Re: Password hashing

2007-10-13 Thread Jun-ichiro itojun Hagino
> A proposal for a new password hashing based on SHA-256 or SHA-512 has  
> been proposed by RedHat but to my knowledge has not had any rigorous  
> analysis. The motivation for this is to replace MD-5 based password  
> hashing at banks where MD-5 is on the list of "do not use" algorithms.  
> I would prefer not to have the discussion "MD-5 is good enough for  
> this algorithm" since it is not an argument that the customers  
> requesting these changes are going to accept.

blowfish anyone?
http://www.usenix.org/events/usenix99/provos/provos_html/

itojun

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: improving ssh

2007-07-19 Thread Jun-ichiro itojun Hagino
i'm an OpenBSD developer, so i have some knowledge but could be biased.

> SSH (OpenSSH) is routinely used in secure access for remote server
> maintenance. However, as I see it, SSH has a number of security issues
> that have not been addressed (as far I know), which create unnecessary
> vulnerabilities.
> 
> Some issues could be minimized by turning off password authentication,
> which is not practical in many cases. Other issues can be addressed by
> additional means, for example:
> 
> 1. firewall port-knocking to block scanning and attacks
> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
> block dictionary attacks)

i guess it can be handled along the lines of spamd (greylisting) on OpenBSD.

> 3. pre- and post-filtering to prevent SSH from advertising itself and
> server OS

is there any point in this as you can fingerprint OS both actively (nmap)
and passively (p0f)?

> 4. block empty authentication requests
> 5. block sending host key fingerprint for invalid or no username
> 6. drop SSH reply (send no response) for invalid or no username

i can understand your desire, but this is a feature used by some of the
anonymous services such as anonymous CVS.  i'd leave it to openssh
developers.

itojun



How the Chinese internet is tapped.

2007-07-16 Thread Jun-ichiro itojun Hagino
on a similar topic as Greek.

i was in Shinsen and DongAng, mainland china (right next to HongKong).
i was able to experience GSM/GPRS Internet as well as hotel wired
Internet (both are IPv4, sigh).

in both cases, TCP port 80 (http) was sucked into transparent web proxy
(squid).  i was careful enough not to type offensive words, but
zh.wikipedia.org was invisible (squid raises some kind of connection
error, always).  ja.wikipedia.org and en.wikipedia.org were visible.
luckily TCP port 22 was open.  the hotel net was behind NAT so i could
not use IPsec VPN.  i did not have enough time to configure NAT
traversal stuff.

from my past experience with chinese academic network operated in
some university in Beijing (i forgot the name of the network/
university), i know that every connectivity from china goes out of
Beijing.  at least in year 2000-2002 timeframe.
so if it is still true (inject me some clue if you know about the
current situation), all the traffic that goes out of china is tapped
in Beijing.  i'm wondering what kind of server farm they are
operating which are able to suck all TCP port 80 traffic from the
entire china...  i forgot to run nmap OS fingerprint :-(

also, my friend in china was using Skype from Tom Online on top of
Windows.  i did not believe it until i saw it, but ContentFilter.exe
was really there.  it is the backdoor process for Tom Online Skype
which transmits cleartext content to somewhere, which is likely to be
some law enforcement or government organization.  otherwise, Skype
traffic is totally encrypted - see "silver needle in skype" paper.

i was informed that it is a common practice for south east asian
nations to run censorship on the internet.  for instance, in thai
www.youtube.com is not accessible.  they have never seen dodolook,
very cute taiwanese girl from canada (IIRC) i guess.

for more info, the following URL would be useful.  Japanese content
and English content are a bit different so if possible be sure to
check both of them (and other languages if possible).  the email is
encoded in iso-2022-jp (Japanese standard encoding for email) but when
you click it please click the Japanese URL in utf-8.

http://en.wikipedia.org/wiki/Golden_Shield_Project
http://ja.wikipedia.org/wiki/

Re: SSL accel cards

2004-05-26 Thread Jun-ichiro itojun Hagino
> Does anyone know of an SSL acceleration card that actually works under
> Linux/*BSD? I've been looking at vendor web pages (AEP, Rainbow, etc), and
> while they all claim to support Linux, Googling around all I find are people
> saying "Where can I get drivers? The ones  shipped only work on RedHat
> 5.2 with a 2.0.36 kernel." (or some similar 4-6 year old system), and certainly
> they don't (gasp) make updated versions available for download. Because someone
> might... what, steal the driver? Anyway...

with openbsd, http://www.openbsd.org/crypto.html#hardware

itojun
