Re: Anyone know anything about the new AT&T encrypted voice service?

2010-10-06 Thread David G. Koontz
On 7/10/10 11:19 AM, Perry E. Metzger wrote:
 AT&T debuts a new encrypted voice service. Anyone know anything about
 (Hat tip to Jacob Applebaum's twitter feed.)
AT&T to Offer First Carrier-Provided, Two Factor Encryption Service for

AT&T Encrypted Mobile Voice Service uses Powerful Combination of Hardware
and Software to Enable Voice Calls with High-Level Security
Dallas, Texas, October 06, 2010


AT&T* today launched AT&T Encrypted Mobile Voice, the first carrier-provided
two factor encryption service, which provides high-level security features
for calls on the AT&T wireless network. The service is targeted at
government agencies, law enforcement organizations, financial services
institutions and international businesses.
AT&T Encrypted Mobile Voice combines KoolSpan’s TrustChip® and SRA
International’s One Vault Voice™ into the first carrier-provided two-factor
encryption solution. TrustChip is a fully hardened, self-contained crypto
engine inserted into the smartphone’s microSD slot. Embedded with AT&T
TrustGroup, the KoolSpan TrustChip offers the strength of additional
hardware authentication, enables encrypted calling interoperability with a
defined group of other AT&T TrustGroup users and can be managed over-the-air.
AT&T Encrypted Mobile Voice supports BlackBerry® smartphones and Windows®
Phones on the AT&T wireless network. Unlike other encrypted voice systems,
AT&T Encrypted Mobile Voice is not limited by availability of legacy Circuit
Switched Data coverage and can operate in the over 190 countries globally
where AT&T provides data roaming.

AT&T Encrypted Mobile Voice meets the government information classification
standards for Controlled Unclassified Information, offering The National
Institute of Standards and Technology (NIST) FIPS 140-2 validation.
It would appear to be susceptible to the FBI's proposed law on making plain
text available.

It's OEM'd:

Linux is supported in the TrustChip Developer Kit


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

Re: Obama administration revives Draconian communications intercept plans

2010-09-27 Thread David G. Koontz
On 28/09/10 1:26 AM, Perry E. Metzger wrote:

 From the New York Times, word that the Obama administration wants to
 compel access to encrypted communications.

Someone should beat up the FBI for using specious arguments:

 But as an example, one official said, an investigation into a drug cartel 
 earlier this year was stymied because smugglers used peer-to-peer software,
 which is difficult to intercept because it is not routed through a central
 hub. Agents eventually installed surveillance equipment in a suspect’s
 office, but that tactic was “risky,” the official said, and the delay
 “prevented the interception of pertinent communications.”

You could note that the communications either went through a phone system or
through an ISP. The qualifier 'delay prevented the interception of
pertinent communications' means they couldn't get a wiretap instantly.
Seems they wouldn't either if they asked for a court order first.

This sort of argumentation is why privacy advocates won in the Clipper
debate.  The FBI isn't arguing 'for' rationally, but then again they'd
probably have a hard time winning without resorting to propaganda.

 And their envisioned decryption mandate is modest, they contended, because
 service providers — not the government — would hold the key.

 “No one should be promising their customers that they will thumb their nose
  at a U.S. court order,” Ms. Caproni said. “They can promise strong
 encryption. They just need to figure out how they can provide us plain text.”

Sounds like an effort to legitimize and institutionalize the ability of
government to perform SSL MITM with service providers footing the bill.

There's also a Declan McCullagh article, "Report: Feds to push for Net
encryption backdoors."


Obama administration wants encryption backdoors for domestic surveillance

2010-09-27 Thread David G. Koontz

A good first point of interest clearinghouse site for the issue can be found
on Boing Boing.

It points to a Glenn Greenwald article on Salon and the ACLU.

There's also a nice piece at the Cato Institute
Designing an Insecure Internet

Feds Frustrated With Their Inability to Wiretap This Here New-Fangled
Internet Thing

Seems the underdogs in the Crypto Wars still have strong feelings, and now a
lot of them are part of mainstream media.

Government Seeks Back Door Into All Our Communications

The CDT and EPIC web sites haven't been updated yet.

I'd expect once a lot of people get the chance to do some digging we'll see
some 'entertaining' articles show up on the web.


Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread David G. Koontz
On 14/09/10 3:58 PM, John Gilmore wrote:
 In describing the motivation behind Intel's recent purchase of McAfee
 for a packed-out audience at the Intel Developer Forum, Intel's Paul
 Otellini framed it as an effort to move the way the company approaches
 security from a known-bad model to a known-good model. Otellini went
 on to briefly describe the shift in a way that sounded innocuous
 enough--current A/V efforts focus on building up a library of known
 threats against which they protect a user, but Intel would like to
 move to a world where only code from known and trusted parties runs on
 x86 systems.

The 'approved application' security model doesn't have to be ubiquitous
any more than the iOS application restrictions on iDevices extend to Mac OS
X.  Just yesterday I tripped across a media item saying Nvidia's Tegra 2 was
being replaced by an Intel Atom CE4100 (due to lack of performance for Full
HD output).

If you look in the August 20th Business Week article

  “As we look at all of the growth areas for Intel silicon, one of the
  consistent purchase criteria for both IT managers and consumer is
  security,” Renee James, the head of Intel’s software division, said in an
  interview yesterday. “This is a pretty natural step for us.”

Growth areas for Intel silicon aren't in the PC market, which is saturated;
Intel is producing silicon to compete with ARM CPUs in mobile and appliance

  “The number of new security threats identified every month continues to
  rise,” Otellini said. “We have concluded that security has now become the
  third pillar of computing, joining energy-efficient performance and
  Internet connectivity in importance.”

Energy-efficient implies portability.  And:

  Intel will have to persuade customers they need security in non-PC
  electronics in much the same way it has convinced businesses and
  consumers that they required chips that speed computing tasks or ensure
  seamless wireless connections.

Owning an antivirus software company is probably a good license to
scaremonger. It's likely McAfee will suddenly start detecting threats and
offering solutions.


  “As we move from a PC-centric era to a mobile-centric era, Intel needs to
  take advantage of every opportunity to expand its footprint into that

The gist of the article is that the intent is for new Intel markets.  In
other words there's more to mobile and appliance computing than dreamed
about in Mr. Gates' philosophy, wherein Microsoft has moved in the antivirus
market for PCs, haven't they?  (Microsoft Security Essentials).  In a
saturated PC market the McAfee adoption rate has probably been stagnating or
dropping, signaling the need for new markets, hence the company being
available for purchase.

There doesn't appear to be enough information to state what Intel plans
authoritatively, but it does bring into question Windows Mobile 7 adoption

Also when (web) content contains programming (javascript, etc.) you'd be
faced with the necessity of certifying everyone's content (including blogs)
or impinging on First Amendment uses of the Internet.  It's unlikely the
entire Internet would be transformed into commercial outlets for goods and
services, while providing the means for walled city marketing in specific
products appears the hot new thing.

While vigilance to impingement of rights is always a good thing, there's
evidence for the meat of the issue to fall on the other side of the razor's


Re: About that Mighty Fortress... What's it look like?

2010-08-17 Thread David G. Koontz
On 18/08/10 3:46 AM, Peter Gutmann wrote:
 Alexander Klimov writes:
 Each real-time check reveals your interest in the check. What about privacy

 (Have you ever seen a PKI or similar key-using design where anyone involved in
 speccing or deploying it genuinely cares about privacy implications?  Not only
 have I never seen one, I've even been to a talk at a conference where someone
 was criticised for wasting time on privacy concerns).

(You may have opened your question too wide).

Privacy against whom?  There were enough details revealed about the key
escrow LEAF in Clipper to see that the operation derived from over-the-air
transfer of keys in Type I applications.  The purpose was to keep a back
door private for use of the government.  The escrow mechanism was an
involution of PKI.

There were of course concerns as evinced in the hearing under the 105th
Congress on 'Privacy in the Digital Age: Encryption and Mandatory Access
Hearings', before the Subcommittee on the Constitution, Federalism, and
Property Rights, of the Committee on The Judiciary, United States Senate in
March 1998.  These concerns were on the rights of privacy for users.

Clipper failed primarily because there wasn't enough trust that the privacy
wouldn't be confined to escrow agents authorized by the Judiciary.  The
Federal government lost credibility through orchestrated actions by those
with conscience concerned over personal privacy and potential government abuse.

Privacy suffers from lack of legislation and is only taken seriously when the
threat is pervasive and the voters are up in arms.


Re: Cars hacked through wireless tire sensors Another paper plus USENIX SEC10 proceedings

2010-08-15 Thread David G. Koontz
What looks to be an applicable paper.  Not the same set of authors as
the earlier reference to USENIX.

Experimental Security Analysis of a Modern Automobile
Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and
Tadayoshi Kohno
Department of Computer Science and Engineering University of Washington
Seattle, Washington 98195–2350
Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham,
and Stefan Savage
Department of Computer Science and Engineering University of California San
Diego La Jolla, California 92093–0404

Abstract— Modern automobiles are no longer mere mechanical devices; they
are pervasively monitored and controlled by dozens of digital computers
coordinated via internal vehicular networks. While this transformation has
driven major advancements in efficiency and safety, it has also introduced
a range of new potential risks. In this paper we experimentally evaluate
these issues on a modern automobile and demonstrate the fragility of the
underlying system structure. We demonstrate that an attacker who is able to
infiltrate virtually any Electronic Control Unit (ECU) can leverage this
ability to completely circumvent a broad array of safety-critical systems.
Over a range of experiments, both in the lab and in road tests, we
demonstrate the ability to adversarially control a wide range of automotive
functions and completely ignore driver input — including disabling the
brakes, selectively braking individual wheels on demand, stopping the
engine, and so on. We find that it is possible to bypass rudimentary network
security protections within the car, such as maliciously bridging between
our car’s two internal subnets. We also present composite attacks that
leverage individual weaknesses, including an attack that embeds malicious
code in a car’s telematics unit and that will completely erase any evidence
of its presence after a crash. Looking forward, we discuss the complex
challenges in addressing these vulnerabilities while considering the
existing automotive ecosystem.

Appears in 2010 IEEE Symposium on Security and Privacy. See for more information.

There's also a FAQ on the paper:

Add electronic throttle and steer by wire (ala Lexus LS460) and I see an App
Store app getting popular for those James Bond back seat drivers.

The USENIX Security Symposium
lists the paper referenced in Ars Technica under Real-World Security as

Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire
Pressure Monitoring System Case Study (P. 323)

Ishtiaq Rouf, University of South Carolina, Columbia; Rob Miller, Rutgers
University; Hossen Mustafa and Travis Taylor, University of South Carolina,
Columbia; Sangho Oh, Rutgers University; Wenyuan Xu, University of South
Carolina, Columbia; Marco Gruteser, Wade Trappe, and Ivan Seskar, Rutgers

The USENIX SEC10 Paper
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire
Pressure Monitoring System Case Study

Ishtiaq Rouf et al. is available at:

It is also found in the two page layout PDF of the USENIX SEC10 proceedings
 (20 MB)

(Referred papers are available individually)

or the epub versions:  (16 MB)

Readable with the Firefox EPUBReader add-on, the epub is not encrypted,
meaning you can extract quotes or cites easily and access the papers as HTML
files found in the epub (zip) archive.  The quality is excellent.

Also in  a mobi version, the proceedings are just chocka full of other
interesting things, too.


After spyware fails, UAE gives up and bans Blackberries

2010-08-02 Thread David G. Koontz
By John Timmer

Discussing in general terms RIM's Blackberry email server connections to
their servers in Canada's encryption resistance to United Arab Emirates
monitoring efforts when used by enterprise customers (bankers).

From the article:

  Why the apparent ire is focused on the devices themselves rather than
  the general approach isn't clear. An SSL connection to an offshore e-mail
  server would seem to create just as much trouble as RIM's approach, but
  there don't seem to be any efforts afoot to clamp down on other
  smartphone platforms.

The first thing that comes to mind is SSL MITM interception.  Has the UAE
compelled Etisalat to aid in MITM?

You might expect a government to be a bit more subtle dancing around
plausible deniability.  Enough concerns and the 'marks' just may develop
alternative means.


Re: Crypto dongles to secure online transactions

2009-11-10 Thread David G. Koontz
Jerry Leichter wrote:
 On Nov 8, 2009, at 2:07 AM, John Levine wrote:
 At a meeting a few weeks ago I was talking to a guy from BITS, the
 e-commerce part of the Financial Services Roundtable, about the way
 that malware infected PCs break all banks' fancy multi-password logins
 since no matter how complex the login process, a botted PC can wait
 until you login, then send fake transactions during your legitimate
 session.  This is apparently a big problem in Europe.

 I told him about an approach to use a security dongle that puts the
 display and confirmation outside the range of the malware, and
 although I thought it was fairly obvious, he'd apparently never heard
 it before.
 Wow.  *That's* scary.
IBM Zone Trusted Information Channel (ZTIC)
A multi-line display and two buttons (approve/disapprove)

More and more attacks to online banking applications target the user's home
PC, changing what is displayed to the user, while logging and altering key


In order to foil these threats, IBM has introduced the Zone Trusted
Information Channel (ZTIC), a hardware device that can counter these attacks
in an easy-to-use way. The ZTIC is a USB-attached device containing a
display and minimal I/O capabilities that runs the full TLS/SSL protocol,
thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device
(thus requiring no driver installation) and starting a pass-through proxy
configured to connect with pre-configured (banking) Websites. After starting
the ZTIC proxy, the user opens a Web browser to establish a connection with
the bank's Website via the ZTIC. From that moment on, all data transmitted
between browser and server pass through the ZTIC; the SSL session is
protected by keys maintained only on the ZTIC and, hence, is inaccessible to
malware on the PC (see usage and technical operation animations, which
illustrate how the ZTIC works).



There's a video clip. (HD and low

It puts the onus on the user for approval of malware driven transactions.
(animated illustration)

Our Land Transport New Zealand agency (like the DMV) uses
POLi for making on line transactions.  Apparently POLi uses the very same
techniques to provide transaction confirmation to a third party, as are used
by malware to interject data into transactions or steal information.

There should be no reason a ZTIC like device couldn't be used to provide
authentication to a third party as well, the idea being your car license
renewal etc. transaction isn't confirmed until the bank completes the
payment transaction.

Browsers compartmentalizing connections in the equivalent of sandboxes, as
done by Chrome, would, while defending against malware attacks, make POLi
impossible without something like ZTIC.  POLi currently has other
dependencies on Windows.  It strikes me as insecure today, using the same
features exploited by malware.  (POLi/Centricom used to do routers and the like)
The POLi service now operates in three countries around the world:
Australia, New Zealand and the UK.

You'd think the solution would be cost sensitive.

Internet banking is big here too.  As is phone banking and cell phone
message based transactions.  You have to subscribe (thankfully).  We get our
share of fake ATM fronts and the like.

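The property the ZTIC description above relies on, that the device signs only what its own display showed and approved, as an added toy model (not IBM's code; the session key, transaction, bank and "user" callback are all constructed here, and an HMAC stands in for the device-terminated TLS session):

```python
"""Toy model of a ZTIC-style confirmation channel (added example, not IBM code).

The device holds a session key the PC never sees, renders each transaction on
its own display, and authenticates only what the user approved there. Malware
on the PC can still alter what the browser shows or sends, but it cannot make
the bank accept a transaction the device display did not show. The key, the
transaction and the 'user' callback below are all constructed for this example.
"""
import hashlib
import hmac


def canonical(txn):
    """The exact text the device shows and the bank re-derives."""
    return f"PAY {txn['amount']} TO {txn['payee']}"


class TrustedDevice:
    def __init__(self, session_key, button):
        self._key = session_key     # never leaves the device
        self._button = button       # user's approve/deny press, given the display
        self.display = []           # log of what the user actually saw

    def confirm(self, txn):
        """Show the transaction; return an authenticated message only if approved."""
        text = canonical(txn)
        self.display.append(text)
        if not self._button(text):
            return None
        tag = hmac.new(self._key, text.encode(), hashlib.sha256).hexdigest()
        return {"txn": dict(txn), "mac": tag}


class Bank:
    def __init__(self, session_key):
        self._key = session_key

    def accept(self, msg):
        """Accept only if the MAC matches the transaction as received."""
        expected = hmac.new(self._key, canonical(msg["txn"]).encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["mac"])


def run(txn_from_pc, button, tamper_in_transit=None):
    """One transaction through PC -> device -> (possibly hostile PC) -> bank."""
    key = b"constructed-session-key"         # stands in for the TLS session keys
    device, bank = TrustedDevice(key, button), Bank(key)
    msg = device.confirm(txn_from_pc)
    if msg is None:
        return "declined on device"
    if tamper_in_transit:
        tamper_in_transit(msg)               # malware on the PC edits the message
    return "accepted" if bank.accept(msg) else "rejected by bank"


def careful_user(text):
    """Constructed user: presses approve only for the amount they intended."""
    return text.startswith("PAY 20.00 ")


def honest_flow():
    return run({"amount": "20.00", "payee": "Land Transport NZ"}, careful_user)


def tamper_after_approval():
    def bump(msg):
        msg["txn"]["amount"] = "2000.00"     # altered after the device signed it
    return run({"amount": "20.00", "payee": "Land Transport NZ"}, careful_user, bump)


def tamper_before_display():
    # Malware altered the request before it reached the device, so the device
    # display shows 2000.00 and the careful user declines.
    return run({"amount": "2000.00", "payee": "Land Transport NZ"}, careful_user)


if __name__ == "__main__":
    print(honest_flow(), "|", tamper_after_approval(), "|", tamper_before_display())
```

The third scenario is the residual weakness the post points at: the device moves the approval decision out of the malware's reach, but a user who approves whatever the display shows gives that protection away.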

Re: full-disk subversion standards released

2009-02-01 Thread David G. Koontz
Peter Gutmann wrote:
 John Gilmore writes:
 The theory that we should build good and useful tools capable of monopoly
 and totalitarianism, but use social mechanisms to prevent them from being
 used for that purpose, strikes me as naive.
 There's another problem with this theory and that's the practical
 implementation issue.  I've read through... well, at least skimmed through the
 elephantine bulk of the TCG specs, and also read related papers and
 publications and talked to people who've worked with the technology, to see
 how I could use it as a crypto plugin for my software (which already supports
 some pretty diverse stuff, smart cards, HSMs, the VIA Padlock engine, ARM
 security cores, Fortezza cards (I even have my own USG-allocated Fortezza ID
 :-), and in general pretty much anything out there that does crypto in any
 way, shape, or form).  However after detailed study of the TCG specs and
 discussions with users I found that the only thing you can really do with
 this, or at least the bits likely to be implemented and supported and not full
 of bugs and incompatibilities, is DRM.

You could note a certain overlap between the promoters of Digital Content
Protection and the Trusted Computing Group:
Nearly 400 leading companies license the technology, including the following:

Semiconductor: AMD, Analog Devices, Intel, Silicon Image
PC Companies: HP, Microsoft, Lenovo, Toshiba
Consumer Electronics: Panasonic, Samsung, Sony

Current Members

Promoter: Fujitsu Limited, IBM, Infineon, Intel Corporation, Lenovo Holdings
Limited, Microsoft, Seagate Technology, Sun Microsystems, Inc., Wave Systems
Contributor: Panasonic, Samsung Electronics Co., ..., Sony Corporation, ...,
Toshiba Corporation

The costs and economy of scale say at some point all the disk drives will be
capable of FDE, whether or not it is enabled (whether or not you pay for the
'extra' feature).  The distinction is the added cost of testing the
encryption versus the cost of two different testing regimes, when silicon is
typically pin bound defining area and cost.  The same integration cost
advantages make the likes of HDMI close to zero cost to the television media

Enterprise 'platform owners' have the capability of assuming control of the
attestation chain, while 'personal computing' might have few opportunities
other than to allow the likes of an operating system vendor to provide
control 'in loco parentis' for the naive consumer.  Loss of control of
personal computing would come about by seduction - the offer of benefits in
exchange for more of the camel edging under the tent skirt.  More's the pity
if it offers competitive advantage excluding open source.  You'd think video
content providers would be anxious for a way to provide secure delivery of
content via download.  Being able to stick video onto a disk protected by a
plus thirteen Mage DMCA spell would be a definite benefit.

I'd also imagine we'll see vulnerabilities that will allow content recovery.
Getting 'secure' computing requires a secure operating system.  Building a
computer secure against end user tampering would incur high adoption costs
that wouldn't be supportable in the marketplace.  To borrow and mutilate a
turn of phrase from Bruce, what we get is Kabuki security theater with the
commensurate tendency toward prostitution.

All that said and done, people may still well end up with better security -
data encrypted at rest.  I'd think fighting DRM would be a separate battle
from opposing FDE.  It may be worthwhile to show systemic vulnerabilities
that despite the encryption threaten 'content protection', because
while DRM's proponents like to provide a stylized threat model the real
world doesn't match up.  The enterprise is able to leverage further
behavioral limits on users' actions during platform operation and the Trusted
Computing threat model allows users within the cryptographic boundary
(undoubtedly due to the cost of exclusion).  Additional behavioral limits
aren't available for the DRM usage model, and there is nothing stopping the
malevolent end user from monitoring unencrypted data from a drive for example.

Trusted Computing may never be suitable for DRM either.  I'd expect an
enterprise would field a carefully selected configuration that they could
manage to make work for their purposes.   DRM has to work for any

Re: Obama's secure PDA

2009-01-29 Thread David G. Koontz
Jerry Leichter wrote:

 I commented earlier that $3200 seemed surprisingly cheap.  One of the
 articles on this claimed this was absurdly expensive - typical DoD gold
 plating.  Well ... the real price of a standard Blackberry is a couple
 of hundred dollars, and put one in a room with a speaker phone and
 listen to the famous Blackberry buzz.  Shielding these things, even to
 avoid obvious interference, is *not* easy.  Getting it to Tempest specs
 must take some impressive engineering.  For a non-mass-market device
 with that kind of engineering, $3200 seems pretty cheap.

Quite a few TEMPEST approved devices are rather innocuous looking these
days, the PDA a case in point.  Having been present during the big TEMPEST
adoption in the military (early 70's) and the introduction of FCC Part 15
(late 70's) I'd think that shielding requirements for compromising
emanations are at least extremely closely related to EMI prevention. There's
also Red/Black separation, electrical and physical isolation between
circuitry carrying classified signals and those not.  If I were to hazard a
guess TEMPEST requirements are close to those found for VDE/CE approval
today (a bit more stringent than FCC).

I would expect that the reason for 'approved' cables has to do with ensuring
construction to an approved standard, perhaps with some actual testing thrown
in.  The amount of shielding required in cabling is on par with the use of
shielded twisted pairs.  The additional cost of TEMPEST approved equipment
primarily comes from design testing and certification.  The engineering is
otherwise on par with COTS best practices (today).

I used to work on a non-HY-11 CVSD secure voice link utilizing a KG-13/TSEC
Key Generator, used in support of what we publicly know now as the National
Reconnaissance Office.  Got a late night call from the security officer
complaining about picking up an AM radio station on the secure phone
handset.  The installation had a plan, nice Red/Black separation, ferrous
conduits enclosing cabling, physical distance separations, power line
filtering and separate power circuits, the whole nine yards.  To make a long
story short it was picking up the radio station because of a ground loop in
the shield for the receive phone pair and a cold solder joint.  Re-flowing
the solder joint was sufficient to stop the impromptu crystal radio, and I
broke the ground loop as well and sent off an annotated copy of the
installation wiring diagram to the engineer who did the installation plan.
The ground loop mixed inside and outside grounds exposing the shield for the
receive pair to broadcast signals, this particularly strong local AM station
in point.  The cold solder joint acted as a rectifier.

Working a few years later for a local video game company, one late night I
had occasion to listen to the same AM station on the speaker of an arcade
video game we were prototyping.  That was cured by twisting a pair in the
wiring harness.  The next year FCC Part 15 was slated to go into effect and
was causing all sorts of industry panic. A year or two later we were still
seeing significant EMI from computer equipment.  My upstairs neighbor's
Apple II used to cause some serious interference with my TV reception using
a pair of rabbit ears; some of the biggest EMI culprits for the longest time
were power supplies.

Today your desktop or laptop PC is generating a significant amount of power
across various portions of the spectrum including up into the Giga Hertz
range.  The amount of EMI produced is closely on par with TEMPEST approved
equipment, and the greatest threat to producing EMI or compromising
emanations (following the demise of CRT displays) is cabled peripherals. The
difference is that it isn't TEMPEST certified, nor has it necessarily been
designed with Red/Black separation in mind.

There'd be strong motivation to use tested and approved cables in classified
data handling equipment.  The reduction in EMI for any equipment is
largely due to management of signal and power return paths, reduction in
power by using smaller signal amplitudes, lower edge rates (rise and fall
times as opposed to data rate), filtering and where necessary shielding.
Connect one little cheap cable and the next thing you know someone is
complaining about receiving AM broadcasts on their fancy (and expensive)
secure voice system, or worse, being surveilled without knowing it.

I'm not surprised you can hear a Blackberry with a speaker phone.  It's got
a radio transmitter, and more than likely the speaker phone has an RJ-11
connector on a long straight conductor cable.  As a guess we'd be talking
about a Blackberry within a couple of meters, and that phone wire strung
across a conference table before reaching the floor.

You could note a preponderance of phone sensitivity due to proximity (Page
10).  A secure handset will do the same thing.  

Researchers Show How to Forge Site Certificates |

2008-12-30 Thread David G. Koontz

 By Ed Felten - Posted on December 30th, 2008 at 11:18 am

Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov,
Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David
Molnar) announced that they have found a way to forge website certificates
that will be accepted as valid by most browsers. This means that they can
successfully impersonate any website, even for secure connections.


Through the use of MD5 collisions.  The slides from the presentation are
available here:

The presentation entitled MD5 considered harmful today, Creating a rogue CA

The collisions were found with a cluster of 200 PlayStation 3's. (slide
number 3, see slide number 25 for a picture of the cluster, a collision
taking one to two days)

They apparently did a live demo using forged certificates in a man in the
middle attack using a wireless network during the demonstration with access
by the audience. (slide number 5)

 CAs still using MD5 in 2008:  (slide number 19)
  - RapidSSL
  - FreeSSL
  - TrustCenter
  - RSA Data Security
  - Thawte

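The defender's counterpart to the list of CAs above is checking what actually signed the certificates you trust. The following is an added example, not code from the researchers or the post: a minimal DER reader that pulls the signatureAlgorithm OID out of an X.509 certificate and flags MD5 (and MD2) signatures. The certificate built by constructed_cert() is a constructed stand-in with dummy body and signature bytes; the OIDs are the real PKCS#1 values.

```python
"""Flag DER/PEM X.509 certificates whose outer signature algorithm is MD5-based.

Added example (not from the talk or the list post). The DER parser is minimal
and the sample certificate built by constructed_cert() is a dummy, not a real
certificate; only the signatureAlgorithm field is meaningful.
"""
import base64

# PKCS#1 signature-algorithm OIDs (real values).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, contents):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def decode_oid(contents):
    """Decode DER OID contents to dotted form."""
    parts, acc = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def encode_oid(dotted):
    """Encode a dotted OID to DER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm_oid(der):
    """Return the dotted OID from Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    return decode_oid(oid)


def assess(der):
    """Classify the signing algorithm; 'weak' is True for MD2/MD5 signatures."""
    oid = signature_algorithm_oid(der)
    return {"oid": oid, "algorithm": KNOWN_SIG_OIDS.get(oid, "unknown"),
            "weak": oid in WEAK_SIG_OIDS}


def constructed_cert(sig_oid):
    """Build a certificate-shaped DER blob for testing (constructed, not real)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                 # dummy tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xab" * 128)             # dummy signature bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(assess(constructed_cert(oid)))
```

Run assess() over each certificate in a chain, not just the leaf: the rogue CA in the talk works because an intermediate was MD5-signed, so a SHA-based leaf under it proves nothing.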

Researchers Use PlayStation Cluster to Forge a Web Skeleton Key

2008-12-30 Thread David G. Koontz

More coverage on the MD5 collisions.


Steve Bellovin on the MD5 Collision attacks, more on Wired

2008-12-30 Thread David G. Koontz

Steve mentions the social pressures involved in disclosing the vulnerability:

Verisign, in particular, appears to have been caught short. One of the CAs
they operate still uses MD5. They said:

The RapidSSL certificates are currently using the MD5 hash function
  today. And the reason for that is because when you're dealing with
  widespread technology and [public key infrastructure] technology, you have
  phase-in and phase-out processes that can take significant periods of
  time to implement.

[4 years?]

Legal pressure? Sotirov and company are not hackers; they're respected
researchers. But the legal climate is such that they feared an injunction.
Nor are such fears ill-founded; others have had such trouble. Verisign isn't
happy: We're a little frustrated at Verisign that we seem to be the only
people not briefed on this. But given that the researchers couldn't know
how Verisign would react, in today's climate they felt they had to be cautious.

This is a dangerous trend. If good guys are afraid to find flaws in fielded
systems, that effort will be left to the bad guys. Remember that for
academics, publication is the only way they're really paid. We need a
legal structure in place to protect security researchers. To paraphrase an
old saying, security flaws don't crack systems, bad guys do.


The researchers provided information under NDA to browser manufacturers and
Microsoft contacted Verisign providing no real details
(the Wired article):

Callan confirms Verisign was contacted by Microsoft, but he says the NDA
prevented the software-maker from providing any meaningful details on the
threat. We're a little frustrated at Verisign that we seem to be the only
people not briefed on this, he says.

The researchers expect that their forged CA certificate will be revoked by
Verisign following their talk, rendering it powerless. As a precaution, they
set the expiration date on the certificate to August 2004, ensuring that any
website validated through the bogus certificate would generate a warning
message in a user's browser.


The 2007 paper

Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different
Identities, Marc Stevens, Arjen Lenstra, and Benne de Weger

(also from the Wired article)


Nate Lawson's comments
To paraphrase Gibson, “Crypto security is available already, it just isn’t
equally distributed.”

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

Re: CPRNGs are still an issue.

2008-12-18 Thread David G. Koontz
Charles Jackson wrote:

 I probably should not be commenting, not being a real device guy.  But,
 variations in temperature and time could be expected to change SSD timing.
 Temperature changes will probably change the power supply voltages and shift
 some of the thresholds in the devices.  Oscillators will drift with changes
 in temperature and voltage.  Battery voltages tend to go down over time and
 up with temperature.  In addition, in some systems the clock frequency is
 purposely swept over something like a 0.1% range in order to smooth out the
 RF emissions from the device.  (This can give a 20 or 30 dB reduction in
 peak emissions at a given frequency.  There is, of course, no change in
 total emissions.)
 Combine all of these factors, and one can envision the SSD cycles taking
 varying numbers of system clock ticks and consequently the low order bits of
 a counter driven by a system clock would be random.  However, one would
 have to test this kind of entropy source carefully and would have to keep
 track of any changes in the manufacturing processes for both the SSD and the
 processor chip. 
 Is there anyone out there who knows about device timing that can say more?  

As a chip wonk, without addressing SSD operational timing directly, how much
a clock can change is dependent on the accuracy over a period of time
sufficient to be off by one or more clocks, implying long counter chain
timing - slow entropy accumulation at best.  Worse still, the error value
when compared to an outside clock source would tend to be at a fixed rate,
although you see minor variations based on temperature and voltage.  The
same things that make power analysis a valid attack also influence
temperature and voltage.  I'd expect you could manipulate second order
effects by how the system is operated. Other than effects on frequency,
temperature and voltage affect switching thresholds which can cause
variability in delay in particular when crossing clock domains.  These
threshold delays can be strongly correlated.

Dithered clocks are intended to only fool spectrum analyzers measuring peak
power and are not based on entropy or second order effects.  A PLL feedback
pattern is typically masked by applying the output of a counter and look up
table or combinatoric circuit.  There is no disparity generated long term in
clock high and low bauds, the counter makes the dithering periodic.  Think
short PRNG cyclically applying clock edge offsets and hitting all the
positive and negative offsets equally.

The two don't strike me as sufficient to construct an adequate ergodic system.

Using a HDD as an 'entropy' source is based on operating an ergodic system
where the preceding state is not readily predictable.   The variability is
based in part on sectors and cylinders, angular velocity, disk position and
head position.  All that variability can collapse in an SSD.  Trying to rely
on remaining secondary effects for loss of predictability could be countered
by eliminating or reducing them.  We design systems to not be readily
influenced by secondary effects in the first place.
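An added simulation (not part of the thread, and not anyone's product code) of the two sources the post contrasts: a periodic dither driven by a counter and lookup table, versus unpredictable per-event jitter. It harvests the low-order bits of a tick counter from each and shows that the dithered source looks fine on a per-symbol histogram while its next value is fully predictable from the previous two; the lookup table, tick counts and seed are constructed values.

```python
"""Constructed model of 'low-order counter bits as entropy' (added example).

Two event-timing sources feed a free-running tick counter:
  * a periodic spread-spectrum dither (counter + lookup table, as the post
    describes), and
  * per-event jitter drawn from a seeded PRNG, standing in for genuinely
    unpredictable timing variation.
All tick counts and table values are constructed for illustration.
"""
import math
import random
from collections import Counter, defaultdict

# Constructed dither table: symmetric offsets that sum to zero, so there is
# no long-term disparity (all positive and negative offsets hit equally).
DITHER_LUT = [0, 1, 2, 1, 0, -1, -2, -1]
TICKS_PER_EVENT = 16    # nominal system clock ticks per device cycle
LOW_BITS = 3            # how many low-order counter bits are harvested


def dithered_offsets(n, lut=DITHER_LUT):
    """Periodic dither: a counter indexes a fixed table, as in a dithered PLL."""
    return [lut[i % len(lut)] for i in range(n)]


def jittered_offsets(n, seed=1234, spread=2):
    """Stand-in for unpredictable per-event timing variation (seeded PRNG)."""
    rng = random.Random(seed)
    return [rng.randint(-spread, spread) for _ in range(n)]


def harvest_low_bits(offsets, ticks_per_event=TICKS_PER_EVENT, bits=LOW_BITS):
    """Run a tick counter through the events and keep its low-order bits."""
    mask = (1 << bits) - 1
    counter, samples = 0, []
    for off in offsets:
        counter += ticks_per_event + off
        samples.append(counter & mask)
    return samples


def min_entropy_per_symbol(samples):
    """Histogram-only estimate: -log2 of the most frequent symbol's frequency."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def conditional_min_entropy(samples, context=2):
    """Guessing estimate: how often does the most likely successor of each
    context actually occur?  Zero means the next sample is fully predictable."""
    successors = defaultdict(Counter)
    for i in range(context, len(samples)):
        successors[tuple(samples[i - context:i])][samples[i]] += 1
    total = sum(sum(c.values()) for c in successors.values())
    p_guess = sum(max(c.values()) for c in successors.values()) / total
    return -math.log2(p_guess)


def find_period(samples, max_period=64):
    """Smallest p with samples[i] == samples[i+p] everywhere, or None."""
    for p in range(1, max_period + 1):
        if all(samples[i] == samples[i + p] for i in range(len(samples) - p)):
            return p
    return None


def compare_sources(n=800):
    """Return the three measures for the dithered and the jittered source."""
    report = {}
    for name, offsets in (("dither", dithered_offsets(n)),
                          ("jitter", jittered_offsets(n))):
        s = harvest_low_bits(offsets)
        report[name] = {
            "per_symbol_bits": min_entropy_per_symbol(s),   # dither: 2.0
            "conditional_bits": conditional_min_entropy(s), # dither: 0.0
            "period": find_period(s),                       # dither: 8
        }
    return report


if __name__ == "__main__":
    for name, r in compare_sources().items():
        print(f"{name}: {r}")
```

The dithered source scores two bits per sample on the histogram yet repeats every eight events and has zero conditional entropy, which is why a histogram test alone does not validate such a source.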


Re: Why the poor uptake of encrypted email? [Was: Re: Secrets and cell phones.]

2008-12-08 Thread David G. Koontz
JOHN GALT wrote:
 StealthMonger wrote:
 This may help to explain the poor uptake of encrypted email.  It would
 be useful to know exactly what has been discovered.  Can you provide
 The iconic Paper explaining this is Why Johnny Can't Encrypt available

Available from the Authors:

(For those of us not ACM members and not having Library or affiliate access).

There's also a power point presentation on the cognitive dissonance involved:

And something done at Carnegie Mellon:


Re: Lifting Some Restrictions on Encryption Exports

2008-12-05 Thread David G. Koontz
Ali, Saqib wrote:
 Does anyone have more info on the following:
 I couldn't find any other article that talked about it. The pay per
 news is the only item I found.

It was tough to google for, because of all of the new references to Clinton
era articles.

google 'encryption export restrictions  2008' (past month)

From this article you can see that the restrictions have had the effect of
driving cryptographic software development offshore:

(Mostly European companies, I understand)

The first link has a link to the Federal Register to 'see the word of the law':
Federal Register / Vol. 73, No. 193 / Friday, October 3, 2008 / Rules and
Regulations  Pages 57495 through 57512

The PDF file is 124 KB.

17 pages plus a couple of column inches on the 18th page, too long to copy


Re: EFF press release on the gag order being lifted.

2008-08-19 Thread David G. Koontz
Perry E. Metzger wrote:

You wonder if it was MTBA exhibit 4 that tipped their case against the
MTBA's injunction, using Roblimo's article on Sklyarov, quoting reactions to
Dmitry Sklyarov's arrest for a DMCA violation on July 16, 2001, wherein:

  Jennifer Granick, the clinical director of Stanford University's Center
  for Internet and Society, has also criticized the move by the software
  industry and the FBI.

  American corporations have never been shy about using taxpayer money to
  enforce their rights, she said.

Using a news article containing a quote from the defense's representation
counter to your position doesn't sound like a winning strategy.  Ms. Granick
is the Civil Liberties Director with the EFF and has filed a declaration in
the case.

The Wikipedia article has a
succinct summary of the Sklyarov case, where charges against him were
dropped in exchange for testimony (against his employer).  In December 2002,
Elcomsoft (the employer) was found not guilty of violating the DMCA in a
jury trial.

Most notably:

  On July 19, 2001, the Association of American Publishers issued a press
  release announcing their support of his arrest. Adobe initially supported
  the arrest, but after a meeting with the Electronic Frontier Foundation,
  they issued a joint press release on July 23, 2001, recommending his
  release. However, Adobe still supports the case against ElcomSoft.

The MTBA had no organization or employer to fall back on in prosecution, and
are still alleging CFAA violations against the defendants, undoubtedly
stemming from the initial conference description of their presentation,
mentioning free fares, and the slide presentation showing MTBA operations
centers, possibly counterfeit transit authority identification, and
surreptitious access to computing facilities.  The problem being either one
of a bit too much security theater on the part of the defendants, or
possible violations of the CFAA.

It is notable that there is no criminal case to date.  One could also wonder
if the MTBA is taking corrective actions to protect their system both
through physical plant security and proper inclusion of cryptographic
protection of their ticketing system, as well.


Kiwi expert cracks chip passport

2008-08-17 Thread David G. Koontz

Peter Gutmann has gotten himself in the news along with Adam Laurie and
Jeroen van Beek for altering the passport microchip in a passport.

Think of this as a local boy makes good piece of news, well worth it for the
picture of Peter:


Re: Judge approves TRO to stop DEFCON presentation

2008-08-10 Thread David G. Koontz
Jim Youll wrote:
 these have been circulating for hours, but they are content-free title
 On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:
 On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger
Las Vegas - Three students at the Massachusetts Institute of
Technology (MIT) were ordered this morning by a federal court
judge to cancel their scheduled presentation about vulnerabilities
in Boston's transit fare payment system, violating their First
Amendment right to discuss their important research.

There's also the synopsis as an exhibit to the case found in the Wired
article.  Note the recommendations for corrective action are familiar from
the  previous reported weaknesses to the MIFARE system.
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks --
Update: Restraining Order Issued; Talk Cancelled
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case

A report on the Dutch Public Transit Card:

Recently updated Dutch information by Andy Tanenbaum:

The fellows at Radboud University Nijmegen:

(Where we'll probably be able to find the Esorics 2008 presentation.
'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the
attack, there's info on the MIFARE Classic cryptographic algorithm.

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic

Security Evaluation of the disposable OV-chipkaart v1.7, updated 13 April 08
(which has a description of the memory structure found on the cards as well
as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
(translation: security through obscurity? still obscure enough)

And of course we've seen the Radboud video link found on Youtube:


Re: Surveillance, secrecy, and ebay, minor correction.

2008-07-28 Thread David G. Koontz
David G. Koontz wrote:
 Sherri Davidoff wrote:

You know how memory is, little things get squishy with the passage of years.
As soon as I saw the post up on cryptography I asked myself was that 1972 or

Privacy Act of 1972

That should be 1974.

Public law 93-579  The Privacy Act of 1974
5 USC 552a  Records maintained on individuals.

(10) establish appropriate administrative, technical, and physical
safeguards to insure the security and confidentiality of records and to
protect against any anticipated threats or hazards to their security or
integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information is

The quoted section (10) being the basis for finding harm on disclosure.

I remember seeing the Federal Register notice for the Digital Encryption
Standard, in 1977, mind you.


Re: Surveillance, secrecy, and ebay

2008-07-27 Thread David G. Koontz
Sherri Davidoff wrote:
 Matt Blaze wrote:
 Once sensitive or personal data is captured, it stays around forever,
 and the longer it does, the more likely it is that it will end up
 somewhere unexpected.
 Great point, and a fundamental lesson-of-the-moment for the security
 industry. To take it one step further: The amount of sensitive
 information an organization stores is roughly proportional to the number
 of data leaks it initiates. We already know that information wants to
 be free, and if you keep information around, sooner or later, it's going
 to leak out. (There's probably some mathematical way to describe this
 Rather than expecting companies to keep data totally secure and then
 send apologetic letters when it gets lost, perhaps we should start
 taxing companies in proportion to the amount of sensitive information
 they store, and use that tax to assist victims of identity theft. This
 would have the double benefit of giving companies immediate incentive to
 reduce the amount of information they store, and would also provide
 appropriate public funding for incident recovery.

Encryption with a resistance to cryptanalytic techniques requiring on the
order of the useful lifetime of the 'secrets' being protected to overcome is
a perfectly valid way to secure private data.  This resulted following the
Privacy Act of 1972, in the release of the Digital Encryption Standard
detailing the Digital Encryption Algorithm commonly known as DES in 1977 and
published as FIPS PUB 46.

Immediately the U.S. government started providing itself with waivers to the
use of encryption for at rest storage of data, that are only being overcome
today.  During the same era, the nation's security agencies exhibited a
strong desire to prevent the disbursement of security technology for private
and business use, as it foils the gathering of economic intelligence and
provides strong encryption to foreign military and security concerns. I'm of
the opinion that DES didn't provide much advantage to 'adversaries' of the
U.S. government, but its spread was effectively limited to the banking
industry for a considerable length of time.

During its lifetime the cost of breaking DES has reduced steadily, to the
point a recent low cost implementation could attack a DES system in between
5 and 32 hours using $1000 dollars worth of commercial FPGA hardware[1], or
a totally brute force attack yielding a key in 7.8 days at the cost of
$10,000[2].  Note that this has resulted in changes  to approved algorithms,
with resulting increase in resistance to brute force attacks by dramatically
increasing the key space.  We now worry about the near mythical quantum
computer's ability to break any current encryption scheme.

While Matt was relating the inadvertent disbursement of information relating
to a criminal investigation, you'd think that could be under the aegis of
the court system, perhaps by tinkering with the rules of evidence.  After
all encrypted storage is an effective means of preventing unauthorized
access, duplication and altering of evidence.  Bar associations would appear
a logical place to influence protecting client-data and client attorney

We also see the Department of Defense requiring at rest encrypted storage of
data, the requirement becoming universal over time.  You'd have to wonder if
the requirement was extended to the rest of the U.S. government, just how
long it would take to protect data.  Couldn't be more than a decade.

State and local governments, you run into unfunded mandates.  It helps that
they already have a duty under various privacy laws to protect data, as do
private companies.  Perhaps the problem is not that we need more laws, but
that the laws we have aren't being adhered to?

Is the resistance to data protection today predicated on cost?  We see
secure disk products that when the costs are amortized across volume for a
couple of kilobytes of code, a slightly faster processor, or one with
security co-processor, the cost of developing software interface controls
and finally certification costs, should add a cost burden of a couple of
dollars but are being sold at a premium, all the market can bear.

What's not apparent is the cost of data loss, other than bad press.  We find
interesting cases, such as in aviation security where we find from Professor
Mueller that the cost in terms of lives saved with the Transportation
Security Agency is 15 times higher than their value by protection by other
means[3], indicating we have an enormous white elephant, there.  How do we
prevent the inadvertent replication of waste in another large area of
government mandated security?

Balancing the apparent lack of adherence to current privacy laws and the
potential cost of a bureaucracy dedicated to measuring quanta of privacy
data, regulating the balance of taxes owed, offsets by encryption, tracking
the acquisition of privacy data, its proper and approved retirement or

Re: Permanent Privacy - Are Snake Oil Patents a threat?

2008-07-09 Thread David G. Koontz
Ali, Saqib wrote:
 Quoting the Foxbusiness article:
 Permanent Privacy (patent pending) has been verified by Peter
 Schweitzer, one of Harvard's top cryptanalysts, and for the inevitable
 cynics Permanent Privacy is offering $1,000,000 to anyone who can
 decipher a sample of ciphertext.

I did a quick check to look for patent applications or patents by them and
didn't find any.  This isn't definitive if a patent application isn't
published.  The newest published patent application I found on encryption
had an application date of 11 Dec 2007.  Some recently published patent
applications are 6 or 7 years old, too.

While there I updated my periodic search for recent patents and applications
on cryptography.  It's surprising the number of questionable patent
applications and patents you can find.  Aside from propping up marketing
claims with patents as has been done throughout history, the primary threat
poor quality patents present is the ability of patent trolls to tax
'innovation'.  The volume of crypto related patents and applications is
increasing lately and there is no clear sign the quality is rising.  Crypto
patents used to be primarily a competition method between defense
contractors, now it's just about everyone as use expands.

There was one recent application from a chip company on an architecture and
instruction set for implementing the Advanced Encryption Standard, where
the architecture is that of a modern processor and the instruction set isn't
covered in the claims, rather a description of the algorithm for executing
AES is given.  While it would be well suited for a defensive patent
portfolio, imagine the havoc if granted and this patent were to fall into
the hands of a patent troll claiming it covered all implementations on a

Being a bit of a hardware wonk, a lot of these patents appear obvious.  For
instance Rainbow inherited a patent on the use of dual rank shift registers
to allow overlapping data I/O and cryptographic operations.  It does perform
the useful function of bringing down the clock rate needed to sustain some
throughput, but it was hardly a non-obvious innovation at the time it was
filed.  Rate buffers had been used as long before the patent was filed to
balance communications throughput.  I also recall one on MIMD execution of
DES to increase throughput, hardly non-obvious though granted.

Obviously patents could be improved by searching further across disciplines
for prior art and by having more USPTO expertise.  We're also seeing a
dumbing down of the 'Persons Having Ordinary Skill In the Art' as the number
of practitioners expand rapidly.

Has anyone been feeling the heat or see a future threat?


Re: Why doesn't Sun release the crypto module of the OpenSPARC?

2008-06-13 Thread David G. Koontz
zooko wrote:
 On Jun 12, 2008, at 4:35 PM, David G. Koontz wrote:
 There's the aspect of competition.
 I've also wondered if a reason they didn't release it is because they
 the 'IP' from someone.
 Those are good guesses, David, and I guessed similar things myself and
 inquired of various Sun folks if this was the real reason.  Nobody
 could give me any definite answer, however, until Sridhar Vajapey wrote:
  US export control regulations prevent Sun from opensourcing the crypto
 portion of N2..

You've got to admit that the work load for implementation is quite a bit
higher without the PCI-E, 10GE MACs, and crypto, for a piece of competitive
silicon.  All the sudden you don't have that 'Server On a Chip' that Sun

The net result is still that you can't compete directly with Sun, but you
can still expand the range of applications for Sun processors, and oh by the
way, Sun's silicon works perfectly well in any new markets.  It still walks
like a duck.

For the record I don't begrudge Sun captive markets, it supports a fairly
decent 64 bit architecture and isn't Intel.  What they have released isn't
what they sell.  They're demonstrably Rice Christian open source advocates.


Re: Why doesn't Sun release the crypto module of the OpenSPARC? Competition?

2008-06-12 Thread David G. Koontz
Lawrence Spracklen's Blog:

  Detailed T2 crypto info

  Very detailed info on the UltraSPARC T2 cryptographic accelerators can be
  found here on the OpenSPARC website (the pertinent info can be found in
  chapter-21 of the doc)

  Posted on: Sep 11, 2007

With a rebuttal that the Ch 21 in the document found there contained the PCI
Express Interface Unit:

  Unfortunately, it looks like the accelerator details have been removed :-(
  The SPU is not technically part of OpenSPARC

  Posted by Lawrence Spracklen on November 05, 2007 at 11:39 AM PST #

There's the aspect of competition.  The on core crypto gives one heck of a
competitive edge for networking applications, and performance figures found
on Dr. Spracklen's site show that the crypto stream processors across the
CMT can keep up with the 10G Ethernet ports.  I can't see them giving a
potential competitor everything needed to compete directly.  It'd be
reminiscent of IBM and Amdahl clones, captive markets and margins for
hardware threatened as easily as National's memory boards.  I'm sure Sun is
wily enough to have some key patents, too.  A case of encouraging help to
enlarge the ecosystem, but not empowering direct competition.  They don't
mind if you develop more markets, after all Sun can play there, too.

I've also wondered if a reason they didn't release it is because they bought
the 'IP' from someone.  There are other instances - parts of the System on a
Chip.  In the OpenSPARC T2 System on a Chip Micro Architecture pdf there is
a disclaimer on page 3:

  Note - OpenSPARC T2 currently does not include PCI-Express and 10Gigabit
  Ethernet design implementation due to current legal restrictions.
  Equivalent models may be available in the subsequent releases of OpenSPARC

If the real reason is competition, it's always nice to have a good excuse,


Re: NSA approves secure smart phone

2008-03-21 Thread David G. Koontz
Steven M. Bellovin wrote:


Unique locks on microchips could reduce hardware piracy

2008-03-15 Thread David G. Koontz

The technique is called EPIC, short for Ending Piracy of Integrated
Circuits. It relies on established cryptography methods and introduces
subtle changes into the chip design process. But it does not affect the
chips' performance or power consumption.

There's also the paper:

Random number generators, public keys, remote attestation, oh my!

There appears to be an assumption that a potential 'pirate' isn't inside the
cryptographic boundary which includes the chip design and tools,
fabrication process, and programming/testing facility.  I'm not sure the
vulnerability assessment includes all the threat models for gray market ICs.
There seems to be a bit of hand waving involved.  It may narrow the avenues
available to the potential pirate.  From the article:

 However, even in U.S. facilities, working chips are sometimes reported
defective by individual employees and later sold in gray markets,
Koushanfar said.

By itself it doesn't stop silicon from being diverted after unlocking, for
instance.  I'd imagine the things you would do to increase threat coverage
might be sufficient in and of themselves to preclude the need for this lock

An attack on the random number generator appears a likely vector.


Re: Unique locks on microchips could reduce hardware piracy

2008-03-15 Thread David G. Koontz
David G. Koontz wrote:

Two more articles:
This one has a bit of the technical description:

This has some comments including:

Ok, so now the hardware has to 'phone home' before it will work. Does this
mean that worldwide legitimate chip production has to halt every time the
patent holder has a server failure?
Secondly, if someone has the capability of turning design documents into
working silicon, they also have the capability to make changes to the
design. What's to stop them from simply removing the lock circuitry from the
design before making the chips?
It seems to me that this DRM is like all other DRM. It causes problems for
the legal users, and won't do anything to stop the illegal users.

Posted by Kelly Gray, 8/03/2008 1:26:23 AM


Re: Unique locks on microchips could reduce hardware piracy

2008-03-15 Thread David G. Koontz

Two papers of interest in evaluating the paper
EPIC: Ending Piracy of Integrated Circuits
Jarrod A. Roy (1), Farinaz Koushanfar (2) and Igor L. Markov (1)
(1) The University of Michigan, Department of EECS, 2260 Hayward Ave., Ann
Arbor, MI 48109-2121
(2) Rice University, ECE and CS Departments, 6100 South Main, Houston, TX 77005

The two papers:
Active Hardware Metering for Intellectual Property Protection and Security
Yousra M. Alkabani and Farinaz Koushanfar, Rice University
Remote Activation of ICs for Piracy Prevention and Digital Right Management
Yousra Alkabani Computer Science Dept., Rice University
Farinaz Koushanfar, Electrical & Computer Engineering and
Computer Science Depts., Rice University
Miodrag Potkonjak Computer Science Dept.,
University of California, Los Angeles


RFID-hack hits 1 billion digital access cards worldwide

2008-03-15 Thread David G. Koontz

The Dutch government has issued a warning about the security of access keys
that are based on the widely used Mifare Classic RFID chip.

The warning comes in a week when two research teams independently
demonstrated hacks of the chip's security algorithm.

Criminals can use the hack to clone cards that use the Mifare Classic chip,
allowing them to create copies of building access keys or commit identity theft.

The chip is used in payment systems worldwide, such as the Oyster Card in
the UK and the CharlieCard that is used in Boston. Both offer payment
systems that allow for wireless transactions.

The chip is the basis of a national proof-of-payment system for public
transport. A recently published government-issued study by the Netherlands
Organisation for Applied Scientific Research dismissed the potential
security threat, claiming that hackers would take at least two years to
crack the security codes.

(The article is short enough it is hard to do fair-use justice.)

The cryptanalysis:

A March 12th Press Release from Radboud University Nijmegen:

A link to a demo video on Youtube:

Run time is 1:55, 4.9 MB and a Flash Video
The demo is an attack on a door security system.

A recent report stating that it would take at least two years for the
cryptographic algorithm to be broken and used casually (From the video I'd
say this is optimistic by almost two years):

A Mifare+ fix for the security weaknesses is announced (Mar 12th):

On Monday NXP Semiconductors said they plan to release a new version of the
Mifare chip; the chip that has gained fame lately after its security was
broken by researchers at U. VA. Dubbed the Mifare Plus, the new chip
addresses the exact security problems that its predecessor the Mifare
Classic faced. The new NXP offering is boasting 128-bit encryption over the
original 48-bit.

The NXP press release:

There are a couple of things of note.  They are seeking EAL-4+ evaluation
rating (which Windows 2000 has), it uses AES 128 bit encryption, and it has
backward compatibility with the 48 bit encryption.  Also the new cards won't
be available until Q4.

The cost of infrastructure upgrade (equipment cost versus card processing
delay) might cause an adoption lag.

NXP Semiconductors also claims to lead the car access and immobilization markets.


Re: Toshiba shows 2Mbps hardware RNG

2008-02-13 Thread David G. Koontz
Hal Finney wrote:
 Looking at the block diagram for the new Toshiba circuit, and comparing
 with the Intel design, one concern I have is with attacks on the device
 via external electromagnetic fields which could modulate current flows
 and potentially influence internal random numbers. Intel attempted
 to mitigate this attack by using a pair of resistors spaced close
 together, and taking differentials between them. I don't see any such
 countermeasures in the (admittedly crude) block diagram in the Toshiba
 press release.

From the EE Times article, the stochastic noise source for the Toshiba RNG
is from a trap layer of Silicon Nitride in a MOSFET transistor.  An Analog
to Digital Converter is used as a gating amplifier and the random noise bit
rate is dependent on the conversion speed instead of transformer etc. impulse
response.  The difference in size between the 2 Mb/s and 10 Mb/s RNG appear
to be due to A/D converter area (from the ISSCC session 22 advanced program).

It's a floating gate structure.

  it is clear from the figure that the SiN MOSFET device generates greater
current fluctuation. This is presumably because more frequent occurrence of
electron capture and emission between the Si channels and dangling bonds
owing to the remarkably large number of the traps that cause noise
generation makes possible generation of a large amount of noise. Also, the
SiN MOSFET's ID fluctuation makes it possible to generate a larger amount of
random noise due to the respective parameter designs of the devices (gate
length, gate width, tunnel oxidized film thickness (Tox), the Si/N atomic

The more signal, the higher the noise immunity, presumably.  The
description reminds me of tube thermionic noise.   I'd suspect it would
benefit from a drawing done on a rotated axis showing the Trap layer as a 2D

You get a random noise source that doesn't require the cryptographic
boundary be pushed into instruction/procedural space or across chip
boundaries for RNG generation, avoiding those pesky predictable random
numbers as attributed to a Microsoft software implementation recently.

Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC
Machine, Motorola), you wonder if someone would consider an FPGA with a good
RNG hard core cell on chip, now that someone has figured out how to do
red/black separation in an FPGA compiler.  Wonder how cheap it is to spot
dope SiN or will we have to switch to anti-fuse FPGAs to take advantage?


Jihadi software promises secure web communication

2008-01-20 Thread David G. Koontz

An Islamist website often used by al Qaeda supporters is promoting
encryption software which it says will help Islamic militants communicate
with greater security on the internet.

The Mujahideen Secrets 2 software was promoted as the first Islamic program
for secure communications through networks with the highest technical level
of encoding.

The software, available free on the password-protected site
which often carries al Qaeda messages, is a newer version of Mujahideen
Secrets issued in early 2007 by the Global Islamic Media Front, an al
Qaeda-linked web-based group.

This special edition of the software was developed and issued by ...
Ekhlaas in order to support the mujahideen (holy war fighters) in general
and the (al Qaeda-linked group) Islamic State in Iraq in particular, the
site said.


On the other hand, imagine if the software were compromised by a TLA in the
spirit of the recent revival of interest of Crypto AG?  What a coup that
would be.  Of course vulnerabilities can be simply a matter of using the
wrong random number generator...


News on stolen Australian Law Enforcement Secure Radios

2007-09-02 Thread David G. Koontz
,23599,22345160-2,00.html

APEC security arrangements have been thrown into disarray with the theft of
  digitally encrypted police radios and a bullet-proof vest.

The Sunday Telegraph reports that statewide memos have been issued to police
working during the APEC weekend to advise against using special frequencies
that can be picked up by the missing radios.

The loss of the vital pieces of equipment poses a major headache for NSW
Police, who are under extreme pressure from both the State and Federal
governments to ensure there are no security breaches over the APEC weekend.


What no Over The Air Re-keying for net exclusion, or perhaps the radios
aren't unique?  It's my  understanding that the Project 25 stuff used in the
U.S. wouldn't be similarly vulnerable on two counts:  OTAR with remote key
management and role based security.

more in the Australian news article:

Worth around $5000 each, the digital encryption system radios cannot be
picked up by regular scanners.

The NSW Government has spent an estimated $18 million in the past three
years to convert the old police radio network to a digital system.

The source said it was understood several digital radios had also been
stolen from NSW Fire Brigade stations in the inner west in recent weeks.


I'd imagine if they are actually vulnerable as a result of the radio
thefts, they've bought the wrong equipment, or at least certainly paid too much.

Note the contrast with the Olympics:
Radio theft 'doesn't compromise' Games security

Posted Wed Aug 11, 2004 9:54pm AEST

Thieves have stolen six communication radios used by Olympic Games
organisers but police say the state-of-the-art devices pose no security risk.


They were taken on the night of August 4 from cardboard boxes that
contained other equipment, but they cannot be used by anyone now, Mr
Economou said.


What appears to have rendered them harmless is that they weren't keyed.

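
The two stories above turn on the same point: a stolen radio only matters if it holds the net's current key, and a key management facility that can rekey over the air while leaving the missing unit out turns a theft into a non-event. The block below is an added illustration, not material from the post and not the Project 25 OTAR or key management message formats: it models a key manager holding a unique key-encryption key (KEK) per radio, a shared traffic key (TEK) distributed wrapped under each KEK, and a rekey that excludes a unit reported stolen. The wrap is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only to keep the example free of third-party dependencies; radio ids, key sizes and the message are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate subkeys: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag fails (wrong key or a
    tampered message); a radio never loads an unauthenticated key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Key management facility: one KEK per radio, one TEK per net."""

    def __init__(self) -> None:
        self.keks: Dict[str, bytes] = {}
        self.tek = os.urandom(32)

    def fill(self, radio_id: str) -> bytes:
        """Initial key fill (wired keyloader): provision a unique KEK."""
        self.keks[radio_id] = os.urandom(32)
        return self.keks[radio_id]

    def rekey(self, excluded: frozenset = frozenset()) -> Dict[str, bytes]:
        """Fresh TEK, broadcast wrapped under every still-trusted KEK.
        Excluded units get no copy and lose their KEK, so a later rekey
        cannot readmit them either."""
        for rid in excluded:
            self.keks.pop(rid, None)
        self.tek = os.urandom(32)
        return {rid: wrap(kek, self.tek) for rid, kek in self.keks.items()}


class Radio:
    def __init__(self, radio_id: str, kek: Optional[bytes] = None) -> None:
        self.id, self.kek, self.tek = radio_id, kek, None

    def receive_rekey(self, broadcast: Dict[str, bytes]) -> bool:
        """Over-the-air rekey: load the new TEK only if our copy unwraps."""
        if self.kek is None or self.id not in broadcast:
            return False
        tek = unwrap(self.kek, broadcast[self.id])
        if tek is not None:
            self.tek = tek
        return tek is not None

    def send(self, msg: bytes) -> Optional[bytes]:
        return None if self.tek is None else wrap(self.tek, msg)

    def receive(self, blob: bytes) -> Optional[bytes]:
        return None if self.tek is None else unwrap(self.tek, blob)


def theft_scenario() -> Dict[str, Optional[bytes]]:
    """Three keyed radios and one never-keyed spare; R2 is then stolen."""
    km = KeyManager()
    r1, r2, r3 = [Radio(rid, km.fill(rid)) for rid in ("R1", "R2", "R3")]
    spare = Radio("SPARE")  # unkeyed, like the radios taken before the Games
    units: List[Radio] = [r1, r2, r3, spare]
    for r in units:
        r.receive_rekey(km.rekey())
    broadcast = km.rekey(excluded=frozenset({"R2"}))  # theft reported
    for r in units:
        r.receive_rekey(broadcast)
    traffic = r1.send(b"unit 1 moving to checkpoint")
    return {"R3": r3.receive(traffic), "stolen_R2": r2.receive(traffic),
            "spare": spare.receive(traffic)}
```

The stolen unit still holds the previous TEK, which is exactly why the rekey has to happen promptly: until it does, the memos about avoiding certain channels are the only mitigation available.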

Re: Skype new IT protection measure

2007-08-21 Thread David G. Koontz
Peter Thermos wrote:
 Interesting comment from Skype:
 The disruption was triggered by a massive restart of our users' computers
 across the globe within a very short timeframe as they re-booted after
 receiving a routine set of patches through Windows Update.
 We can confirm categorically that no malicious activities were attributed
 or that our users' security was not, at any point, at risk. 

Or as the New Zealand Herald put it:

Windows blamed for Skype crash - 21 Aug 2007 - NZ Herald: Technology News
from New Zealand and around the World

Skype has now identified and already introduced a number of improvements to
its software to ensure that our users will not be similarly affected in the
unlikely possibility of this combination of events recurring, said the blog.


If the unlikely event is referring to Windows users automatic updates, I
wouldn't bet on it.


Re: Free Rootkit with Every New Intel Machine

2007-06-30 Thread David G. Koontz

Vipin Kumar of NVLabs had announced a break of TPM and a
demonstration of a break into Bitlocker, (presumably using TPM) to be
presented at Black Hat 2007.  The presentation has been pulled.

Significance to the exchanges on cryptography under this subject stem
from the abstract of the announcement.  It references a paper on
implementing Trusted Computing:

From which Kumar interpolates the graph shown in figure 4 to make the
claim that through the end of 2007 there will be 150 million TPM devices
shipped. The preceding paragraph to figure 4 makes a claim of 20 million
TPM devices shipped in 2005.  The paper is produced by Endpoint
Technologies Associates, Inc., and doesn't give references for how the
numbers were promulgated.  The graph shows a number of TPM devices
shipped per year to exceed 250 million by the years 2010.

The point being that's a lot of tchotchkes, even if the claimed numbers are
inflated in a fashion reminiscent of how fast the internet was growing
before the internet bubble burst.

Even conservatively there are tens of millions of these devices
sold, although we have no indication how many were actually used for
Trusted Computing purposes.


Re: Free Rootkit with Every New Intel Machine

2007-06-30 Thread David G. Koontz
Looking for TPM enterprise adoption.

The current version of TPM was adopted in March of 2006, which should
have limited TPM uptake.

There's an article in Network World

from September 2006 talking about a restaurant chain being a pioneer in
the use of TPM, apparently a poster boy for Dell.

There's also

July 26, 2006, talking about the Army mandating TPM in all their small
computers (PCs), a relatively large enterprise customer.

A 10-Q filed by Wave Systems in May provides provenance for the numbers
quoted in NVLabs abstract on their TPM breaker:

Adoption of TPMs and Trusted Computing technology is also growing -
according to industry analyst, IDC, shipments of TPMs are expected to
grow from under 25 million units in 2005 to over 250 million units in
2010. More information is available from the IT Compliance Institute.

(looking at the IT Compliance Institute doesn't seem to help)

The IDC is the quoted source for TPM adoption, figuring prominently on
the web site and articles derived from publicity.

There's an Executive Summary from IDC:

Predicting TPM 75 percent penetration for world wide Desktop PCs in
2009, 85 percent for mobile computing, and 80 percent for servers.
The only other data point is for 2005, showing a couple of percent for
Desktop PC, three percent for Servers, and 37 percent for mobile PCs

There's a claim the Bitlocker in Vista provided the tipping point for
TPM uptake in:

The IDC reference is Worldwide PC Interface and Technologies 2007-2010
Forecast  February 2007, Doc #205155, a Market Analysis

At $4500, a bit steep for curiosity's sake.

TPM is the focus of a chapter or section on Security, as seen in the
table of contents

The Papa Gino's Restaurants example for Network World, is indeed a Dell
real world example, one of several mentioned:

The real world examples include a Japanese pharmaceutical company with
20,000 seats

Papa Gino's Pizzas

A US auto rental agency of indeterminate size using HP's security solution.

Three projects underway in Japan, the Japanese Ministry of Economy,
Trade and Industry  funded security initiatives for:

  Sendai Wellness Consortium  (sounds like an HMO)
  IBM's Tokyo Research Laboratory
  Nagoya University Medical Center

The sizes of these aren't known, but should qualify as respectably sized

This paper is from Endpoint Technologies again, and is intended to allay
naysayers of Trusted Computing adoption rates:

Some market watchers may feel that the entire Trusted Computing
movement, championed by the Trusted Computing Group (TCG) with its
Trusted Platform Module (TPM) and related security technologies, is just
a straw man and that it will be years before large numbers of companies
and even individuals adopt TPM based secure computing. For example, IDC
cites, in Trusted Platform Module: Adoption Dynamics, August 30, 2006,
a complex system dynamics model that shows that only the PC hardware
OEMs and the smallest security vendors are fully engaged with the TPM,
and that Microsoft and the major security players remain at best tepid
in their support. Particularly, the authors cite a lack of user pull in
TPM deployment. They conclude that, although many TPM modules will ship
on client systems over the next few years, most will remain inactive.

[There's also anecdotal evidence IDC hasn't always had their cheery
outlook for TPM uptake.]

There are other developments mentioned in the paper:

   The NSA uses TPM for encrypted disk drives

   The US Army is mentioned herein requiring TPM on PCs

   The Federal Deposit Insurance Corporation has recommended that their
   member banks adopt TPM.

 Also, Microsoft appears to have actually jumped on the TPM bandwagon,
supplying impetus over the tipping point:
February 2005, Validation of Hardware Security in PC Clients, sponsored
by IBM and Microsoft

TPM is pretty much required for PC biometric authentication (fingerprints)

  There are a few more poster children marched out:

  A large international pharmaceutical company (perhaps different from


  A Large Apparel Manufacturer, mentions Sarbanes-Oxley, and
fingerprint access.

We're being underwhelmed with hard numbers and numerous examples of
enterprise adoption.


Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
Peter Gutmann wrote:
 David G. Koontz [EMAIL PROTECTED] writes:
 There are third party TPM modules, which could allow some degree of
 As I said in my previous message, just because they exist doesn't mean they'll
 do anything if you plug them into a MB with the necessary header (assuming you
 have a MB with the header, and it's physically compatible, and electrically
 compatible, and the BIOS is compatible, and ...).
 Which MBs have you plugged one of these TPMs into and had it work?

I don't have the luxury of buying tchotchkes to prove a point.  (Ya,
I have no use for this stuff either).  In view of Peter's insistence it
was worth looking harder.

I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
header for the IEI TPM pluggable. After an extensive investigation I
found no direct evidence you can actually do as Peter states and roll
your own building a TPM enabled system. That includes downloading the
BIOS and trying to search it.  Found evidence of a TPM driver, no hard
proof though.  Why the emphasis on doing this as an end user anyway?
Heck you should have seen how hard it was to get DVDs to work with
Windows98 on an Intel D815 motherboard as an end user.  It took the same
level of investigation, and I still got lucky.  The information
necessary is available to OEMs, not generally end users.  Looking across
various vendors' motherboards you see statements in the specifications
stating TPM v1.2 support which I'd be inclined to think means BIOS

I looked for mention of the IEI motherboards, and found distributors, no
mention of anyone actually using them other than for industrial use.
The Fujitsu-Siemens motherboards with TPM were similarly for industrial
use.  The idea of system integrity makes sense for say industrial
robotics.  Wonder if someone thought of using ECC memory?

I found a Foxconn motherboard with the same 20 pin connector.  Didn't
find it on their G33 motherboard (Bearlake).  There was no mention of
TPM support in any documentation for the G33 board.  I downloaded the
BIOS for the board with the connector, de-lharc'd it and searched for
strings indicating TPM support.  Didn't find any references at all.  It
appears to be an older Phoenix BIOS.   Same story for Peter - no proof
you could actually use it, worse still, nothing in the BIOS.

I found a Supermicro C2SBA mother board (another G33 Bearlake) that you
can buy today.  TPM enabled, there's a jumper described in the manual to
enable TPM, which allows the BIOS page for it to show up.  Sounds like
solid support.  The manual only has the topside layout.  The jumper is
near the system front edge, and the closest silicon is the ICH9
Southbridge.  Note that the LPC bus is on the Southbridge anyway and
would interconnect to a TPM chip (as well as BIOS FLASH/ROM), There's a
candidate chip near the front panel stuff not too close to the BIOS chip,
I couldn't find a high enough resolution photo to read the label.  There
is no through hole connector footprint for an external TPM module visible.

If I wanted to buy a TPM motherboard today, I could, a brand new one,
too.  The manual has pictures of the TPM pages in the BIOS console.  The
BIOS should work.  Around $164 in the U.S., real pretty too with all the
copper cooling on it.

There's also indication of whitebox integrators using the Intel
motherboards with TPM in-built.  No indications of volume, which is
probably the real question.

 TPM may well end up being present ubiquitously.
 Smart cards may well end up being present ubiquitously.
 Hardware RNGs may well end up being present ubiquitously.
 NIC-based crypto may well end up being present ubiquitously.
 Biometric readers may well end up being present ubiquitously.
 Home taping is killing mus... oops, wrong list.
 Been there, done that, got the tchotchkes to prove it.

 I've seen zero evidence that TPMs are going to be anything other than a repeat
 of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
 failed hardware silver bullets that crop up every few years.  Wait a  year or
 two and there'll be some other magic gadget along to fix all our problems.

I found a FIPS 140-2 compliance statement from Phoenix dated July 2006,
that mentions all your silver bullets except the biometric readers and
encrypting NIC.

Someone doesn't think they are all relegated to tchotchkes, just yet. I
was surprised to hear Intel's random number chip is still marketed, must
still be used in Type 1 COMSEC stuff.

There is indication that TPM is tied to fingerprint scanners on laptops,
they could be a passing fad.  It'd be nice to see someone demonstrating
spoofing one.

Found something else that supports Peter's point of view.  Found a web
page claiming that Intel's vPRO doesn't require a TPM chip.  It isn't
clear how closely aligned vPRO is to DMTF.  As far as TPM and DMTF, most
of the hits relating to the two can be traced

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
David G. Koontz wrote:

 I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
 header for the IEI TPM pluggable. After an extensive investigation I
 found no direct evidence you can actually do as Peter states and roll
 your own building a TPM enabled system. That includes downloading the
 BIOS and trying to search it.  Found evidence of a TPM driver, no hard
 proof though.  Why the emphasis on doing this as an end user anyway?
 Heck you should have seen how hard it was to get DVDs to work with
 Windows98 on an Intel D815 motherboard as an end user.  If took the same
 level of investigation, and I still got lucky.  The information
 necessary is available to OEMs, not generally end users.  Looking across
 various vendors motherboards you see statements in the specifications
 stating TPM v1.2 support which I'd be inclined to think means BIOS

I found another Gigabyte board GA-N680SLI-DQ6 with TPM, available from
Ascent here in New Zealand.  I looked at the BIOS for it.  It was close
to brand new and mentioned it would take loadable drivers and didn't
have reference to TPM.   This lends credence to the requirement for OEM
access to enable TPM.  The TPM driver wasn't available on the download
page for the board.  This board has the IEI 20 pin connector on it.

The IEI page provides no links to documentation.  The page shows various
software management interfaces that are specific to TPM chip vendors, so
I looked them up.  There are three modules based on Infineon, Atmel
and Sinosun TPM chips.

Looking at the Infineon TPM v1.2 page we see the complete information
isn't publicly available.  There is no indication of how to do PC-BIOS
integration, no in depth datasheet/manual, etc.  It's probably not
possible to implement under Windows without a partnership.

I checked the Atmel site and the public information there was sparse.

The Sinosun site has some basic information on management software.
These would require you're in partnership, although I found an
advertisement for the Sinosun TPM software management tools ($26.99 US)
Orbit Micro is a system integrator and IEI distributor and probably can
provide a white box solution.

You're still at the mercy of the Motherboard/PC vendor for BIOS support.

The Supermicro motherboard with integrated TPM has a BIOS that is TPM
aware.  It probably uses an ST19WP18-TPM-C from Standard Microsystems
(Found by searching their FAQ, another board with TPM).

There is some information on software development environment:

This compares the three TPM chip versions:
$$view=tablequerycriteria=RNP139=1120.0
and prompted examination of their pdf files, the sections on the
back on software.

The drivers are actually in ROM on the ST chips, with a flag system for
the host BIOS, allowing the same BIOS to work with or without TPM.  This
may explain  some of the lack of visibility in some BIOS images. The
Windows drivers are embedded, too.  The -TPM-C version used by the
Supermicro motherboard talks about the use of Embassy Security Center
suite from Wave Systems.  There is a right to use license transferred
with the chip:
also mentioned:
The last link gives insight into the Atmel software, too.

The IEI pluggable TPM module web page shows software interfaces from
three different vendors for the three different chips it uses.  The
Winbond chip is shown being administered by Wave's ESC.  No indication
of licensing terms.

For open source/linux aficionados there's jtpmtools:  (probably ripe for a tcl wrapper)

And information on the Open Trusted Computing web site:

(  describes the
currently available TPM products from various system vendors.)


Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread David G. Koontz
Peter Gutmann wrote:
 Ian Farquhar (ifarquha) [EMAIL PROTECTED] writes:
 For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which features security
 enhancement by TPM.  More common (ASUS, Foxconn) was the TPM Connector,
 which seemed to be a hedged bet, by replacing the cost of the TPM chip with
 the cost of a socket.
 Those are actually misleading, since there's no certainty that you'll be able
 to find anything that'll actually plug into them.  That is, not only are the
 TPM whatever-they-are-that-goes-there's almost impossible to find, but if you
 do find one there's no guarantee that it'll actually work when plugged into
 the header. In practice this is just a way of adding the TPM keyword to your
 marketing without having to actually do anything except include a dummy header
 on the MB.

There are third party TPM modules, which could allow some degree of

The IEI TPM module is used in their own motherboards and some VIA
motherboards.  They actively market the pluggable modules.  Thinkpads
appear to use a different connector:
30 pins instead of 20 pins.  The Low Pin Count bus, an ISA bus
replacement, is specified as the TPM interface, and isn't defined for
connector use, so a connector pin out isn't standardized.  (the spec)

 (For people who don't work with the innards of PCs much, most motherboards
 have assorted unused headers, sites for non-installed ICs, and so on, as a
 standard part of the MB.  The TPM header is just another one).

In addition to pluggable modules, TPM can also be an assembly bill of
materials option, where you have a chip and a few passive components
not stuffed for non-enterprise PCs or notebooks.  The advantage of a
pluggable module would be to allow late binding build configurations
when you can't adequately forecast demands.

Even the low costs of TPM hardware, patent licenses, BIOS licenses,
etc., are probably enough to prevent blanket inclusion in personal
computers not intended for enterprise use today.  TPM can also be built
into chip sets like Intel's Bearlake, which removes the hardware cost.
TPM may well end up being present ubiquitously.

One of the driving forces for TPM adoption going forward will be
enterprise remote or distributed management.
Doing distributed management with TPM allows some degree of security
that would otherwise be missing. Distributed management is the purpose
of Intel's vPro and iAMT initiatives.  Note that the distributed
management push is relatively recent, going mainline in the last year or
so and may  signal an upcoming acceleration in TPM adoption.  Also of
note is that the membership list for the Distributed Management Task
Force contains most of the big name PC sellers.

Distributed management can be OS 'gnostic, the driving need is the
ability to handle large volumes of software updates and security
patches. While some OS's require large volumes of security patches,
others are evolving fast enough to require automated updates. We're
pretty much guaranteed to see enterprise adoption across all platforms.

Linux supports TPM devices directly, as will Solaris.  Apple (mis)uses
TPM to unsuccessfully prevent OS X from running on non-Apple Hardware.
All Apple on Intel machines have TPM, that's what 6 percent of new PCs?
 There is a virtual TPM in Xen, IBM would tell you that you can't
operate a trusted computer without a security server for providing
virtual TPM storage.  They're willing to sell you one and Microsoft
doesn't want you to operate Vista virtually without a trustworthy
Trusted Platform Module.

It may be inappropriate to build a system with absolute trust in TPM to
protect intellectual property.  There are other architectures that can
do better, say a blade server running a virtual copy of an OS.  The
element providing greater security is removing the potentially malicious
end-user from physical access, and not allowing access beyond the
virtual machine.  Thin clients and web applications come to mind for
protecting corporate secrets, too.  TPM is predicated on the notion that
the corporate universe is comprised of fully capable computers.  The
idea for Trusted Computing comes mainly from hardware vendors, so the
bias isn't surprising.

No one likes the idea of TPM on their personal machines, it's really
driven by enterprise needs, although you could imagine a market for a
service intended to keep your personal Windows PC updated.  There can be
useful side effects to having TPM on personal computers.  TPM could
provide secure storage for keys to software or hardware encrypted disk
drives, the alternative might imply uncovering the equivalent of master
keys over questionable channels during boot up. Secure Disks with
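
The paragraph above touches on why TPM key storage for an encrypted disk is attractive: the key can be released only when the platform has booted into a known state, instead of being handed around in the clear at boot. The block below is an added example, not from the post, the Endpoint paper or any TPM vendor: it models extend-only PCRs and a sealed object gated by a policy over selected PCRs, then shows a measured boot of a modified bootloader landing on a different PCR value so the disk key is never unsealed. SHA-256 PCRs, the boot image contents, the PCR indices and the handle numbering are all constructed assumptions (the TPM 1.2 parts in this thread use SHA-1 and their own command set).

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


class SimTPM:
    """The two TPM features sealing rests on: PCRs that reset at power-on
    and can only be extended, and an object store whose unseal is gated
    by a policy over selected PCR values."""
    NUM_PCRS = 24

    def __init__(self) -> None:
        self._objects: Dict[int, Tuple[bytes, Tuple[int, ...], bytes]] = {}
        self.power_on()

    def power_on(self) -> None:
        """PCRs reset to zero on every reset; sealed objects persist."""
        self.pcrs: List[bytes] = [bytes(32)] * self.NUM_PCRS

    def extend(self, index: int, digest: bytes) -> bytes:
        """PCR[i] = H(PCR[i] || digest): order-dependent and irreversible."""
        self.pcrs[index] = sha256(self.pcrs[index], digest)
        return self.pcrs[index]

    def policy_digest(self, selection: Sequence[int]) -> bytes:
        return sha256(*(self.pcrs[i] for i in selection))

    def seal(self, secret: bytes, selection: Sequence[int]) -> int:
        """Bind the secret to the selected PCRs as they stand right now."""
        handle = 0x81000000 + len(self._objects)  # constructed handle scheme
        self._objects[handle] = (secret, tuple(selection), self.policy_digest(selection))
        return handle

    def unseal(self, handle: int) -> Optional[bytes]:
        """Release the secret only if the current PCRs match the policy."""
        secret, selection, expected = self._objects[handle]
        if not hmac.compare_digest(expected, self.policy_digest(selection)):
            return None
        return secret


# Constructed stand-ins for boot images, keyed by the PCR each is measured into.
GOOD_CHAIN: Dict[int, bytes] = {
    0: b"firmware build 1",
    4: b"bootloader build 1",
    8: b"kernel build 1",
}


def measured_boot(tpm: SimTPM, chain: Dict[int, bytes]) -> None:
    """Each stage hashes the next image into its PCR before handing over."""
    for pcr, image in chain.items():
        tpm.extend(pcr, sha256(image))


def boot_attempt(tpm: SimTPM, handle: int, chain: Dict[int, bytes]) -> Optional[bytes]:
    """Reset, measure the given chain, and try to unseal the disk key."""
    tpm.power_on()
    measured_boot(tpm, chain)
    return tpm.unseal(handle)


def disk_key_scenario() -> Dict[str, Optional[bytes]]:
    tpm = SimTPM()
    disk_key = b"\x11" * 32  # constructed volume key
    measured_boot(tpm, GOOD_CHAIN)
    handle = tpm.seal(disk_key, selection=(0, 4, 8))
    modified = {**GOOD_CHAIN, 4: b"bootloader build 1 (modified)"}
    return {
        "clean": boot_attempt(tpm, handle, GOOD_CHAIN),        # key released
        "tampered": boot_attempt(tpm, handle, modified),       # PCR 4 differs
        "unmeasured": boot_attempt(tpm, handle, {}),           # nothing extended
    }
```

The useful property is that the TPM never has to recognise a "bad" bootloader: any deviation from the measured-at-seal state, including skipping measurement altogether, yields a different policy digest and the key stays inside the part.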

Re: can a random number be subject to a takedown?

2007-05-04 Thread David G. Koontz
Hal Finney wrote:
 My question to the assembled: are cryptographic keys really subject to
 DMCA subject to takedown requests? I suspect they are not
 copyrightable under the criterion from the phone directory
 A sample demand letter from the AACS Licensing Authority appears at:
 From what I can see, there is no claim that the key is copyrighted.
 Rather, the letter refers to the provisions of the DMCA which govern
 circumvention of technological protection measures.  It demands that
 the key be taken down in order to avoid legal liability.
 This seems odd to me because my understanding of the DMCA's
 anti-circumvention provisions is that they are criminal rather than civil
 law.  Violations would lead to charges from legal authority and not from a
 copyright owner.  So it's not clear that AACSLA has any power to enforce
 these demands, other than trying to get some government agency involved.
 The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read

From an explanation of the justification for the take down notices:

  Fred von Lohman, an attorney at the Electronic Frontier Foundation,
  said in his blog that sites which carry the code or links to it are
  unlikely to be able to use a traditional defence of 'safe harbor'.

  While no court has ruled on the issue, AACS will almost certainly
  argue that the DMCA safe harbors do not protect online service
  providers who host or link to the key, he said. The DMCA safe
  harbors apply to liabilities arising from 'infringement of copyright.'
  Several courts have suggested that trafficking in circumvention tools
  is not 'copyright infringement,' but a separate violation of a
  'para-copyright' provision.

  The AACS takedown letter is not claiming that the key is
  copyrightable, but rather that it is (or is a component of) a
  circumvention technology, said von Lohman. The DMCA does not require
  that a circumvention technology be, itself, copyrightable to enjoy

One would think that the recent SCOTUS findings in Microsoft v. ATT
would demonstrate that intangibles such as software (and perhaps large
integers) were not components or parts thereof, unless in place in a

  f : a piece of equipment or a mechanism designed to serve a special
  purpose or perform a special function an electronic device


17 USC 1201:

  (b) Additional Violations. -

  (1) No person shall manufacture, import, offer to the public,
provide, or otherwise traffic in any technology, product,
service, device, component, or part thereof, that -

 o (A) is primarily designed or produced for the purpose of
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof;
 o (B) has only limited commercially significant purpose or use
other than to circumvent protection afforded by a
technological measure that effectively protects a right of a
copyright owner under this title in a work or a portion
thereof; or
 o (C) is marketed by that person or another acting in concert
with that person with that person's knowledge for use in
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof.

I'd strongly suspect that most if not all of the 2 million hits would
not reveal another acting in concert with that person's knowledge.
While this instance is not indicative of a trend to the lawyer
equivalent of judicial activism, I don't see any protection under the
DMCA against distributing the Processing Keys as what appears to be a
political statement (which could be held to be protected speech).


Fred's blog entry:


A processor that can do a DES round in 1 clock

2006-02-12 Thread David G. Koontz
I've seen this quite some time in the past, it wasn't for public 
disclosure.  Periodically I've looked for a copy on the internet.

This is from Stretch Inc., their Software Configurable Processor.

The stuff on DES encryption starts on page 44.

The processor is based on a Tensilica Xtensa processor, which can be 


Re: NY Times reports: NSA falsified Gulf of Tonkin intercepts

2005-11-01 Thread David G. Koontz

Perry E. Metzger wrote:

   WASHINGTON, Oct. 28 - The National Security Agency has kept secret
   since 2001 a finding by an agency historian that during the Tonkin
   Gulf episode, which helped precipitate the Vietnam War,
   N.S.A. officers deliberately distorted critical intelligence to
   cover up their mistakes, two people familiar with the historian's
   work say.

   The historian's conclusion is the first serious accusation that
   communications intercepted by the N.S.A., the secretive
   eavesdropping and code-breaking agency, were falsified so that they
   made it look as if North Vietnam had attacked American destroyers
   on Aug. 4, 1964, two days after a previous clash.

The National Security Archive

The Gulf of Tonkin Incident, 40 Years Later
Flawed Intelligence and the Decision for War in Vietnam

Signals Intercepts, Cited at Time, Prove Only August 2nd Battle, Not
August 4; Purported Second Attack Prompted Congressional Blank Check for War

Johnson-McNamara Tapes Show Readiness to Escalate, Even on Suspect
Intel; Top Aides Knew of Mistaken Signals, but Welcomed Justification for Vote

National Security Archive Electronic Briefing Book No. 132

Edited by John Prados
Posted August 4, 2004

...Thus the U.S. bombing of North Vietnam went forward based on the 
mistaken belief in a second attack in the Gulf of Tonkin. In a certain 
sense, because the resolution that passed Congress was used to justify 
the U.S. military commitment, the entire Vietnam War can be said to have 
been based on a misunderstanding. Just over a month afterward, when 
another pair of American warships in the Gulf of Tonkin also thought 
they had come under attack, LBJ began to express doubts about the 
reality of the August incident. In 1997, in Hanoi, Robert McNamara, in a 
conversation with Vietnamese Commander General Vo Nguyen Giap, also 
concluded that the August 4, 1964, incident had never occurred. That is 
now the general consensus among historians of the Vietnam War.
