[Cryptography] psyops

2013-09-30 Thread David Honig




Bumber sticker:

Remember, the NSA is Backing You Up 


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: Linux-based wireless mesh suite adds crypto engine support

2004-10-05 Thread David Honig
At 03:25 PM 9/30/04 -0700, John Gilmore wrote:

Crypto hardware that generates random numbers can't be tested in
production in many useful ways.  My suggestion would be to XOR a
hardware-generated and a software-generated random number stream.  If
one fails, whether by accident, malice, or design, the other will
still randomize the resulting stream.  Belt AND suspenders will keep
your source of randomness from being your weakest link.

A good idea, but also: consider that hardware based RNGs are
not so hard to make.  An FM radio soundcard, audio digitizer, and
some homebrew (perhaps standard-crypto-hash-based) software
suffices for moderate bandwidth true RNG construction.  
Using an evaluation metric like Diehard and/or a Shannon or
Mauer entropy measure ices the cake (as well as being required
for initial and continuing monitoring).  (Insert the usual caveats
about PRNGs being undetectable, OS subversion, white vans driving
your FM hiss, etc.)  Very cheap and if you can master a hash
function component, not tricky.

Obviously too much trouble for Joe Sixpack, but I think that
certain online gambling houses (not US of course) have made
their own sources, and definately not too hard for anyone who codes
and has crypto-clue.  OTOH Joe can benefit from his radio-tuner
card plus off the shelf inspectable software since he ought not
to trust Bigcorp's embedded nominal RNG.  Joe Sixpack might also
be an abbreviation for a foreign government.  Should the Pakis
really trust Intel's RNG? 

PS: your belts and suspenders argument also applies to trusting
cipher algorithms.  Best to chain a few.  Also useful to twiddle
a few S-box bits, even if you get suboptimal properties, so as 
to deter cheap crackers using COTS cipher chips.  (Doing dictionary
regexp search, not the impractical exhaustive search, of course.)
This works particularly well in large random-S-box constructs like Blowfish
(et al) compared to the more spartan (thus degradable) DES S-boxes.

The weakest link will be bipedal for the forseeable future.










=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted.  Really.

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: An interesting new computer security problem

2004-09-30 Thread David Honig
At 12:58 PM 9/27/04 -0600, Anne  Lynn Wheeler wrote:
At 11:03 PM 9/24/2004, Peter Gutmann wrote:
A few days ago I was chatting with some people working on a government IT
project who had a rather complex security problem that they needed help
with.
They have a large number of users with Windows dumb terminals (think Xterms
but for Windows) connected to a central ASP server, which runs various
mutually untrusted apps from different vendors.  Their problem was that they
needed a means of securing the individual apps from each other.

I told them that they were in luck, and this exact problem had already been
addressed before.  I'd drop off the detailed technical specs for the
solution
when I next saw them, they could recognise it by its bright orange cover.

Put each app on a separate machine, and don't put any networking
equiptment in the machines.  Simple.



=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted.  Really.

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Approximate hashes

2004-09-01 Thread David Honig
At 06:02 PM 9/1/04 +0300, Marcel Popescu wrote:
From: Marcel Popescu [EMAIL PROTECTED]

 Hence my question: is there some approximate hash function (which I
could
 use instead of SHA-1) which can verify that a text hashes very close to
a
 value? So that if I change, say, tabs into spaces, I won't get exactly the
 same value, but I would get a good enough?

This is completely what secure hashes are supposed to prevent.  *Any* change
in the input will flip half the hash-bits on average.  Just like a block
cipher.  There is no input nearness preservation.  That's part of the point
of the algorithm.


I just had an idea. Would this work?

- let S be the input string, whose hash I want to verify
- make S uppercase
- remove everything but A-Z, 0-9, and common punctuation (!;:',.?)
- calculate the SHA1 hash of the result

This should keep any insignificant changes out of the final result. 

You can encode your message in some format which is not subject
to mangling, and use a hash of that encoding.  You can then
decode the encoding back into unicode or whatever funky but
net-fragile character set you like.  This is somewhat like
ascii-armoring of PGP-encrypted messages.





=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



No, you're not 'tripping', that is an emu ---Hank R. Hill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: titles

2004-08-26 Thread David Honig
At 12:34 AM 8/27/04 +0100, Ian Grigg wrote:

David Honig wrote:
  Security Engineer, according to Schneier...

I don't like that term for 3 reasons:  firstly, when we
build stuff, security should be top-to-bottom, integrated
in, and not seen as an add-on, an after-thought.  That
is, the overall engineer should build in the security as
required from the beginning, so it is a skill that all
need, and not something thrown over the wall to the guy
with security in his title.

It should be, but usually isn't.  In fact, the security
dude often has to make recommendations out of his
prescribed niche, to others.  Often on a project which
is already under way.

E.g., I recently contracted to implement a crypto protocol.
When I suggested that, if a pad of paper be provided for
folks to write their passphrases down, it be a single 
glass-backed sheet (lest impressions be taken), much
laughter ensued.  But if its worth encrypting, it must
be interesting, right?   


Secondly, anything to do with security has a very strong
hype-to-value ratio, so much so that it's quite hard to
find a security company selling good security stuff.

Security is much more than crypto, I've learned, so 
I don't have a problem with the word.  Security includes
human and physical security, and although they're not
cool comp sci or math, they are vital.  Crypto being
fairly refined, its not the weakest link any more.  And a 'security'
mindset (being able to think like the adversary, much
like in tic-tac-toe or chess) is important, but not
so common.

Its not like things titled crypto aren't often marianated in snake oil...
:-)

Thirdly, good security engineering, as it should be done,
doesn't necessarily involve crypto.  The art is in using
as little crypto as possible - in precise and well placed
doses.  IMHO.  

Yes.

Applications can't be any more secure than their
operating system. -Bram Cohen

Oftentimes, however, security engineers
start from the pov that crypto is a hammer, and their
job is to go find a nail to encrypt.

I'll admit to this tunnel vision when I started my interest,
over a decade ago when I learned how the IP worked and
got into dissecting crypto algorithms to find the magic.
Since then I've learned that other things are more 
important to understand; crypto components are just black 
boxes to an engineer, like a sorting routine or the like.

Cryptoplumber is cute, in a self-depreciating way, but
its all engineering, albeit less mature than say civil
engineering, which stopped building bridges that collapse
some time ago.

The ultimate in paranoia is not when everyone is against you but when
everything is against you. --PKD


=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



No, you're not 'tripping', that is an emu ---Hank R. Hill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: RPOW - Reusable Proofs of Work

2004-08-21 Thread David Honig
At 04:34 PM 8/20/04 -0500, Matt Crawford wrote:
 I'm wondering how applicable RPOW is.  

If you think of POW as a possible SPAM mitigation

As spam mitigation, it might work better than
hashcash.  As cash, it lacks the anonymity of 
bearer-documents (tm) since there is one
clearing house.  This might be improved via
support for a system of mostly independent
clearing houses which also interchange at 
interchange places.  However, those would likely
be regulated by the Powers That Be, ergo not
alleviating my concerns about anonymity.

My 2 dinars.


=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



No, you're not 'tripping', that is an emu ---Hank R. Hill

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: should you trust CAs? (Re: dual-use digital signature vulnerability)

2004-08-01 Thread David Honig
At 02:09 PM 7/28/04 -0400, Adam Back wrote:
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good.  Ie the difference is it is detectable and provable.

Who cares?  A CA is not legally liable for anything they
sign.  A govt is not liable for a false ID they issue
a protected witness.  The emperor has no clothes, just
a reputation, unchallenged, ergo vapor.




=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP
VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up)
   mnemonic: WIZ GOB MRAM
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is finding security holes a good idea?

2004-06-16 Thread David Honig
At 08:40 AM 6/16/04 -0700, Eric Rescorla wrote:
 the search patterns used by blackhats - we are all human and are likely
 to be drawn to similar bugs. 

Prof Nancy Levenson once did a study where separate teams coded
solutions to the same problem.  The different teams' code often erred
in the same places (eg corner cases).  This was taken as
an argument against N-version programming IIRC.  It supports
the argument that H. saps are succeptible to common cogntive
flaws.  While this was a code *generation and test* experiment,
it does bear on the evaluate for bugs question too.

As far as whether finding holes is a good idea, remember that
the Pros do not report what they find.  
No means or methods, remember? 




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: my periodic rant on quantum crypto

2004-04-14 Thread David Honig
At 03:37 PM 4/12/04 -0400, Perry E. Metzger wrote:

QC can only run over a dedicated fiber over a short run, where more
normal mechanisms can work fine over any sort of medium -- copper, the
PSTN, the internet, etc, and can operate without distance limitation.


Nice essay.  I especially liked the discussion of authentication.

Its also the case AFAIK that the quantum-carrying fiber
can only carry one photon at a time.  (Perhaps you can multiplex
different frequencies, if your demultiplexor doesn't change the
quantum properties).  Now while there *is* a lot of dark fiber,
sending one photon at a time is a pretty good way to keep the
construction crews digging up roads :-) 

Similar quantum-hype is sometimes argued in RNG discussions
by those with very narrow views of what an RNG needs and
consists of.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-28 Thread David Honig
At 09:13 AM 12/26/03 -0800, Steve Schear wrote:
http://news.bbc.co.uk/2/hi/technology/3324883.stm


Mr Wobber and his group calculated that if there are 80,000
seconds in a day, a computational price of a 10-second levy
would mean spammers would only be able to send about 8,000
messages a day, at most. 

Spammers are sending tens of millions of e-mails, so if they had
to do that with all the messages, they would have to invest
heavily in machines. 


Replace invest with trojan and remind Mr. W. that he
works for the major facilitator of trojaned machines.







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread David Honig
At 07:11 PM 10/22/03 -0400, Perry E. Metzger wrote:

Indeed. Imagine if we waited until airplanes exploded regularly to
design them so they would not explode, or if we had designed our first
suspension bridges by putting up some randomly selected amount of
cabling and seeing if the bridge collapsed. That's not how good
engineering works.

No.  But how quickly we forget how many planes *did* break up,
how many bridges *did* fall apart, because engineering sometimes
goes into new territory.

Even now.  You start using new composite materials in planes, and wonder why
they fall out of the sky when their tails snap off.  
Eventually (though not yet) Airbus et al
will get a clue how they fail differently from familiar metals.  
Even learning about now-mundane metal fatigue in planes involved
breakups and death.

(Safety) engineering *is* (unfortunately, but perhaps by practical necessity)
somewhat reactive.  It tries very hard not to be, but it is.

dh





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-11 Thread David Honig
At 12:08 AM 10/10/03 +0800, Ng Pheng Siong wrote:
I believe SSL VPNs are easier than IPsec to deploy 

For the former, you give a password or two --maybe
reuse a POP3 that your users already have-- and all your
users get in fairly securely, and you can verify them.  
Easy for them because they already have a browser.  

(And some browsers, I recently found out, will accept a self-cert
for life, as well as remember your passwords.  Can you guess
which company made that convenience-vs-security tradeoff?)

For IPsec, you have to walk each of them through
installing the stack, etc.  Not fun, esp on multiple
platforms.

and operate for the road
warrior accessing corporate resources. This may eventually restrict IPsec's
utility to site-to-site tunneling (useful when, e.g., one wishes to run
OSPF over the tunnel), which _should_ be far easier to configure without
needing the help of some whizbang AI.

Things *should* get easier for IPsec when its part of the default
client system, whether *nix or otherwise.  Then everything reverts
back to simple :-) key management.


He say I know you, you know me
He got x509 he got intrusion detection
He got secure DNS he got spam filter
He say One and one and one is three
Got to be spoofed 'cause he's so hard to see 

From Link Together
J0hn L3nn0n





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: anonymous DH MITM

2003-10-06 Thread David Honig
At 03:38 PM 10/6/03 -0400, Ian Grigg wrote:
I'm asking myself whether anonymous DH is confusingly named.
Perhaps it should be called psuedonymous DH because it creates
psuedonyms for the life of the session?  Or, we need a name
that describes the creation of psuedonyms, de novo, from
an anonymous starting position?

Think of an identity is one endpoint of a communication link.

Identities can have varying degrees of persistance
and varying degrees of association with meatspace/bank accounts.
These are orthogonal dimensions.

An endpoint can maintain a reputation (persistant identity)
but need not be linked to meatspace entity.  A nom-de-plume
is a traditional example.

By itself, DH exchange only assures that the endpoints
remain constant (plus, via the typical symmetric key
exchange, also provides confidentiality) for the session.
If there is a MITM, the endpoints are not what the
distal endpoints (Alice  Bob) might think.

RSA-certs as administered by Verislime have very little
meatspace linkage --you can't sue Verislime if their
signed-claims about a meatspace entity are untrue, and
the certholder ran off with your money, or if the 
cert was copied and your DNS cache poisoned.

Similarly, publishing a RSA public key and email address
does not guarantee anything.  And since trust is *not*
transitive, the so-called web of trust does little
to help, because your personally trusted associates may have
been compromised.

And of course single meatspace entities may have several RSA
keys which others do not know have a common user.








-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Can Eve repeat?

2003-09-24 Thread David Honig
At 08:34 AM 9/24/03 -0400, Greg Troxel wrote:
A consequence of the infinite CPU assumption is that ciphers like AES,
hash functions like SHA-1, etc. are all considered useless by the
purist QC community.  Thus, people talk about doing authentication
with families of universal hash functions.  This has the practical
problem that the original (courier-transported) secret keying material
for authentication is used up, and the typical scheme talked about is
using some of the agreed-upon QKD bits to replenish the authentication
keying material.  This does not seem very robust.  

Those couriers are carrying one-time pad CDs, in a QC world.

Do not try to pet their dogs, BTW.





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Honig
At 05:04 PM 9/8/03 -0400, Trei, Peter wrote:
Why the heck would a government agency have to break the GSM encryption
at all? The encryption is only on the airlink, and all GSM calls travel
through 
the POTS land line system in the clear, where they are subject to 
warranted wiretaps.

Breaking GSM is only of useful if you have no access to the landline
portion of the system.

You forget that some regimes want to listen to GSM calls
in places that they don't control.







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Code breakers crack GSM cellphone encryption

2003-09-07 Thread David Honig
At 03:32 PM 9/7/03 -0400, R. A. Hettinga wrote:
If the cellphone companies in 197 countries want to correct the code errors
that expose them to trickery and abuse, they will have to call in each
customer to make a change in the cellphone's programming, or replace all of
the cellular phones used by their subscribers.

I've read that the lifecycle of a cell phone is about 2 years, 
FWIW.

During a kids-channel TV show, I saw that if you buy 4 dolls
you get a prepaid phone free.  Took me a while to get over
that future-shock.

A copy of the research was sent to GSM authorities in order to correct the
problem, and the method is being patented so that in future it can be used
by the law enforcement agencies.

Laughing my ass off.  Since when do governments care about patents? 
How would this help/harm them from exploiting it?   Not that
high-end LEOs haven't already had this capacity ---Biham et al
are only the first *open* researchers to reveal this.









-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: U.S. seeks OSCE pact on biometric passports

2003-09-03 Thread David Honig
At 04:50 PM 9/2/03 -0400, Duncan Frissell wrote:
Anyone have any pointers to non destructive methods of rendering Smart
Chips unreadable?  Just curious.

DCF

Perhaps I'm being dense but how could this be non-destructive? 

Do you mean non-obvious?   Or reversible?

If the usual microwave games don't apply, perhaps sufficient
acceleration or ionic fluids would work.  Thermal stress
for the liquid nitrogen folks?  The flash unit from
a $4 disposable camera does a nice job of vaporizing a spot of 
metal from a coin or screwdriver shorting the cap.

Do any europeans have experience leaving smartcards in the laundry?

One question would be how to discretely test/verify the new read-not mode :-)







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: traffic analysis (was: blackmail / stego)

2003-08-28 Thread David Honig
At 01:01 PM 8/27/03 -0700, Jim McCoy wrote:
While IANL, it seems that the whole anonymity game has a flaw that 
doesn't even require a totalitarian regime. I would direct you to the 
various laws in the US (to pick a random example :) regarding 
conspiracy. Subscribing to an anonymity service might not become 
illegal, but if anyone in your crowd was performing an illegal action 
you may be guilty of conspiracy to commit this action.  

Ok, so you have a EULA in which you prohibit offensive behavior.
A crowd-member might violate this, but any chaff crowd-member
would have a legal defense ---Hey, I used the foobar service
to avoid hackers finding my IP, its not my fault if someone threatened the
king

A real police state would just Tomahawk the servers.  After rubber
hosing the operators.  Anything less than a Total Police State
would have to acknowledge innocent subscribers.  

Kinda like (ca. 1980) yeah, I have a cell phone, its because I
am on the road ---I'm not a pharmdealer, even if half the carrier's
traffic is dubious.

Or, moving into this century, yeah, I use KaZaa++, but its to 
download unrecognized indie bands, not MetalliMadonna
(assuming K++ were anonymous..)

Of course, its becoming easier and easier to be a total police state..









-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Information-Theoretic Analysis of Information Hiding

2003-07-15 Thread David Honig
At 12:30 AM 7/15/03 -0400, Don Davis wrote:
An electrical engineer at Washington University
 in St. Louis has devised a theory that sets the
 limits for the amount of data that can be hidden
 in a system and then provides guidelines for how
 to store data and decode it. Contrarily, the
 theory also provides guidelines for how an
 adversary would disrupt the hidden information.

But the theory answers the questions, what is the optimal attack..

There are ways of preventing any modification (attack) of the
carrier.  E.g., sign the carrier (with the private
half of a widely published public key).  Although this
technique would attract attention until widespread.

Note that Disney has to do this as well as Osama,
lest someone post Disney content, with the not ok to copy freely
watermark mutated.  Otherwise a downloader would
protest, but the file said it was free, and the
included-file-hash said it was intact!  (Because
the mutator also provided a new hash.)

(Disney's situation is worse, of course, because 
even the pristine, Disney-signed content is copyable at the
analog (etc) level.  And Osama can use multiple images as carriers
for a single message.)






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: basic question: semantics of map, tie, etc in PKI

2003-07-08 Thread David Honig
At 11:40 AM 7/8/03 -0600, Anne  Lynn Wheeler wrote:
A hardware token that requires a PIN/password to operate can be considered 
two-factor authentication (something you have and something you know). 

I was going to comment on how a simple plastic debit card
that includes a photo provides the third something you are.
(More reliably than the signature, which is also something 
you are, but readily forged/ignored.)  

Then it occurred to me: as cameras become ubiquitous
(e.g., in cell phones) some extra security could be obtained
by sending a trusted photo of the account holder plus a live picture
of the card user.

A picture glued into the card could be forged, but a 
smartcard (with more data area than a magstripe)
could include a picture of the account holder,
so a thief has no idea what to look like.  But the vendor can
check the encrypted smartcard face to the face on the phone
or webcam.  For high-value remote transactions, this might
be viable in a few years.  

This is already standard practice
on high-security building-entry cards (and passports?), 
with the guard comparing the card-embedded face to the one before him.  
Ubiquitous cameras will bring that to remote transactions,
reducing cost due to lower fraud.









-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Keyservers and Spam

2003-06-15 Thread David Honig
At 03:41 PM 6/13/03 -0700, Bill Frantz wrote:

The HighFire project at Cryptorights
http://www.cryptorights.org/research/highfire/ is planning on building a
web of trust rooted in the NGOs who will be using the system.  Each NGO
will have a signing key.  A NGO will sign the keys of the people working
for it.  In this manner, we have way of saying, The John Jones who works
for Amnesty International.  A NGO may decide to sign another NGO's signing
key.  Now we have a way to say to someone in Amnesty, Send a message to
Steve Smith in Médecins Sans Frontières.  The plan is to show the trust
relationship in the UI as a path of keys.

I would appreciate your comments.

Threat model: NGO_Alice is compromised and signs GESTAPO key, leading
to NGO_Bob's demise.

Possible counters: 

NGO_Alice's NGO key is a split key, so 1 person needs
be rubber hosed.  I don't know if PGP supports this, I don't think so.

Short key expirations, in the limit trusted for just 1 day.  Already
possible, just document this.



Also, how do you counter the GESTAPO from seeing queries to the 
key servers?   It might be enough to jail anyone making such an
inquiry.  Possible solutions would include having the keyserver
perform some innocuous function, and use SSL for all connections
to it.  Also SSL proxying and stego of course.









-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: An attack on paypal

2003-06-12 Thread David Honig
At 03:38 PM 6/11/03 -0600, Anne  Lynn Wheeler wrote:
even before e-commerce, the real 
BBB process was that people called up the BBB and got realtime information 
 i.e. it was an online, realtime process.

the equiivalent for an online, internet paradigm (as opposed to something 
left over from the offline email genre of at least 10--15 years earlier) 
was that the browswer tab;e pf trusted entities were of online authorities 
(as opposed to certificate manufacturing) and if you cared, you clicked 
thru to the BBB and got realtime information about the merchant in question 
(being equivalent to when people call the BBB to actually get some level of 
real input  as opposed to just a fuzzy comfort fealing).

When I buy $20 of gas with non-bearer credentials (ie, credit card), 
the vendor does a real-time check on me.  Seems fair/useful to be able
to do same on them.  I suppose eBay's feedback suffices... if their
last N feedbacks are negative, I might go elsewhere.







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Keyservers and Spam

2003-06-12 Thread David Honig
At 05:47 PM 6/11/03 -0700, Bill Frantz wrote:
To try to reflect some of David's points with a real-world situation.  I
was at work, with a brand new installation of PGP.  I wanted to send some
confidential data home so I could work with it.  However I didn't have my
home key at work, so I didn't have a secure way to send either the data, or
the work key.  I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket.  It
had his key fingerprint on it, and I remember getting it directly from him,
so I could trust the fingerprint.  Now Carl had signed my key, so when I
downloaded it from the key server, I could verify that it was indeed mine
(to the extent I trusted Carl).  Carl's signature, and the key server
allowed me to bootstrap trust into my own key.


But with a key server, I didn't have to bother Carl to send me my key.  Or
depend on him being online when I needed it.

True, although: 
1. you could have had your own key-fingerprint on your own bizcard
and done the same.  

2. you needn't have had your valid email address there (going back
to the spam-thread), perhaps just your regular name.  In fact you
could have your key on your home server, not in a public 
server which serves as spambait.  Your home server could be
unlisted by using an alternate port.  (I do this to get around
ISP blocking, but then I'm not trying to publish papers on my
home server.)  Or use CGI, or a password mechanism, to deter spam-spiders.

The point with spam and publishing your email address
is that its like having a public
physical storefront: anyone can pay the price of a cigarette 
to a stream of homeless people to
clog your physical store.  Or form a huge line if you have bouncers
at the door.  That's what having a public interface means.

3. I think you also trusted that Carl has not been compromised
and re-signed a bogus key *after* he first signed it.  (Not picking
on Carl here :-)





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Keyservers and Spam

2003-06-10 Thread David Honig
At 12:43 PM 6/10/03 -0400, Jeffrey Kay wrote:
number (which I now use Call Intercept to avoid telephone solicitors).

But for privacy reasons, some folks will not automatically forward
their phone number.  You either deny them access or require them 
to jump through extra hoops (redial w/ special control codes 
that send their ID).  Analogy w/ email  PGP left as an exercise..







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]