| First off you have a basic problem in definition: You have to specify
| *one* hash with *one* output size, but NP-completeness has to do with
| asymptotic behavior. For any hash producing a fixed-size output string,
| there is a deterministic machine that runs in time O(1) that computes a
| A few weeks ago I asked for information on using the increasingly
| prevalent built-in TPM chips in computers (especially laptops) as a
| random number source. I got some good advice and want to summarize the
| information for the benefit of others.
|
| Thanks for the useful summary! For
| EE Times is carrying [a] story ... about attempts to use cryptography
| to protect chip designs from untrustworthy fabrication facilities,
| including a technology from Certicom.
|
| Unlike ordinary DRM, which I think can largely work in so far as it
| merely provides a (low) barrier to stop
Look up the paper Fingerprinting by random polynomials by Michael Rabin.
-- Jerry
On Fri, 25 Aug 2006, Travis H. wrote:
| Date: Fri, 25 Aug 2006 20:12:30 -0500
| From: Travis H. [EMAIL PROTECTED]
| To: Cryptography
| Fugitive executive is tracked down by tracing his Skype calls...
|
| http://arstechnica.com/news.ars/post/20060824-7582.html
...maybe. This article gets many fundamental details wrong. For
one thing, Alexander wasn't nabbed - the very article they linked
that word to simply says he was found.
| On 8/28/06, Ondrej Mikle [EMAIL PROTECTED] wrote:
| Take as an example group of Z_p* with p prime (in another words: DLP).
| The triplet (Z, p, generator g) is a compression of a string of p-1
| numbers, each number about log2(p) bits.
|
| Pardon my mathematical ignorance, but isn't Z just a
| Hi.
|
| If an attacker is given access to a raw RSA decryption oracle (the
| oracle calculates c^d mod n for any c) is it possible to extract the
| key (d)?
If I hand you my public key, I have in effect handed you an oracle that
will compute c^d mod n for any c. What you are asking is whether
| | If an attacker is given access to a raw RSA decryption oracle (the
| | oracle calculates c^d mod n for any c) is it possible to extract the
| | key (d)?
| If I hand you my public key, I have in effect handed you an oracle that
| will compute c^d mod n for any c. What you are asking is
| | It is known, that given such an oracle, the attacker can ask for
| | decryption of all primes less than B, and then he will be able to
| | sign PKCS-1 encoded messages if the representative number is B-smooth,
| | but is there any way to actually recover d itself?
|
| RSA is
| The problem is that _because there is an interface to poll the token for
| a code across the USB bus_, malicious software can *repeatedly* steal new
| token codes *any time it wants to*. This means that it can steal codes
| when the user is not even attempting to authenticate
I think this
|
http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story
|
| That isn't supposed to be possible these days... (I regard it as more
| likely that they were doing traffic analysis and direction-finding than
| actually cracking the ciphers.)
Newspaper
|
|10.2.3 Data decoding
|
|The data D shall be BER-decoded to give an ASN.1 value of
|type DigestInfo, which shall be separated into a message
|digest MD and a message-digest algorithm identifier. The
|message-digest algorithm identifier shall determine
| | I don't think it's a problem, you just take the ASN.1 DigestInfo
| | value, since the trailing garbage isn't part of the DigestInfo, you
| | ignore it. Specifically, the ASN.1 object is entirely
| | self-contained, so you can tell exactly where it ends and what it
| | contains. Anything
| Granted, one or more implementations got this wrong. (Has anyone
| looked to see if all the incorrect code all descends from a common
| root, way back when?)
|
| We have at least three independent widely used implementations that
| got things wrong: OpenSSL, Mozilla NSS, and GnuTLS.
|
|
| *That* is the Right Way To Do It. If there are variable parts (like
| hash OID, perhaps), parse them out, then regenerate the signature data
| and compare it byte-for-byte with the decrypted signature.
|
| You know, this sort of reminds me of a problem with signatures on
| tar.gz files.
| Circle Bank is using a coordinate matrix to let
| users pick three letters according to a grid, to be
| entered together with their username and password.
|
| The matrix is sent by email, with the user's account
| sign on ID in plaintext.
|
| Worse, the matrix is pretty useless for the
| Given how rare weak keys are in modern ciphers, I assert that code to cope
| with them occurring by chance will never be adequately tested, and will be
| more likely to have security bugs. In short, why bother?
Beyond that: Are weak keys even detectable using a ciphertext-only
attack (beyond
| This suggests that,
| rather than looking for weak keys as such, it might be worth it to
| do continuous online testing: Compute the entropy of the generated
| ciphertext, and its correlation with the plaintext, and sound an
| alarm if what you're getting looks wrong. This might be a
|
| ...Compusec is great for home / personal use. It is cheap i.e. $0.00
| (Free), and does not slow down the computer as much as the other
| products. But that is because it only support 128 bit AES, which is a
| major drawback as most enterprise settings require at least 256 bit
| AES
Just
| | ...Compusec is great for home / personal use. It is cheap i.e. $0.00
| | (Free), and does not slow down the computer as much as the other
| | products. But that is because it only support 128 bit AES, which is a
| | major drawback as most enterprise settings require at least 256 bit
| |
| | Just wondering about this little piece. How did we get to 256-bit
| | AES as a requirement? Just what threat out there justifies it? ...
|
| I can see it as useful if some bits of the key got leaked somehow.
| For example, if you're using a HWRNG to generate keys, and it's
| bits are
| On Wed, Nov 08, 2006 at 05:58:41PM -0500, Leichter, Jerry wrote:
| Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits,
| you might as well assume it leaks 256. When it comes to leaks of
| this sort, the only interesting numbers are 0 and all.
|
| Nonsense. I can cite numerous
| From: [Name Withheld]
| To: cryptography@metzdowd.com
| Subject: Re: How important is FIPS 140-2 Level 1 cert?
|
| Paul Hoffman [EMAIL PROTECTED] wrote:
|
| At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
| If two products have exactly same feature set, but one is FIPS 140-2
| Level 1
| http://news.zdnet.com/2100-1009_22-6142935.html
|
| British start-up Yuzoz has announced that it will be launching its
| beta service in the next two weeks--an online random-number generator
| driven by astronomical events.
|
| Heh heh. Pretty amusing. I guess the founders haven't really
| note that there have been (at least) two countermeasures to DES brute-force
| attacks ... one is 3DES ... and the other ... mandated for some ATM networks,
| has been DUKPT. while DUKPT doesn't change the difficulty of brute-force
| attack on single key ... it creates a derived unique key per
| ...One sometimes sees claims that increasing the salt size is important.
| That's very far from clear to me. A collision in the salt between
| two entries in the password file lets you try each guess against two
| users' entries. Since calculating the guess is the hard part,
| that's a savings
| ...I agree with you about intuitive cryptography. What you're
| complaining about is, in effect, Why Johnny Can't Hash. There was
| another instance of that in today's NY Times. In one of the court
| cases stemming from the warrantless wiretapping, the Justice
| Department is, in the holy
| |
| | ...There's an obvious cryptographic solution, of course: publish the
| | hash of any such documents. Practically speaking, it's useless.
| | Apart from having to explain hash functions to lawyers, judges,
| | members of Congress, editorial page writers, bloggers, and talk
| | show
| Currently I'm dealing
| with very large - though not as large as 4 gig - x-ray, MRI, and
| similar files that have to be protected for the lifespan of the
| person, which could be 70+ years after the medical record is
| created. Think of the MRI of a kid to scan for some condition
|
| Hey, quick question.
|
| If one wants to have multiple keys, but for ease-of-use considerations
| want to only have the user enter one, is there a preferred way to
| derive multiple keys that, while not independent, are computationally
| independent?
|
| I was thinking of hashing the
| somewhat related
| Study Finds Bank of America SiteKey is Flawed
| http://it.slashdot.org/it/07/02/05/1323243.shtml
Recall how SiteKey works: When you register, you pick an image (from a
large collection) and a phrase. Whenever you connect, the bank will
play back the image and phrase. You
On Tue, 13 Feb 2007, Anne Lynn Wheeler wrote:
| ...part of the problem was that the PKI financial model is out of
| kilter with standard business practices. nominally a relying party has
| some sort of relationship with the certification authority (i.e. what
| they are relying on) and there is
| Banks [use] a web interface, after the user logs in to their account.
|
| So, what's missing in the email PKI model is two-sidedness.
| Fairness.
|
| Not really. What's missing is, if you'll pardon the phrase, a central
| point of failure.
|
| If you can persuade everyone to use a single
| New Credit Cards May Leak Personal Information
|
http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF
|
| from above:
|
| You may be carrying a new type of credit card that can transmit your personal
| information to anyone who gets close to you with a
Some of the messages in this stream have demonstrated why it can be
difficult to get non-crypto people to listen to advice from crypto
experts: Cryptography research is, by its nature, a pretty absolute
thing. We find attacks, we try to eliminate them. There's a strong
tendency to view *any*
| Suppose we use AES128-CBC with a fixed IV. It's clear that the only
| vulnerability of concern occurs when a key is reused. OK, where do
|
| No, remember that if the IV is in the clear, an attacker can
| make some controlled bit changes in the first plaintext block.
| (There has been no
| What problem does this (chaining IV from message to message) introduce
| in our case?
|
| See RFC4251:
|
|
|Additionally, another CBC mode attack may be mitigated through the
|insertion of packets containing SSH_MSG_IGNORE. Without this
|technique, a specific attack may be
| What the RFC seems to be suggesting is that the first block of every
| message be SSH_MSG_IGNORE. Since the first block in any message is now
| fixed, there's no way for the attacker to choose it. Since the attacker
|
| SSH_MSG_IGNORE messages carry [random] data.
|
| Effectively what the
| It would be amusing if the HD-DVD encryption key that has been the
| subject of the recent pseudo-takedown notices were to show up in a
| T-shirt for sale.
|
| Now that services like Cafe Press exist, someone could start selling
| such shirts almost as fast as they could put together a nice
| Frankly, for SSH this isn't a very plausible attack, since it's not
| clear how you could force chosen plaintext into an SSH session between
| messages. A later paper suggested that SSL is more vulnerable:
| A browser plugin can insert data into an SSL protected session, so
| might be
| Frankly, for SSH this isn't a very plausible attack, since it's not
| clear how you could force chosen plaintext into an SSH session between
| messages. A later paper suggested that SSL is more vulnerable:
| A browser plugin can insert data into an SSL protected session, so
| might be able
| | Frankly, for SSH this isn't a very plausible attack, since
| | it's not clear how you could force chosen plaintext into an
| | SSH session between messages. A later paper suggested that
| | SSL is more vulnerable: A browser plugin can insert data into
| | an SSL protected
| Just being able to generate traffic over the link isn't enough to
| carry out this attack.
|
| Well, it depends on if you key per-flow or just once for the link. If
| the latter, and you have the ability to create traffic over the link,
| and there's a 1-for-1 correspondence between
| Many protocols use some form of self describing data format, for
| example ASN.1, XML, S expressions, and bencoding.
|
| Why?
|
| Presumably both ends of the conversation have negotiated what protocol
| version they are using (and if they have not, you have big problems)
| and when they
Interesting-looking article on how users of P2P networks end up sharing
much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf
-- Jerry
-
The
| Interesting-looking article on how users of P2P networks end up sharing
| much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf
Earlier analysis by the USPTO:
http://www.uspto.gov/web/offices/dcom/olia/copyright/oir_report_on_inadvertent_sharing_v1012.pdf
| - Quantum Cryptography is fiction (strictly claims that it solves
|an applied problem are fiction, indisputably interesting Physics).
|
| Well that is a broad (and maybe unfair) statement.
|
| Quantum Key Distribution (QKD) solves an applied problem of secure key
|
| ...Apple is one vendor who I gather does include a TPM chip on their
| systems, I gather, but that wasn't useful for me.
Apple included TPM chips on their first round of Intel-based Macs.
Back in 2005, there were all sorts of stories floating around the net
about how Apple would use TPM to
All your data belong to us. From Computerworld.
-- Jerry
Trusted Computing Group turns attention to storage
Chris Mellor
June 24, 2007 (TechWorld.com) The Trusted Computing Group has announced
a draft specification aimed at helping
As always, banks look for ways to shift the risk of fraud to someone -
anyone - else. The New Zealand banks have come up with some interesting
wrinkles oh this process. From Computerworld.
-- Jerry
NZ banks demand a peek at customer PCs
| http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F
|
| A company is selling a window film that blocks most RF signals. The
| obvious application is TEMPEST-shielding. I'm skeptical that it will
| be very popular -- most sites won't want to give up Blackberry and
|
| Leichter, Jerry writes:
| -+---
| | As always, banks look for ways to shift the risk of
| | fraud to someone - anyone - else. The New Zealand
| | banks have come up with some interesting wrinkles on
| | this process.
| |
|
| This is *not* a power play by banks
| | Given that all you need for this is a glorified pocket
| | calculator, you could (in large enough quantities) probably get
| | it made for $10, provided you shot anyone who tried to
| | introduce product-deployment DoS mechanisms like smart cards and
| | EMV into the picture. Now
From CIO magazine. For the record, I, like the author, am a Bank of
America customer, but unlike her I've started using their on-line
services. What got me to do it was descriptions of the increasing
vulnerability of traditional paper-based mechanisms: If I pay a
credit card by mail, I leave
| Crypto has been an IP minefield for some years. With the expiry of
| certain patents, and the availability of other unencumbered crypto
| primitives (eg. AES), we may see this change. But John's other
| points are well made, and still valid. Downloadable MP3 ring tones
| are a selling
So, you want to be able to prove in the future that you have some piece of
information today - without revealing that piece of information. We all
know how to do that: Widely publish today the one-way hash of the
information.
Well ... it turns out this idea is old. Very old. In the 17th
| Between encrypted VOIP over WIFI and eventually over broadband cell -
| keeping people from running voice over their broadband connections is
| a battle the telco's can't win in the long run - and just plain
| encrypted cell phone calls, I think in a couple of years anyone who
| wants secure
| The world's most secure USB Flash Drive: https://www.ironkey.com/demo.
What makes you call it snake oil? At least the URL you point to says
very reasonable things: It uses AES, not some home-brew encryption; the
keys are stored internally; the case is physically protected, and has
some kind of
Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims
to do much more than the Ironkey, though the language is a bit less
marketing-speak. On the other hand, once I got through the
marketing stuff to the technical discussions at Ironkey, I ended
up with much more in the way of
| Anyone know anything about the Yoggie Pico (www.yoggie.com)? It
| claims to do much more than the Ironkey, though the language is a bit
| less marketing-speak. On the other hand, once I got through the
| marketing stuff to the technical discussions at Ironkey, I ended up
| with much more in
| If you think about this in general terms, we're at the point where we
| can avoid having to trust the CPU, memory, disks, programs, OS, etc.,
| in the borrowed box, except to the degree that they give us access to
| the screen and keyboard. (The problem of securing connections that
| go
The movie studios live in fear of people stealing their product as it
all goes digital. There's, of course, always the analogue hole, the
point where the data goes to the display. The industry defined an
all-digital, all-licensed-hardware path through HDMI which blocks this
path. As we know,
| I often say, Rub a pair of cryptographers together, and you'll
| get three opinions. Ask three, you'll get six opinions. :-)
|
| However, he's talking about security, which often isn't quantifiable!
From what I see in the arguments, it's more complicated than that.
On one side, we have
Retail group takes a swipe at PCI, puts card companies 'on notice'
Jaikumar Vijayan
October 04, 2007 (Computerworld) Simmering discontent within the retail
industry over the payment card industry (PCI) data security standards
erupted into the open this week with the National Retail Federation
| But, opportunistic cryptography is even more fun. It is
| very encouraging to see projects implement cryptography in
| limited forms. A system that uses a primitive form of
| encryption is many orders of magnitude more secure than a
| system that implements none.
|
| Primitive form -
| A slightly off-topic question: if we accept that current processes
| (FIPS-140, CC, etc) are inadequate indicators of quality for OSS
| products, is there something that can be done about it? Is there a
| reasonable criteria / process that can be built that is more suitable?
Well, if you
No comment from me on the appropriateness. From Computerworld.
-- Jerry
Quantum cryptography to secure ballots in Swiss election
Ellen Messmer
October 11, 2007 (Network World) Swiss officials are using quantum
cryptography technology
| Date: Sat, 13 Oct 2007 03:20:48 -0400
| From: Victor Duchovni [EMAIL PROTECTED]
| To: cryptography@metzdowd.com
| Subject: Re: Quantum Crytography to be used for Swiss elections
|
| On Fri, Oct 12, 2007 at 11:04:15AM -0400, Leichter, Jerry wrote:
|
| No comment from me on the appropriateness
| ... What's wrong with starting
| with input SALT || PASSWORD and iterating N times,
|
| Shouldn't it be USERID || SALT || PASSWORD to guarantee that if
| two users choose the same password they get different hashes?
| It looks to me like this wold make dictionary attacks harder too.
As
| Xerox Unveils Technology That Blocks Access to Sensitive Data in
| Documents to Prevent Security Leaks
| http://www.parc.com/about/pressroom/news/2007-10-15-redaction.html
|
| The Innovation: The technology includes a detection software tool that
| uses content analysis and an intelligent user
Sometimes the side-effects are as significant as the direct effects
-- Jerry
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7091206.stm
Fears over online banking checks
By Mark Ward
Technology Correspondent,
Little progress on government-wide smart card initiative, and little
surprise
November 14, 2007 (Computerworld) More than three years after a
presidential directive requiring federal government agencies to issue
new smart-card identity credentials to all employees and contractors,
progress on
Flylogic Engineering does some very interesting tampering with tamper-
resistant parts. Most of those secure USB sticks you see around won't
last more than a couple of minutes with these guys.
See http://www.flylogic.net/blog
-- Jerry
| Exactly what makes this problem so difficult eludes me, although one
| suspects that the savage profit margins on consumables like
| keyboards and mice might have something to do with it.
|
| It's moderately complex if you're trying to conserve bandwidth (which
| translates to power) and
| There was a discussion on this list a year or two back about
| problems in using memset() to zeroise in-memory data, specifically
| the fact that optimising compilers would remove a memset() on
| (apparently) dead data in the belief that it wasn't serving any
| purpose.
|
| Then,
| What does it say about the integrity of the FIPS program, and its CMTL
| evaluation process, when it is left to competitors to point out
| non-compliance of evaluated products -- proprietary or open source --
| to basic architectural requirements of the standard?
I was going to ask the same
| The whole point of a notary is to bind a document to a person. That
| the person submitted two or more different documents at different
| times is readily observable. After all, the notary has the
| document(s)!
|
| No, the notary does not have the documents *after* they are notarized,
|
| It is, of course, the height of irony that the bug was introduced in
| the very process, and for the very purpose, of attaining FIPS
| compliance!
|
| But also to be expected, because the feature in question is
| unnatural: the software needs a testable PRNG to pass the compliance
| tests,
| Then the compiler can look at the implementation and prove that a
| memset() to a dead variable can be elided
|
| One alternative is to create zero-ing functions that wrap memset()
| calls with extra instructions that examine some of the memory, log a
| message and exit the application if
| However, that doesn't say anything about whether f is actually
| invoked at run time. That comes under the acts as if rule: If
| the compiler can prove that the state of the C (notional) virtual
| machine is the same whether f is actually invoked or not, it can
| elide the call. Nothing
| If the function is defined as I suggested - as a static or inline -
| you can, indeed, takes its address. (In the case of an inline, this
| forces the compiler to materialize a copy somewhere that it might
| not otherwise have produced, but not to actually *use* that copy,
| except when
| So... supposing I was going to design a crypto library for use within
| a financial organization, which mostly deals with credit card numbers
| and bank accounts, and wanted to create an API for use by developers,
| does anyone have any advice on it?
|
| It doesn't have to be terribly complete,
Virtualization has become the magic pixie dust of the decade.
When IBM originally developed VMM technology, security was not a primary
goal. People expected the OS to provide security, and at the time it
was believed that OS's would be able to solve the security problems.
As far as I know, the
| Date: Fri, 04 Jan 2008 16:38:07 +1300
| From: Peter Gutmann [EMAIL PROTECTED]
| To: cryptography@metzdowd.com
| Subject: DRM for batteries
|
| http://www.intersil.com/cda/deviceinfo/0,1477,ISL6296,0.html
|
| At $1.40 each (at least in sub-1K quantities) you wonder whether it's
| costing them
| http://www.google.com/patents?vid=USPAT6993661
|
| Gee, the inventor is Simson Garfinkel, who's written a bunch of books
| including Database Nation, published in 2000 by O'Reilly, about all
| the way the public and private actors are spying on us.
|
| I wonder whether this was research to see
Anyone know anything about these guys? (www.vaultid.com). They
are trying to implement one-time credit card numbers on devices
you take with you - initially cell phones and PDA's, eventually in
a credit card form factor. The general idea seems good, but their
heavy reliance on fingerprint
Commenting on just one portion:
| 2. VoIP over DTLS
| As Perry indicated in another message, you can certainly run VoIP
| over DTLS, which removes the buffering and retransmit issues
| James is alluding to. Similarly, you could run VoIP over IPsec
| (AH/ESP). However, for performance reasons,
| - Truncate the MAC to, say, 4 bytes. Yes, a simple brute
| force attack lets one forge so short a MAC - but
| is such an attack practically mountable in real
| time by attackers who concern you?
|
| In fact, 32-bit authentication tags are a feature
| So, this issue has been addressed in the broadcast signature context
| where you do a two-stage hash-and-sign reduction (cf. [PG01]), but
| when this only really works because hashes are a lot more efficient
| than signatures. I don't see why it helps with MACs.
Thanks for the reference.
|
| By the way, it seems like one thing that might help with client certs
| is if they were treated a bit like cookies. Today, a website can set
| a cookie in your browser, and that cookie will be returned every time
| you later visit that website. This all happens automatically. Imagine
| if a
Today's Dilbert -
http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert23667240080211.gif
is right on point
-- Jerry
-
The Cryptography Mailing List
|SAN FRANCISCO -- Toshiba Corp. has claimed a major breakthrough in
|the field of security technology: It has devised the world's
|highest-performance physical random-number generator (RNG)
|circuit.
|
|The device generates random numbers at a data rate of 2.0 megabits
|a
| ...I imagine this will eventually have a big impact on the way organizations
| respond to stolen mobile device incidents. With the current technology, if a
| laptop or mobile device is on when it's stolen, companies will need to assume
| that the data is gone, regardless of whether or not
| Their key recovery technique gets a lot of mileage from using the
| computed key schedule for each round of AES or DES to provide
| redundant copies of the bits of the key. If the computer cleared
| the key schedule storage, while keeping the key itself when the
| system is in sleep mode, or
| Hi,
|
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
|
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
|
| Is this
| So at the company I work for, most of the internal systems have
| expired SSL certs, or self-signed certs. Obviously this is bad.
|
| You only think this is bad because you believe CAs add some value.
|
| Presumably the value they add is that they keep browsers from popping
| up scary
| As if the latest research (which showed that RAM contents can be
| recovered after power-down) was not enough, it seems as Firewire ports
| can form yet an easier attack vector into FDE-locked laptops.
|
| Windows hacked in seconds via Firewire
|
|...Convergent encryption renders user files vulnerable to a
|confirmation-of-a-file attack. We already knew that. It also
|renders user files vulnerable to a learn-partial-information
|attack in subtle ways. We didn't think of this until now. My
|search of the literature
| They extended the confirmation-of-a-file attack into the
| learn-partial-information attack. In this new attack, the
| attacker learns some information from the file. This is done by
| trying possible values for unknown parts of a file and then
| checking whether the result
Anyone know anything about a company called 2factor (2factor.com)?
They're pushing a system based on symmetric cryptography with, it
appears, some kind of trusted authority. Factor of 100 faster
than SSL. More secure, because it authenticates every message.
No real technical data I can find on
1 - 100 of 135 matches
Mail list logo