Re: Solving password problems one at a time, Re: The password-reset paradox

2009-02-24 Thread Ed Gerck
silky wrote: On Sun, Feb 22, 2009 at 6:33 AM, Ed Gerck edge...@nma.com wrote: (UI in use since 2000, for web access control and authorization) After you enter a usercode in the first screen, you are presented with a second screen to enter your password. The usercode is a mnemonic 6-character

Re: Solving password problems one at a time, Re: The password-reset paradox

2009-02-24 Thread Ed Gerck
, if they so want and are motivated to, or learn to be motivated. Mark Twain's cat was afraid of the cold stove. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord

Re: Solving password problems one at a time, Re: The password-reset paradox

2009-02-24 Thread Ed Gerck
silky wrote: On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck edge...@nma.com wrote: [snip] Thanks for the comment. The BofA SiteKey attack you mention does not work for the web access scheme I mentioned because the usercode is private and random with a very large search space, and is always sent

Solving password problems one at a time, Re: The password-reset paradox

2009-02-23 Thread Ed Gerck
regards, Ed Gerck e...@gerck.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: The wisdom of the ill informed

2008-07-01 Thread Ed Gerck
by Dan is to /not/ allow weak passwords in the first place! But, because this is not really possible with PIN systems (even with 6 digits), the security designer can detect attack patterns and use them to trigger a block even for an a priori unknown IP. Cheers, Ed Gerck

Re: The wisdom of the ill informed

2008-07-01 Thread Ed Gerck
[Moderator's note: I'll let Ed have the last word. I'm sure everyone knows what I'd say anyway. --Perry] Perry E. Metzger wrote: Ed Gerck [EMAIL PROTECTED] writes: In any case, there are a large number of reasons US banks don't (generally) require or even allow anyone to enter PINs

Re: The wisdom of the ill informed

2008-06-30 Thread Ed Gerck
time you need to try enough combinations so that you can succeed. I'm not defending the designers of that email system, as I do not know any specifics -- I'm just pointing out that what you mention is not necessarily a problem and may be even safer than secure online banking today. Cheers, Ed

Re: The wisdom of the ill informed

2008-06-30 Thread Ed Gerck
[EMAIL PROTECTED] wrote: Ed Gerck writes: -+-- | ... | Not so fast. Bank PINs are usually just 4 numeric characters long and | yet they are considered /safe/ even for web access to the account | (where a physical card is not required). | | Why? Because after 4 tries

Re: The wisdom of the ill informed

2008-06-30 Thread Ed Gerck
. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Can we copy trust?

2008-06-03 Thread Ed Gerck
is indeed expressed by relationships. And those relationships can be transmitted with proper consideration -- just not in your example. In the case of SSL certs, a simple file copy is enough. Cheers, Ed Gerck Addendum: Did you have a chance yet to read Kelly's paper? In that paper, he is looking

Re: Can we copy trust?

2008-06-03 Thread Ed Gerck
in our social interactions, not just in our digital interactions. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Can we copy trust?

2008-06-03 Thread Ed Gerck
IanG wrote: Ed Gerck wrote: When you look at trust in various contexts, you will still find the need to receive information from sources OTHER than the source you want to trust. You may use these channels under different names, such as memory which is a special type of output that serves

Re: Can we copy trust?

2008-06-03 Thread Ed Gerck
end-user certs. This trust, limited by this extent, can be used in automating use of certs from that CA -- for example, only accept signatures from end-user certs of that CA if the cert is less than 31 days old (or, 15 days -- whatever your risk model says). Cheers, Ed Gerck

Can we copy trust?

2008-06-02 Thread Ed Gerck
will trust. This is how SSL works. The site provides a digital certificate signed by a CA that most browsers trust, providing an independent channel to verify that the web address is correct -- in addition to what the browser's location line says. Cheers, Ed Gerck (*) Trust as qualified reliance

Re: Can we copy trust?

2008-06-02 Thread Ed Gerck
post). Similarly, we have to do it right when we transmit data (for example, if we don't have enough bandwidth or if there is too much noise, the data will be not be 100% transferred). Cheers, Ed Gerck - The Cryptography Mailing

Re: Can we copy trust?

2008-06-02 Thread Ed Gerck
Bill Frantz wrote: [EMAIL PROTECTED] (Ed Gerck) on Monday, June 2, 2008 wrote: To trust something, you need to receive information from sources OTHER than the source you want to trust, and from as many other sources as necessary according to the extent of the trust you want. With more trust

Re: User interface, security, and simplicity

2008-05-05 Thread Ed Gerck
as a synergy: with more usability in a secure system, security increases. With less usability in a secure system, security decreases. A secure system that is not usable will be left aside by users. Cheers, Ed Gerck

Re: Designing and implementing malicious hardware

2008-04-28 Thread Ed Gerck
we call trust), negative (distrust), and zero (atrust -- there is no trust value associated with the information, neither trust nor distrust). More in [*]. Cheers, Ed Gerck References: [*] www.nma.com/papers/it-trust-part1.pdf www.mcwg.org/mcg-mirror/trustdef.htm [**] Ken's paper title (op

Re: Designing and implementing malicious hardware

2008-04-28 Thread Ed Gerck
Perry E. Metzger wrote: Ed Gerck [EMAIL PROTECTED] writes: Each chip does not have to be 100% independent, and does not have to be used 100% of the time. Assuming a random selection of both outputs and chips for testing, and a finite set of possible outputs, it is possible to calculate what

Re: Designing and implementing malicious hardware

2008-04-28 Thread Ed Gerck
that the error-correcting channel has enough capacity to counter-react within that reaction time. For chip fabrication, this may be quite long. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe

Re: 2factor

2008-04-18 Thread Ed Gerck
Leichter, Jerry wrote: No real technical data I can find on the site, and I've never seen a site with so little information about who's involved. (Typically, you at least get a list of the top execs.) Some ex-spooks? Pure snake oil? Somewhere in between? He's likely called Paul McGough, of

Still locked up Shannon crypto work?

2008-04-16 Thread Ed Gerck
/hamming.pdf (BTW, this was a great talk!) Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: SSL/TLS and port 587

2008-01-23 Thread Ed Gerck
Paul Hoffman wrote: At 10:38 AM -0800 1/22/08, Ed Gerck wrote: The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Can you point to some sources

Re: SSL/TLS and port 587

2008-01-23 Thread Ed Gerck
wiretapping and so on, why any private communications should be in the clear I just don't know. Even my MTA offers up SSL or TLS to other MTA's when advertising its capabilities. The RFC is there, use it as they say. - Cheers, Ed Gerck

Re: SSL/TLS and port 587

2008-01-23 Thread Ed Gerck
Steven M. Bellovin wrote: On Tue, 22 Jan 2008 21:49:32 -0800 Ed Gerck [EMAIL PROTECTED] wrote: As I commented in the second paragraph, an attack at the ISP (where SSL/TLS is of no help) has been the dominant threat -- and that is why one of the main problems is called warrantless wiretapping

Re: SSL/TLS and port 587

2008-01-23 Thread Ed Gerck
email submission. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

SSL/TLS and port 587

2008-01-22 Thread Ed Gerck
. It is misleading to claim that port 587 solves the security problem of email eavesdropping, and gives people a false sense of security. It is worse than using a 56-bit DES key -- the email is in plaintext where it is most vulnerable. Cheers, Ed Gerck

Re: 2008: The year of hack the vote?

2007-12-26 Thread Ed Gerck
the e-commerce security problem, by putting in insurance. We can not solve it that way [for elections]. (from my Brookings Symposium comment, Washington, DC, January 2000). Cheers, Ed Gerck - The Cryptography Mailing List

Re: PlayStation 3 predicts next US president

2007-12-13 Thread Ed Gerck
frameworks that can be used to bind the key to a person. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Flaws in OpenSSL FIPS Object Module

2007-12-11 Thread Ed Gerck
(entirely on their own and not by a mandate) to point out non-compliance of evaluated products -- proprietary or open source -- to basic architectural requirements of the standard. Here [x] = competitors, attackers, outside experts, anyone in general. Cheers, Ed Gerck

Re: a new way to build quantum computers?

2007-08-19 Thread Ed Gerck
Steven M. Bellovin wrote: http://www.tgdaily.com/content/view/33425/118/ Ann Arbor (MI) - University of Michigan scientists have discovered a breakthrough way to utilize light in cryptography. The new technique can crack even complex codes in a matter of seconds. Scientists believe this

Re: unintended consequences?

2007-08-08 Thread Ed Gerck
in the remaining through-signal, which can easily be detected. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: improving ssh

2007-07-19 Thread Ed Gerck
Ivan Krstić wrote: On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote: 1. firewall port-knocking to block scanning and attacks 2. firewall logging and IP disabling for repeated attacks (prevent DoS, block dictionary attacks) 3. pre- and post-filtering to prevent SSH from advertising itself

summary, Re: improving ssh

2007-07-19 Thread Ed Gerck
) an in the blog in general. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

improving ssh

2007-07-16 Thread Ed Gerck
other SSH security issues that you would like to see solved /in SSH/. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

a fraud is a sale, Re: The bank fraud blame game

2007-07-03 Thread Ed Gerck
the product along with the shipping costs and the chargeback fees. Merchants, of course, have no choice but to pass those losses on to the honest customers. in http://woip.blogspot.com/2007/03/fraud-is-sale.html See also https://financialcryptography.com/mt/archives/000520.html Cheers, Ed

Re: question re practical use of secret sharing

2007-06-22 Thread Ed Gerck
, such as magnetic domain encoding when storing it in a hard disk. Now, if you pass a copyright-protected work through an irreversible hash function, it would be hard to claim the result to be copyright-protected. Cheers, Ed Gerck

Re: BETA solution, Re: Failure of PKI in messaging

2007-02-16 Thread Ed Gerck
Guus Sliepen wrote: On Thu, Feb 15, 2007 at 02:47:05PM -0800, Ed Gerck wrote: Zmail actually reduces the amount of trust by not storing your usercode, password, or keys anywhere. This makes sense for zmail, and is an incentive to actually do it, to reduce risk -- anyone breaking into any

Re: Failure of PKI in messaging

2007-02-15 Thread Ed Gerck
necessary for banks (because the client already knows the bank and vice versa). Best, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

BETA solution, Re: Failure of PKI in messaging

2007-02-15 Thread Ed Gerck
James A. Donald wrote: Ed Gerck wrote: I am using this insight in a secure email solution that provides just that -- a reference point that the user trusts, both sending and receiving email. Without such reference point, the user can easily fall prey to con games. Trust begins as self-trust

Re: Failure of PKI in messaging

2007-02-13 Thread Ed Gerck
prey to con games. Trust begins as self-trust. Anyone interested in trying it out, please send me a personal email with application info. Best, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe

Re: convenience vs risk -- US public elections by email and beyond

2007-02-07 Thread Ed Gerck
. Best, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Intuitive cryptography that's also practical and secure.

2007-02-05 Thread Ed Gerck
vote selling and coercion. The voter cannot produce a non-repudiable proof of how the voter voted. Best, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

convenience vs risk -- US public elections by email and beyond

2007-02-03 Thread Ed Gerck
by convenience. I would like to invite your comments on this, to help build the trust and integrity that our election system needs -- together with the convenience that voters want. Personal replies are welcome. I am thinking of opening a blog for such dialogue. Moderators are welcome too. Best, Ed

Re: Intuitive cryptography that's also practical and secure.

2007-01-30 Thread Ed Gerck
more chances for success, and less cost, with e-voting. Best, Ed Gerck [1] In Shannon's cryptography terms, the solution reduces the probability of existence of a covert channel to a value as close to zero as we want. This is done by adding different channels of information, as intentional

Re: Intuitive cryptography that's also practical and secure.

2007-01-30 Thread Ed Gerck
fairly intuitive. In fact, it was used about 500 years by the Mogul in India to prevent fraud. The solution is also technologically neutral, but has more chances for success, and less cost, with e-voting. Best, Ed Gerck [1] In Shannon's cryptography terms, the solution reduces the probability

Re: Circle Bank plays with two-factor authentication

2006-09-29 Thread Ed Gerck
! This was the same mistake of email encryption. That the system can actually be used turns out to be more important than any security promise. Cheers, Ed Gerck (*) Apparently, at most. Their 3-digit matrix counter, also included in the message (!), can index at most 999 pages

Circle Bank plays with two-factor authentication

2006-09-28 Thread Ed Gerck
the system less secure than just username/password, while considerably reducing usability. A lose-lose for users. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: [IP] more on Can you be compelled to give a password?

2006-08-08 Thread Ed Gerck
. The data becomes inaccessible even if the coercer has the binary data. Another possibility is to combine the above with threshold cryptography. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe

Re: [IP] more on Can you be compelled to give a password?

2006-07-29 Thread Ed Gerck
heaven for criminals because criminal activity is often detected and evidenced by its outside effects, including tracing. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: Interesting bit of a quote

2006-07-13 Thread Ed Gerck
. Trust depends on parallel channels. So based, trust actually reduces liability. The knife cuts the other way too, and that's why unrevocably expiring documents that can be so treated (legally and business wise) is also necessary to reduce liability. Cheers, Ed Gerck

Call for Papers for the 4th VirtualGoods Workshop in Leeds

2006-07-11 Thread Ed Gerck
C A L L F O R P A P E R S The 4th International Workshop for Technology, Economy and Legal Aspects of Virtual Goods Organized by the GI Working Group ECOM and in parallel with

Re: Is AES better than RC4

2006-05-25 Thread Ed Gerck
the first bytes). Cheers, Ed Gerck Joseph Ashwood wrote: - Original Message - From: Ed Gerck [EMAIL PROTECTED] Subject: [!! SPAM] Re: Is AES better than RC4 ... - The Cryptography Mailing List Unsubscribe by sending

Re: History and definition of the term 'principal'?

2006-04-27 Thread Ed Gerck
by itself cannot operate(or own) anything. Being responsible for an account, or creating keys or passwords, is within the idea of owing or operating. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-24 Thread Ed Gerck
to use. It may actually be a much more powerful tool for data security than currently used. Cheers, Ed Gerck [1] For example, J. Kestin, A Course in Thermodynamics, Blaisdell, 1966. - The Cryptography Mailing List Unsubscribe

Re: Zfone and ZRTP :: encryption for voip protocols

2006-03-16 Thread Ed Gerck
the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string for the users to read and compare over the phone. Depends on the trust model. May not work. Cheers, Ed Gerck - The Cryptography Mailing

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-01 Thread Ed Gerck
John W Noerenberg II wrote: At 5:58 PM -0800 2/24/06, Ed Gerck wrote: A phone number is not an envelope -- it's routing information, just like an email address. Publishing the email address is not in question and there are alternative ways to find it out, such as search engines. Oh really

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ed Gerck
, weak key, key escrow, shared private key), YOUR envelope is compromised from the start and you have no way of knowing it. This is quite different from an address, which single purpose is to route the communication. That's I said the postal analogue of the public-key is the envelope. Ed Gerck

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ed Gerck
that usability is king, could you please send me an encrypted email -- I even let you choose any secure method that you want. Cheers, Ed Gerck Paul Hoffman wrote: At 1:56 PM -0800 2/23/06, Ed Gerck wrote: This story (in addition to the daily headlines) seems to make the case that the available techniques

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-24 Thread Ed Gerck
Ben Laurie wrote: Ed Gerck wrote: Paul, Usability should by now be recognized as the key issue for security - namely, if users can't use it, it doesn't actually work. And what I heard in the story is that even savvy users such as Phil Z (who'd have no problem with key management) don't use

NPR : E-Mail Encryption Rare in Everyday Use

2006-02-23 Thread Ed Gerck
This story (in addition to the daily headlines) seems to make the case that the available techniques for secure email (hushmail, outlook/pki and pgp) do NOT actually work. http://www.npr.org/templates/story/story.php?storyId=5227744 Cheers, Ed Gerck

surveillance, Re: long-term GPG signing key

2006-01-20 Thread Ed Gerck
technologies is presented at http://email-security.net/papers/pki-pgp-ibe.htm Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Comparison of secure email technologies

2005-12-22 Thread Ed Gerck
. Comments are welcome. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-16 Thread Ed Gerck
during Ramadan, when only approval by the Taliban will do), and then reject them out of hand if I haven't had my second cup of coffee. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-12 Thread Ed Gerck
. The RPs are not part of the contract. Without CAs, there's no key owner in PKI. It's for the benefit (and reduction of liability) of the key owners. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-10 Thread Ed Gerck
in the site as well, at http://email-security.net Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-09 Thread Ed Gerck
Anne Lynn Wheeler wrote: Ed Gerck wrote: Regarding PKI, the X.509 idea is not just to automate the process of reliance but to do so without introducing vulnerabilities in the threat model considered in the CPS. but that is one of the points of the article that as you automate more things

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Ed Gerck
-offs. By comparing the capabilities and faults of the secure email products per technology used, these and other problems come up in the score card. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending

X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-07 Thread Ed Gerck
is at http://email-security.net/papers/pki-pgp-ibe.htm Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-07 Thread Ed Gerck
be sent by a direct connection from the client to the recipient mail server, rather than this store and forward crap. Store and forward makes it reliable -- nothing needs to be 100% online 100% of the time (which is, of course, a totally improbable event). Cheers, Ed Gerck

Call for papers -- IS-TSPQ 2006

2005-11-30 Thread Ed Gerck
== CALL FOR PAPERS First International Workshop on Interoperability Solutions to Trust, Security, Policies and QoS for Enhanced Enterprise Systems

announcing email-security.net

2005-09-30 Thread Ed Gerck
will be peer-reviewed before publication. Product and service listings are also welcome, search-engine style (short pitch + link). Regards, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography

Re: Another entry in the internet security hall of shame....

2005-09-13 Thread Ed Gerck
Read in an email from a website: You'll need to send us your CC information via regular email or fax. I would suggest splitting up your CC info if you send it to us via email in two separate emails for security. - The

instant lottery cards too, Re: reading PINs in secure mailers without opening them

2005-08-27 Thread Ed Gerck
time for the attack to be successful. Cheers, Ed Gerck Perry E. Metzger wrote: Often, banks send people PINs for their accounts by printing them on tamper secure mailers. Some folks at Cambridge have discovered that it is easy to read the PINs without opening the seals... http://news.bbc.co.uk

Re: EMV and Re: mother's maiden names...

2005-07-16 Thread Ed Gerck
? By weakly fighting fraud, aren't we allowing fraud systems to become stronger and stronger, just like any biological threat? The parasites are also fighting for survival. We're allowing even email to be so degraded that fax and snail mail are now becoming atractive again. Cheers, Ed Gerck

Re: EMV and Re: mother's maiden names...

2005-07-15 Thread Ed Gerck
that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable. A fraud is a sale is the only outcome possible from using such security school of thought. Also sometimes referred to as acceptable risk -- acceptable indeed, because it is paid for. Cheers, Ed Gerck

[Fwd: VirtualGoods Workshop in Florence: Deadline for Submission, July 20th]

2005-07-07 Thread Ed Gerck
Original Message Subject: VirtualGoods Workshop in Florence: Deadline for Submission, July 20th Date: Wed, 6 Jul 2005 15:55:37 +0200 From: Juergen Nuetzel [EMAIL PROTECTED] Reply-To: Juergen Nuetzel [EMAIL PROTECTED] To: [EMAIL PROTECTED] Dear Members of the

Re: expanding a password into many keys

2005-06-13 Thread Ed Gerck
as a function of all the above -- including the threat model; - provide for key management, with revocation, expiration and roll-over, before you face these needs without planning. Cheers, Ed Gerck Ian G wrote: I'd like to take a password and expand it into several keys. It seems like a fairly

Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck
last-four is private and static too (unless you want the burden to change your card often). Lance James wrote: But from your point, the codeword would be in the clear as well. Respectively speaking, I don't see how either solution would solve this. Ed Gerck wrote: List, In an effort to stop

Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck
refresh it at will, each user will have the security that he wants. Matt Crawford wrote: On May 26, 2005, at 13:24, Ed Gerck wrote: A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like

Citibank discloses private information to improve security

2005-05-26 Thread Ed Gerck
it, in the name of security? Cheers, Ed Gerck -- I use ZSentry Mail Secure Email https://zsentry.com/R/index.html/[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe

Re: two-factor authentication problems

2005-03-13 Thread Ed Gerck
Matt Crawford wrote: On Mar 5, 2005, at 11:32, Ed Gerck wrote: The worse part, however, is that the server side can always fake your authentication using a third-party because the server side can always calculate ahead and generate your next number for that third-party to enter -- the same number

two-factor authentication problems

2005-03-06 Thread Ed Gerck
they are recognized. So, again, if someone breaks into your file using your number -- who is responsible? Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Can you help develop crypto anti-spoofing/phishing tool ?

2005-02-09 Thread Ed Gerck
channel available. I am looking at N outputs, N sources of information (each one as independent as possible but not necessarily 100% independent). You have no reference for detecting a spike, I have N-1. Cheers, Ed Gerck

Re: Can you help develop crypto anti-spoofing/phishing tool ?

2005-02-08 Thread Ed Gerck
Amir Herzberg wrote: Ed Gerck responded to me: Can you trust what trustbar shows you? This trust translates to: -- Trusting the TrustBar code (which is open source so can be validated by tech-savvy users / sys-admin) -- Trusting that this code was not modified (same as for any other aspect

[Fwd: Call for Papers: Virtual Goods 2005]

2005-01-26 Thread Ed Gerck
Dear Virtual Goods Community, here is the link to the cfp: http://virtualgoods.tu-ilmenau.de/2005/cfp_short.txt Please feel free to distrubute it. Best regards Juergen Here is the text: C A L L F O R P A P E R S The 3rd International Workshop for

Re: Entropy and PRNGs

2005-01-11 Thread Ed Gerck
, not free from correlations either. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: When A Pencil And Paper Makes Sense

2004-11-18 Thread Ed Gerck
, Ed Gerck R.A. Hettinga wrote: http://www.forbes.com/2004/11/05/cx_ah_1105tentech_print.html Forbes Ten O'Clock Tech When A Pencil And Paper Makes Sense Arik Hesseldahl, 11.05.04, 10:00 AM ET Thank goodness, it's over. Sometime around 4:30 A.M. Wednesday I went to bed, not the least bit uncertain

Re: public-key: the wrong model for email?

2004-09-18 Thread Ed Gerck
Ben Laurie wrote: Ed Gerck wrote: If the recipient cannot in good faith detect a key-access ware, or a GAK-ware, or a Trojan, or a bug, why would a complete background check of the recipient help? Let's assume for a moment that a solution exists that satisfies your requirements. Since

Re: public-key: the wrong model for email?

2004-09-18 Thread Ed Gerck
Anne Lynn Wheeler wrote: At 12:53 PM 9/16/2004, Ed Gerck wrote: If the recipient cannot in good faith detect a key-access ware, or a GAK-ware, or a Trojan, or a bug, why would a complete background check of the recipient help? a complete audit and background check ... would include an audit

Re: public-key: the wrong model for email?

2004-09-17 Thread Ed Gerck
Adam Shostack wrote: On Thu, Sep 16, 2004 at 12:05:57PM -0700, Ed Gerck wrote: | Adam Shostack wrote: | | I think the consensus from debate back last year on | this group when Voltage first surfaced was that it | didn't do anything that couldn't be done with PGP, | and added more risks to boot

Re: public-key: the wrong model for email?

2004-09-17 Thread Ed Gerck
Bill Stewart wrote: At 10:19 PM 9/15/2004, Ed Gerck wrote: Yes, PKC provides a workable solution for key distribution... when you look at servers. For email, the PKC solution is not workable (hasn't been) and gives a false impression of security. For example, the sender has no way of knowing

Re: public-key: the wrong model for email?

2004-09-16 Thread Ed Gerck
to the recipient. To further clarify, my comment is not that PKC is not useful for email. I believe it is, but not directly used as it is today. The PKC key distribution solution is backwards for email. Cheers, Ed Gerck - The Cryptography Mailing

Re: public-key: the wrong model for email?

2004-09-16 Thread Ed Gerck
, with all its drawbacks. Cheers, Ed Gerck Weger, B.M.M. de wrote: Hi Ed, What about ID-based crypto: the public key can be any string, such as your e-mail address. So the sender can encrypt even before the recipient has a key pair. The private key is derived from

Re: public-key: the wrong model for email?

2004-09-16 Thread Ed Gerck
not need to rely on the recipient, or receive anything from the recipient, in order to sign an email. The problem with PKC email signature is PKI. However, email signature can also be done without PKI, by PGP. Cheers, Ed Gerck

Re: public-key: the wrong model for email?

2004-09-16 Thread Ed Gerck
. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: system reliability -- Re: titles

2004-08-31 Thread Ed Gerck
David Honig wrote: At 12:12 AM 8/27/04 -0700, Ed Gerck wrote: David Honig wrote: Applications can't be any more secure than their operating system. -Bram Cohen That sounds cute but I believe it is incorrect. Example: error- correcting codes. The theory of error-correcting codes allows information

Re: Microsoft .NET PRNG (fwd)

2004-08-10 Thread Ed Gerck
the security gap between RSAENH and Windows XP. The most troubling aspect, however, is that RSAENH makes it easy to provide a covert channel for key access. FIPS 140-1 Level 1 compliant. Cheers, Ed Gerck Anton Stiglic wrote: There is some detail in the FIPS 140 security policy of Microsoft's cryptographic

Re: The future of security

2004-07-30 Thread Ed Gerck
Email end-to-end: PGP, PGP/MIME, S/MIME. Not tunnel SSL or SSL at the end points. Lars Eilebrecht wrote: According to Ed Gerck: But encryption and authentication are a hassle today, with less than 2% of all email encrypted (sorry, can't cite the source I know). Are these 2% 'only' S/MIME and PGP

Re: identification + Re: authentication and authorization

2004-07-09 Thread Ed Gerck
and authentication begins in our circle. Just check, for example, The Handbook of Cryptography by Menezes et. al.: 10.2 Remark (identification terminology) The terms identification and entity authentication are used synonymously throughout this book. Cheers, Ed Gerck

  1   2   >