>> bought
>>> the 'IP' from someone.
>> Those are good guesses, David, and I guessed similar things myself and
>> inquired of various Sun folks if this was the "real" reason.  Nobody
>> could give me any definite answer, however, until Sridhar Vajapey wrote:
>>
>>  "US export control regulations prevent Sun from opensourcing the crypto
>> portion of N2.".
> 
> 
> You've got to admit, that the work load for implementation is quite a bit
> higher without the PCI-E, 10GE MACs, and crypto, for a piece of competitive
> silicon.  All the sudden you don't have that 'Server On a Chip' that Sun
> sells.
> 
> The net result is still that you can't compete directly with Sun, but you
> can still expand the range of applications for Sun processors, and oh by the
> way, Sun's silicon works perfectly well in any new markets.  It still walks
> like a duck.
> 
> For the record I don't begrudge Sun captive markets, it supports a fairly
> decent 64 bit architecture and isn't Intel.  What they have released isn't
> what they sell.  They're demonstrably Rice Christian open source advocates.
> 
> http://en.wikipedia.org/wiki/Rice_Christian
> 

On June 5th, Sun released more of the T2 RTL source, in this case for the
NIU (Network Interface Unit) which includes the 10G Ethernet interfaces.

This was presented by the fellow responsible on several blogs and
announcement on opensparc.net.

http://blogs.sun.com/dv/entry/10g_ethernet_design_open_sourced
http://blogs.sun.com/dwaynelee/entry/latest_opensparc_t1_and_t2
http://www.opensparc.net/2008-06/durgam-vahia-10g-ethernet-design-open-sourced.html
http://www.opensparc.net/opensparc-t2/version-1.1-released.html
announcement in which:

  OpenSPARC T2 System-on-chip (SoC) micro-architecture document has a new
  chapter on NIU. The document now is also divided in two volumes to reduce
  the size of the each book.

This new System-on-chip (SoC) micro-architecture documents are not in
evidence for download, the SoC document available is from December 2007
(without the NIU).

One could note that lack of open release of documentation on the NIU would
not be a major impediment to a Sun partner with a close working relationship
(and access to the UltraSPARC T2 full documentation).  One could likewise
view it to be detrimental to an independent effort.

The reasoning for why I labeled Sun as faint hearted open source advocates
can be summed up by how well they fit into the open source community.

http://www.groklaw.net/article.php?story=20080626160554713
Pamela Jone's Groklaw article entitled  'A Sun Update on the NetApp
Litigation', 26 June 2008:

  Brendan Scott of Open Source Law was interviewed recently and he made
  this point:

Open source is about community. You need to understand the community
to operate effectively in it and this means changing your own behaviour.
For example, if you start a new job and there is a cake morning on
Monday, then you are going to have to find a cake shop or hone your
baking skills if you want to be part of the team. Popping out for group
coffee on a Friday like you did at your last employer won't work. That
is why it's important to connect with people who are already members of
the community and know their way around it - people from the Monday set,
not the Friday set.

  In other words, you have to fit in. Releasing code is not all there is to
  it. Ethics, fairness, honesty -- it's the FOSS culture, and it's the value
  add. Any company that tries to play by the old rules undercuts that
  advantage.

http://www.computerworld.com.au/index.php/id;1993045790;pp;1;fp;16;fpid;1
(Brenden Scott interview)

Mike Dillon, Sun's General Counsel comments on the NetApp v. Sun litigation
over ZFS and on his blog http://blogs.sun.com/dillon/entry/netapp_draft
firmly declares Sun as a FOSS player.

>From what we see with Sun's opensparc.net effort, their part of the Friday
coffee crowd and not part of the Monday effort.  The difference between
getting by as an open source advocate while continuing your proprietary
behaviors, versus really changing and pro actively supporting open source.
Sun has lots of irons in the fi

Re: Why doesn't Sun release the crypto module of the OpenSPARC?

[David G. Koontz]

zooko wrote:
> On Jun 12, 2008, at 4:35 PM, David G. Koontz wrote:
> 
>> There's the aspect of competition.
> 
>> I've also wondered if a reason they didn't release it is because they
>> bought
>> the 'IP' from someone.
> 
> Those are good guesses, David, and I guessed similar things myself and
> inquired of various Sun folks if this was the "real" reason.  Nobody
> could give me any definite answer, however, until Sridhar Vajapey wrote:
> 
>  "US export control regulations prevent Sun from opensourcing the crypto
> portion of N2.".


You've got to admit, that the work load for implementation is quite a bit
higher without the PCI-E, 10GE MACs, and crypto, for a piece of competitive
silicon.  All the sudden you don't have that 'Server On a Chip' that Sun
sells.

The net result is still that you can't compete directly with Sun, but you
can still expand the range of applications for Sun processors, and oh by the
way, Sun's silicon works perfectly well in any new markets.  It still walks
like a duck.

For the record I don't begrudge Sun captive markets, it supports a fairly
decent 64 bit architecture and isn't Intel.  What they have released isn't
what they sell.  They're demonstrably Rice Christian open source advocates.

http://en.wikipedia.org/wiki/Rice_Christian



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Why doesn't Sun release the crypto module of the OpenSPARC? Competition?

[David G. Koontz]

Lawerence Spracklen's Blog:
http://blogs.sun.com/sprack/entry/detailed_t2_crypto_info

  Detailed T2 crypto info

  Very detailed info on the UltraSPARC T2 cryptographic accelerators can be
  found here on the OpenSPARC website (the pertinent info can be found in
  chapter-21 of the doc)

  Posted on: Sep 11, 2007

With a rebuttal that the Ch 21 in the document found there contained the PCI
Express Interface Unit:

  Unfortunately, it looks like the accelerator details have been removed :-(
  The SPU is not technically part of OpenSPARC

  Posted by Lawrence Spracklen on November 05, 2007 at 11:39 AM PST #

There's the aspect of competition.  The on core crypto gives one heck of a
competitive edge for networking applications, and performance figures found
on Dr. Spracklen's site show that the crypto stream processors across the
CMT can keep up with the 10G Ethernet ports.  I can't see them giving a
potential competitor everything needed to compete directly.  It'd be
reminiscent of IBM and Amdahl clones, captive markets and margins for
hardware threatened as easily as National's memory boards.  I'm sure Sun is
wiley enough to have some key patents, too.  A case of encouraging help to
enlarge the ecosystem, but not empowering direct competition.  They don't
mind if you develop more markets, after all Sun can play there, too.

I've also wondered if a reason they didn't release it is because they bought
the 'IP' from someone.  There are other instances - parts of the System on a
Chip.  In the OpenSPARC T2 System on a Chip Micro Architecture pdf there is
a disclaimer on page 3:

  Note ? OpenSPARC T2 currently does not include PCI-Express and 10Gigabit
  Ethernet design implementation due to current legal restrictions.
  Equivalent models may be available in the subsequent releases of OpenSPARC
  T2.

If the real reason is competition, it's always nice to have a good excuse,
too.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: NSA approves secure smart phone

[David G. Koontz]

Steven M. Bellovin wrote:
> http://www.gcn.com/online/vol1_no1/45946-1.html
> 
> 

http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1346&zoneid=210

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: NSA approves secure smart phone

[David G. Koontz]

Steven M. Bellovin wrote:
> http://www.gcn.com/online/vol1_no1/45946-1.html

>http://www.gdc4s.com/documents/D-SMEPED-6-1007_p21.pdf

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RFID-hack hits 1 billion digital access cards worldwide

[David G. Koontz]

http://computerworld.co.nz/news.nsf/scrt/3FF9713E23292846CC25740A0069243E

The Dutch government has issued a warning about the security of access keys
that are based on the widely used Mifare Classic RFID chip.


The warning comes in a week when two research teams independently
demonstrated hacks of the chip's security algorithm.


Criminals can use the hack to clone cards that use the Mifare Classic chip,
allowing them to create copies of building access keys or commit identity theft.


The chip is used in payment systems worldwide, such as the Oyster Card in
the UK and the CharlieCard that is used in Boston. Both offer payment
systems that allow for wireless transactions.


The chip is the basis of a national proof-of-payment system for public
transport. A recently published government-issued study by the Netherlands
Organisation for Applied Scientific Research dismissed the potential
security threat, claiming that hackers would take at least two years to
crack the security codes.


(The article is short enough it is hard to do fair-use justice.)

The cryptanalysis:
http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf

A March 12th Press Release from Radboud University Nijmegen:
http://www2.ru.nl/media/pressrelease.pdf
In HTML:
http://www.ru.nl/ds/group/ds_group/press_release/

A link to a demo video on Youtube:
http://www.ru.nl/ds/group/ds_group/press_release/film/

Run time is 1:55, 4.9 MB and a Flash Video
The demo is an attack on a door security system.

A recent report stating that it would take at least two years for the
cryptographic algorithm to be broken and used casually (From the video I'd
say this is optomistic by almost two years):
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf

A Mifare+ fix for the security weaknesses is announced (Mar 12th):
http://www.thetechherald.com/article.php/200811/394

On Monday NXP Semiconductors said they plan to release a new version of the
Mifare chip; the chip that has gained fame lately after its security was
broken by researchers at U. VA. Dubbed the Mifare Plus, the new chip
addresses the exact security problems that its predecessor the Mifare
Classic faced. The new NXP offering is boasting 128-bit encryption over the
original 48-bit.


The NXP press release:
http://www.nxp.com/news/content/file_1418.html

There are a couple of things of note.  They are seeking EAL-4+ evaluation
rating (which Windows 2000 has), it uses AES 128 bit encryption, and it has
backward compatibility with the 48 bit encryption,  Also the new cards won't
be available until Q4.

The cost of infrastructure upgrade (equipment cost versus card processing
delay) might cause an adoption lag.

NXP Semiconductors also claims to lead the car access and immobilzation markets.

















-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Unique locks on microchips could reduce hardware piracy

[David G. Koontz]

Two papers of interest in evaluating the paper
http://www.eecs.umich.edu/~imarkov/pubs/conf/date08-epic.pdf
EPIC: Ending Piracy of Integrated Circuits
Jarrod A. Roy?, Farinaz Koushanfar? and Igor L. Markov?
?The University of Michigan, Department of EECS, 2260 Hayward Ave., Ann
Arbor, MI 48109-2121
?Rice University, ECE and CS Departments, 6100 South Main, Houston, TX 77005

The two papers:

http://www.usenix.org/events/sec07/tech/full_papers/alkabani/alkabani.pdf
Active Hardware Metering for Intellectual Property Protection and Security
Yousra M. Alkabani and Farinaz Koushanfar, Rice University

http://delivery.acm.org/10.1145/133/1326215/p674-alkabani.pdf?key1=1326215&key2=5023225021&coll=&dl=GUIDE&CFID=15151515&CFTOKEN=6184618
Remote Activation of ICs for Piracy Prevention and Digital Right Management
Yousra Alkabani Computer Science Dept., Rice University
Farinaz Koushanfar Electrical & Computer Engineering and
Computer Science Depts., Rice University
Miodrag Potkonjak Computer Science Dept.,
University of California, Los Angeles




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Unique locks on microchips could reduce hardware piracy

[David G. Koontz]

David G. Koontz wrote:
> http://www.physorg.com/news123951684.html
> 

Two more articles:

http://arstechnica.com/news.ars/post/20080309-fighting-the-black-market-crypto-locks-for-cpus-other-ics.html
This one has a bit of the technical description

http://itnews.com.au/News/71553,chip-lock-aims-to-end-hardware-piracy.aspx

This has some comments including:

"Ok, so ow the hardware has to 'phone home'; before it will work. does this
mean that worldwide legitimate chip production has to halt every time the
patent holder has a server failure?
secondly, if someone has the capability of turning design documents into
working silicon, they also have the capability to make changes to the
design. what's to stop them from simply removing the lock circuitry from the
design before making the chips?
It seems to me that this DRM is like all other DRM. It causes problems for
the legal users, and won't do anything to stop the illegal users."

Posted by Kelly Gray, 8/03/2008 1:26:23 AM






-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Unique locks on microchips could reduce hardware piracy

[David G. Koontz]

http://www.physorg.com/news123951684.html


The technique is called EPIC, short for Ending Piracy of Integrated
Circuits. It relies on established cryptography methods and introduces
subtle changes into the chip design process. But it does not affect the
chips' performance or power consumption.

There's also the paper:

http://www.eecs.umich.edu/~imarkov/pubs/conf/date08-epic.pdf

Random number generators, public keys, remote attestation, oh my!

There appears to be an assumption that a potential 'pirate' isn't inside the
cryptographic boundary  which includes the chip design and tools,
fabrication process, and programming/testing facility.  I'm not sure the
vulnerability assessment includes all the threat models for gray market ICs.
 There seems to be a bit of hand waving involved.  It may narrow the avenues
available to the potential pirate.  From the article:

 "However, even in U.S. facilities, working chips are sometimes reported
defective by individual employees and later sold in gray markets,"
Koushanfar said."

By itself it doesn't stop silicon from being diverted after unlocking, for
instance.  I'd imagine the things you would do to increase threat coverage
might be sufficient in and of themselves to preclude the need for this lock
mechanism.

An attack on the random number generator appears a likely vector.


















-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Toshiba shows 2Mbps hardware RNG

[David G. Koontz]

Hal Finney wrote:
> 
> Looking at the block diagram for the new Toshiba circuit, and comparing
> with the Intel design, one concern I have is with attacks on the device
> via external electromagnetic fields which could modulate current flows
> and potentially influence internal random numbers. Intel attempted
> to mitigate this attack by using a pair of resistors spaced close
> together, and taking differentials between them. I don't see any such
> countermeasures in the (admittedly crude) block diagram in the Toshiba
> press release.
> 


>From the EE Times article, the stochastic noise source for the Toshiba RNG
is from a trap layer of Silicon Nitride in a MOSFET transistor.  An Analog
to Digital Converter is used as a gating amplifier and the random noise bit
rate is dependent on the conversion speed instead of transformer etc.impulse
response.  The difference in size between the 2 Mb/s  and 10 Mb/s RNG appear
to be due to A/D converter area (from the ISSCC session 22 advanced program).


http://www.toshiba.co.jp/rdc/rd/detail_e/e0704_03.html

It's a floating gate structure.

"  it is clear from the figure that the SiN MOSFET device generates greater
current fluctuation. This is presumably because more frequent occurrence of
electron capture and emission between the Si channels and dangling bonds
owing to the remarkably large number of the traps that cause noise
generation makes possible generation of a large amount of noise. Also, the
SiN MOSFET?s ID fluctuation makes it possible to generate a larger amount of
random noise due to the respective parameter designs of the devices (gate
length, gate width, tunnel oxidized film thickness (Tox), the Si/N atomic
ratio). "

The more "signal", the higher the noise immunity, presumably.  The
description reminds me of tube thermionic noise.   I'd suspect it would
benefit from a drawing done on a rotated axis showing the Trap layer as a 2D
array.

You get a random noise source that doesn't require the cryptographic
boundary be pushed into instruction/procedural space or across chip
boundaries for RNG generation, avoiding those pesky predictable random
numbers as attributed to a Microsoft software implementation recently.

Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC
Machine, Motorola), you wonder if someone would consider an FPGA with a good
RNG hard core cell on chip, now that someone has figured out how to do
red/black separation in an FPGA compiler.  Wonder how cheap it is to spot
dope SiN or will we have to switch to anti-fuse FPGAs to take advantage?







-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Jihadi software promises secure web communication

[David G. Koontz]

http://www.stuff.co.nz/4365478a28.html

An Islamist website often used by al Qaeda supporters is promoting
encryption software which it says will help Islamic militants communicate
with greater security on the internet.

The Mujahideen Secrets 2 software was promoted as "the first Islamic program
for secure communications through networks with the highest technical level
of encoding".

The software, available free on the password-protected Ekhlaas.org site
which often carries al Qaeda messages, is a newer version of Mujahideen
Secrets issued in early 2007 by the Global Islamic Media Front, an al
Qaeda-linked web-based group.

"This special edition of the software was developed and issued by ...
Ekhlaas in order to support the mujahideen (holy war fighters) in general
and the (al Qaeda-linked group) Islamic State in Iraq in particular," the
site said.

 --

On the other hand, imagine if the software were compromised by a TLA in the
spirit of the recent revival of interest of Crypto AG?  What a coup that
would be.  Of course vulnerabilities can be simply a matter of using the
wrong random number generator...






-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Encryption Faulted in TJX Hacking,

[David G. Koontz]

http://www.physorg.com/news109963481.html  25 Sep 2007

 (AP) -- Hackers stole millions of credit card numbers from discount
retailer TJX Cos. by intercepting wireless transfers of customer information
at two Miami-area Marshalls stores, according to an eight-month
investigation by the Canadian government.

The probe led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX
for failing to upgrade its data encryption system by the time the electronic
eavesdropping began in July 2005. The break-in ultimately gave hackers
undetected access to TJX's central databases for a year and a half, exposing
at least 45 million credit and debit cards to potential fraud.

 ...
Retail wireless networks collect and transmit data via radio waves so
information about purchases and returns can be shared between cash registers
and store computers. Wireless transmissions can be intercepted by antennas,
and high-power models can sometimes intercept wireless traffic from miles away.

While such data is typically scrambled, Canadian officials said TJX used an
encryption method that was outdated and vulnerable. The investigators said
it took TJX two years to convert from Wireless Encryption Protocol to more
sophisticated Wi-Fi Protected Access, although many retailers had done so.

Lang said TJX's systems complied with industry standards when the breach
started. She said TJX chose in 2005 to make the conversion and needed more
time than some retailers because its systems weren't compatible with the WPA
standard.

 ---

WLAN Security Service Aims to Boost PCI Compliance   August 31, 2007
http://www.wi-fiplanet.com/news/article.php/3697436?

?Never rely exclusively on wired equivalent privacy (WEP) to protect
confidentiality and access to a wireless LAN.  If WEP is used, do the following:


* Use with a minimum 104-bit encryption key and 24 bit-initialization value
* Use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS
* Rotate shared WEP keys quarterly (or automatically) [and] whenever
there are changes in personnel with access to keys
* Restrict access based on media access code (MAC) address.?

 ---

The emphasis on the 'in conjunction' part.  There's a cascade effect of
course,  The security of the WLAN is dependent on the strength of the
password of the satellite router, router configuration, register
administrators password, and so on.

There's another article or two on TJX, makes interesting reading, might even
have been worth a book if they'd only been on to the theft.

http://www.physorg.com/news94480989.html  March 30, 2007

http://www.physorg.com/news94568787.html  March 31, 2007, wherein there's a
feeble attempt to paint the problem as single DES as being weak in speculation.


T.J. Maxx Data Theft Likely Due To Wireless 'Wardriving'
http://www.informationweek.com/news/showArticle.jhtml?articleID=199500385&subSection=All+Stories


TJX
http://updates.zdnet.com/tags/TJX.html

WEP Security + Pringles-Can = $1 Billion TJX Loss?
http://msmvps.com/blogs/harrywaldron/archive/2007/05/09/wep-security-pringles-can-1-billion-tjx-loss.aspx

May 10th, 2007
Retailers haven?t learned from TJX - still running WEP
http://blogs.zdnet.com/Ou/?p=487


There was a slashdot article on 15 May.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

News on stolen Australian Law Enforcement Secure Radios

[David G. Koontz]

http://www.news.com.au/story/0,23599,22345160-2,00.html

APEC security arrangements have been thrown into disarray with the theft of
  digitally encrypted police radios and a bullet-proof vest.

The Sunday Telegraph reports that statewide memos have been issued to police
working during the APEC weekend to advise against using special frequencies
that can be picked up by the missing radios.

The loss of the vital pieces of equipment poses a major headache for NSW
Police, who are under extreme pressure from both the State and Federal
governments to ensure there are no security breaches over the APEC weekend.

 ---

What no Over The Air Re-keying for net exclusion, or perhaps the radios
aren't unique?  It's my  understanding that the Project 25 stuff used in the
U.S. wouldn't be similarly vulnerable on two counts:  OTAR with remote key
management and role based security.

more in the Australian news article:

Worth around $5000 each, the digital encryption system radios cannot be
picked up by regular scanners.

The NSW Government has spent an estimated $18 million in the past three
years to convert the old police radio network to a digital system.

The source said it was understood several digital radios had also been
stolen from NSW Fire Brigade stations in the inner west in recent weeks.

 ---

I'd imagine if they are actually vulnerable as a result of the radio
thefts, they've bought the wrong equipment, or at least certainly paid too much.

Note the contrast with the Olympics:

http://www.abc.net.au/news/stories/2004/08/11/1174423.htm
Radio theft 'doesn't compromise' Games security

Posted Wed Aug 11, 2004 9:54pm AEST

Thieves have stolen six communication radios used by Olympic Games
organisers but police say the state-of-the-art devices pose no security risk.

  ...

"They were taken on the night of August 4 from cardboard boxes that
contained other equipment, but they cannot be used by anyone now," Mr
Economou said.

 ---

What appears to have rendered them harmless is that they weren't keyed.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: FBI "point and click" wiretapping.

[David G. Koontz]

Perry E. Metzger wrote:
> The blogs of Matt Blaze, Steve Bellovin and Bruce Schneier all linked
> to this article today. It is rather disturbing.
> 
> http://www.wired.com/politics/security/news/2007/08/wiretap
> 
I downloaded the docs this morning and poke through them.
http://www.eff.org/flag/061708CKK/

One thing to keep in mind, is that the DCS-3000 is the lowest security
system in the family.  I looked for security vulnerabilities right away,
and it looks like it could be exploited by an insider.  It does use the
DCSNET which is purported to be encrypted.  The (Cisco) routers
interconnecting the system components use static routes. Lots of security
through obscurity, not letting the public  know what software is used for
remote administration.http://www.eff.org/flag/061708CKK/070207_dcs01.pdf ,
page 43:

7.2.4.4.3 Remote Diagnostics

The SBIT team utilizes| redacted|o remotely control the DCS
3000 systems deployed in the ERF and the other locations for
maintenance and repair purposes. The usernames and passwords used on
the system are strictly controlled and only provided on a need-to-know
basis| redacted | configured to utilize the security mechanism
available with the software, including the|   redacted   |
mechanism and other security mechanisms.

 --

I don't think you can extrapolate insecurity forward to the DCS-5000 used
for national security intercepts.  That system handles classified
information, where the DCS-3000 doesn't.  Some of the later documents
available on the eff web site show the certification process and paperwork
for the DCS-3000.  While it's mostly eyewash, it at least indicates someone
in the FBI knows something on the subject.  I think you can even find the
buzz phrase "Information Assurance" in their somewhere.  Handling classified
information on computer systems is under the direct auspices of the NSA (and
yes the Director of the FBI could 'waiver', they'd borrow the expertise,
instead).

http://goliath.ecnext.com/coms2/gi_0199-3379543/FBI-Will-Use-Unique-New.html

Publication: PR Newswire
Publication Date: 22-OCT-03
Delivery: Immediate Online Access
Author:

Article Excerpt
HERNDON, Va., Oct. 22 /PRNewswire/ -- Sprint announced today that it has
been awarded a new 36-month contract to provide secure IP Virtual Private
Network (VPN) services to Federal Bureau of Investigation (FBI) sites across
the country to support the FBI's Digital Collection System Network (DCSNet).
The VPN services will be delivered using the "government- grade" Sprint
peerless IP network, a unique national network that has...

Apparently as a result of some concerns by law enforcement that their
surveillance targets were changing behavior as soon as they were being
targeted by Carnivore, (this came out shortly after 9/11).  Seems running
the system was contracted out to a company in Virginia, where at least some
personnel apparently had other agendas:

http://www.foxnews.com/story/0,2933,40747,00.html (no longer valid, from
2001) see
http://www.whatreallyhappened.com/Israeli-Spying-Part-3.htm

 ...

The manufacturers have continuing access to the computers so they can
service them and keep them free of glitches.  This process was authorized by
the 1994 Communications Assistance for Law Enforcement Act, or CALEA.
Senior government officials have now told Fox News that while CALEA made
wiretapping easier, it has led to a system that is seriously vulnerable to
compromise, and may have undermined the whole wiretapping system.

Indeed, Fox News has learned that Attorney General John Ashcroft and  FBI
Director Robert Mueller were both warned Oct. 18 in a hand-delivered letter
from 15 local, state and federal law enforcement  officials, who complained
that "law enforcement's current  electronic surveillance capabilities are
less effective today than they  were at the time CALEA was enacted."

 --

The flip side of the loss of privacy, the bunnies getting wise when you
bring out the shotgun.








-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: NSA crypto modernization program

[David G. Koontz]

Steven M. Bellovin wrote:
> http://www.fcw.com/article103563-08-27-07-Print
> 
> 
>   --Steve Bellovin, http://www.cs.columbia.edu/~smb


An interview with DIRNSA, a bit on the subject of cryptomod:
http://www.military-information-technology.com/article.cfm?DocID=389

Straight from the horses mouth:
https://www.cryptomod.org/frontpage.htm  (unfortunately you have to
be a member, which is essentially by invitation only.  If you're a
member it appears the content is dynamic, and has more of interest
than the neophyte can see.

There's the wiki page:
http://en.wikipedia.org/wiki/Cryptographic_Modernization_Program

They're purportedly talking about reconfigurable crypto to be able to
run different algorithms:
http://edageek.com/2007/02/21/xilinx-virtex-4-fpga-nsa-crypto/
http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm
Xilinx, NSA Create Virtex-4 FPGA-based Cryptographic Solution
Posted in FPGAs on Wednesday, February 21, 2007

http://www.mil-embedded.com/PDFs/NSA.Mar07.pdf
FPGA-BASED SINGLE CHIP CRYPTOGRAPHIC SOLUTION (U)

I ran into something talking about a next generation secure identification
friend or foe (SIFF), that if I recall correctly was saying that it was KI-1
backward compatible, sounded reconfigurable.  I know there are other single
chip implementations of older Type I originally using permuters.

Articles with some equipment and process replacements:;
http://findarticles.com/p/articles/mi_m0EIN/is_2005_May_6/ai_n13674881
http://findarticles.com/p/articles/mi_m0EIN/is_2005_June_10/ai_n13807215
(Safenet bought Mykotronx/Rainbow?)
http://findarticles.com/p/articles/mi_m0PAA/is_3_31/ai_n16740679

John Young's cryptome:
http://cryptome.org/kg30-library.htm
U) NSA/CSS Policy 3-9, Cryptographic Modernization Initiative Requirements
for Type 1 Cryptographic Products, National Security Agency, Information
Assurance Directorate, 28 Mar 2003 (U//FOUO Document - NSA)
You can see that the cryptomod has been underway for a while.

Saw something last week saying the KG-30 family was retired.

There appears to be either two or three cryptoprocessors, too.
http://www.l-3com.com/products-services/docoutput.aspx?id=805
(Hadn't seen this one before.)

You can find lots of interesting things by pursuing the latest buzz phrase,
Information Assurance:
http://www.military-information-technology.com/article.cfm?DocID=1932
(This one is very interesting)

Literally everyone is jumping on the bandwagon.









-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Skype new IT protection measure

[David G. Koontz]

Peter Thermos wrote:
> Interesting comment from Skype:
> 
> "The disruption was triggered by a massive restart of our users' computers
> across the globe within a very short timeframe as they re-booted after
> receiving a routine set of patches through Windows Update."
> 
> and
> 
> "We can confirm categorically that no malicious activities were attributed
> or that our users' security was not, at any point, at risk."
> http://heartbeat.skype.com/2007/08/what_happened_on_august_16.html 
> 

Or as the New Zealand Herald put it:

Windows blamed for Skype crash - 21 Aug 2007 - NZ Herald: Technology News
from New Zealand and around the World

http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10458978

"Skype has now identified and already introduced a number of improvements to
its software to ensure that our users will not be similarly affected in the
unlikely possibility of this combination of events recurring," said the blog.

 --

If the unlike event is referring to Windows users automatic updates, I
wouldn't bet on it.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Susan Landau Op Ed on new NSA powers

[David G. Koontz]

Alex Alten wrote:
> It seems that a large chunk (and probably relative soon nearly all)
> voice is now via VoIP. And to date, Skype not withstanding, this has 
> all been cleartext traffic.  Using router netflow records, etc., one 
> can now pinpoint any phone conversation and then do a pcap dump. Many
> Tier 1 through Tier 3 internet carriers are now deploying this type of
> L7 deep packet inspection directed analysis.  Currently they are limited
> to about 10 Gbps (L4 DPI), but soon 40 Gbps will be available.


Endace in New Zealand has a product for OC-768 concatenated.
http://endace.co.nz/what-we-do/ninja-appliances/ninjaprobe-40g1
It feeds four of their 10G boxes, with a software layer running the whole
thing as a virtual system.  Management can be over authenticated and secure
links.

The ability for a hacker or organization to exploit vulnerabilities would
come from loss of control of the monitoring capability, and diverting the
results.

Corporate uses for commercial purposes or regulatory compliance imply a
level of vulnerability and a duty of care that might require regulatory
mandate from some number of agencies.  Some regulated uses have no teeth for
failure of duty of care.  Taking advantage of corporate DPI could be viewed
as hit or miss although the use is growing to the point it could be
seriously exploited.

Law enforcement intercept monitoring is a bit more worrisome.  Who controls
the equipment?  What regulatory oversight is mandated?  We've seen that the
FBI and DOJ aren't trustworthy or competent, what happens when you throw
state and local law enforcement in the mix?  It's been demonstrated that
without a controlling infrastructure that law enforcement intercept
capability can be suborned as in the case of the Greek wiretapping.  The
attraction for mis use by foreign intelligence concerns or criminal elements
is that the law enforcement intercept infrastructure will become ubiquitous.
There isn't currently a defined control infrastructure, and the agency
responsible for driving development of intercept capability isn't competent
to direct development of a control infrastructure.

National security monitoring is made safer by equipment partitioning such as
found in the description of the separate rooms in the AT&T case.  All the
pipes go through a controlled facility containing monitoring equipment. They
don't want anyone to know what they are monitoring so they don't want to
share infrastructure.  The monitoring output links from these rooms go to
Ft. Huacua, San Antonio or wherever and would be encrypted.  The equipment
is under control of the TLA directly, There's around $300K-500K worth of
equipment installed in one of these major switching centers to monitor the
Internet.  The threat is more TLA misuse than exploitation  by foreign or
criminal concerns. The TLA won't merge capability with law enforcement
intercept capability because law enforcement capability doesn't have a
controlling infrastructure the TLA can dominate, nor do costs dictate the
capabilities be merged.

The Landau Op-Ed could be viewed as railing against infrastructure already
in place for national security purposes now being 'legitimized' and
confusing the distinction between law enforcement access and national
security monitoring.  I don't subscribe to the notion that classified
information is inherently accessible by Internet penetration, certainly not
communications intelligence.  I'd have serious doubts that a penetration at
Ft. Huachuca could gain someone control of the monitoring equipment in AT&Ts
San Francisco office for purposes of targeting national security monitoring
capability.

The long and the short of it is, the NSA can already monitor everything at
least connected internationally, and it's legality fluctuates.  Foreign and
criminal interests probably can't exploit that capability.

Law enforcement intercept and corporate Deep Packet Inspection capabilities
are probably vulnerable to foreign or criminal exploitation.  The scope of
the individual vulnerabilities tends to be a bit more localized.

And I don't really want the NSA to get into the business of domestic
monitoring for law enforcement purposes as a partial solution, it has impact
on net neutrality above and beyond legal issues.




> At 05:12 PM 8/9/2007 -0400, Perry E. Metzger wrote:
> 
>> http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/AR2007080801961.html
>>
>>
>> Selected quote:
>>
>>To avoid wiretapping every communication, NSA will need to build
>>massive automatic surveillance capabilities into telephone
>>switches. Here things get tricky: Once such infrastructure is in
>>place, others could use it to intercept communications.
>>
>>Grant the NSA what it wants, and within 10 years the United States
>>will be vulnerable to attacks from hackers across the globe, as
>>well as the militaries of China, Russia and other nations.
>>
>> Perry
>>
> 


--

Re: Free Rootkit with Every New Intel Machine

[David G. Koontz]

Looking for TPM enterprise adoption.

The current version of TPM was adopted in March o f 2006, which should
have limited TPM up take.

There's an article in Network World
http://www.networkworld.com/allstar/2006/092506-chip-security-papa-gino.html

from September 2006 talking about a restaurant chain being a pioneer in
the use of TPM, apparently a poster boy for Dell.

There's also

http://www.fcw.com/article95422-07-26-06-Web

July 26, 2006, talking about the Army mandating TPM in all their small
computers (PCs), a relatively large enterprise customer.

A 10-Q filed by Wave Systems in May provides providence for the numbers
quoted in NVLabs abstract on their TPM breaker:

http://sec.edgar-online.com/2007/05/10/0001104659-07-038339/Section9.asp

† Adoption of TPMs and Trusted Computing technology is also growing -
according to industry analyst, IDC, shipments of TPMs are expected to
grow from under 25 million units in 2005 to over 250 million units in
2010. More information is available from the IT Compliance Institute.

(looking at the IT Compliance Institute doesn't seem to help)

The IDC is the quoted source for TPM adoption, figuring prominently on
the trudedcomputingroup.org web site and articles derived from publicity.

There's an Executive Summary from IDC:

https://www.trustedcomputinggroup.org/news/Industry_Data/IDC_448_Web.pdf

Predicting TPM 75 percent penetration for world wide Desktop PCs in
2009, 85 percent for mobile computing, and 80 percent for servers.
The only other data point is for 2005, showing a couple of percent for
Desktop PC, three percent for Servers, and 37 percent for mobile PCs

There's a claim the Bitlocker in Vista provided the tipping point for
TPM uptake in:

http://www.investors.com/editorial/IBDArticles.asp?artsec=17&issue=20070306

The IDC reference is "Worldwide PC Interface and Technologies 2007-2010
Forecast"  February 2007, Doc #205155, a Market Analysis

http://idc.com/getdoc.jsp?containerId=205155

At $4500, a bit steep for curiosity's sake.

TPM is the focus of a chapter or section on Security, as seen in the
table of contents

The Papa Gino's Restaurants example for Network World,is indeed a Dell
real world example, one of several mentioned:

https://www.trustedcomputinggroup.org/news/Industry_Data/Endpoint_Technologies_Associates_TCG_report_Jan_29_2007.pdf

The real world examples include a Japanese pharmaceutical company with
20,000 seats

Papa Gino's Pizzas

A US auto rental agency of indeterminate size using HP's security solution.

Three projects underway in Japan, the Japanese Ministry of Economy,
Trade and Industry  funded security initiatives for:

  Sendai Wellness Consortium  (sounds like an HMO)
  IBM's Tokyo Research Laboratory
  Nagoya University Medical Center

The size of these aren't known, but should qualify as respectably sized
enterprises.

This paper is from Endpoint Technologies, again and intended to allay
naysayers of Trusted Computing adoption rates:

Some market watchers may feel that the entire Trusted Computing
movement, championed by the Trusted Computing Group (TCG) with its
Trusted Platform Module (TPM) and related security technologies, is just
a straw man and that it will be years before large numbers of companies
and even individuals adopt TPM based secure computing. For example, IDC
cites, in "Trusted Platform Module: Adoption Dynamics," August 30, 2006,
a complex system dynamics model that shows that only the PC hardware
OEMs and the smallest security vendors are fully engaged with the TPM,
and that Microsoft and the major security players remain at best tepid
in their support. Particularly, the authors cite a lack of user pull in
TPM deployment. They conclude that, although many TPM modules will ship
on client systems over the next few years, most will remain inactive.


[There's also anecdotal evidence IDC hasn't always had their cheery
outlook for TPM uptake.]

There are other developments mentioned in the paper:

   The NSA uses TPM for encrypted disk drives

   The US Army is mentioned herein requiring TPM on PCs

   The Federal Deposit Insurance Corporation has recommended that their
   member banks adopt TPM.

 Also, Microsoft appears to have actually jumped on the TPM bandwagon,
supplying impetous over the tipping point:

http://www.pc.ibm.com/us/pdf/idc_compliance_whitepaper.pdf
February 2005, Validation of Hardware Security in PC Clients, sponsored
by IBM and Microsoft

TPM is pretty much required for PC biometric authentication (fingerprints)

  There are a few more poster children marched out:

  A large international pharmaceutical company (perhaps different from

 above)

  A Large Apparel Manufacturer, mentions Sarbannes-Oxley, and
fingerprint access.


We're being underwhelmed with hard numbers and numerous examples of
enterprise adoption.












-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe crypto

Re: Free Rootkit with Every New Intel Machine

[David G. Koontz]

http://www.nvlabs.in/?q=node/32

Vipin Kumar of of NVLabs had announced a break of TPM and a
demonstration of a break into Bitlocker, (presumably using TPM) to be
presented at Black Hat 2007.  The presentation has been pulled.

Significance to the exchanges on cryptography under this subject stem
from the abstract of the announcement.  It references a paper on
implementing Trusted Computing:

https://www.trustedcomputinggroup.org/news/Industry_Data/Implementing_Trusted_Computing_RK.pdf

>From Which Kumar interpolates the graph shown in figure 4 to make the
claim that through the end of 2007 there will be 150 million TPM devices
shipped. The preceding paragraph to figure 4 makes a claim of 20 million
TPM devices shipped in 2005.  The paper is produced by Endpoint
Technologies Associates, Inc., and doesn't give references for how the
numbers were promulgated.  The graph shows a number of TPM devices
shipped per year to exceed 250 million by the years 2010.

The point being that's a lot tchotchkes, even if the claimed numbers are
inflated in a fashion reminiscent of how fast the internet was growing
before the internet bubble burst.

Even conservatively there is in the tens of millions of these devices
sold, although we have no indication how many were actually used for
Trusted Computing purposes.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Free Rootkit with Every New Intel Machine

[David G. Koontz]

David G. Koontz wrote:

> 
> I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
> header for the IEI TPM pluggable. After an extensive investigation I
> found no direct evidence you can actually do as Peter states and roll
> your own building a TPM enabled system. That includes downloading the
> BIOS and trying to search it.  Found evidence of a TPM driver, no hard
> proof though.  Why the emphasis on doing this as an end user anyway?
> Heck you should have seen how hard it was to get DVDs to work with
> Windows98 on an Intel D815 motherboard as an end user.  If took the same
> level of investigation, and I still got lucky.  The information
> necessary is available to OEMs, not generally end users.  Looking across
> various vendors motherboards you see statements in the specifications
> stating TPM v1.2 support which I'd be inclined to think means BIOS
> support.

I found another Gigabyte board GA-N680SLI-DQ6 with TPM, available from
Ascent here in New Zealand.  I looked at the BIOS for it.  It was close
to brand new and mentioned it would take loadable drivers and didn't
have reference to TPM.   This leads creedence to the requirement for OEM
access to enable TPM.  The TPM driver wasn't available on the download
page for the board.  This board has the IEI 20 pin connector on it.

The IEI page provides no links to documentation.  The page shows various
software management interfaces that are specific to TPM chip vendors, so
I looked for them up.  There are three modules based on infineon, atmel
and sinosun TPM chips.

Looking at the Infineon TPM v1.2 page we see the complete information
isn't publicly available.  There is no indication of how to do PC-BIOS
integration, no in depth datasheet/manual, etc.  It's probably not
possible to to implement under windows without a partnership.

I checked the Atmel site and the public information there was sparse.

The Sinosun site has some basic information on management software.
These would require your're are in partnership, although I found an
advertisement for the Sinosun TPM software management tools ($26.99 US)
http://www.orbitmicro.com/global/20pinsinosuntpmmoduleswmanagementtool-p-4385.html
Orbit Micro is a system integrator and IEI distributor and probably can
provide a white box solution.

You're still at the mercy of the Motherboard/PC vendor for BIOS support.

The Supermicro motherboard with integrated TPM has a BIOS that is TPM
aware..  It probably uses an ST19WP18-TPM-C from Standard Microsystems
(Found by searching their FAQ, another board with TPM).

There is some information on software development environment:
http://www.st.com/stonline/products/families/smartcard/sc_support.htm

This compares the three TPM chip versions:
http://www.st.com/stonline/stappl/productcatalog/app?path=/comp/stcom/PcStComOnLineQuery.showresult&querytype=type=product$$view=table&querycriteria=RNP139=1120.0
and prompted examination of the their pdf files, the sections on the
back on software.

The drivers are actually in ROM on the ST chips, with a flag system for
the host BIOS, allowing the same BIOS to work with or without TPM.  This
may explain  some of the lack of visibility in some BIOS images. The
windows drivers are embedded, too.  The -TMP-C version used by the
Supermicro motherboard talks about the use of Embassy Security Center
suite from Wave Systems.  There is a right to use license transfered
with the chip: http://www.st.com/stonline/press/news/year2004/p1499m.htm
also mentioned: http://www.tonymcfadden.net/tpmvendors_arc.html#software
The last link gives insight into the Atmel software, too.

The IEI pluggable TPM module web page shows software interfaces from
three different vendors for the three different chips it uses.  The
Winbond chip is shown being administered by Wave's ESC.  No indication
of licensing terms.

For open source/linux afficionados there's jtpmtools:

http://trustedjava.sourceforge.net/  (probably ripe for a tcl wrapper)

And information on the Open Trusted Computing web site:
http://www.opentc.net

(http://www.wavesys.com/products/TPM_Matrix.html  describes the
currently available TPM products from various system vendors.)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Free Rootkit with Every New Intel Machine

[David G. Koontz]

Peter Gutmann wrote:
> "David G. Koontz" <[EMAIL PROTECTED]> writes:
> 
>> There are third party TPM modules, which could allow some degree of
>> standardization:
> 
> As I said in my previous message, just because they exist doesn't mean they'll
> do anything if you plug them into a MB with the necessary header (assuming you
> have a MB with the header, and it's physically compatible, and electrically
> compatible, and the BIOS is compatible, and ...).
> 
> Which MBs have you plugged one of these TPMs into and had it work?

I don't have the luxury of buying tchotchkes to prove a point.  (Ya,
I have no use for this stuff either).  In view of Peters insistence it
was worth looking harder.

I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
header for the IEI TPM pluggable. After an extensive investigation I
found no direct evidence you can actually do as Peter states and roll
your own building a TPM enabled system. That includes downloading the
BIOS and trying to search it.  Found evidence of a TPM driver, no hard
proof though.  Why the emphasis on doing this as an end user anyway?
Heck you should have seen how hard it was to get DVDs to work with
Windows98 on an Intel D815 motherboard as an end user.  If took the same
level of investigation, and I still got lucky.  The information
necessary is available to OEMs, not generally end users.  Looking across
various vendors motherboards you see statements in the specifications
stating TPM v1.2 support which I'd be inclined to think means BIOS
support.

I looked for mention of the IEI motherboards, and found distributors, no
mention of anyone actually using them other than for industrial use.
The Fujitsu-Siemens motherboards with TPM were similarly for industrial
use.  The idea of system integrity makes sense for say industrial
robotics.  Wonder if someone thought of using ECC memory?

I found a Foxconn motherboard with the same 20 pin connector.  Didn't
find it on their G33 motherboard (Bearlake).  There was no mention of
TPM support in any documentation for the G33 board.  I downloaded the
BIOS for the board with the connector, de-lharc'd it and searched for
strings indicating TPM support.  Didn't find any references at all.  It
appears to be an older Phoenix BIOS.   Same story for Peter - no proof
you could actually use it, worse still, nothing in the BIOS.

I found a Supermicro C2SBA mother board (another G33 Bearlake) that you
can buy today.  TPM enabled, theres a jumper described in the manual to
enable TPM, which allows the BIOS page for it to show up.  Sounds like
solid support.  The manual only has the topside layout.  The jumper is
near the system front edge, and the closest silicon is the ICH9
Southbridge.  Note that the LPC bus is on the Southbridge anyway and
would interconnect to a TPM chip (as well as BIOS FLASH/ROM), There's a
candidate chip near the front panel stuff not to close to the BIOS chip,
I couldn't find a high enough resolution photo to read the label.  There
is no through hole connector footprint for an external TPM manual visible.

If I wanted to buy a TPM motherboard today, I could, a brand new one,
too.  The manual has pictures of the TPM pages in the BIOS console.  The
BIOS should work.  Around $164 in the U.S., real pretty too with all the
copper cooling on it.

Theres also indication of whitebox integrators using the intel
motherboards with TPM in-built.  No indications of volume, which is
probably the real question.


> 
>> TPM may well end up being present ubiquitously.
> 
> Smart cards may well end up being present ubiquitously.
> Hardware RNGs may well end up being present ubiquitously.
> NIC-based crypto may well end up being present ubiquitously.
> Biometric readers may well end up being present ubiquitously.
> Home taping is killing mus... oops, wrong list.
> 
> Been there, done that, got the tchotchkes to prove it.

> 
> I've seen zero evidence that TPMs are going to be anything other than a repeat
> of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
> failed hardware silver bullets that crop up every few years.  Wait a  year or
> two and there'll be some other magic gadget along to fix all our problems.

I found a FIPS 140-2 compliance statement from Phoenix dated July 2006,
that mentions all your silver bullets except the biometric readers and
encrypting NIC.

http://csrc.nist.gov/cryptval/140-1/140sp/140sp709.pdf

Someone doesn't think they are all relegated to tchotchkes, just yet. I
was surprised to hear Intels random number chip is still marketed, must
still be used in Type 1 COMSEC stuff.

There is indication that TPM is tied to fingerprint scanners on laptops,
they could be a passing fad.  It'd be nice to see someone demonstrating
spoofing one.

Found something else that supports Peters point of

Re: Free Rootkit with Every New Intel Machine

[David G. Koontz]

Peter Gutmann wrote:
> "Ian Farquhar (ifarquha)" <[EMAIL PROTECTED]> writes:
> 
>> For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which "features security
>> enhancement by TPM".  More common (ASUS, Foxconn) was the "TPM Connector",
>> which seemed to be a hedged bet, by replacing the cost of the TPM chip with
>> the cost of a socket.
> 
> Those are actually misleading, since there's no certainty that you'll be able
> to find anything that'll actually plug into them.  That is, not only are the
> TPM whatever-they-are-that-goes-there's almost impossible to find, but if you
> do find one there's no guarantee that it'll actually work when plugged into
> the header. In practice this is just a way of adding the "TPM" keyword to your
> marketing without having to actually do anything except include a dummy header
> on the MB.

There are third party TPM modules, which could allow some degree of
standardization:

http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201&news_cate=News&news_sub_cate=Product

The IEI TPM module is used in their own motherboards and some VIA
motherboards.  They actively market the pluggable modules.  Thinkpads
appear to use a different connector:
https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
30 pins instead of 20 pins.  The Low Pin Count bus is an ISA bus
replacement is specified as the TPM interface, and isn't defined for
connector use, so a connector pin out isn't standardized.

http://www.intel.com/design/chipsets/industry/25128901.pdf  (the spec)

> 
> (For people who don't work with the innards of PCs much, most motherboards
> have assorted unused headers, sites for non-installed ICs, and so on, as a
> standard part of the MB.  The TPM header is just another one).
> 
> Peter.
> 

In addition to pluggable modules, TPM can also be an assembly bill of
materials option, where you have a  chip and a few passive components
not stuffed for non-enterprise PCs or notebooks.  The advantage of a
pluggable module would be to allow late binding build configurations
when you can't adequately forecast demands.

Even the low costs of TPM hardware, patent licenses, BIOS licenses,
etc., are probably enough to prevent blanket inclusion in personal
computers not intended for enterprise use today.  TPM can also be built
into chip sets like Intels Bearlake, which removes the hardware cost.
TPM may well end up being present ubiquitously.

One of the driving forces for TPM adoption going forward will be
enterprise remote or "distributed" management. http://www.dmtf.org/home
Doing distributed management with TPM allows some degree of security
that would otherwise be missing. Distributed management is  the purpose
of Intels vPro and iAMT initiatives.  Note that the distributed
management push is relatively recent, going mainline in the last year or
so and may  signal an upcoming acceleration in TPM adoption.  Also of
note is that the membership list for the Distributed Management Task
Force contains most of the big name PC sellers.

Distributed management can be OS 'gnostic, the driving need is the
ability to handle large volumes of software updates and security
patches. While some OS's require large volumes of security patches,
others are evolving fast enough to require automated  updates. We're
pretty much guaranteed to see see enterprise adoption across all platforms.

Linux supports TPM devices directly, as will Solaris.  Apple (mis)uses
TPM to unsuccessfully prevent OS X from running on non-Apple Hardware.
All Apple on Intel machines have TPM, that's what 6 percent of new PCs?
 There is a virtual TPM in Xen, IBM would tell you that you can't
operate a trusted computer with out a security server for providing
virtual TPM storage.  They're willing to sell you one and Microsoft
doesn't want you to operate Vista virtually without a trustworthy
Trusted Platform Module.

It may be inappropriate to build a system with absolute trust in TPM to
protect "intellectual property".  There are other architectures that can
do better, say a blade server running a virtual copy of an OS.  The
element providing greater security is removing the potentially malicious
end-user from physical access, and not allowing access beyond the
virtual machine.  Thin clients and web applications come to mind for
protecting corporate secrets, too.  TPM is predicated on the notion that
the corporate universe is comprised of fully capable computers.  The
idea for Trusted Computing comes mainly from hardware vendors, so the
bias isn't surprising.

No one likes the idea of TPM on their personal machines,it's really
driven by enterprise needs, although you could imagine a market for a
service intended to keep your personal Windows PC updated.  There can be
useful side effects to having TPM on personal computers.  TPM could
provide secure storage for keys to software or hardware encrypted disk
drives, the alternative might imply uncovering the equivalent of master
keys over questionable channels during boo

Re: can a random number be subject to a takedown?

[David G. Koontz]

Hal Finney wrote:
>> My question to the assembled: are cryptographic keys really subject to
>> DMCA subject to takedown requests? I suspect they are not
>> copyrightable under the criterion from the phone directory
>> precedent.
> 
> A sample demand letter from the AACS Licensing Authority appears at:
> 
> http://www.chillingeffects.org/notice.cgi?sID=03218
> 
>>From what I can see, there is no claim that the key is copyrighted.
> Rather, the letter refers to the provisions of the DMCA which govern
> circumvention of technological protection measures.  It demands that
> the key be taken down in order to avoid "legal liability".
> 
> This seems odd to me because my understanding of the DMCA's
> anti-circumvention provisions is that they are criminal rather than civil
> law.  Violations would lead to charges from legal authority and not from a
> copyright owner.  So it's not clear that AACSLA has any power to enforce
> these demands, other than trying to get some government agency involved.
> 
> The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
> here:
> 
> http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2
> 

>From an explanation of the justification for the take down notices:
http://www.out-law.com/page-8022

  Fred von Lohman, an attorney at the Electronic Frontier Foundation,
  said in his blog that sites which carry the code or links to it are
  unlikely to be able to use a traditional defence of 'safe harbor'.

  "While no court has ruled on the issue, AACS will almost certainly
  argue that the DMCA safe harbors do not protect online service
  providers who host or link to the key," he said. "The DMCA safe
  harbors apply to liabilities arising from 'infringement of copyright.'
  Several courts have suggested that trafficking in circumvention tools
  is not 'copyright infringement,' but a separate violation of a
  'para-copyright' provision."

  "The AACS takedown letter is not claiming that the key is
  copyrightable, but rather that it is (or is a component of) a
  circumvention technology," said von Lohman. "The DMCA does not require
  that a circumvention technology be, itself, copyrightable to enjoy
  protection."

One would think that the recent SCOTUS findings in Microsoft v. AT&T
would demonstrate that intangibiles such as software (and perhaps large
integers) were not components or parts thereof, unless in place in a
"device":

http://www.webster.com/cgi-bin/dictionary?sourceid=Mozilla-search&va=device

  f : a piece of equipment or a mechanism designed to serve a special
  purpose or perform a special function 

>From http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2

17 USC 1201:

  (b) Additional Violations. -

  (1) No person shall manufacture, import, offer to the public,
provide, or otherwise traffic in any technology, product,
service, device, component, or part thereof, that -

 o (A) is primarily designed or produced for the purpose of
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof;
 o (B) has only limited commercially significant purpose or use
other than to circumvent protection afforded by a
technological measure that effectively protects a right of a
copyright owner under this title in a work or a portion
thereof; or
 o (C) is marketed by that person or another acting in concert
with that person with that person's knowledge for use in
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof.


I'd strongly suspect that most if not all of the 2 million hits would
not reveal "another acting in concert with that person's knowledge".
While this instance is not indicative of a trend to the lawyer
equivalent of judicial activism, I don't see any protection under the
DMCA against distributing the Processing Keys as what appears to be a
political statement (which could be held to be protected speech).

(IANAL)

Freds blog entry:  http://www.eff.org/deeplinks/archives/005229.php




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

A processor that can do a DES round in 1 clock

[David G. Koontz]

I've seen this quite some time in the past, it wasn't for public 
disclosure.  Periodically I've looked for a copy on the internet.


This is from Strech Inc., their Software Configurable Processor.

http://www.pdcl.eng.wayne.edu/msp6/MSP6_Workshop_Keynote_2004_POSTING.pdf

The stuff on DES encryption starts on page 44.

The processor is based on a Tensilica Xtensa processor, which can be 
customized.

















-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: A small editorial about recent events.

[David G. Koontz]

[EMAIL PROTECTED] wrote:

Clinton's Asst. A.G.
http://www.chicagotribune.com/news/opinion/chi-0512210142dec21,0,3553632.story?
coll=chi-newsopinioncommentary-hed

Dick Morris
http://www.drudgereport.com/flash7.htm


--dan



Yet President Bush as publicly stated it requires a court order to wiretap:

 "Secondly, there are such things as roving wiretaps. Now, by the way, 
any time you hear the United States government talking about wiretap, it 
requires -- a wiretap requires a court order. Nothing has changed, by 
the way. When we're talking about chasing down terrorists, we're talking 
about getting a court order before we do so. It's important for our 
fellow citizens to understand, when you think Patriot Act, 
constitutional guarantees are in place when it comes to doing what is 
necessary to protect our homeland, because we value the Constitution."


http://www.whitehouse.gov/news/releases/2004/04/20040420-2.html

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: NY Times reports: NSA falsified Gulf of Tonkin intercepts

[David G. Koontz]

Perry E. Metzger wrote:

http://www.nytimes.com/2005/10/31/politics/31war.html?ex=1288414800&en=e2f5e341687a2ed9&ei=5090&partner=rssuserland&emc=rss

   WASHINGTON, Oct. 28 - The National Security Agency has kept secret
   since 2001 a finding by an agency historian that during the Tonkin
   Gulf episode, which helped precipitate the Vietnam War,
   N.S.A. officers deliberately distorted critical intelligence to
   cover up their mistakes, two people familiar with the historian's
   work say.

   The historian's conclusion is the first serious accusation that
   communications intercepted by the N.S.A., the secretive
   eavesdropping and code-breaking agency, were falsified so that they
   made it look as if North Vietnam had attacked American destroyers
   on Aug. 4, 1964, two days after a previous clash.



http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB132/

The National Security Archive

The Gulf of Tonkin Incident, 40 Years Later
Flawed Intelligence and the Decision for War in Vietnam

Signals Intercepts, Cited at Time, Prove Only August 2nd Battle, Not 
August 4; Purported Second Attack Prompted Congressional Blank Check

for War

Johnson-McNamara Tapes Show Readiness to Escalate, Even on Suspect 
Intel; Top Aides Knew of Mistaken Signals, but Welcomed Justification

for Vote

National Security Archive Electronic Briefing Book No. 132

Edited by John Prados
Posted August 4, 2004

http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB132/tapes.htm

"...Thus the U.S. bombing of North Vietnam went forward based on the 
mistaken belief in a second attack in the Gulf of Tonkin. In a certain 
sense, because the resolution that passed Congress was used to justify 
the U.S. military commitment, the entire Vietnam War can be said to have 
been based on a misunderstanding. Just over a month afterward, when 
another pair of American warships in the Gulf of Tonkin also thought 
they had come under attack, LBJ began to express doubts about the 
reality of the August incident. In 1997, in Hanoi, Robert McNamara, in a 
conversation with Vietnamese Commander General Vo Nguyen Giap, also 
concluded that the August 4, 1964, incident had never occurred. That is 
now the general consensus among historians of the Vietnam War."




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]