Re: SSL and Malicious Hardware/Software

2008-05-06 Thread Arcane Jill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Steven M. Bellovin

Sent: 03 May 2008 00:51
To: Arcane Jill
Cc: cryptography@metzdowd.com
Subject: Re: SSL and Malicious Hardware/Software


  I can't think of a great way of alerting the user,

 I would be alerted immediately, because I'm using the Petname Tool
 Firefox plugin.

 For an unproxied site, I get a small green window with my own choice
 of text in it (e.g. Gmail if I'm visiting https://mail.google.com).
 If a proxy were to insert itself in the middle, that window would turn
 yellow, and the message would change to (untrusted).

Assorted user studies suggest that most users do not notice the color
of random little windows in their browsers...




The point is that the plugin does not trust the browser's list of installed 
CAs. The only thing it trusts is the fingerprint of the certificate. If the 
fingerprint is one that you, personally, (not your browser), have approved in 
the past, then the plugin is green. If not, the plugin is yellow.


Without this plugin, identifying proxies is hard, because the proxy certificate 
will likely be installed in your browser, so it will just automatically pass 
the usual SSL checks, and will appear to you as an authenticated site. If you 
have an expectation that your web traffic will not be eavesdropped en route, 
then the sudden appearance of a proxy can flout that expectation.


On the other hand, a system which checks /only/ that the certificate 
fingerprint is what you expect it to be does not suffer from the same 
disadvantage. This is a technical difference. There's more to it than just the 
color of the warning sign! (...though I do concede, a Red Alert siren would 
probably get more attention :-) ).


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Fingerprint Firefox Plugin?

2007-10-23 Thread Arcane Jill
Can anyone tell me... is there a Firefox plugin which allows one to view the 
fingerprint of the SSL certificate of each page you visit (e.g. in the status 
bar or address bar or something)?


Better still if it can learn which ones you trust, but just being able to view 
them without having to jump through hoops would be a good start.


Arcane Jill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
Hi,

It's possible I may be reinventing the wheel here, so my apologies if 
that's so, but it occurs to me that there's a defence against an offline 
dictionary attack on an encrypted file. Here's what I mean: Say you have 
a file, and you want to keep it secret. What do you do? Obviously you 
either encrypt it directly, or you store it in an encrytped volume 
(thereby encrypting it indirectly). Problem? Maybe an attacker can 
somehow get hold of the encrypted file or volume ... maybe your laptop 
gets stolen  maybe other people have access to your machine. In 
principle, you're protected by your passphrase, but if an attacker can 
get hold of the file, they can try an offline dictionary attack to guess 
your passphrase, so unless you're very good at inventing high entropy 
passphrases /and remembering them without writing them down/, there may 
still be a risk.

Here's the defence:

To encrypt a file:
   Generate a random number R between 0 and M-1 (for some fixed M, a 
power of 256)
   Type in your passphrase P
   Let S = R || P (where || stands for concatenation)
   Let K = hash(S)
K is now your encryption key. R is to be thrown away.

To decrypt the same file:
   Generate a random number r between 0 and M-1
   Type in your passphrase P
   for (int i=r; ; i=(i+1)%M)
   {
   Let S = I || P
   Let K = hash(S)
   Try to decrypt using key K
   }
This places a computational burden on your PC at decrypt-time. The 
larger you choose M, the more CPU time it will take to figure out K. So, 
you choose M such that it takes your PC about one second to find K, then 
your attacker will experience the same burden - but multiplied a 
squillionfold (a squillion being the entropy of your passphrase). This 
means that even if your passphrase consists of just two words from a 
dictionary, /and/ your attacker suspects this, it will still take him or 
her over a hundred and fifty years to decrypt (assuming your attacker 
has a PC of equivalent power). Even if your attacker has a faster PC 
than you, it will still be relatively easy to pick a 
strong-yet-memorable passphrase, since better tech can only ease the 
attacker's problem, not remove it. All of a sudden, weak passphrases 
turn into strong ones, and strong passphrases turn into computationally 
infeasible ones.

Is this useful?
Has anyone come up with it before? (Someone must have ... but I don't 
recall seeing the technique used in applications)

Jill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-08 Thread Arcane Jill
Okay, okay. I've got the message. I give in.

The toolkit will be distributed with the most generous, most liberal 
license possible. This means that (basically) anyone can do pretty much 
anything with it, including release binaries compiled with it.

I'm happy with this decision. It means that if Alice wishes to trust 
software written or modified by Eve (or Mallory, etc.)., then she is 
perfectly entitled to do so. It is up to Alice to choose her own threat 
model, not me. The bottom line is, everyone has the right to choose whom 
they trust ... even if they're wrong. (After all, I can hardly demand 
that right for myself and then deny it to others, can I?).

Jill (Ramonsky ... sending from new email address)

Oh yeah, one last thing

 -Original Message-
 From: Rich Salz [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2003 4:19 PM
 To: Jill Ramonsky
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: Open Source (was Simple SSL/TLS - Some Questions)


 I think that rather than spending time on deciding what to call this
 library that is to-be-written, and how to license this library that is
 to-be-written, that time should be spent on, well, writing it. :)
 /r$
Aha - I'm ahead of you there. I've already started. But more than one 
person advised me to not talk about code until at least one third of it 
was finished, in order to avoid real-time discussions about how code 
should be written. If I am silent on the coding progress, rest assured 
it doesn't mean I'm not doing anything.

On the other hand, I /could/ post progress reports if people wanted. I 
have absolutely no idea whether that would be considered appropriate or 
not. I'm open to suggestion.

Jill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]