Countries that ban the use of crypto?
Hi, A colleague of mine is locked in a battle with a client about the use of NULL ciphers for OpenSSL. The client claims that he has/wants to allow NULL ciphers so that people in countries that ban the use of crypto can still use the website. My colleague wants to know if there is a list of such countries that he could use. Many thanks, Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 www.mud-dog.org I Need A Reason To Stand Up And Fight Need To Believe What I See - The Silver Drop - Mnemic - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Proving the randomness of a random number generator?
Hi, Apologies if this has been asked before. The company I work for has been asked to prove the randomness of a random number generator. I assume they mean an PRNG, but knowing my employer it could be anything.. I've turned the work down on the basis of having another gig that week. However, it raised the issue of just how this could be achieved. As far as I'm aware there are no strong mathematicians in the team, so it will get thrown out to the first available person (cool idea, eh?). There will most likely be very little time allocated to do it. So, the question is, how can the randomness of a PRNG be proved within reasonable limits of time, processing availability and skill? Thanks, Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 www.mud-dog.org I Need A Reason To Stand Up And Fight Need To Believe What I See - The Silver Drop - Mnemic - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: FW: ATM machine security
On Thu, Feb 24, 2005 at 02:24:38AM +1100, Chris Trott wrote: > > > My Apologies to the original poster here, but does this seem like a little > human engineering to anyone else? No problem. As it happens the project I'm working on isn't for ATMs but for a system that shares some similarities: * Located in potentially hostile environments * Subject to abuse and civil disobedience * Use of crypto and anti tampering devices * Compliance with a standard outlined by the police and understood in the legal system [1] [1] The standards are 9 years old, but they were, at the time, in line with what the financial industry used. However, as we all know, industry has moved on and we are looking to see if the vendors are keeping up with better practice than was available 9 years ago. One of the main things I'm looking for is not so much *how* to break into an ATM, but what happens when one is, for example, are the keys (if pre-shared) deleted? One vendor of the system has the key encryption key (KEK) stored on a smartcard, which won't be deleted if power is lost. This goes against the police guidelines, but there may be a precedent in the financial industry that says "Hey, that's ok if you do X,Y and Z". My employer is looking for that sort of information, especially if it is easily understood by lawyers. The financial industry provided the best background for a legal system to understand. > I mean sounds to me like your project is a search for weakness in the ATM > system in preparation for an attack, or have I misjudged and you are the > well meaning integrating party who have commissioned a number of 'suppliers' > build a new ATM system (or ATM like system) while methodically attempting to > avoid past errors. I work for a large global Professional Services company, but I prefer to keep queries like this to my private email address. But, and you'll just _have_ to trust me on this one, I don't do anything illegal because I know I'd get caught :) Besides, doing fun stuff and getting paid for it is far better than being in jail.. > If you are accepting bids from suppliers who already produce ATMs ie NEC or > the like, how would your request help ? would you be expecting them to > subvert the existing standards to prevent attacks ? See above, but basically the bidders need to be able to justify that the system they are going to use has safeguards in place. We aren't talking about money here, but there is a watertight need to maintain evidential integrity of the data transmitted across the network. The network itself will be protected via VPN *BUT* it will be assumed to be a hostile network, and potentially an attacker could harvest enough packets to make a brute force attack viable. > competing standards, differing levels of what would be considered secure > etc. Standards, so many to choose from :) > Just curious, or was it paranoid, - who said that ? /me looks over his shoulder :) Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 I Need A Reason To Stand Up And Fight Need To Believe What I See - The Silver Drop - Mnemic - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
ATM machine security
Hi, I'm working on a project that requires a benchmark against which to judge various suppliers. The closest that has similar requirements is the ATM industry. To this end I'm looking for any papers, specifications or published attacks against ATM machines and their infrastructure. I'm also looking for what type of networks they use and the crypto they use to protect comms. Also any standards would be good that the ATM industry has to adhere to. Thanks, Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 I Need A Reason To Stand Up And Fight Need To Believe What I See - The Silver Drop - Mnemic - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
3DES performance - Thanks!
Hi, Many thanks for all of the information regarding performance of the various algorithms! Cheers, Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 You can never break the chain There is never love without pain - Secret Touch, Rush - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
3DES performance
Hi, I'm working on a project for a company that involves the use of 3DES. They have asked me to find out what the overheads are for encrypting a binary file. There will be quite a lot of traffic coming in (in the region of hundreds of thousands of files per hour). Has anyone got any figures for 3DES performance? I've tried bdes on OpenBSD which has given me some useful results. Many thanks, Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 You can never break the chain There is never love without pain - Secret Touch, Rush - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]