Re: [Cryptography] SSH small RSA public exponent

2013-10-12 Thread Peter Gutmann
Tim Hudson t...@cryptsoft.com writes: Does anyone recollect the history behind and the implications of the (open) SSH choice of 35 as a hard-wired public exponent? /* OpenSSH versions up to 5.4 (released in 2010) hardcoded e = 35, which is both a suboptimal exponent (it's less efficient than

Re: [Cryptography] Key stretching

2013-10-11 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: Quick question, anyone got a good scheme for key stretching? http://lmgtfy.com/?q=hkdf&l=1 Peter :-).

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-10 Thread Peter Gutmann
Watson Ladd watsonbl...@gmail.com writes: The obvious solution: Do it right the first time. And how do you know that you're doing it right? PGP in 1992 adopted a bleeding-edge cipher (IDEA) and was incredibly lucky that it's stayed secure since then. What new cipher introduced up until 1992

[Cryptography] Universal security measures for crypto primitives

2013-10-07 Thread Peter Gutmann
Given the recent debate about security levels for different key sizes, the following paper by Lenstra, Kleinjung, and Thome may be of interest: Universal security from bits and mips to pools, lakes and beyond http://eprint.iacr.org/2013/635.pdf From now on I think anyone who wants to argue

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-04 Thread Peter Gutmann
d...@geer.org writes: The (U.S.) medical records system that started at the Veterans' Administration and has now spread to all but all parts of the U.S. Federal government that handle electronic health records is ASCII encoded, and readable. Called The Blue Button,[1] there is even an HL7-Blue

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-03 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: My favorite more recent example of the pitfalls is TL1, a language and protocol used to managed high-end telecom equipment. TL1 has a completely rigorous syntax definition, but is supposed to be readable. For those not familiar with TL1, supposed to be

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-29 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: Quite, who on earth thought DER encoding was necessary or anything other than incredible stupidity? At least some X.500/LDAP folks thought they could do it. Mind you, we're talking about people who believe in X.500/LDAP here... Peter.

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-26 Thread Peter Gutmann
Kristian Gjøsteen kristian.gjost...@math.ntnu.no writes: (For what it's worth, I discounted the press reports about a trapdoor in Dual-EC-DRBG because I didn't think anyone would be daft enough to use it. I was wrong.) +1. It's the Vinny Gambini effect (from the film My

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-26 Thread Peter Gutmann
ianG i...@iang.org writes: Well, defaults being defaults, we can assume most people have left it in default mode. I suppose we could ask for research on this question, but I'm going to guess: most. “Software Defaults as De Facto Regulation: The Case of Wireless APs”, Rajiv Shah and

Re: [Cryptography] forward-secrecy >=2048-bit in legacy browser/servers? (Re: RSA equivalent key length/strength)

2013-09-26 Thread Peter Gutmann
Adam Back a...@cypherspace.org writes: Is there a possibility with RSA-RSA ciphersuite to have a certified RSA signing key, but that key is used to sign an RS key negotiation? Yes, but not in the way you want. This is what the 1990s-vintage RSA export ciphersuites did, but they were designed so

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Peter Gutmann
Stephen Farrell stephen.farr...@cs.tcd.ie writes: That's a mischaracterisation I think. Some folks (incl. me) have said that 1024 DHE is arguably better that no PFS and if current deployments mean we can't ubiquitously do better, then we should recommend that as an option, while at the same time

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Peter Gutmann
Peter Fairbrother zenadsl6...@zen.co.uk writes: On 24/09/13 05:27, Peter Gutmann wrote: Peter Fairbrother zenadsl6...@zen.co.uk writes: If you just want a down-and-dirty 2048-bit FS solution which will work today, why not just have the websites sign a new RSA-2048 sub-certificate every day

Re: [Cryptography] RSA equivalent key length/strength

2013-09-24 Thread Peter Gutmann
Patrick Pelletier c...@funwithsoftware.org writes: I'm inclined to agree with you, but you might be interested/horrified in the 1024 bits is enough for anyone debate currently unfolding on the TLS list: That's rather misrepresenting the situation. It's a debate between two groups, the security

Re: [Cryptography] RSA equivalent key length/strength

2013-09-24 Thread Peter Gutmann
Peter Fairbrother zenadsl6...@zen.co.uk writes: If you just want a down-and-dirty 2048-bit FS solution which will work today, why not just have the websites sign a new RSA-2048 sub-certificate every day? Or every few hours? And delete the secret key, of course. ... and I guess that puts you

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: I have not spent a great deal of time looking at the exact capabilities of PRISM vs the other programs involved because from a design point they are irrelevant. The objective is to harden/protect the infrastructure from any ubiquitous, indiscriminate

Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-18 Thread Peter Gutmann
Walter van Holst walter.van.ho...@xs4all.nl writes: These are not rights that are solely vested in the exceptional Americans. The Bill of Tights [...] For people unfamiliar with this one, it's the bit that reads: Congress shall make no law respecting the wearing of hosiery, or prohibiting

Re: [Cryptography] The paranoid approach to crypto-plumbing

2013-09-17 Thread Peter Gutmann
Tony Arcieri basc...@gmail.com writes: On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz fra...@pwpconsult.com wrote: After Rijndael was selected as AES, someone suggested the really paranoid should super encrypt with all 5 finalists in the competition. Five level super encryption is probably

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-12 Thread Peter Gutmann
zooko zo...@zooko.com writes: I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were stolen by exploiting this, for example: http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/ Was that the change that was required by FIPS 140, or a different

Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Peter Gutmann
Dave Horsfall d...@horsfall.org writes: Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors? The ionising types are being phased out in favour of optical (at least in Australia) so there must be heaps of them lying

Re: [Cryptography] Suite B after today's news

2013-09-11 Thread Peter Gutmann
Ben Laurie b...@links.org writes: Feel free to argue the toss with IANA: http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml Hmm, I talked to a person involved in the process earlier this year to let him know that 0x10 was already being used, I'd assumed it'd

Re: [Cryptography] Suite B after today's news

2013-09-10 Thread Peter Gutmann
Ben Laurie b...@links.org writes: We need to get an extension number allocated, since the one it uses clashes with ALPN. It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10 anywhere. (In any case -encrypt-then-MAC got there first, these Johnny-come-lately's can find their own

Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-09 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: People buy guns despite statistics that show that they are orders of magnitude more likely to be shot with the gun themselves rather than by an attacker. Some years ago NZ abolished its offensive (fighter) air force (the choice was either to buy

Re: [Cryptography] Protecting Private Keys

2013-09-08 Thread Peter Gutmann
Jeffrey I. Schiller j...@mit.edu writes: If I was the NSA, I would be scavenging broken hardware from “interesting” venues and purchasing computers for sale in interesting locations. I would be particularly interested in stolen computers, as they have likely not been wiped. Just buy

Re: [Cryptography] Suite B after today's news

2013-09-08 Thread Peter Gutmann
Ralph Holz ralph-cryptometz...@ralphholz.de writes: I've followed that list for a while. What I find weird is that there should be much dissent at all. This is about increasing security based on adding quite well-understood mechanisms. What's to be so opposed to there? There wasn't really much

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Peter Gutmann
ianG i...@iang.org writes: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? Peter.

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Peter Gutmann
Ralph Holz ralph-cryptometz...@ralphholz.de writes: But for right now, what options do we have that are actually implemented somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, etc.), and I don't see any move towards TLS 1.0.

Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Peter Gutmann
John Denker j...@av8n.com writes: To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: I would like to open the floor to *informed speculation* about BULLRUN. Not informed since I don't work for them, but a connect-the-dots: 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless you get everything absolutely

Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: I can think of no circumstances where I would voluntarily use LDAP as the solution to any problem of any sort. Our direct competitor has asked us to recommend a technology for whatever it is that LDAP is meant to be the solution for. What should we

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-09-05 Thread Peter Gutmann
[Apparently a pile of my mail got dropped, the following few messages are re-sends] The Doctor dr...@virtadpt.net writes: It might be a reasonable way of protecting PGP key information in DNS records so that someone doesn't try inserting their own when it's looked up. And that's the problem

Re: [Cryptography] NSA and cryptanalysis

2013-09-05 Thread Peter Gutmann
John Kelsey crypto@gmail.com writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto. Why attack when you can bypass [1]. Peter. [1] From

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-09-05 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: To backup the key we tell the device to print out the escrow data on paper. Let us imagine that there is a single sheet of paper which is cut into six parts as follows: You read my mind :-). I suggested more or less this to a commercial

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: At the very least, anyone whining at a standards meeting from now on that they don't want to implement a security fix because it isn't important to the user experience or adds minuscule delays to an initial connection or whatever should be viewed with

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH that you're thinking of? It's not just randomness, it's problems with DLP-based crypto in general. For example there's the scary tendency of DLP-based ops to leak the private

Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes: My opinion about GCM and GMAC has not changed. I've never been a fan. Same here. AES is, as far as we know, pretty secure, so any problems are going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid as you can get. AES-GCM is a design or

Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes: How do you feel (heh, I typoed that as feal) about the other AEAD modes? If it's not a stream cipher and doesn't fail catastrophically with IV reuse then it's probably as good as any other mode. Problem is that at the moment modes like AES-CTR are being

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Peter Gutmann
Ralph Holz ralph-cryptometz...@ralphholz.de writes: There is a host of older literature, too - P2P research, however, has become a cold topic. Although I expect that it will see a revival in the face of surveillance. For people who are interested, the list I have (for a year or two back) is:

Re: Computer health certificate plan: Charney of DoJ/MS

2010-10-08 Thread Peter Gutmann
Before people get too far into conspiracy theories with this, I should point out that health certificates have been part of corporate Windows environments for years (I don't know how many exactly, I think it's been since at least Server 2003). The intent of health certs is that it allows the IT

Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic

2010-10-07 Thread Peter Gutmann
Victor Duchovni victor.ducho...@morganstanley.com writes: What are EE certs, did you mean EV? End-entity certs, i.e. non-CA certs. This means that potentially after the end of this year and definitely after 2013 it will not be possible to use any key shorter than 2048 bits with Firefox.

Re: What if you had a very good entropy source, but only practical at crypto engine installation time?

2010-10-07 Thread Peter Gutmann
Thierry Moreau thierry.mor...@connotech.com writes: The PUDEC (Practical Use of Dice for Entropy Collection) scheme has been advanced. The new web page is at http://pudec.connotech.com Plus the PUDEC dice sets are now offered for sale. Hmm, they're somewhat expensive... a cheaper alternative,

Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic

2010-10-07 Thread Peter Gutmann
Matt Crawford craw...@fnal.gov writes: EE = End Entity, but I don't read the first sentence the way Peter did. As I mentioned in my previous followup, it's badly worded, but the intent is to ban any keys < 2K bits of any kind (currently with evolving weasel-words about letting CAs certify them

Formal notice given of rearrangement of deck chairs on RMS PKItanic

2010-10-06 Thread Peter Gutmann
From https://wiki.mozilla.org/CA:MD5and1024: December 31, 2010 - CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits [0]. All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-10-03 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: By the way, the don't acknowledge whether it was the login ID or the password that was wrong example is one of those things everyone knows - along with change your password frequently - that have long passed their use by date. You got there before I did

Something you have, something else you have, and, uh, something else you have

2010-09-17 Thread Peter Gutmann
From the ukcrypto mailing list: Just had a new Lloyds credit card delivered, it had a sticker saying I have to call a number to activate it. I call, it's an automated system. It asks for the card number, fair enough. It asks for the expiry date, well maybe. It asks for my DOB, the only

More on padding oracles

2010-09-16 Thread Peter Gutmann
Brian Holyfield has created another implementation of the padding oracle exploitation tool first described by Juliano Rizzo and Thai Duong, as well as providing a step-by-step, easy-to-understand explanation of how the attack works, you can find it at:

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-15 Thread Peter Gutmann
Tom Ritter t...@ritter.vg writes: What's weird is I find confusing literature about what *is* the default for protecting the viewstate. I still haven't seen the paper/slides from the talk so it's a bit hard to comment on the specifics, but if you're using .NET's FormsAuthenticationTicket (for

A mighty fortress is our PKI, Part III

2010-09-15 Thread Peter Gutmann
Some more amusing anecdotes from the world of PKI: - A standard type of fraud that's been around for awhile is for scammers to set up an online presence for a legit offline business, which appears to check out when someone tries to verify it. A more recent variation on this is to buy certs

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: One wonders what security model indicated 4096 bits is the ideal length The one that says that if you wind things up past 11 (4096 bits), various things break. (D'you really think they applied any kind of security analysis to the choice of key

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Peter Gutmann
John Gilmore g...@toad.com writes: Let me guess -- to run anything but Windows, you'll soon have to jailbreak even laptops and desktop PC's? Naah, we're perfectly safe, like every other similar attempt after 5-10 years of effort and several hundred million dollars down the drain it'll come to

Re: Fw: [IP] Malware kills 154

2010-08-23 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com forwards: Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

RE: Has there been a change in US banking regulations recently?

2010-08-15 Thread Peter Gutmann
Ray Dillinger b...@sonic.net writes: On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote: The big drawback is that those who want to follow NIST's recommendations to migrate to 2048-bit keys will be returning to the 2005-era overhead. Either way, that's back in line with the

Has there been a change in US banking regulations recently?

2010-08-13 Thread Peter Gutmann
As part of a thread on another list, I noticed that Bank of America, who until recently didn't bother protecting the page where users are expected to enter their credentials with anything more substantial than a GIF of a padlock, now finally use HTTPS on their home page, and redirect HTTP to HTTPS

Re: A mighty fortress is our PKI, Part II

2010-08-11 Thread Peter Gutmann
Thor Lancelot Simon t...@rek.tjls.com writes: If you want to see a PKI tragedy in the making, have a look at the CRLs used by the US DoD. Only in the making? Actually it's all relative, in Japan the Docomo folks turned off CRLs because they found that even a relatively modest CRL (not just the

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
David-Sarah Hopwood david-sa...@jacaranda.org writes: Huh? I don't understand the argument being made here. It's a bogus argument, the text says: He took a legitimate software package and removed the signature of the digital certificate it contained, then installed the package on his

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes: But S.J. Perelman's Three Shares in a Boat Uhh. minor nitpick, it was Jerome K. Jerome who wrote Three Shares in a Boat. He followed it up with Three Certificates on the Bummel, a reference to the sharing of commercial vendors' code-signing keys with malware

Preventing a recurrence of the Realtek/JMicron fiasco

2010-08-05 Thread Peter Gutmann
I've been having an off-list discussion with someone about how you'd prevent the recent Realtek/JMicron certificate fiasco. My thoughts on this: Since many development shops see the signing process as nothing more than an annoying speed-bump that stands in the way of application deployment,

Using file-hiding rootkits for good

2010-08-03 Thread Peter Gutmann
I recently came across an example of a file-hiding rootkit for Windows that's used for good instead of evil: It's a minifilter that hides (or at least blocks, the files are still visible) access to executables on removable media, with user-configurable options to block autorun.inf and/or all

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: One could certainly screw up the design of a recovery system, but one would have to try. There really ought not be that much of difference between recovering from m pieces and recovering from one. There's a *huge* difference, see my previous posting

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: Here's how I would do it: Key segments are stored on USB sticks. There's a spot on the device with m USB slots, two buttons, and red and green LED's. You put your USB keys into the slots and push the first button. If the red LED lights - you don't have

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-01 Thread Peter Gutmann
Thierry Moreau thierry.mor...@connotech.com writes: With the next key generation for DNS root KSK signature key, ICANN may have an opportunity to improve their procedure. What they do will really depend on what their threat model is. I suspect that in this case their single biggest threat was

Is this the first ever practically-deployed use of a threshold scheme?

2010-07-31 Thread Peter Gutmann
Apparently the DNS root key is protected by what sounds like a five-of-seven threshold scheme, but the description is a bit unclear. Does anyone know more? (Oh, and for people who want to quibble over practically-deployed, I'm not aware of any real usage of threshold schemes for anything, at

Re: Five Theses on Security Protocols

2010-07-31 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes: Inspired by recent discussion, these are my theses, which I hereby nail upon the virtual church door: Are we allowed to play peanut gallery for this? 1 If you can do an online check for the validity of a key, there is no need for a long-lived signed

Re: A mighty fortress is our PKI

2010-07-30 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: What if... Firefox (or other) could introduce a big new feature (safety controls) and ask you up front: Do you want to be safer on the internet? The problem is that neither the browser vendor nor the users will see it like this. For the user

Re: A mighty fortress is our PKI, Part II

2010-07-30 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: When I look at this, though, little of the problem is inherent to PKI. Rather, there are faulty communications paths. Oh no my Lord, I assure you that parts of it are excellent! :-). [...] how should the CA or Realtek know about the problem? [...]

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Ben Laurie b...@links.org writes: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to sign 64-bit

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't work. Is this just an exercise in one-upmanship? You know more ways the world is broken than I do? It's

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: For the last issue, I'd note that using pki instead of PKI (i.e., many different per-realm roots, authorization certificates rather than identity certificates, etc.) doesn't help: Realtek et al. still have no better way or better incentive to revoke

Re: A mighty fortress is our PKI

2010-07-28 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and certificate

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Nicolas Williams nicolas.willi...@oracle.com writes: Exactly. OCSP can work in that manner. CRLs cannot. OCSP only appears to work in that manner. Since OCSP was designed to be 100% bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and not an OCSP. Specifically, if

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Nicolas Williams nicolas.willi...@oracle.com writes: Sorry, but this is wrong. The OCSP protocol itself really is an online certificate status protocol. It's not an online certificate status protocol because it can provide neither a yes or a no response to a query about the validity of a

Re: A mighty fortress is our PKI

2010-07-27 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: [...] This is kind of a long message to reply to so I'll just post a meta-reply to avoid getting bogged down in nitpicking, the message, as the subject line indicated, was intended to start a discussion on some of the weaknesses inherent in the

Re: A mighty fortress is our PKI

2010-07-27 Thread Peter Gutmann
Ian G i...@iang.org writes: ** But talking about TLS/SNI to SSL suppliers is like talking about the lifeboats on the Titanic ... we don't need it because SSL is unsinkable. ... or talking to PKI standards groups about adding a CRL reason code for certificate issued in error (e.g. to an

A mighty fortress is our PKI, Part II

2010-07-25 Thread Peter Gutmann
Have you ever wondered what would happen if malware started appearing that was authenticated by signing keys belonging to major hardware or software vendors? Over the last week or two we've had a chance to find out: One of the scariest scenarios for code signing is when the malware authors manage

Re: A mighty fortress is our PKI

2010-07-23 Thread Peter Gutmann
From an off-list discussion: Can someone who knows more about how these CDNs handle certs provide a brief summary for the list? From looking at Sybil certs grabbed from a few CDN sites there doesn't seem to be any rhyme or reason to them. Also, how and under what conditions can you get access to

Re: A mighty fortress is our PKI

2010-07-23 Thread Peter Gutmann
Looks like the CDN certificate is already causing security problems, although not the kind that I was expecting: While trying to import a server certificate for a CDN service, a segv bug was found in [PKI app]. It is likely that this bug is exploitable by sending a special crafted signed

A mighty fortress is our PKI

2010-07-22 Thread Peter Gutmann
Readers are cordially invited to go to https://edgecastcdn.net and have a look at the subjectAltName extension in the certificate that it presents. An extract is shown at the end of this message, this is just one example of many like it. I'm not picking on Edgecast specifically, I just used

Re: Intel to also add RNG

2010-07-13 Thread Peter Gutmann
Paul Wouters p...@xelerance.com writes: Which is what you should do anyway, in case of a hardware failure. I know the Linux intel-rng and amd-rng used to produce nice series of zeros. Do you have any more details on this? Was it a hardware problem, software problem, ...? How was it caught?

Re: Fwd: Anyone make any sense out of this skype hack announcement?

2010-07-13 Thread Peter Gutmann
Christian Collberg collb...@gmail.com writes: I don't know if the new crack reveals anything new. We have a writeup about the Skype protection techniques in Surreptitious Software, our book on security-through-obscurity. (Sorry for the blatant self-promotion). No need to apologise, it's a damn

Re: Intel to also add RNG

2010-07-12 Thread Peter Gutmann
Ben Laurie b...@google.com writes: On 2 July 2010 13:19, Eugen Leitl eu...@leitl.org wrote: http://www.technologyreview.com/printer_friendly_article.aspx?id=25670&channel=Briefings&section=Microprocessors Tuesday, June 29, 2010 Nanoscale Random Number Circuit to Secure Future Chips Intel unveils

Re: Question w.r.t. AES-CBC IV

2010-07-10 Thread Peter Gutmann
Ralph Holz ralph-cryptometz...@ralphholz.de writes: CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are fresh whereas security of CBC mode requires IVs to be random. Unfortunately CTR mode, being a stream cipher, fails

Spy/Counterspy

2010-07-09 Thread Peter Gutmann (alt)
GPS tracking units that you can fit to your car to track where your kids are taking it (or *cough* other purposes) have been around for awhile now. It's interesting to see that recently the sorts of places that'll sell you card skimmers and RFID cloners have started selling miniature GPS jammers

Re: Against Rekeying

2010-03-26 Thread Peter Gutmann (alt)
Nicolas Williams nicolas.willi...@sun.com writes: I made much the same point, but just so we're clear, SSHv2 re-keying has been interoperating widely since 2005. (I was at Connectathon, and while the details of Cthon testing are proprietary, I can generalize and tell you that interop in this

Phone company phishes its own users

2009-11-21 Thread Peter Gutmann
There have been numerous posts to this list about banks phishing their own users so I figured I'd start a new thread about other companies who are potential phishing-targets doing this as well, in this case a phone company. From the fraud-alert support forum of Vodafone:

Why the onus should be on banks to improve online banking security

2009-11-21 Thread Peter Gutmann
There's been a near-neverending debate about who should be responsible for improving online banking security measures: the users, the banks, the government, the OS vendor, ... . Here's an interesting perspective from Peter Benson peter.ben...@codescan.com, reposted with permission, on why the

Re: Crypto dongles to secure online transactions

2009-11-21 Thread Peter Gutmann
John Levine jo...@iecc.com writes: I told him about an approach to use a security dongle that puts the display and confirmation outside the range of the malware, and although I thought it was fairly obvious, he'd apparently never heard it before. Some general thoughts on this, there have been

Interesting way of protecting credit card data on untrusted hosts

2009-09-28 Thread Peter Gutmann
A Canadian company called SmartSwipe has come up with an interesting way to protect credit card numbers from most man-in-the-browser attacks. What they do is install a Windows CSP (cryptographic service provider) that acts as a proxy to an external mag-stripe reader with built-in crypto

Re: Bringing Tahoe ideas to HTTP

2009-09-18 Thread Peter Gutmann
Alexandre Dulaunoy adu...@gmail.com writes: On the same idea, there is an expired Internet-Draft called Link Fingerprints : http://www.potaroo.net/ietf/idref/draft-lee-uri-linkfingerprints/ Although the draft has expired, the concept lives on in various tools. For example DownThemAll for

Re: [tahoe-dev] Bringing Tahoe ideas to HTTP

2009-09-18 Thread Peter Gutmann
Brian Warner war...@lothar.com writes: From what I can tell, the Sparkle update framework (for OS-X)[1] is doing something like what I want for firefox: the Sparkle-enabled application will only accept update bundles which are signed by a DSA privkey that matches a pubkey embedded in the app.

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-17 Thread Peter Gutmann
Kevin W. Wall kevin.w.w...@gmail.com writes: (Obviously some of these padding schemes such as OAEP are not suitable with symmetric ciphers. Or at least I don't think they are.) You'd be surprised at what JCE developers will implement just because they can, and what therefore gets used by

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-16 Thread Peter Gutmann
David Wagner d...@cs.berkeley.edu writes: (You could replace AES-CMAC with SHA1-HMAC, but why would you want to?) The answer to that depends on whether you need to support an existing base of crypto software and hardware. Even though (in this case) it's a new standard, it still requires support

Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Peter Gutmann
Damien Miller d...@mindrot.org writes: That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API. I first saw it reported on the Putty bugs list [0], a good place to track interop problems with implementations since

Re: RNG using AES CTR as encryption algorithm

2009-09-09 Thread Peter Gutmann
David Johnston d...@deadhat.com writes: Convincing yourself that you have implemented AES-CTR correctly usually involves first checking that your AES-ECB is correct, then putting the output of your counter construction into some other known good AES-CTR implementation and comparing the results
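The two CTR points raised in this archive, Johnston's recipe above (check ECB against a known answer, then compare your counter construction with a known-good AES-CTR) and Holz's remark in the AES-CBC IV thread that CTR only needs fresh counters but fails badly when one is reused, fit in one worked example. The code below is added here and is not from any of the list posters or from OpenSSH/OpenSSL; it hand-builds CTR from Go's raw AES block cipher, checks it against the NIST SP 800-38A vectors (F.1.1 for ECB, F.5.1 for CTR), compares it with crypto/cipher's CTR as the reference implementation, and then shows what a reused counter block leaks. The key and counter block used outside the NIST checks are constructed test values, not anything from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// incCounter increments a 16-byte big-endian counter block in place
// (the same convention crypto/cipher's CTR uses).
func incCounter(ctr []byte) {
	for i := len(ctr) - 1; i >= 0; i-- {
		ctr[i]++
		if ctr[i] != 0 {
			return
		}
	}
}

// ctrCrypt is a hand-built AES-CTR: keystream block i is the raw ECB
// encryption of (counterBlock + i), XORed onto the input. Encrypt and
// decrypt are the same operation. counterBlock must be 16 bytes.
func ctrCrypt(key, counterBlock, in []byte) ([]byte, error) {
	if len(counterBlock) != aes.BlockSize {
		return nil, fmt.Errorf("counter block must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ctr := append([]byte(nil), counterBlock...) // work on a copy
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		block.Encrypt(ks, ctr) // one ECB encryption of the counter
		end := off + aes.BlockSize
		if end > len(in) {
			end = len(in) // partial final block: use only part of the keystream
		}
		for i := off; i < end; i++ {
			out[i] = in[i] ^ ks[i-off]
		}
		incCounter(ctr)
	}
	return out, nil
}

// ecbKAT: step one, the raw block cipher against NIST SP 800-38A F.1.1.
func ecbKAT() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	want, _ := hex.DecodeString("3ad77bb40d7a3660a89ecaf32466ef97")
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, pt)
	return bytes.Equal(got, want)
}

// ctrKAT: step two, the counter construction against SP 800-38A F.5.1
// (CTR-AES128.Encrypt, all four blocks).
func ctrKAT() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	ctr, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a" +
		"ae2d8a571e03ac9c9eb76fac45af8e51" +
		"30c81c46a35ce411e5fbc1191a0a52ef" +
		"f69f2445df4f9b17ad2b417be66c3710")
	want, _ := hex.DecodeString("874d6191b620e3261bef6864990db6ce" +
		"9806f66b7970fdff8617187bb9fffdff" +
		"5ae4df3edbd5d35e5b4f09020db03eab" +
		"1e031dda2fbe03d1792170a0f3009cee")
	got, err := ctrCrypt(key, ctr, pt)
	return err == nil && bytes.Equal(got, want)
}

// matchesReference: step three, the same counter block through a known-good
// implementation (crypto/cipher's CTR), ideally on a non-block-multiple length.
func matchesReference(key, counterBlock, pt []byte) bool {
	mine, err := ctrCrypt(key, counterBlock, pt)
	if err != nil {
		return false
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	ref := make([]byte, len(pt))
	cipher.NewCTR(block, counterBlock).XORKeyStream(ref, pt)
	return bytes.Equal(mine, ref)
}

// reusedCounterLeak: why CTR needs fresh counters. Two messages under the
// same key and counter block share a keystream, so c1 XOR c2 == p1 XOR p2
// and the attacker learns the plaintext difference with no key at all.
func reusedCounterLeak(key, counterBlock, p1, p2 []byte) []byte {
	c1, _ := ctrCrypt(key, counterBlock, p1)
	c2, _ := ctrCrypt(key, counterBlock, p2)
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	diff := make([]byte, n)
	for i := range diff {
		diff[i] = c1[i] ^ c2[i]
	}
	return diff
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)   // constructed test key
	nonce := bytes.Repeat([]byte{0x22}, 16) // constructed counter block
	fmt.Println("ECB KAT:", ecbKAT(), "CTR KAT:", ctrKAT())
	fmt.Println("matches crypto/cipher:", matchesReference(key, nonce, []byte("not a block multiple")))
	fmt.Printf("c1^c2 = p1^p2: %x\n", reusedCounterLeak(key, nonce, []byte("pay $100 to alice"), []byte("pay $900 to mallo")))
}
```

The order of the checks matters: if the ECB vector fails, nothing built on it is worth debugging, and only once the CTR vector passes is the reference comparison on odd lengths telling you something new (the partial last block and the counter carry are where hand-rolled CTR usually goes wrong). The leak function is the reason the IV discussion distinguishes "fresh" from "random": a per-message counter is perfectly good for CTR, but any repeat, random or not, hands over p1 XOR p2.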

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Peter Gutmann
Ian G i...@systemics.com writes: If one is trying to solve the whole thing, then using the much-commented secure-bookmarks model would do this. Within the secure bookmark, record the user's certificate and cache enough info on the server's cert to deal with replacements (like, cert, name, CA).

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: Peter, I'm not sure what you mean by good enough to satisfy security geeks vs. good enough for most purposes. I'm not looking for theoretically good enough, for any value of theory; my metric -- as a card-carrying security geek -- is precisely good

Re: SHA-1 and Git (was Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git)

2009-09-08 Thread Peter Gutmann
Thor Lancelot Simon t...@rek.tjls.com writes: I think we're largely talking past one another. As regards new horrible problems I meant simply that if there _are_ new horrible problems_ such that we need to switch away from SHA1 in the TLS PRF, the design mistakes made in TLS 1.1 will make it

Re: Client Certificate UI for Chrome?

2009-09-04 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: This returns us to the previously-unsolved UI problem: how -- with today's users, and with something more or less like today's browsers since that's what today's users know -- can a spoof-proof password prompt be presented? Good enough to satisfy

Re: Client Certificate UI for Chrome?

2009-08-18 Thread Peter Gutmann
James A. Donald jam...@echeque.com writes: I cannot see how you could create a bank web page without a web application framework (counting mod-php as a very primitive web application framework) and scripting and a database, which scripting and database has to know who it is is that logged in We

Re: Client Certificate UI for Chrome?

2009-08-16 Thread Peter Gutmann
James A. Donald jam...@echeque.com writes: [Incredibly complicated description of web scripting plumbing deleted] We seem to be talking about completely different things here. For a typical application, say online banking, I connect to my bank at www.bank.com or whatever, the browser requests my

Re: Client Certificate UI for Chrome?

2009-08-11 Thread Peter Gutmann
James A. Donald jam...@echeque.com writes: For password-authenticated key agreement such as TLS-SRP or TLS-PSK to work, login has to be in the chrome. Sure, but that's a relatively tractable UI problem (and see the comment below on Camino). Certificates on the other hand are an apparently
