Quantum Crypto broken again

2008-10-24 Thread [EMAIL PROTECTED]
A failure in implementation leads to the ability to eavesdrop on a
quantum-secrecy based key exchange on 2/3 of the types of quantum
equipment used.

From: 
http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html

Makarov and colleagues from Sweden and Russia have shown that Eve
could control
Bob's equipment, so that they both decode exactly the same digits
from Alice's
transmission...The method exploits the way a common type of photon
counter can have
its sensitivity reduced by a very bright flash of light. The
attack begins when Eve fires a
pulse of laser light to all four detectors in Bob's
equipment...[Eve leverages this into
getting the key] by sending on a sequence of encoded photons that
are identical to the
ones she receives from Alice, Eve can safely intercept a message
without leaving the
tell-tale quantum errors...Makarov and colleagues have now uncovered such
vulnerabilities in two of the three types of quantum equipment
commonly used. They
are now investigating ways to solve the flaw without introducing
more weaknesses.

A paper, Can Eve control PerkinElmer actively-quenched single-photon
detector? is available at
http://arxiv.org/ftp/arxiv/papers/0809/0809.3408.pdf.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Adam Savage talks about Mythbuster attempt at RFID

2008-09-02 Thread [EMAIL PROTECTED]
Apparently credit card institutions don't want Mythbusters near their
RFID technology.

Transcribed from http://www.youtube.com/watch?v=-St_ltH90Oc:

  Were going to do RFID on several levels, you know how hackable, how
reliable, how
  trackable, etc. etc. And we one of our researchers called up Texas
Instruments and
  they arranged a conference call between I think Tory and the head
producer for the
  other team Linda Wolkovitch and one of the technicians for Texas
Instruments. We
  were supposed to have a conference call to talk about the technology
on like Tuesday
  at 10am. On Tuesday at 10am Linda and Tory get on the phone and Texas
  Instruments comes on along with chief legal council for American
Express Visa,
  Discover, and everybody else. And I get chills just as I describe
it. They were way way
  outgunned. And they absolutely made it really clear to Discovery
that they were not
  going to air this episode talking about how hackable this stuff was.
And Discovery
  backed way down being a large cooperation being dependant on the
revenue of the
  advertisers. And its on Discovery's radar and they wont let us go
near it. So, I'm sorry
  its just one of those things but man that was..Tory still gets a
little white when he
  describes that phone conversation.

-Michael

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: road toll transponder hacked

2008-08-26 Thread [EMAIL PROTECTED]
On Tue, Aug 26, 2008 at 9:24 AM, Perry E. Metzger [EMAIL PROTECTED] wrote:

 http://www.technologyreview.com/Infotech/21301/?a=f

From the article: other toll systems, like E-Z Pass and I-Pass, need
to be looked at too

A couple years ago I got a letter from E-Z Pass a few days after I
used my transponder in my new car without registering my new car. They
gave me a grace period to register before making me pay some sort of
penalty.

So, I believe, at least for E-Z Pass, the attack would have to include
cloning the license plate and pictures may still be available whenever
a victim realizes they have been charged for trips they did not take.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [p2p-hackers] IETF rejects Obfuscated TCP

2008-08-20 Thread [EMAIL PROTECTED]

 May I ask what you're trying to accomplish?

I assume http://code.google.com/p/obstcp/ which uses the TCP
connection setup to do a key agreement. Slick but apparently
susceptible to DoS.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Voting machine security

2008-08-18 Thread [EMAIL PROTECTED]
On Fri, Aug 15, 2008 at 11:57 AM, John Ioannidis [EMAIL PROTECTED] wrote:
 This just about sums it up: http://xkcd.com/463/

Only slightly better then suggested by the comic. McAfee anti-virus
software was on the servers, not the DRE voting machines themselves.

From 
http://www.middletownjournal.com/n/content/oh/story/news/local/2008/08/06/ddn080608votingweb.html

  Premier spokesman Chris Riggall had not seen the
  counterclaim [breach-of-contract lawsuit counterclaim
  filed by the Ohio Secretary of State] and declined
  comment on it. But he blamed the vote tabulation
  problems on McAfee anti-virus software on computer
  servers.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Can we copy trust?

2008-06-03 Thread [EMAIL PROTECTED]
On Mon, Jun 2, 2008 at 12:37 PM, Ed Gerck [EMAIL PROTECTED] wrote:
 In the essay Better Than Free, Kevin Kelly debates which concepts hold
 value online, and how to monetize those values. See
 www.kk.org/thetechnium/archives/2008/01/better_than_fre.php

 Kelly's point can be very useful: *When copies are free, you need to sell
 things which can not be copied.*

 The problem that I see and present to this list is when he discusses
 qualities that can't be copied and considers trust as something that
 cannot be copied.

Kelly says trust cannot be copied at the top of his missive then
doesn't list it as one of the eight generatives (I may be missing
something but I think generative is the wrong word for something
that cannot be copied but Kelly makes up his own definition for
generative as something generated uniquely in place).

 Well, in the digital economy we had to learn how to copy trust and we did.
 For example, SSL would not work if trust could not be copied.

After this list has destroyed the as implemented SSL model of trust
over and over again, I'd be wary of claiming that SSL allows trust to
be copied.

Even so, SSL doesn't really copy trust, it works by only trusting the
root. You don't have to trust the target site's self assertions about
its own identity because you trust the root to only validate for sites
that are what they claim to be.

On Mon, Jun 2, 2008 at 3:29 PM, Ed Gerck [EMAIL PROTECTED] wrote:

 A copy is something identical. So, in fact you can copy that server cert to
 another server that has the same domain (load balancing), and it will work.
 Web admins do it all the time. The user will not notice any difference in
 how the SSL will work.

Copying server certificates isn't copying trust either. In this case
all servers with the same certificate are the same entity - at least
to whatever needs to trust it.

This whole thing with SSL and certificates is a red herring when it
comes to copying trust.

When I trust a site, that site doesn't have the trust, I do. To copy
that trust, albeit with low fidelity, I merely have to communicate
that trust to some other person.

There are sites on the net that allow me to communicate my trust to
others. eBay is probably making the most money at it with their seller
reputation system. Sellers with a better reputation will attract more
business and sell quicker and at higher prices. eBay makes more money
when more product moves at higher prices but it cannot inflate
seller's reputations because that would instantly be recognized by
buyers and eBay would become a pariah and some other site would take
over. Other sites like Amazon, Bizrate, and Angie's List provide
similar trust distribution services with different underlying business
models.

This is a trust model that appears to work. If a eBayish/Verisigny
company did an OCSP-like service that returned a current eBay-like
reputation number for the trustworthiness of the site in question, I
don't think we would need band aids like PetNames or even a
hierarchical PKI. Sites could just use self-signed certificates with a
field pointing to their reputation responder. Instead of trusted root
certificates, browsers could have trusted reputation responder
certificates. Microsoft would charge reputation responders to include
their certificates, reputation responders would charge companies to
maintain their reputations, everybody would make money. When a
reputation responder goes bad, slashdot would have fun, Microsoft
would pull their cert, there will be some vulnerable users that don't
ever get updated responder certificate lists, and the entities that
had trust housed at the bad responder will have to generate new certs
and rebuild their reputation elsewhere.

This, of course, doesn't have a chance of occuring because SSL works
good enough and people will ignore the bad reputation warnings just
like they ignore SSL warnings now.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Can we copy trust?

2008-06-03 Thread [EMAIL PROTECTED]
On Tue, Jun 3, 2008 at 1:05 PM, Ed Gerck [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:

 We see that the trust relationship represented by that SSL cert can be
 copied without any loss, as many times as you wish

My understanding is that an SSL certificate is only a method to carry
the assertion that the holder of the private key is the the subject
named in the certificate (with possible limitations on the allowed
uses of the private key). By using the certificate, one does not trust
the subject - one does trust the signer of the certificate as an
entity that verified the subject named in the certificate represents
the actual subject (this is true even for self signed certificates
grin/).

Copying the SSL certificate does not copy trust but sometimes copying
some certificates do copy trust.

Say Alice browses around the web looking to buy a widget and when her
browser hits a particular HTTPS protected site, it pops up an
untrusted certificate warning. Alice goes  and moves on to
another site. Bob goes to the same site and his browser doesn't pop up
the warning because Microsoft has automatically updated his computer's
trusted CAs list. Bob's browser trusts the site and Bob trusts his
browser so Bob buys the widget. Alice's browser didn't trust the site,
and Alice, being a remarkable woman, actually paid attention to her
browser and moved on. So we see, the trusted CA certificates do
carry trust (heck, trusted is part of the name), and, when Microsoft
copied the new trusted CA certificate into Bob's computer, Microsoft
managed to copy trust.

IT departments put corporate trusted CA certificates in employees
computers. The US DoD puts their trusted root certificates in DoD
computers. All these actions copy trust with high fidelity. But this
method rings of an edict from on high, Thou shalt trust  These
methods still don't have the:

   // copy Alice's trust in Charlie to Bob
   Copy(Alice[trust--Charlie], Bob)

capability. The low fidelity ways of Epinions and eBay seem to be the
only examples I can come up with that allow for that type of trust
copying. For example:

   // copy the trust in Charlie a large group of eBayers has to Bob
   MaybeCopy(eBayClaim.LargeGroup[trust--Charlie], Bob)

The copy may or may not happen depending on Bob's feelings about the
size of the group or the extent of the trust. Of course, the eBayesque
trust copying happen in wetware. To move it to hardware would require
an online protocol and method to register trust. I can see shades of
the old PGP web-of-trust with added subtleties for timeliness and
dispute resolution.

 As to another point of your comment, the problem most people have with PKI
 is not that SSL does not work. SSL does not even need PKI.

I meant SSL as we use it - I believe the vast majority of SSL use
involves a hierarchical PKI. I have rarely seen the use of pre-shared
keys or self-signed certificates (which is technically still a PKI).

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Video of physical attack on smart card

2008-06-02 Thread [EMAIL PROTECTED]
In a video, Christopher Tarnovsky, shows a physical attack on a smart card:
   http://blog.wired.com/27bstroke6/2008/05/hacker-at-cente.html

I couldn't tell from the video how long it takes but it doesn't appear
to take more than an hour or so.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: 2factor

2008-04-18 Thread [EMAIL PROTECTED]
On Wed, Apr 9, 2008 at 12:59 PM, Leichter, Jerry
[EMAIL PROTECTED] wrote:
 Anyone know anything about a company called 2factor (2factor.com)?
 They're pushing a system based on symmetric cryptography with, it
 appears, some kind of trusted authority.  Factor of 100 faster
 than SSL.  More secure, because it authenticates every message.

 No real technical data I can find on the site, and I've never seen
 a site with so little information about who's involved.  (Typically,
 you at least get a list of the top execs.)  Some ex-spooks?  Pure
 snake oil?  Somewhere in between?

Google says:

2factor Inc.
1540 South Holland-Sylvania Road
Maumee, OH 43537

Mark O. Wittenmyer, Chairman
David M. Burns, Chief Executive Officer
Raymond A. Romagnolo, Executive Vice President

2factor, Inc. BOARD OF DIRECTORS
Mark O. Wittenmyer

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: 2factor

2008-04-18 Thread [EMAIL PROTECTED]
On Wed, Apr 9, 2008 at 12:59 PM, Leichter, Jerry
[EMAIL PROTECTED] wrote:
 Anyone know anything about a company called 2factor (2factor.com)?
 They're pushing a system based on symmetric cryptography with, it
 appears, some kind of trusted authority.  Factor of 100 faster
 than SSL.  More secure, because it authenticates every message.

 No real technical data I can find on the site, and I've never seen
 a site with so little information about who's involved.  (Typically,
 you at least get a list of the top execs.)  Some ex-spooks?  Pure
 snake oil?  Somewhere in between?

More googling and this seems to be the technology:

http://www.wipo.int/pctdb/en/wo.jsp?wo=2008030523
and
http://www.freshpatents.com/Method-and-system-for-performing-perfectly-secure-key-exchange-and-authenticated-messaging-dt20060216ptan20060034456.php

Which seem to be aimed at a drop in replacement for SSL (with a
working example using Firefox and Apache). They seem to rest on a key
exchange or agreement based on  a shared secret. Take this analysis
with a grain of salt - I just gave the patent and application a quick
scan.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [tahoe-dev] Surely M$ can patent this process?

2008-01-30 Thread [EMAIL PROTECTED]
On Jan 27, 2008 11:18 AM, zooko [EMAIL PROTECTED] wrote:
 [adding Cc: p2p-hackers and cryptography mailing lists as explained
 below; Please trim your follow-ups as appropriate.]

 On Jan 26, 2008, at 9:44 PM, Gary Sumner wrote:

  Surely there must be prior art on this technique to refute this
  patent?
 

 That's an interesting question, and I'm carbon-copying the p2p-
 hackers and cryptography mailing lists to ask if anyone knows.

FYI: http://www.opencm.org/papers/cpcms2001.pdf
  CPCMS: A Configuration Management System Based
  on Cryptographic Names. Jonathan S. Shapiro,  John
  Vanderburgh, Systems Research Laboratory, Johns
  Hopkins University. Appeared in the 2002 USENIX
  Annual Technical Conference

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Earliest indication of Prime numbers

2008-01-29 Thread [EMAIL PROTECTED]
From a fun article on the history of computing
http://www.neatorama.com/2008/01/25/the-wonderful-world-of-early-computing

The 20,000-year-old bone revealed that early civilization had
mastered arithmetic series and even the concept of prime
numbers.

This predates the Egyptian and Greek references to prime number
knowledge I have heard about by a wide margin. Unfortunately, the
article doesn't go into any more detail then the quote above.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: No PAL please, we're British

2007-11-16 Thread [EMAIL PROTECTED]
On Nov 15, 2007 2:55 PM,  [EMAIL PROTECTED] wrote:
 According to this BBC story until fairly recently the British
 military refused to have PALs on nuclear weapons.
 [SNIP]
From the story:

The Bomb is actually armed by inserting a bicycle lock
key into the arming switch and turning it through 90
   degrees.

I wonder if they knew how to defeat it with a Bic pen? (see
http://www.wired.com/culture/lifestyle/news/2004/09/64987)

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Rockville MD e-vote glitch

2007-11-08 Thread [EMAIL PROTECTED]
Not really crypto, but from
http://www.gazette.net/stories/110707/rocknew00608_32357.shtml

  election judges throughout the city noticed voters whose street
  addresses start with the number 5 were being denied their voter
  cards because the database wrongly counted them as absentee
  voters...Those whose street numbers start with the number 5
  were designated absentee ballot applicants as part of a state
  test program that should not have been forwarded for Election
  Day use.

Luckily it was an off-year election so:

   only about 10 people were either sent to City Hall to clear up
   the matter or walked away from the polls without casting a ballot

My house number starts with 3 :-)

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Elcomsoft trying to patent faster GPU-based password cracker

2007-10-24 Thread [EMAIL PROTECTED]
From:

   http://www.elcomsoft.com/EDPR/gpu_en.pdf

  Moscow, Russia - October 22, 2007 - ElcomSoft Co. Ltd. has
  discovered and filed for a US patent...Using the brute force
  technique of recovering passwords, it was possible, though
  time-consuming, to recover passwords from popular
  applications. For example...Windows Vista uses NTLM hashing
  by default, so using a modern dual-core PC you could test up to
  10,000,000 passwords per second, and perform a complete
  analysis in about two months. With ElcomSoft's new technology,
  the process would take only three to five days..Today's [GPU]
  chips can process fixed-point calculations. And with as much as
  1.5 Gb of onboard video memory and up to 128 processing
  units, these powerful GPU chips are much more effective than
  CPUs in performing many of these calculations...Preliminary
  tests using Elcomsoft Distributed Password Recovery product
  to recover Windows NTLM logon passwords show that the
  recovery speed has increased by a factor of twenty, simply by
  hooking up with a $150 video card's onboard GPU.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Bid on a SnakeOil Crypto Algorithm Patent

2007-10-05 Thread [EMAIL PROTECTED]
On 10/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 On 10/3/07, Saqib Ali [EMAIL PROTECTED] wrote:
 [SNIP]
 or both private keys but that never seems to get mentioned

I take it back, there is only one private key but math makes multiple
temporary public keys out of it.

-Michael

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Quantum Cryptography

2007-06-27 Thread [EMAIL PROTECTED]

On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:


 1) Do you believe the physics?  (Most people who know physics seem to.)


For those who would like to know a little more about the physics, see:

http://www.icfo.es/images/publications/J05-055.pdf, Quantum Cloning,
Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late
2005 review and of eavesdropping techniques for QKD. Much of the
terminology of quantum physics is unfamiliar to me but I think the
paper states that Eve could theoretically get 5/6 of the bits through
cloning and to keep this from happening, Alice and Bob have to assume
an eavesdropper if more than 11% of the bits have errors.

also:

http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf,
One-Time Pad Encryption of Real-Time Video1, Alan Mink, Xiao Tang,
LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David
Su, Ron Boisvert, Charles W. Clark and Carl J. Williams - a more
accessible paper describing a working system where NIST claims bit
error rates in the 3% range while generating key material at greater
than 2Mb/s. Its not clear whether the bit error rate is before or
after an error correction stage but the paper discusses how bit error
rate reduces the overall result after privacy amplification so I
believe they have thought of Eve cloning photons in flight.

-Michael

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Site has flash file that shows Enigma operation as you type

2007-02-22 Thread [EMAIL PROTECTED]

http://enigmaco.de has a Flash-based example of the Enigma
processing with a short history and tutorial.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Private Key Generation from Passwords/phrases

2007-01-16 Thread [EMAIL PROTECTED]

On 1/11/07, Joseph Ashwood [EMAIL PROTECTED] wrote:


112 bits of entropy is 112 bits of entropy...anything else and you're
into the world of trying to prove equivalence between entropy and
work which work in physics but doesn't work in computation
because next year the work level will be different and you'll
have to redo all your figures.


Hmm. All we usually have protecting us is work.

Once a little bit of cipher text gets out, on an SSL session or a PGP
encrypted email or the like, that bit of cipher text is enough
information to unambiguously determine the key. It may take a lot of
work to determine the key but there is no uncertainty left in the key.
That is, once used for a bit of encrypting where the cipher text
becomes known, the entropy of that key is _zero_.

Since there is no unguessibility left in the key, the only thing
protecting the cipher text is the amount of work it takes to determine
the key.

It seems Matthias has realized, prudently, that his system has a weak
link at the passphrase and he is looking to strengthen that. The ways
to do that include requiring a ridiculously long passphrase or
increasing the work required to go from the passphrase to the key.
Both methods Matthias has chosen increase the work required to break
the system.

As James pointed out, the proposed 76-bit passphrase is a bit much to
expect anybody to remember and it is always better to not derive keys
from passwords when the system allows.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Clips] Read two biometrics, get worse results - how it works

2005-10-20 Thread [EMAIL PROTECTED]
On 10/19/05, R.A. Hettinga [EMAIL PROTECTED] wrote:

  [EDIT]
  Daugman presents
  (http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html) the two rival
  intuitions, then does the maths. On the one hand, a combination of
  different tests should improve performance, because more information is
  better than less information. But on the other, the combination of a strong
  test with a weak test to an extent averages the result, so the result
  should be less reliable than if one were relying solely on the strong test.

I believe the Daugman results are correct only when one accepts
results where the tests disagree. That is, if the first test returns
positive and the second test returns negative, you chose the overall
results to be positive or negative as opposed to do over until they
agree.

Of course, in real life with knowledge of the physics of the tests and
the ability to pull out non-boolean results, one may be able to remove
many of the do over results to keep from annoying the test subjects.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]