Re: SSL and Malicious Hardware/Software

2008-05-06 Thread Arcane Jill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Steven M. Bellovin

Sent: 03 May 2008 00:51
To: Arcane Jill
Cc: cryptography@metzdowd.com
Subject: Re: SSL and Malicious Hardware/Software


> > I can't think of a great way of alerting the user,
>
> I would be alerted immediately, because I'm using the Petname Tool
> Firefox plugin.
>
> For an unproxied site, I get a small green window with my own choice
> of text in it (e.g. "Gmail" if I'm visiting https://mail.google.com).
> If a proxy were to insert itself in the middle, that window would turn
> yellow, and the message would change to "(untrusted)".
>
Assorted user studies suggest that most users do not notice the color
of random little windows in their browsers...

The point is that the plugin does not trust the browser's list of installed 
CAs. The only thing it trusts is the fingerprint of the certificate. If the 
fingerprint is one that you, personally, (not your browser), have approved in 
the past, then the plugin is green. If not, the plugin is yellow.


Without this plugin, identifying proxies is hard, because the proxy certificate 
will likely be installed in your browser, so it will just automatically pass 
the usual SSL checks, and will appear to you as an authenticated site. If you 
have an expectation that your web traffic will not be eavesdropped en route, 
then the sudden appearance of a proxy can flout that expectation.


On the other hand, a system which checks /only/ that the certificate 
fingerprint is what you expect it to be does not suffer from the same 
disadvantage. This is a technical difference. There's more to it than just the 
color of the warning sign! (...though I do concede, a Red Alert siren would 
probably get more attention :-) ).


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
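The check described above (trust only a fingerprint the user approved earlier, never the browser's CA list), as an added example that is not the Petname Tool's own code: the petname store, the approve step and the green/yellow decision. The DER byte strings and the "grey" state for a site that has never been approved are constructed assumptions.

```python
import hashlib
import hmac


class PetnameStore:
    """Per-site pins chosen by the user: host -> (petname, certificate fingerprint)."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # The only thing trusted is the hash of the certificate itself
        return hashlib.sha256(cert_der).hexdigest()

    def approve(self, host: str, petname: str, cert_der: bytes) -> None:
        # The user, not the browser's CA list, decides which certificate is trusted
        self.pins[host] = (petname, self.fingerprint(cert_der))

    def check(self, host: str, cert_der: bytes):
        """Return (colour, label) as the plugin's little window would show them."""
        if host not in self.pins:
            return "grey", "(no petname)"       # never approved: nothing to compare
        petname, pinned = self.pins[host]
        if hmac.compare_digest(pinned, self.fingerprint(cert_der)):
            return "green", petname
        return "yellow", "(untrusted)"          # any other cert, CA-signed or not


# Constructed stand-ins for DER certificates (not real certificates)
SITE_CERT = b"constructed DER: CN=mail.google.com, issued by a public CA"
PROXY_CERT = b"constructed DER: CN=mail.google.com, issued by an intercepting proxy CA"


def demo():
    """Walk through first visit, approval, a matching cert and a proxy-issued cert."""
    store = PetnameStore()
    before = store.check("mail.google.com", SITE_CERT)
    store.approve("mail.google.com", "Gmail", SITE_CERT)
    same = store.check("mail.google.com", SITE_CERT)
    proxied = store.check("mail.google.com", PROXY_CERT)
    return before, same, proxied
```

Because only the fingerprint is compared, a legitimate certificate renewal turns the window yellow too; the user has to verify the new fingerprint out of band and approve it again.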


Re: SSL and Malicious Hardware/Software

2008-05-02 Thread Arcane Jill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Ryan Phillips

Sent: 28 April 2008 23:13
To: Cryptography
Subject: SSL and Malicious Hardware/Software


I can't think of a great way of alerting the user,


I would be alerted immediately, because I'm using the Petname Tool Firefox 
plugin.


For an unproxied site, I get a small green window with my own choice of text in 
it (e.g. "Gmail" if I'm visiting https://mail.google.com). If a proxy were to 
insert itself in the middle, that window would turn yellow, and the message 
would change to "(untrusted)".



RE: PlayStation 3 predicts next US president

2007-12-03 Thread Arcane Jill

I'd be interested in seeing
references to older work on chosen-prefix multicollisions.


This has been on the web since at least July.

http://www.cits.rub.de/MD5Collisions/

I'm sure it's not the only one either.



Re: Fingerprint Firefox Plugin?

2007-10-29 Thread Arcane Jill

-Original Message-
From: zooko [mailto:[EMAIL PROTECTED]
Sent: 24 October 2007 06:52
To: Arcane Jill
Cc: cryptography@metzdowd.com
Subject: Re: Fingerprint Firefox Plugin?


Please let us know how it works for you.


My experience is very positive. It seems to be /exactly/ what I want, because I
don't necessarily trust Verisign or Thawte or any of the other hundreds of
Root CAs which my browser trusts. I don't believe that every single one of them
would say no if some government, or military, or corporation with enough money,
asked/ordered them to issue a bogus certificate, but I do know that if that
were to happen, the fingerprint would change, and Petname Tool would flag me a
warning. It is an absolutely wonderful tool, as it moves trust from where it
doesn't belong (a bunch of faceless organisations whom I have no more reason to
trust than the websites I'm visiting) to where it does belong (in my own
hands). I love it!

I guess other people might want to know this, either because they need to adopt
the same security principles (if they are sound), or to criticize it (if not).

Arcane Jill



Fingerprint Firefox Plugin?

2007-10-23 Thread Arcane Jill
Can anyone tell me... is there a Firefox plugin which allows one to view the 
fingerprint of the SSL certificate of each page you visit (e.g. in the status 
bar or address bar or something)?


Better still if it can learn which ones you trust, but just being able to view 
them without having to jump through hoops would be a good start.


Arcane Jill



Re: Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
>   for (int i=r; ; i=(i+1)%M)

That's assuming integers of sufficient precision to store M, obviously.
Jill




Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
Hi,

It's possible I may be reinventing the wheel here, so my apologies if 
that's so, but it occurs to me that there's a defence against an offline 
dictionary attack on an encrypted file. Here's what I mean: Say you have 
a file, and you want to keep it secret. What do you do? Obviously you 
either encrypt it directly, or you store it in an encrypted volume 
(thereby encrypting it indirectly). Problem? Maybe an attacker can 
somehow get hold of the encrypted file or volume ... maybe your laptop 
gets stolen ... maybe other people have access to your machine. In 
principle, you're protected by your passphrase, but if an attacker can 
get hold of the file, they can try an offline dictionary attack to guess 
your passphrase, so unless you're very good at inventing high entropy 
passphrases /and remembering them without writing them down/, there may 
still be a risk.

Here's the defence:

To encrypt a file:
   Generate a random number R between 0 and M-1 (for some fixed M, a 
power of 256)
   Type in your passphrase P
   Let S = R || P (where || stands for concatenation)
   Let K = hash(S)
K is now your encryption key. R is to be thrown away.

To decrypt the same file:
   Generate a random number r between 0 and M-1
   Type in your passphrase P
   for (int i=r; ; i=(i+1)%M)
   {
   Let S = i || P
   Let K = hash(S)
   Try to decrypt using key K (stop when decryption succeeds)
   }
This places a computational burden on your PC at decrypt-time. The 
larger you choose M, the more CPU time it will take to figure out K. So, 
you choose M such that it takes your PC about one second to find K, then 
your attacker will experience the same burden - but multiplied a 
squillionfold (a "squillion" being the entropy of your passphrase). This 
means that even if your passphrase consists of just two words from a 
dictionary, /and/ your attacker suspects this, it will still take him or 
her over a hundred and fifty years to decrypt (assuming your attacker 
has a PC of equivalent power). Even if your attacker has a faster PC 
than you, it will still be relatively easy to pick a 
strong-yet-memorable passphrase, since better tech can only ease the 
attacker's problem, not remove it. All of a sudden, weak passphrases 
turn into strong ones, and strong passphrases turn into computationally 
infeasible ones.

Is this useful?
Has anyone come up with it before? (Someone must have ... but I don't 
recall seeing the technique used in applications)

Jill

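The scheme from the post as a runnable sketch, added here and not code from the post: a hidden salt R of SALT_BYTES bytes (so M = 256**SALT_BYTES) is hashed with the passphrase and then discarded, and decryption searches all M candidates starting from a random r. The cipher (SHA-256 in counter mode XORed with the data) and the HMAC tag that tells decrypt() it has found the right K are my assumptions, not part of the post.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 2                 # R is 2 bytes, so M = 256**2 = 65536 candidate salts
M = 256 ** SALT_BYTES          # raise SALT_BYTES until a search takes ~1 s on your PC


def derive_key(r: int, passphrase: str) -> bytes:
    # K = hash(R || P), with R encoded as fixed-width big-endian bytes
    s = r.to_bytes(SALT_BYTES, "big") + passphrase.encode("utf-8")
    return hashlib.sha256(s).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy cipher (assumption): SHA-256 in counter mode XORed with the data
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt(plaintext: bytes, passphrase: str) -> bytes:
    r = secrets.randbelow(M)   # R is never written anywhere: "thrown away"
    k = derive_key(r, passphrase)
    ct = keystream_xor(k, plaintext)
    tag = hmac.new(k, ct, "sha256").digest()   # lets decrypt() recognise the right K
    return tag + ct


def decrypt(blob: bytes, passphrase: str):
    """Return (plaintext or None, number of candidate keys tried)."""
    tag, ct = blob[:32], blob[32:]
    r = secrets.randbelow(M)   # random starting point, as in the post
    for tries in range(1, M + 1):
        i = (r + tries - 1) % M
        k = derive_key(i, passphrase)
        if hmac.compare_digest(hmac.new(k, ct, "sha256").digest(), tag):
            return keystream_xor(k, ct), tries
    return None, M             # wrong passphrase: all M hashes are spent before giving up
```

The last line is the point of the scheme: a wrong guess cannot be rejected early, so every passphrase the attacker tries costs the full M key derivations, while the legitimate user pays M/2 on average.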


RE: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-08 Thread Arcane Jill
Okay, okay. I've got the message. I give in.

The toolkit will be distributed with the most generous, most liberal 
license possible. This means that (basically) anyone can do pretty much 
anything with it, including release binaries compiled with it.

I'm happy with this decision. It means that if Alice wishes to trust 
software written or modified by Eve (or Mallory, etc.), then she is 
perfectly entitled to do so. It is up to Alice to choose her own threat 
model, not me. The bottom line is, everyone has the right to choose whom 
they trust ... even if they're wrong. (After all, I can hardly demand 
that right for myself and then deny it to others, can I?).

Jill (Ramonsky ... sending from new email address)

Oh yeah, one last thing

> -Original Message-
> From: Rich Salz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2003 4:19 PM
> To: Jill Ramonsky
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Open Source (was Simple SSL/TLS - Some Questions)
>
>
> I think that rather than spending time on deciding what to call this
> library that is to-be-written, and how to license this library that is
> to-be-written, that time should be spent on, well, writing it. :)
> /r$
Aha - I'm ahead of you there. I've already started. But more than one 
person advised me to not talk about code until at least one third of it 
was finished, in order to avoid real-time discussions about how code 
"should" be written. If I am silent on the coding progress, rest assured 
it doesn't mean I'm not doing anything.

On the other hand, I /could/ post progress reports if people wanted. I 
have absolutely no idea whether that would be considered appropriate or 
not. I'm open to suggestion.

Jill
