webcam encryption beats quasar encryption

2006-03-30 Thread Heyman, Michael
Signals from internet webcams could emerge as an 
exotic but effective new tool for securing terrestrial 
communications against eavesdropping.

Scientists have come up with a method for encrypting 
messages using the internet objects, which emit signals 
and are thought to be powered by DC voltage.

Scientists at the National Institute of Cool Security 
Ideas (NICSI) propose using the signals emitted by 
webcams to lock and unlock digital communications in 
a secure fashion.
The researchers believe webcams could make an ideal 
cryptographic tool because the signals they emit are 
impossible to predict. Webcam-based cryptography is 
based on a physical fact that such a webcam signal 
is random and has a very broad frequency spectrum. 

NICSI scientists suggest using an agreed webcam signal 
to add randomness to a stream cipher.

Each communicating party would only need to know which 
webcam to monitor and when to start in order to encrypt 
and decrypt a message. Without knowing the target webcam
and time an eavesdropper should be unable to decrypt 
the message.

NICSI scientists believe voyeur-cryptography could 
appeal to anyone who requires high-security communications.
They add that the method does not require a large radio 
antenna like quasar encryption because the signals exist 
already on the internet. Plus quasar signals are really 
boring compared to many webcam signals.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Linux RNG paper

2006-03-21 Thread Heyman, Michael
Gutterman, Pinkas, and Reinman have produced a nice as-built specification and 
analysis of the Linux random number generator.


Following our analysis of the LRNG, we suggest the following recommendations 
for the design of pseudo-random number generators.

* Fixing the LRNG. The issues which were reported in this paper should be 
fixed. In particular, the LRNG code should be changed to prevent attacks on its 
forward security. The OpenWRT implementation should be changed to provide more 
entropy to the LRNG, or at least save its state during shutdown.

* Implementing a quota for the consumption of random bits. Random bits are a 
limited resource, and attackers can easily mount a denial-of-service attack 
(even remotely) by consuming random bits at a high rate. The common solution 
for this type of problem is to implement a quota system which limits the effect 
of each user, or each process, on the operation of other users of the same 
system. Such a quota system should be added to the Linux kernel.

* Adopting the Barak-Halevi construction. The Barak-Halevi (BH) construction 
and its analysis [3] are attractive in their simplicity, which clearly 
identifies the role of every component of the system, and enables a simple 
implementation. In comparison, the current LRNG construction is an overkill in 
some aspects (like the size of the pools or the number of SHA-1 invocations), 
but its complexity does not improve its security but rather hides its 
weaknesses. We suggest that future constructions of pseudo-random number 
generators follow the BH construction (and in general, try to keep it simple).

* Since randomness is often consumed in a multi-user environment, it makes 
sense to generalize the BH model to such environments. Ideally, each user 
should have its own random-number generator, and these generators should be 
refreshed with different data which is all derived from the entropy sources 
available to the system (perhaps after going through an additional PRNG). This 
architecture should prevent denial-of-service attacks, and prevent one user 
from learning about the randomness used by other users.

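The construction the quoted recommendations point to, sketched here as an added example that is not part of the original post, of the paper, or of the Linux kernel: a Barak-Halevi-style generator with its two operations, refresh and next, plus the per-consumer quota the second bullet asks for. Assumed for the sketch and not stated on the page: SHA-256 stands in for both the extractor Ext and the pseudo-random generator G, the state is 32 bytes, consumers are identified by plain strings, and the seed and entropy inputs are constructed constants.

```python
"""Toy sketch of the Barak-Halevi (BH) PRNG model plus a per-consumer quota.

Added example; not code from the Gutterman/Pinkas/Reinman paper or the Linux
kernel. Assumptions (not from the page): SHA-256 stands in for both the
extractor Ext and the generator G, the state is 32 bytes, and users are
identified by strings.
"""
import hashlib

STATE_BYTES = 32


def ext(x: bytes) -> bytes:
    """Extractor: condenses a raw entropy sample into one fixed-size block.
    The BH model calls for a randomness extractor; a hash is the usual heuristic."""
    return hashlib.sha256(b"ext|" + x).digest()


def prg(s: bytes):
    """Length-doubling generator G(s) -> (s', r): next state and one output
    block, derived from s under different domain tags so neither reveals the other."""
    return (hashlib.sha256(b"state|" + s).digest(),
            hashlib.sha256(b"output|" + s).digest())


class BHGenerator:
    """Exactly two operations, as in the BH model: refresh(x) and next()."""

    def __init__(self, seed: bytes):
        self.state = ext(seed)

    def refresh(self, x: bytes) -> None:
        # s' = s XOR Ext(x): fold fresh entropy into the state, so an attacker
        # who knew the old state loses track once unknown input has arrived.
        self.state = bytes(a ^ b for a, b in zip(self.state, ext(x)))

    def next(self) -> bytes:
        # (s', r) = G(s); the old state is overwritten, so a later compromise
        # of s' gives no way back to s or to r (forward security, resting on G
        # being one-way).
        self.state, out = prg(self.state)
        return out

    def read(self, n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            buf += self.next()
        return buf[:n]


class QuotaedRNG:
    """Per-consumer budget so one caller cannot starve the others of random bits
    (the denial-of-service the second recommendation describes)."""

    def __init__(self, gen: BHGenerator, quota_bytes: int):
        self.gen = gen
        self.quota = quota_bytes
        self.used = {}

    def read(self, user: str, n: int) -> bytes:
        used = self.used.get(user, 0)
        if used + n > self.quota:
            raise PermissionError(f"{user}: random-byte quota exhausted")
        self.used[user] = used + n
        return self.gen.read(n)


def attacker_predicts_next(refresh_with_unknown_entropy: bool) -> bool:
    """Model a state compromise right after one output block. Without a refresh
    the attacker's copy of the state predicts the next output; a refresh with
    input the attacker never sees breaks the prediction (break-in recovery)."""
    victim = BHGenerator(b"constructed seed")
    victim.next()
    attacker = BHGenerator(b"irrelevant")
    attacker.state = victim.state          # the leaked state
    if refresh_with_unknown_entropy:
        victim.refresh(b"constructed entropy sample the attacker never sees")
    return attacker.next() == victim.next()


if __name__ == "__main__":
    g = BHGenerator(b"constructed seed")
    print("16 bytes:", g.read(16).hex())
    print("predictable after compromise, no refresh:", attacker_predicts_next(False))
    print("predictable after compromise, then refresh:", attacker_predicts_next(True))
```

Running it shows the two halves of the model separately: a leaked state predicts every later output until a refresh with input the attacker does not hold, which is the break-in recovery property; forward security is the other direction and depends only on G not being invertible, which is why the state is replaced rather than appended to on every next().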

RSA-640 factored

2005-11-09 Thread Heyman, Michael

November 8, 2005--A team at the German Federal Agency 
for Information Technology Security (BSI) recently 
announced the factorization of the 193-digit number 

310 7418240490 0437213507 5003588856 7930037346 
0228427275 4572016194 8823206440 5180815045 5634682967 
1723286782 4379162728 3803341547 1073108501 9195485290 
0733772482 2783525742 3864540146 9173660247 7652346609 

known as RSA-640. The team responsible for this 
factorization is the same one that previously factored 
the 174-digit number known as RSA-576 (MathWorld 
headline news, December 5, 2003) and the 200-digit 
number known as RSA-200 (MathWorld headline news, 
May 10, 2005). 

-Michael Heyman


FYI: Credit bureaus to adopt data protection standard

2005-09-23 Thread Heyman, Michael
Credit bureaus to adopt data protection standard

By Reuters

Story last modified Thu Sep 22 21:58:00 PDT 2005 

The top three U.S. credit reporting companies said on Thursday they
would adopt a single, shared encryption standard to better protect the
huge amounts of sensitive electronic data they receive every day from
banks, retailers and credit-card companies. 
Equifax, Experian and TransUnion, which maintain huge databases on
hundreds of millions of Americans, said the joint effort would involve
the development and adoption of a data-cloaking code built on an
encrypted algorithm and 128-bit, secret-key technologies.

In a statement, the companies insisted they have long employed
information security tools and programs to ensure the information they
compile from third parties isn't intercepted by thieves.

But they said that by creating and adhering to a single, beefed-up
industry standard, they would further assure the protection of
sensitive consumer data when transmitted between data furnishers and
credit reporting companies.

"We're trying to make it easier for them so they don't have to juggle
three different standards when they're dealing with us," said Colleen
Tunney, a spokeswoman for Chicago-based TransUnion.

The coordinated effort by the three traditional rivals is the latest
proof of the serious threat posed by identity thieves and
Internet-enabled crooks--and the unprecedented lengths business is going
to in order to fight back.

According to a report released earlier this week by Symantec, the
world's biggest maker of security software, programs designed to steal
confidential information accounted for three-quarters of viruses during
the first half of 2005, up from 54 percent in the last six months of

The credit reporting agencies aren't alone in seeking strength in
numbers. Speaking at a credit-card conference earlier this week in
Memphis, Tenn., the top security experts at Visa and MasterCard, the
world's two biggest card associations and long-time rivals, said that
they, too, were cooperating to crack down on fraud.

Visa and MasterCard said the unity was required given the growing
sophistication of the thieves, who, they said, were increasingly acting
in concert and hiring former Soviet KGB cryptographers to help crack
security codes.

Among the challenges the financial services industry faces
is the emergence of highly sophisticated sleeper crimeware programs
that infect a computer and then wait--quietly--for the user to log into
a highly secure site such as an online banking or brokerage account.

Once the infected user has run the gauntlet of passwords and
authentication hurdles and is inside, the sleeper program wakes up and
swings into action, launching what is known as a man-in-the-middle

In the case of an online bank account, for instance, it might send
instructions to the secure server--which the server believes to be
legitimate and the infected user cannot see--to liquidate the account
and transfer the balance overseas using automatic clearing-house

"We're making it tougher and tougher for the bad guys," John
Shaughnessy, senior vice president for fraud prevention at Visa USA,
told the Memphis conference on Monday.

"But the Russians are good."

Story Copyright (c) 2005 Reuters Limited. All rights reserved.


RSA gets a reprieve?

2005-06-30 Thread Heyman, Michael

ATTEMPTS to build quantum computers could run up 
against a fundamental limit on how long useful 
information can persist inside them. Exceed the 
limit and information could just leak away, 
making computation impossible...Rather than 
remaining in a superposition of two states, a 
qubit will spontaneously collapse into one state 
or another (Physical Review Letters, vol 94, 
p 230401). "When we discovered this we were 
stunned," says van den Brink...the time limit 
for decoherence seems to grow shorter as systems 
get smaller. Zaanen says that for some of the 
most promising qubit technologies the limit 
would be about 1 second. It's not a problem at 
the moment, he says, because researchers are 
fighting to get coherence times up to around a 
microsecond. But this fundamental limit is 
getting within reach.

This plus the no-cloning theorem means that if a quantum computer
cannot factor an RSA modulus in under a second, RSA will remain
unbreakable. (I'm not a quantum physicist or quantum computer programmer
so I don't even know if the no-cloning theorem, which states qubits of
unknown states cannot be copied, applies.)

-Michael Heyman


Retailers Experiment With Biometric Payment article

2005-06-09 Thread Heyman, Michael

  You can always get a new Social Security number, but 
  you certainly can't get a new thumbprint..., Lee [of 
  EFF] said...Robinson, of BioPay, argues that a personal 
  check written at a grocery store passes through eight 
  people before it is cashed, a process he considers much 
  less secure than a biometric payment, in which the 
  fingerprint image is connected immediately to the 
  user's bank account. "What can I do to hurt you if I 
  have a picture of the tip of your finger? Not much," 
  Robinson said, contending that associating fingerprints 
  with legal troubles is unwarranted. BioPay does not 
  share its biometric data with government agencies, and 
  in fact, the full fingerprints are not stored in the 
  system. Instead, a complex mathematical algorithm is 
  created to represent identifying characteristics of 
  the fingerprint, which are matched to the real thing 
  when a user shows up at a checkout counter.

No discussion on the threat of finger removal...



RE: Citibank discloses private information to improve security

2005-06-01 Thread Heyman, Michael
 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
 Sent: Tuesday, May 31, 2005 1:29 PM
 In this situation, I believe that the users, through hard won 
 experience with computers, _correctly_ assumed this was a 
 false positive.

 Probably not.
 [SNIP text on user's thoughts on warning dialogs]

The false positive I was referring to is the "something is telling me
something unimportant" positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible
causes of the certificate failure, specifically the likelihood of an
active man-in-the-middle vs. software bug, vs. setup error, vs. etc.

So, when the box popped up, in the unimportant vs. important choice
that the users went through, they correctly chose unimportant. These
warning dialogs pop up regularly and usually they are crying wolf.

I've probably seen hundreds of signature validation warnings from
various web-sites for certificates and Active-X and possibly other
signed content. I can't recall needing to heed even one of the warnings.
We are trying to detect man-in-the-middle or outright spoofing with
signatures and our false positive rate is through the roof. The false
positive rate must be zero or nearly zero to work as a useful detector
in real world situations.

Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.



RE: Citibank discloses private information to improve security

2005-05-31 Thread Heyman, Michael
 [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
 Sent: Saturday, May 28, 2005 1:48 PM
 With bank web sites, experience has shown that only 0.3% of 
 users are deterred by an invalid certificate, probably 
 because very few users have any idea what a certificate 
 authority is, what it does, or why they should care.

I assume you refer to the BankDirect case with the accidentally invalid

In this situation, I believe that the users, through hard won experience
with computers, _correctly_ assumed this was a false positive. If an
attack had actually occurred, the users would have been wrong. Luckily
for them, they were correct and did not let the mistake interfere with
their commerce. The one in 300 users that did let the mistake interfere
wasted their time and, perhaps, money if they lost money due to the
delay in access.

As it stands, the system works reasonably well (of course it still has
its share of problems). If 300 out of 300 users wasted time and money
because of the mistake (say if the system were designed so users could
not bypass the possibly bad certificate warning), the security folks in
ivory towers may pat themselves on the back saying, "look, the system
works great!" - the actual users of the technology would be more than a
little ticked. A brittle system that cannot accept failures will always
have trouble dealing with us fallible types.

I'm not familiar with the BankDirect site, but if it is like banking sites
I am used to, it is fairly impersonal and easy to spoof. One way to
reduce the ease-of-spoof factor is to add many ways to identify the bank
web site. If one or two of them fail, the web site is probably still
valid. Ways to identify a site include certificates, personalized
greetings (Hello Michael, Welcome back, you haven't been here in 4 days
and we've missed you), code words, the PetName tool, green light by
anti-phishing software, even the URL and overall look-and-feel. So what
if a couple of them fail? That happens all the time and we have to
expect that and design our systems to work in spite of it.

-Michael Heyman

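The two arguments in this thread, that a warning detector with a non-trivial false-positive rate tells the user almost nothing, and that several independent site cues which tolerate a failure or two are more robust than one brittle check, put into numbers as an added example that is not part of either post. The attack prevalence, detector rates and per-cue failure and spoofing probabilities below are constructed for illustration and do not come from the page.

```python
"""Base-rate arithmetic for the certificate-warning argument, and a k-of-n
view of the "many ways to identify the bank" suggestion.

Added example, not from the thread. All probabilities are constructed:
one attacked session per million, a detector that catches every attack but
also fires on 1% (or 1 in 10^7) of honest sessions, and five identity cues
that each fail spuriously 10% of the time and are each spoofed 50% of the time.
"""
from math import comb


def positive_predictive_value(prevalence: float, tpr: float, fpr: float) -> float:
    """Fraction of warnings that correspond to a real attack (Bayes' rule)."""
    true_alarms = prevalence * tpr
    false_alarms = (1.0 - prevalence) * fpr
    return true_alarms / (true_alarms + false_alarms)


def prob_at_least(n: int, k: int, p: float) -> float:
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def k_of_n_rates(n: int, k: int, p_spurious_fail: float, p_spoofed: float):
    """Treat the site as suspect when at least k of n cues fail.
    Returns (false-alarm rate on a genuine site, detection rate on a spoof)."""
    # genuine site: a cue fails only by accident (expired cert, new layout, ...)
    false_alarm = prob_at_least(n, k, p_spurious_fail)
    # spoofed site: a cue fails unless the attacker managed to fake that cue
    detection = prob_at_least(n, k, 1.0 - p_spoofed)
    return false_alarm, detection


if __name__ == "__main__":
    prevalence = 1e-6   # constructed: one attacked session per million
    for fpr in (1e-2, 1e-4, 1e-7):
        ppv = positive_predictive_value(prevalence, 1.0, fpr)
        print(f"fpr={fpr:<8g} -> {ppv:.2%} of warnings are real attacks")
    print()
    for n, k in ((1, 1), (5, 3), (5, 5)):
        fa, det = k_of_n_rates(n, k, p_spurious_fail=0.10, p_spoofed=0.50)
        print(f"{k} of {n} cues must fail: false alarms {fa:.3%}, detection {det:.1%}")
```

With the constructed numbers a 1% false-positive rate leaves roughly one warning in ten thousand pointing at a real attack, which is the "crying wolf" condition described above; only at a false-positive rate in the 10^-7 range does the majority of warnings become meaningful. The k-of-n table makes the second point: requiring three of five cues to fail keeps the same 50% detection as a single cue against this attacker while cutting spurious alarms from 10% to under 1%, whereas demanding all five (a brittle "any failure blocks you" design) stops almost every legitimate session from being flagged but also stops catching the spoof.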