Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
Symetric cryptography does a much easier thing. It combines data and some mysterious data (key) in a way that you cannot extract data without the mysterious data from the result. It's like a + b = c. Given c you need b to find a. The tricks that are involved are mostly about sufficiently mixing data, to make sure there's enough possible b's to never guess it correctly and that all those b's have the same chance of being the one b. Preferably even when you have both A and C, but that's really hard. So I'd say Bruce said that in an effort to move to more well understood cryptography. It is also a way to move people towards simply better algorithms, as most public key systems are very, very bad. Funny. I would have said exactly the opposite: public key crypto is much better understood because it is based on mathematical theorems and reductions to (admittedly presumed) hard problems, whereas symmetric crypto is really a black art that mixes some simple bit wise operations and hopes for the best (yes, I know this is a bit of caricature...) Jaap-Henk ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see that saying that it's tetchier than that is a warning indeed. You have the same issues with nonces, counters, etc. with symmetric crypto so I don't see how that makes it preferable over public key crypto. Jaap-Henk ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
I have also, in debate with Jerry, opined that public-key cryptography is a powerful thing that can't be replaced with symmetric-key cryptography. That's something that I firmly believe. At its most fundamental, public-key crypto allows one to encrypt something to someone whom one does not have a prior security relationship with. That is powerful beyond words. I share that belief. Hence my desire to fully understand Bruce's remark. Strictly speaking you need some kind of security relationship: you need to be sure the public key belongs to the intended recipient (and is under his sole control). So public key crypto allows you to bootstrap from some authentic piece of information (public key belongs to X) to a confidential communication channel (with X). Jaap-Henk ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Why prefer symmetric crypto over public key crypto?
In this oped in the Guardian http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance Bruce Schneier writes: Prefer symmetric cryptography over public-key cryptography. The only reason I can think of is that for public key crypto you typically use an American (and thus subverted) CA to get the recipients public key. What other reasons could there be for this advice? Best, Jaap-Henk (I apologise for typos and being terse; this mail was written on an iPad) -- Jaap-Henk Hoepman TNO, Groningen Dept. of Computer Science Radboud University Nijmegen (m) j...@cs.ru.nl (w) www.cs.ru.nl/~jhh (m) jaap-henk.hoep...@tno.nl (t) +31 6 20619554 (t) @xotoxot___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: serious threat models
I wondered about that too. Do commonly used mobile phone switches have built-in functionality to divert (or rather split) calls to another phone; could this be done using phone conference facilities? or could you easily use lawfull interception fucntionality...? In other words, could it be done by reconfiguring the switch? Or would it require more drastic changes (software/hardware) to the switch (which makes the number of people that could actually do this much smaller...) Jaap-Henk (who should have paid more attention to phone switches when he worked at a telco... but everybody did internet there then ;-) On Thu, 02 Feb 2006 21:28:31 -0500 Steven M. Bellovin [EMAIL PROTECTED] writes: I hate to play clipping service, but this story is too important not to mention. Many top Greek officials, including the Prime Minister, and the U.S. embassy had their mobile phones tapped. What makes this interesting is how it was done: software was installed on the switch that diverted calls to a prepaid phone. Think about who could manage that. http://www.guardian.co.uk/mobile/article/0,,1701298,00.html http://www.globetechnology.com/servlet/story/RTGAM.20060202.wcelltap0202/BNStory/International/ --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Face and fingerprints swiped in Dutch biometric passport crack (anothercard skim vulnerability)
Actually, the international standards for the Machine Readable Travel Documents (passports, aka MRTDs) are written by the International Civil Aviation Organisation (ICAO). Both the US and EU passports comply to the ICAO standards. However, EU passports will be further protected by a so called Extended Access Control procedure. This procedure provides, among others, terminal authentication to the passport, to reduce the risk that biometric data is read by rogue readers. Also, there are many small details in which the passports from different countries may differ. For instance, the 'RFID' anti-collision identifier used when setting up a connection between the passport and the reader may either be fixed or generated randomly for each session. Or, as is indeed the case in the Dutch passport, the passport number may correlate with the issuing date, reducing the entropy of the key derived from the Machine Readbale Zone (MRZ). The Riscure attack is based on this correlation; they estimate the remaining entropy of the data on the MRZ to be roughly 2^35. This MRZ data is used to derive the symmetric session keys. Their attack works by recording (ie eavesdropping) a succesful communication session between a passport and a reader. Then, all possible combinations of the MRZ data can be tried off line to generate the corresponding session keys and check whether that succesfully decrypts the recorded session. Note that straighforward skimming, ie trying to access a passport with a fake terminal by trying all possible combinations of MRZ data is still impossible because the chip in the passport is slow to respond; even if you could try one MRZ access code every millisecond (totally unrealistic), you'd be busy half a year. This limits the usefulness of the attack a bit. Also note that an encrypted key exchange like protocol for deriving the session key from the MRZ access code would also have prevented this attack... Jaap-Henk On Thu, 2 Feb 2006 12:37:24 -0500 Adam Shostack [EMAIL PROTECTED] writes: On Wed, Feb 01, 2006 at 02:03:10PM -0500, [EMAIL PROTECTED] wrote: | Anne Lynn Wheeler pointed out: | | Face and fingerprints swiped in Dutch biometric passport crack | http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/ | | Didn't the EU adopt the same design that the US uses? Passport standards are written by the International Air Travel Association (IATA). | Am I right to presume that the passport RFID chip used by the Dutch is the | same -- or functions the same -- as the one used in the new US digital | passports? | | From what I've read, it seems that the sequential numbering scheme the | Dutch use on their passports may have made this attack easier -- but it | was already feasible, and will be against the passports of other nations | which did not so helpfully minimize their obfuscation technique with | sequential numbering? | | Anyone got more details than those offered in the Rinscure press release? | Thoughts? The papers explain the attack in fair detail. I blogged every useful linksI could find a few days ago at http://www.emergentchaos.com/archives/002355.html, and there's more links in comments. Adam | _Vin | | | | The crack is attributed to Delft smartcard security specialist Riscure, | which explains that an attack can be executed from around 10 metres and | the security broken, revealing date of birth, facial image and | fingerprint, in around two hours. | | .. snip .. | | | - | The Cryptography Mailing List | Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Unforgeable dialog.
That is a nice trick, but that still may not work entirely: if i make sure my untrusted app always opens in maximized mode, the untrusted decoration (in your case a big black border which actually _disappears_) may be unnoticed along the edges of the screen; if my app then simulates the whole desktop as it was before it started, it can draw a trusted-looking dialog anywhere on the screen... Jaap-Henk On Thu, 2 Feb 2006 18:20:21 -0500 Trei, Peter [EMAIL PROTECTED] writes: Piers Bowness wrote: This is concept is surprisingly complex. Once the attacker sees the secure dialog, what prevents them from using the same techniques and/or code to create a visuallyidentical spoof? (Hi Piers!) I actually dealt with this in a former job, where I wrote a proxy for Xwindows which did similar decoration for trusted and untrusted X clients. The trick is to invert the indicators - your rendering engine (whether an Xwindows server, browser, or a windowing OS) has final say over the outermost frame of all windows. You mark the *untrusted* ones in the outer frame - a malicous client can do whatever it wants inside its windows, but it can't overwrite and hide the untrusted indicators in the outer frame. (We put a fat black border around them). Of course, if you run on an OS where any app can modify any binary, you're SOL. Peter Trei - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Is there any future for smartcards?
I believe smartcards (and trusted computing platforms too, btw) aim to solve the following problem: How to enforce your own security policy in a hostile environment, not under your own physical control? Examples: - Smartcard: electronic purse: you cannot increase the amount on your e-purse (unless reloading at the bank). - Trusted computing: DRM: my content cannot be illegally copied on your machine. As soon as the environment is under your won physical control, software only solutions suffice. Regards, Jaap-Henk On Wed, 07 Sep 2005 18:08:25 -0400 Pat Farrell [EMAIL PROTECTED] writes: Is there a real problem that they uniquely solve, sufficient to drive the building of the needed infrastructure? I don't see it, and I'd love to be made smarter. -- Pat Farrell http://www.pfarrell.com -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: the limits of crypto and authentication
Only problem is that cell phones have become so utterly complex (hosting several processors and a plethora of software components) that it will never become the trusted device that we once thought it could be... Personal it is though Jaap-Henk On Sat, 09 Jul 2005 18:56:22 -0700 James A. Donald [EMAIL PROTECTED] writes: -- Ian Grigg [EMAIL PROTECTED] In the payments world we've known how to solve all this for some time, since the early 90s to my knowledge. The only question really is, have you got a business model that will pay for it, because any form of token is very expensive, and the form of token that is needed - a trusted device to put the application, display, keypad and net connection on - is even more expensive than the stop-gap two-factor authentication units commonly sold. Such a device sounds like a cell phone. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG 5nMEZ3YWGEUKZWzEprv/E7vI+8j9jzBNX8GWiJiO 4nb4BSDrVGLfq42fHktPRSAfFO3N0uGBnezGRNWrS - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: the limits of crypto and authentication
Actually, Dutch banks already give users the option to recieve one-time pass-codes by SMS to authenticate internet banking transactions (instead of sending a list of those codes on paper by ordinary mail in advance). So it's less unrealistic than you think. Jaap-Henk On Sat, 09 Jul 2005 20:38:38 +0200 Florian Weimer [EMAIL PROTECTED] writes: You send the pass code in an SMS to the user's mobile phone, together with some information on the transaction. (If the SMS delay is a problem, use a computer-generated phone call.) The pass code is then entered by the user to authorize the transaction. This will eventually break down, once PCs and mobile phones are integrated tightly, but in the meantime, it's reasonably secure even if the client PC is compromised. I'm not sure if users will accept it, though. What's worse, the costs for sending the SMS message (or making the phone call) are so significant that it's unrealistic we'll see widespread use of such technologies. (Manually transferring cryptographic tokens which depend on the transaction contents seems to be infeasible, given the number of bits which must be copied.) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 -- -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry Rocket (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: quantum hype
I always understood that QKD is based on a hard problem of which the theory of physics says it is impossible to find a solution (if not, then i'd like to know). Then if QKD breaks, the current theory of physics was wrong. On the other hand, if DH or RSA breaks, factoring or the discrete log turn out to be polynomial. This is earthshattering, but doesn't imply our theory of computing was wrong. Whether one is a stronger foundation than the other is really a philosophical question (and a an interesting one too... ;-) Jaap-Henk On Sun, 21 Sep 2003 16:39:17 +0200 martin f krafft [EMAIL PROTECTED] writes: Has anyone *proven* that there is no way to read a quantum bit without altering it? no. its the underlieing hard problem for QC. If there is a solution to any of the Hard Problems, nobody knows about them. right, so it's no better than the arguable hard problem of factoring a 2048 bit number. -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day University of Nijmegen |Gry Rocket (w) www.cs.kun.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/531532 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Security of DH key exchange
In practice the following method of exchanging keys using DH is used, to ensure
bit security of the resulting session key. If alice and bob exchange g^a and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but i can't find a reference to a paper discussing the security of
this in the following sense. If g^a etc. are computed over a field F of order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary of
distinguishing h(g^{ab}) from k is negligible in _n_).
References to this are much appreciated.
Regards,
Jaap-Henk
--
Jaap-Henk Hoepman | I've got sunshine in my pockets
Dept. of Computer Science | Brought it back to spray the day
University of Nijmegen |Gry Rocket
(w) www.cs.kun.nl/~jhh | (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532 | (f) +31 24 3653137
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Maybe It's Snake Oil All the Way Down
I thought the 3G (UMTS) cellphones at least were going to use reasonably good crypto; don't know about the overall security architecture though. Jaap-Henk On Fri, 06 Jun 2003 14:30:04 -0400 Ian Grigg [EMAIL PROTECTED] writes: John Kelsey wrote: So, what can I do about it, as an individual? Make the cellphone companies build good crypto into their systems? Any ideas how to do that? Nope. Cellphone companies are big slow moving targets. They get their franchise from the government. If the NSA wants weak crypto, they do weak crypto. -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day University of Nijmegen |Gry Rocket (w) www.cs.kun.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/531532 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
