Re: Photos of an FBI tracking device found by a suspect

2010-10-08 Thread Nicolas Williams
On Fri, Oct 08, 2010 at 11:21:16AM -0400, Perry E. Metzger wrote: My question: if someone plants something in your car, isn't it your property afterwards? If you left a wallet in someone's car, isn't it still yours? And isn't that so even if you left it there on purpose (e.g., to test a

Re: Photos of an FBI tracking device found by a suspect

2010-10-08 Thread Nicolas Williams
On Fri, Oct 08, 2010 at 05:45:16PM -0400, Perry E. Metzger wrote: On Fri, 8 Oct 2010 16:13:13 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Fri, Oct 08, 2010 at 11:21:16AM -0400, Perry E. Metzger wrote: My question: if someone plants something in your car, isn't it your

Re: English 19-year-old jailed for refusal to disclose decryption key

2010-10-07 Thread Nicolas Williams
On Thu, Oct 07, 2010 at 01:10:12PM -0400, Bernie Cosell wrote: I think you're not getting the trick here: with truecrypt's plausible deniability hack you *CAN* give them the password and they *CAN* decrypt the file [or filesystem]. BUT: it is a double encryption setup. If you use one

Re: Hashing algorithm needed

2010-09-14 Thread Nicolas Williams
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: On 09/14/2010 09:13 AM, Ben Laurie wrote: Of some interest to me is the approach I saw recently (confusingly named WebID) of a pure Javascript implementation (yes, TLS in JS, apparently), allowing UI to be completely controlled by the

Re: towards https everywhere and strict transport security

2010-08-26 Thread Nicolas Williams
On Thu, Aug 26, 2010 at 12:40:04PM +1000, James A. Donald wrote: On 2010-08-25 11:04 PM, Richard Salz wrote: Also, note that HSTS is presently specific to HTTP. One could imagine expressing a more generic STS policy for an entire site A really knowledgeable net-head told me the other day

Re: Has there been a change in US banking regulations recently?

2010-08-16 Thread Nicolas Williams
On Fri, Aug 13, 2010 at 02:55:32PM -0500, eric.lengve...@wellsfargo.com wrote: There are some possibilities, my co-workers and I have discussed. For purely internal systems TLS-PSK (RFC 4279) provides symmetric encryption through pre-shared keys which provides us with whitelisting as well as

Re: GSM eavesdropping

2010-08-03 Thread Nicolas Williams
On Mon, Aug 02, 2010 at 04:19:38PM -0400, Paul Wouters wrote: On Mon, 2 Aug 2010, Nicolas Williams wrote: How should we measure success? The default mode for any internet communication is encrypted That's... extreme. There are many things that will not be encrypted, starting with the DNS

Re: Five Theses on Security Protocols

2010-08-03 Thread Nicolas Williams
On Mon, Aug 02, 2010 at 11:29:32AM -0400, Adam Fields wrote: On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote: [...] 3 Any security system that demands that users be educated, i.e. which requires that users make complicated security decisions during the course of

Re: GSM eavesdropping

2010-08-02 Thread Nicolas Williams
On Mon, Aug 02, 2010 at 12:32:23PM -0400, Perry E. Metzger wrote: Looking forward, the there should be one mode, and it should be secure philosophy would claim that there should be no insecure mode for a protocol. Of course, virtually all protocols we use right now had their origins in the

Re: GSM eavesdropping

2010-08-02 Thread Nicolas Williams
On Mon, Aug 02, 2010 at 01:05:53PM -0400, Paul Wouters wrote: On Mon, 2 Aug 2010, Perry E. Metzger wrote: For example, in the internet space, we have http, smtp, imap and other protocols in both plain and ssl flavors. (IPSec was originally intended to mitigate this by providing a common

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread Nicolas Williams
On Thu, Jul 29, 2010 at 10:50:10AM +0200, Alexandre Dulaunoy wrote: On Thu, Jul 29, 2010 at 3:09 AM, Nicolas Williams nicolas.willi...@oracle.com wrote: This is a rather astounding misunderstanding of the protocol.  [...] I agree on this and but the implementation of OCSP has to deal

Re: Persisting /dev/random state across reboots

2010-07-29 Thread Nicolas Williams
On Thu, Jul 29, 2010 at 03:47:01PM -0400, Richard Salz wrote: At shutdown, a process copies /dev/random to /var/random-seed which is used on reboots. Is this a good, bad, or shrug, whatever idea? If the entropy pool has other, reasonable/fast sources of entropy at boot time, then seeding the

Re: A mighty fortress is our PKI

2010-07-28 Thread Nicolas Williams
On Tue, Jul 27, 2010 at 10:10:54PM -0600, Paul Tiemann wrote: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 01:21:33PM +0100, Ben Laurie wrote: On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 10:05:22AM -0400, Perry E. Metzger wrote: PKI was invented by Loren Kohnfelder for his bachelor's degree thesis at MIT. It was certainly a fine undergraduate paper, but I think we should forget about it, the way we forget about most undergraduate papers. PKI alone is

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 03:16:32PM +0100, Ben Laurie wrote: Maybe it doesn't, but no revocation mechanism at all makes me nervous. I don't know Kerberos well enough to comment. DNSSEC doesn't have revocation but replaces it with very short signature lifetimes (i.e. you don't revoke, you

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 10:42:43AM -0400, Anne Lynn Wheeler wrote: On 07/28/2010 10:05 AM, Perry E. Metzger wrote: I will point out that many security systems, like Kerberos, DNSSEC and SSH, appear to get along with no conventional notion of revocation at all. long ago and far away ... one

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 11:13:36AM -0400, Perry E. Metzger wrote: On Wed, 28 Jul 2010 09:30:22 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: I have no objections to infrastructure -- bridges, the Internet, and electrical transmission lines all seem like good ideas. However, lets

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Thu, Jul 29, 2010 at 04:23:52AM +1200, Peter Gutmann wrote: Nicolas Williams nicolas.willi...@oracle.com writes: Sorry, but this is wrong. The OCSP protocol itself really is an online certificate status protocol. It's not an online certificate status protocol because it can provide

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote: Again, I understand that in a technological sense, in an ideal world, they would be equivalent. However, the big difference, again, is that you can't run Kerberos with no KDC, but you can run a PKI without an OCSP server. The

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 01:25:21PM -0400, Perry E. Metzger wrote: My mother relies on many certificates. Can she make a decision on whether or not her browser uses OCSP for all its transactions? I mention this only because your language here is quite sticky. Saying it is up to the relying

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 02:41:35PM -0400, Perry E. Metzger wrote: On the other edge of the spectrum, many people now use quite secure protocols (though I won't claim the full systems are secure -- implementation bugs are ubiquitous) for handling things like remote login and file transfer,

Re: A mighty fortress is our PKI

2010-07-27 Thread Nicolas Williams
On Tue, Jul 27, 2010 at 09:54:51PM +0100, Ben Laurie wrote: On 27/07/2010 15:11, Peter Gutmann wrote: The intent with posting it to the list was to get input from a collection of crypto-savvy people on what could be done. The issue had previously been discussed on a (very small) private

Re: A mighty fortress is our PKI

2010-07-27 Thread Nicolas Williams
On Tue, Jul 27, 2010 at 06:30:51PM -0600, Paul Tiemann wrote: ** But talking about TLS/SNI to SSL suppliers is like talking about the lifeboats on the Titanic ... we don't need it because SSL is unsinkable. Apache support for this came out 12 months ago. Does any one know of statistics

Re: What if you had a very good patent lawyer...

2010-07-24 Thread Nicolas Williams
On Thu, Jul 22, 2010 at 05:59:50PM -0700, John Gilmore wrote: It's pretty outrageous that anyone would try to patent rolling barcoded dice to generate random numbers. If you have children at home you could just point a webcam at their gameroom, or, depending on how obsessive compulsive their

Re: Intel to also add RNG

2010-07-12 Thread Nicolas Williams
On Mon, Jul 12, 2010 at 01:13:10PM -0400, Jack Lloyd wrote: I think it's important to make the distinction between trusting Intel not to have made it actively malicious, and trusting them to have gotten it perfectly correct in such a way that it cannot fail. Fortunately, the second problem,

Re: Against Rekeying

2010-03-26 Thread Nicolas Williams
On Fri, Mar 26, 2010 at 10:22:06AM -0400, Peter Gutmann wrote: I missed that in his blog post as well. An equally big one is the SSHv2 rekeying fiasco, where for a long time an attempt to rekey across two different implementations typically meant drop the connection, and it still does for the

Re: Against Rekeying

2010-03-26 Thread Nicolas Williams
On Sat, Mar 27, 2010 at 12:31:45PM +1300, Peter Gutmann (alt) wrote: Nicolas Williams nicolas.willi...@sun.com writes: I made much the same point, but just so we're clear, SSHv2 re-keying has been interoperating widely since 2005. (I was at Connectathon, and while the details of Cthon

Re: Against Rekeying

2010-03-25 Thread Nicolas Williams
On Thu, Mar 25, 2010 at 01:24:16PM +, Ben Laurie wrote: Note, however, that one of the reasons the TLS renegotiation attack was so bad in combination with HTTP was that reauthentication did not result in use of the new channel to re-send the command that had resulted in a need for

Re: Against Rekeying

2010-03-23 Thread Nicolas Williams
On Tue, Mar 23, 2010 at 11:21:01AM -0400, Perry E. Metzger wrote: Ekr has an interesting blog post up on the question of whether protocol support for periodic rekeying is a good or a bad thing: http://www.educatedguesswork.org/2010/03/against_rekeying.html I'd be interested in hearing what

Re: Against Rekeying

2010-03-23 Thread Nicolas Williams
On Tue, Mar 23, 2010 at 10:42:38AM -0500, Nicolas Williams wrote: On Tue, Mar 23, 2010 at 11:21:01AM -0400, Perry E. Metzger wrote: Ekr has an interesting blog post up on the question of whether protocol support for periodic rekeying is a good or a bad thing: http

Re: 1024 bit RSA cracked?

2010-03-16 Thread Nicolas Williams
On Wed, Mar 10, 2010 at 09:27:06PM +0530, Udhay Shankar N wrote: Anyone know more? http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/ My initial reaction from reading only the abstract and parts of the introduction is that the authors are talking about

Re: TLS break

2009-11-25 Thread Nicolas Williams
On Wed, Nov 11, 2009 at 10:57:04AM -0500, Jonathan Katz wrote: Anyone care to give a layman's explanation of the attack? The explanations I have seen assume a detailed knowledge of the way TLS/SSL handle re-negotiation, which is not something that is easy to come by without reading the RFC.

Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

2009-11-02 Thread Nicolas Williams
On Sun, Nov 01, 2009 at 10:33:34PM -0700, Zooko Wilcox-O'Hearn wrote: I don't understand why you need a MAC when you already have the hash of the ciphertext. Does it have something to do with the fact that the checksum is non-cryptographic by default (http://docs.sun.com/app/

Re: SHA-1 and Git (was Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git)

2009-09-30 Thread Nicolas Williams
On Sun, Sep 27, 2009 at 02:23:16PM -0700, Fuzzy Hoodie-Monster wrote: As usual, I tend to agree with Peter. Consider the time scale and severity of problems with cryptographic algorithms vs. the time scale of protocol development vs. the time scale of bug creation attributable to complex

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Nicolas Williams
On Thu, Sep 03, 2009 at 04:26:30PM +1200, Peter Gutmann wrote: Steven Bellovin s...@cs.columbia.edu writes: This returns us to the previously-unsolved UI problem: how -- with today's users, and with something more or less like today's browsers since that's what today's users know -- can a

Re: SHA-1 and Git (was Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git)

2009-08-25 Thread Nicolas Williams
On Tue, Aug 25, 2009 at 12:44:57PM +0100, Ben Laurie wrote: In order to roll out a new crypto algorithm, you have to roll out new software. So, why is anything needed for pluggability beyond versioning? It seems to me protocol designers get all excited about this because they want to design

Re: Fast MAC algorithms?

2009-07-23 Thread Nicolas Williams
On Thu, Jul 23, 2009 at 05:34:13PM +1200, Peter Gutmann wrote: mhey...@gmail.com mhey...@gmail.com writes: 2) If you throw TCP processing in there, unless you are consistantly going to have packets on the order of at least 1000 bytes, your crypto algorithm is almost _irrelevant_. [...] for a

Re: Fast MAC algorithms?

2009-07-22 Thread Nicolas Williams
On Wed, Jul 22, 2009 at 06:49:34AM +0200, Dan Kaminsky wrote: Operationally, HMAC-SHA-256 is the gold standard. There's wonky stuff all over the place -- Bernstein's polyaes work appeals to me -- but I wouldn't really ship anything but HMAC-SHA-256 at present time. Oh, I agree in general. As

Fast MAC algorithms?

2009-07-21 Thread Nicolas Williams
I've an application that is performance sensitive, which can re-key very often (say, every 15 minutes, or more often still), and where no MAC is accepted after 2 key changes. In one case the entity generating a MAC is also the only entity validating the MAC (but the MAC does go on the wire). I'm

Re: HSM outage causes root CA key loss

2009-07-14 Thread Nicolas Williams
On Tue, Jul 14, 2009 at 11:09:41PM +0200, Weger, B.M.M. de wrote: Suppose this happens in a production environment of some CA (root or not), how big a problem is this? I can see two issues: - they have to build a new CA and distribute its certificate to all users, which is annoying and maybe

Re: password safes for mac

2009-07-01 Thread Nicolas Williams
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote: I think he's pointing out a more general problem. Indeed. IIRC, the Mac keychain uses your login password as its passphrase by default, which means that to keep your keychain unlocked requires either keeping the password around

Re: password safes for mac

2009-07-01 Thread Nicolas Williams
I should add that a hardware token/smartcard, would be even better, but the same issue arises: keep it logged in, or prompt for the PIN every time it's needed? If you keep it logged in then an attacker who compromises the system will get to use the token, which I bet in practice is only

Re: password safes for mac

2009-06-30 Thread Nicolas Williams
On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote: This would be great if LoginWindow.app didn't store your unencrypted login and password in memory for your entire session (including screen lock, suspend to ram and hibernate). I keep hearing that Apple will close my bug about

Re: Property RIghts in Keys

2009-02-12 Thread Nicolas Williams
On Tue, Feb 03, 2009 at 04:54:48PM -0500, Steven M. Bellovin wrote: Under what legal theory might a certificate -- or a key! -- be considered property? There wouldn't seem to be enough creativity in a certificate, let alone a key, to qualify for copyright protection. Private and secret keys

Re: full-disk subversion standards released

2009-01-31 Thread Nicolas Williams
On Fri, Jan 30, 2009 at 03:37:22PM -0800, Taral wrote: On Fri, Jan 30, 2009 at 1:41 PM, Jonathan Thornburg jth...@astro.indiana.edu wrote: For open-source software encryption (be it swap-space, file-system, and/or full-disk), the answer is yes: I can assess the developers' reputations, I

Re: Proof of Work - atmospheric carbon

2009-01-29 Thread Nicolas Williams
On Wed, Jan 28, 2009 at 04:35:50PM -0500, Jerry Leichter wrote: [Proposals to use reversible computation, which in principle consume no energy, elided.] There's a contradiction here between the computer science and economic parts of the problem being discussed. What gives a digital coin

Re: Obama's secure PDA

2009-01-27 Thread Nicolas Williams
On Mon, Jan 26, 2009 at 04:18:39PM -0500, Jerry Leichter wrote: An email system for the White House has the additional complication of the Presidential Records Act: Phone conversations don't have to be recorded, but mail messages do (and have to

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Nicolas Williams
On Mon, Jan 19, 2009 at 01:38:02PM +, Darren J Moffat wrote: I don't think it depends at all on who you trust but on what algorithms are available in the protocols you need to use to run your business or use the apps important to you for some other reason. It also very much depends on

Re: Why the poor uptake of encrypted email?

2008-12-19 Thread Nicolas Williams
On Thu, Dec 18, 2008 at 01:06:37PM +1000, James A. Donald wrote: Peter Gutmann wrote: ... to a statistically irrelevant bunch of geeks. Watch Skype deploy a not- terribly-anonymous (to the people running the Skype servers) communications system. Actually that is pretty anonymous.

Re: CPRNGs are still an issue.

2008-12-18 Thread Nicolas Williams
On Wed, Dec 17, 2008 at 03:02:54PM -0500, Perry E. Metzger wrote: The longer I'm in this field, the more the phrase use with extreme caution seems to mean don't use to me. More and more, I think that if you don't have a really good way to test and get assurance about a component of your

Re: Why the poor uptake of encrypted email?

2008-12-17 Thread Nicolas Williams
On Tue, Dec 16, 2008 at 03:06:04AM +, StealthMonger wrote: Alec Muffett alec.muff...@sun.com writes: In the world of e-mail the problem is that the end-user inherits a blob of data which was encrypted in order to defend the message as it passes hop by hop over the store-and-forward

Re: Quantum direct communication: secrecy without key distribution

2008-12-05 Thread Nicolas Williams
[I'm guessing that nobody here wants yet another quatum crypto is snake oil, no it's not, yes it is, though it has a bright future, no it's not, ... thread.] On Fri, Dec 05, 2008 at 02:16:09PM +0100, Eugen Leitl wrote: In the last couple of years, we've seen a number of quantum key

Re: Bitcoin P2P e-cash paper

2008-11-18 Thread Nicolas Williams
On Fri, Nov 14, 2008 at 11:04:21PM -0800, Ray Dillinger wrote: On Sat, 2008-11-15 at 12:43 +0800, Satoshi Nakamoto wrote: If someone double spends, then the transaction record can be unblinded revealing the identity of the cheater. Identities are not used, and there's no reliance on

Re: once more, with feeling.

2008-09-23 Thread Nicolas Williams
On Mon, Sep 22, 2008 at 08:59:25PM -1000, James A. Donald wrote: The major obstacle is that the government would want a strong binding between sim cards and true names, which is no more practical than a strong binding between physical keys and true names. I've a hard time believing that this

Re: once more, with feeling.

2008-09-10 Thread Nicolas Williams
On Wed, Sep 10, 2008 at 01:29:32PM -0400, William Allen Simpson wrote: I agree. I'm sure this is a world-wide problem, and head-in-the-sand cyber-libertarianism has long prevented better solutions. The market doesn't work for this, as there is a competitive *disadvantage* to providing

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Nicolas Williams
On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: The kerberos style of having credentials expire very quickly is one (somewhat less imperfect) way to deal with such things, but it is far from perfect and it could not be done for the ad-hoc certificate system https: depends on

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Nicolas Williams
On Fri, Aug 08, 2008 at 11:20:15AM -0700, Eric Rescorla wrote: At Fri, 08 Aug 2008 10:43:53 -0700, Dan Kaminsky wrote: Funnily enough I was just working on this -- and found that we'd end up adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am curious about the

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Nicolas Williams
On Fri, Aug 08, 2008 at 12:35:43PM -0700, Paul Hoffman wrote: At 1:47 PM -0500 8/8/08, Nicolas Williams wrote: On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: The kerberos style of having credentials expire very quickly is one (somewhat less imperfect) way to deal

Re: The PKC-only application security model ...

2008-07-24 Thread Nicolas Williams
On Wed, Jul 23, 2008 at 05:32:02PM -0500, Thierry Moreau wrote: The document I published on my web site today is focused on fielding certificateless public operations with the TLS protocol which does not support client public keys without certificates - hence the meaningless security

Re: how bad is IPETEE?

2008-07-11 Thread Nicolas Williams
On Fri, Jul 11, 2008 at 05:08:39PM +0100, Dave Korn wrote: It does sound a lot like SSL/TLS without certs, ie. SSL/TLSweakened to make it vulnerable to MitM. Then again, if no Joe Punter ever knows the difference between a real and spoofed cert, we're pretty much in the same situation

Re: how bad is IPETEE?

2008-07-10 Thread Nicolas Williams
On Thu, Jul 10, 2008 at 06:10:27PM +0200, Eugen Leitl wrote: In case somebody missed it, http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE) I did miss it. Thanks for the link. I don't think in-band key exchange is desirable here, but, you never know what will triumph in

Re: how bad is IPETEE?

2008-07-10 Thread Nicolas Williams
On Thu, Jul 10, 2008 at 02:31:12PM -0400, James Cloos wrote: Eugen == Eugen Leitl [EMAIL PROTECTED] writes: Eugen I'm not sure what the status of http://postel.org/anonsec/ The IETF just created a new list and subscribed all anonsec subscribers:

Re: The wisdom of the ill informed

2008-06-30 Thread Nicolas Williams
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote: Given this, the real question is, /Quis custodiet ipsos custodes?/ Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions. There are well-attended conferences, papers published online

Re: The wisdom of the ill informed

2008-06-30 Thread Nicolas Williams
On Mon, Jun 30, 2008 at 11:47:54AM -0700, Allen wrote: Nicolas Williams wrote: On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote: Given this, the real question is, /Quis custodiet ipsos custodes?/ Putting aside the fact that cryptographers aren't custodians of anything, it's all about

Re: User interface, security, and simplicity

2008-05-06 Thread Nicolas Williams
On Tue, May 06, 2008 at 03:40:46PM +, Steven M. Bellovin wrote: Experiment part two: implement remote login (or remote IMAP, or remote Web with per-user privileges, etc.) under similar conditions. Recall that being able to do this was a goal of the IPsec working group. I think that part

Re: how to read information from RFID equipped credit cards

2008-04-18 Thread Nicolas Williams
On Tue, Apr 01, 2008 at 12:47:45AM +1300, Peter Gutmann wrote: Ben Laurie [EMAIL PROTECTED] writes: And so we end up at the position that we have ended up at so many times before: the GTCYM has to have a decent processor, a keyboard and a screen, and must be portable and secure. One day

Re: Dutch Transport Card Broken

2008-02-06 Thread Nicolas Williams
On Sun, Feb 03, 2008 at 09:24:48PM +1000, James A. Donald wrote: Nicolas Williams wrote: What, specifically, are you proposing? I am still writing it up. Running the web over UDP? In a sense. That should have been done from the beginning, even before security became a problem

Re: Dutch Transport Card Broken

2008-02-06 Thread Nicolas Williams
On Tue, Feb 05, 2008 at 08:17:32AM +1000, James A. Donald wrote: Nicolas Williams wrote: Sounds a bit like SCTP, with crypto thrown in. SCTP is what we should have done http over, though of course SCTP did not exist back then. Perhaps, like quite a few other standards, it still does

Re: Dutch Transport Card Broken

2008-02-03 Thread Nicolas Williams
On Thu, Jan 31, 2008 at 11:12:45PM -0500, Victor Duchovni wrote: On Fri, Feb 01, 2008 at 01:15:09PM +1300, Peter Gutmann wrote: If anyone's interested, I did an analysis of this sort of thing in an unpublished draft Performance Characteristics of Application-level Security Protocols,

Re: Dutch Transport Card Broken

2008-02-01 Thread Nicolas Williams
On Wed, Jan 30, 2008 at 02:47:46PM -0500, Victor Duchovni wrote: If someone has a faster than 3-way handshake connection establishment protocol that SSL could leverage instead of TCP, please explain the design. I don't have one that exists today and is practical. But we can certainly imagine

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Nicolas Williams
On Fri, Feb 01, 2008 at 09:24:10AM -0500, Perry E. Metzger wrote: Does tinc do something that IPsec cannot? I use a VPN system other than IPSec on a regular basis. The reason is simple: it is easy to configure for my application and my OS native IPsec tools are very difficult to configure.

Re: Dutch Transport Card Broken

2008-02-01 Thread Nicolas Williams
On Fri, Feb 01, 2008 at 07:58:16PM +, Steven M. Bellovin wrote: On Fri, 01 Feb 2008 13:29:52 +1300 [EMAIL PROTECTED] (Peter Gutmann) wrote: (Anyone have any clout with Firefox or MS? Without significant browser support it's hard to get any traction, but the browser vendors are too

Re: two-person login?

2008-01-29 Thread Nicolas Williams
On Tue, Jan 29, 2008 at 06:34:29PM +, The Fungi wrote: On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote: So now I throw it open for discussion. Is there any significant value in two-person login? That is, can you identify any threat that is alleviated by two-person login,

Re: refactoring crypto handshakes (SSL in 3 easy steps)

2007-11-13 Thread Nicolas Williams
On Thu, Nov 08, 2007 at 01:49:30PM -0600, [EMAIL PROTECTED] wrote: PREVIOUS WORK: Three messages is the proven minimum for mutual authentication. Last two messages all depend on the previous message, so minimum handshake time is 1.5 RTTs. Kerberos V manages in one round-trip. And it could

Re: improving ssh

2007-07-19 Thread Nicolas Williams
Doesn't this belong on the old SSHv2 WG's mailing list? On Sat, Jul 14, 2007 at 11:43:53AM -0700, Ed Gerck wrote: SSH (OpenSSH) is routinely used in secure access for remote server maintenance. However, as I see it, SSH has a number of security issues that have not been addressed (as far I

Re: Quantum Cryptography

2007-06-27 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote: On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote: This too is a *fundamental* difference between QKD and classical cryptography. What does this classical word mean? Is it the Quantum way to say real? I know we're in violent

Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote: BTW, on the quantum subway tokens business: In more modern terms, what this was providing was unlinkable, untraceable e-coins which could be spent exactly once, with *no* central database to check against and none of this well,

Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote: Victor Duchovni [EMAIL PROTECTED] writes: Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)? It would be good to read the

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote: Note that that RFC is Informational only. There were a bunch of perceived issues with it, although I think they were more purity disagreements than anything. FWIW, if you do *not* care about man-in-the-middle attacks (called

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 01:20:41PM -0700, Paul Hoffman wrote: For all the other aspects of BTNS (IPsec connection latching [and channel binding], IPsec APIs, leap-of-faith IPsec) agreeing on a globally shared secret does not come close to being sufficient. Fully agree. BTNS will definitely

Re: Why self describing data formats:

2007-06-23 Thread Nicolas Williams
On Mon, Jun 11, 2007 at 11:28:37AM -0400, Richard Salz wrote: Many protocols use some form of self describing data format, for example ASN.1, XML, S expressions, and bencoding. I'm not sure what you're getting at. All XML and S expressions really get you is that you know how to skip past

Re: Why self describing data formats:

2007-06-21 Thread Nicolas Williams
On Fri, Jun 01, 2007 at 08:59:55PM +1000, James A. Donald wrote: Many protocols use some form of self describing data format, for example ASN.1, XML, S expressions, and bencoding. ASN.1 is not an encoding, and not all its encodings are self-describing. Specifically, PER is a compact encoding

Re: Why self describing data formats:

2007-06-21 Thread Nicolas Williams
But the main motivation (imho) is that it's trendy. And once anyone proposes a heavyweight standard encoding, anyone who opposes it is labeled a Luddite. Maybe. But there's quite a lot to be said for standards which lead to widespread availability of tools implementing them, both, open source

Re: Why self describing data formats:

2007-06-21 Thread Nicolas Williams
On Mon, Jun 11, 2007 at 09:28:02AM -0400, Bowness, Piers wrote: But what is does help is allowing a protocol to be expanded and enhanced while maintaining backward compatibility for both client and server. Nonsense. ASN.1's PER encoding does not prevent extensibility.

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-15 Thread Nicolas Williams
On Mon, May 14, 2007 at 11:06:47AM -0600, [EMAIL PROTECTED] wrote: Ian G wrote: * Being dependent on PKI style certificates for signing, ... The most important motivation at the time was to avoid the risk of Java being export-controlled as crypto. The theory within Sun was that crypto

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-15 Thread Nicolas Williams
On Tue, May 15, 2007 at 11:37:56AM +0200, Ian G wrote: Nicolas Williams wrote: The requirement for having providers signed by a vendor's key certified by Sun was to make sure that only providers from suppliers not from, say, North Korea etc., can be loaded by the pluggable frameworks. OK

Re: More info in my AES128-CBC question

2007-05-12 Thread Nicolas Williams
On Wed, May 09, 2007 at 06:04:20PM -0400, Leichter, Jerry wrote: | Frankly, for SSH this isn't a very plausible attack, since it's not | clear how you could force chosen plaintext into an SSH session between | messages. A later paper suggested that SSL is more vulnerable: | A browser

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-12 Thread Nicolas Williams
Subject: Re: no surprise - Sun fails to open source the crypto part of Java Were you not surprised because you knew that said source is encumbered, or because you think Sun has some nefarious motive to not open source that code? If the latter then keep in mind that you can find plenty of crypto

Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Nicolas Williams
On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: At 03:52 PM 5/2/2007, Ian G wrote: This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected.

Re: More info in my AES128-CBC question

2007-04-27 Thread Nicolas Williams
On Wed, Apr 25, 2007 at 10:58:01PM -0500, Travis H. wrote: On Wed, Apr 25, 2007 at 05:42:44PM -0500, Nicolas Williams wrote: A confounder is an extra block of random plaintext that is prepended to a message prior to encryption with a block cipher in CBC (or CTS) mode; the resulting extra

Re: More info in my AES128-CBC question

2007-04-27 Thread Nicolas Williams
On Fri, Apr 27, 2007 at 05:13:44PM -0400, Leichter, Jerry wrote: What the RFC seems to be suggesting is that the first block of every message be SSH_MSG_IGNORE. Since the first block in any message is now fixed, there's no way for the attacker to choose it. Since the attacker SSH_MSG_IGNORE

Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-04-25 Thread Nicolas Williams
On Wed, Apr 25, 2007 at 03:24:06PM -0300, Mads Rasmussen wrote: Jee Hea An, Yevgeniy Dodis and Tal Rabin claims that the order doesn't matter [2]. Encrypt-then-sign or sign-then-encrypt is equally secure. Is this really true? My feeling was that the principle from Krawczyk's paper should

Re: More info in my AES128-CBC question

2007-04-25 Thread Nicolas Williams
On Wed, Apr 25, 2007 at 05:20:30PM +0300, Hagai Bar-El wrote: On 25/04/07 02:18, Nicolas Williams wrote: But be careful. Simply chaining the IV from message to message will create problems (see SSH). What problem does this (chaining IV from message to message) introduce in our case? See

Re: More info in my AES128-CBC question

2007-04-24 Thread Nicolas Williams
On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote: No, there will be message integrity. For those of you asking, here's a high level overview of the protocol is as follows: [...] 3) Data needing confidentiality is encrypted with the SK in the mode selected in step 1. The

Re: More info in my AES128-CBC question

2007-04-24 Thread Nicolas Williams
On Mon, Apr 23, 2007 at 11:23:54AM -0700, Aram Perez wrote: On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote: On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote: No, there will be message integrity. For those of you asking, here's a high level overview of the protocol is as follows

Re: AES128-CBC Question

2007-04-19 Thread Nicolas Williams
On Fri, Apr 20, 2007 at 08:56:32AM +1200, Sidney Markowitz wrote: Aram Perez wrote, On 19/4/07 6:29 PM: Is there any danger in using AES128-CBC with a fixed IV of all zeros? Here is some discussion about doing this, in the context of PGP doing just that and why PGP inserts random characters

Re: DNSSEC to be strangled at birth.

2007-04-06 Thread Nicolas Williams
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of

Re: Failure of PKI in messaging

2007-02-15 Thread Nicolas Williams
On Thu, Feb 15, 2007 at 11:36:35AM -0500, Victor Duchovni wrote: On Thu, Feb 15, 2007 at 10:10:21AM -0500, Leichter, Jerry wrote: Meanwhile, the next generation of users is growing up on the immediacy of IM and text messaging. Mail is ... so 20th century. Well, you certainly don't want to

Re: One Laptop per Child security

2007-02-09 Thread Nicolas Williams
On Fri, Feb 09, 2007 at 01:22:06PM +1000, James A. Donald wrote: Nicolas Williams wrote: The text you quote doesn't answer the question; the rest of the wiki frontpage says little more. It tends to make me think that if an application wants to do something that I've not enabled it to do

  1   2   >