Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread John Kemp
On Sep 18, 2013, at 4:05 AM, ianG i...@iang.org wrote:

> On 17/09/13 23:52 PM, John Kemp wrote:
>> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com
>>
>>> I am sure there are other ways to increase the work factor.
>>
>> I think that increasing the work factor would often result in
>> switching the kind of work performed to that which is easier than
>> breaking secrets directly.
>
> Yes, that's the logical consequence approach to managing risks. Mitigate
> the attack, to push attention to easier and less costly attacks, and then
> start working on those.
>
> There is a mindset in cryptography circles that we eliminate entirely the
> attacks we can, and ignore the rest. This is unfortunately not how the real
> world works. Most of risk management outside cryptography is about reducing
> risks, not eliminating them, and managing the interplay between those reduced
> risks. Most unfortunate, because it leads cryptographers to strange
> recommendations.

The technical work always needs doing. It's not that we shouldn't do our best
to improve cryptographic protection. It's more that one can always bypass
cryptographic protection by getting to the cleartext before it is encrypted.

>> That may be good. Or it may not.
>
> If other attacks are more costly to defender and easyish for the attacker,
> then perhaps it is bad. But it isn't really a common approach in our
> security world to leave open the easiest attack, as the best alternative.
> Granted, this approach is used elsewhere (in warfare for example, minefields
> and wire will be laid to channel the attack).
>
> If we can push an attacker from mass passive surveillance to targeted direct
> attacks, that is a huge win. The former scales, the latter does not.

My point was that mass passive surveillance is possible with or without 
breaking SSL/TLS (for example, but also other technical attacks), and that it 
is often simpler to pay someone to create a backdoor in an otherwise 
well-secured system. Or to simply pay someone to acquire the data in cleartext 
form prior to the employment of any technical protections to those data. Other 
kinds of technical protections (not really discussed here so far) might be 
employed to protect data from such attacks, but they would still depend on the 
possibility for an attacker to acquire the cleartext before such protections 
were applied. 

I would point out that it was historically the case that the best espionage was 
achieved by paying (or blackmailing) people close to the source of the 
information to retrieve the necessary information. The idea of the mole. That 
would seem to still be possible. 

>> PRISM-Hardening seems like a blunt instrument, or at least one which
>> may only be considered worthwhile in a particular context (technical
>> protection) and which ignores the wider context (in which such technical
>> protections alone are insufficient against this particular adversary).
>
> If I understand it correctly, PRISM is or has become the byword for the NSA's
> vacuuming of all traffic for mass passive surveillance. In which case, this
> is the first attack of all, and the most damaging, because it is
> undetectable, connects you to all your contacts, and stores all your open
> documents.
>
> From the position of a systems provider, mass surveillance is possibly the
> most important attack to mitigate.

If you yourself, the systems provider, or a bad employee in your organization,
are not handing the necessary cleartext to the attacker…

> This is because: we know it is done to everyone, and therefore it is done
> to our users, and it informs every other attack. For all the other targeted
> and active attacks, we have far less certainty about the targeting (user)
> and the vulnerability (platform, etc). And they are very costly, by several
> orders of magnitude more than mass surveillance.

The issue for me is that it is becoming difficult to know whether one can
reasonably trust service providers in the face of coercion. Both for the
creation of good-enough technical protections, and the use of them.

- johnk

> iang

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread John Kemp
On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com wrote:

> My phrase PRISM-Proofing seems to have created some interest in the press.
>
> PRISM-Hardening might be more important, especially in the short term. The
> objective of PRISM-hardening is not to prevent an attack absolutely, it is to
> increase the work factor for the attacker attempting ubiquitous surveillance.
>
> Examples include:
>
> Forward Secrecy: Increases work factor from one public key per host to one
> public key per TLS session.

How does that work if one of PRISM's objectives is to compromise data _before_
it is transmitted by subverting its storage in one way or another?

Forward secrecy does nothing to impact the work factor in that case.

> Smart Cookies: Using cookies as authentication secrets and passing them as
> plaintext bearer tokens is stupid. It means that all an attacker needs to do
> is to compromise TLS once and they have the authentication secret. The HTTP
> Session-ID draft I proposed a while back reduces the window of compromise to
> the first attack.
>
> I am sure there are other ways to increase the work factor.

I think that increasing the work factor would often result in switching the
kind of work performed to that which is easier than breaking secrets
directly. That may be good. Or it may not. PRISM-Hardening seems like a blunt
instrument, or at least one which may only be considered worthwhile in a
particular context (technical protection) and which ignores the wider context
(in which such technical protections alone are insufficient against this
particular adversary).

- johnk
> --
> Website: http://hallambaker.com/

[Cryptography] NIST announcement about Dual_EC_DRBG

2013-09-12 Thread John Kemp
NIST strongly recommends that, pending the resolution of the security concerns
and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the
January 2012 version of SP 800-90A, no longer be used.

http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf

- johnk


Re: GSM eavesdropping

2010-08-02 Thread John Kemp
On Aug 2, 2010, at 11:08 AM, Perry E. Metzger wrote:

> On Mon, 2 Aug 2010 11:02:54 -0400 Bill Squier g...@old-ones.com
> wrote:
>> ...In his presentation at the Black Hat Conference, German GSM
>> expert Karsten Nohl presented a tool he calls Kraken, which he
>> claims can crack the A5/1 encryption used for cell phone calls
>> within seconds.
>>
>> http://www.h-online.com/security/news/item/Quickly-decrypting-cell-phone-calls-1048850.html
>
> This is a really important development.

Others have previously cracked A5/1, and Mr Nohl's efforts are not news:
http://www.pcworld.com/businesscenter/article/185552/gsm_encryption_cracked_showing_its_age.html
but the main thing here appears to be the compilation of the rainbow tables.

Also, it's worth noting that the GSMA has had A5/3 GSM encryption available 
(http://gsmworld.com/documents/a5_3_and_gea3_specifications.pdf -- PDF) since 
2008, but that the improved technology has apparently not yet seen large-scale 
adoption by mobile operators. 

Regards,

- johnk

> --
> Perry E. Metzger  pe...@piermont.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Kaminsky finds DNS exploit

2008-07-09 Thread John Kemp

Ben Laurie wrote:
> Paul Hoffman wrote:
>> First off, big props to Dan for getting this problem fixed in a
>> responsible manner. If there were widespread real attacks first, it
>> would take forever to get fixes out into the field.
>>
>> However, we in the security circles don't need to spread the "Kaminsky
>> finds" meme. Take a look at
>> http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-forgery-resilience/.
>> The first draft of this openly-published document was in January 2007.
>> It is now in WG last call.
>>
>> The take-away here is not that Dan didn't discover the problem, but
>> Dan got it fixed. An alternate take-away is that IETF BCPs don't
>> make nearly as much difference as a diligent security expert with a
>> good name.
>
> Guess you need to tell Dan that - he seems to think he did discover it.

Well, he does seem to credit quite a few people and companies on his own
blog entry about the matter: http://www.doxpara.com/?p=1162

It does seem he would like an air of some mystery to exist though until
he makes his presentation about the issue at Defcon - did he, himself,
discover something new? We'll just have to wait, unless we go play with
the BIND code ourselves.


Regards,

- johnk