Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
Hi Allen,

On Mon, Feb 26, 2007 at 09:23:30PM -0800, Allen wrote:
 Hi Hadmut,
 
 combination lock brands in the $30 to $45 USD range where you can 
 set the combination to whatever you want. Guess what? They all 
 seemed to use the same key to enable setting the combination. 


Why make it that difficult and complicated?


You can easily and immediately open most combination locks with
vertical wheels on suitcases (and probably those at padlocks). All you
need is a flashlight. 

The wheels are usually a little bit loose. Just shift it to the left
or to the right with your finger tip and use the flashlight to peep
into the gap. You will spot the axis of the wheel. Now turn the wheel
until you see the chamfer pointing directly to you. Proceed with all
wheels. 

If the lock doesn't open, turn all wheel by 180 degree (to digit n+5
mod 10). Some locks need the chamfer up, some need it down to open.

With a little practise and experience it is almost as fast as if you 
knew the combination code.

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
On Tue, Feb 27, 2007 at 01:09:00AM -0500, David Chessler wrote:

 This is why I don't bother with padlocks until I get to the hotel 
 room. It is a good idea to slow down the petty thief, but a twist 
 tie from a plastic bag will work. I use the nylon straps used to 
 hold cable bunches in place. I use many different colors, so it is 
 most unlikely that a petty thief would have one handy (black or white 
 are very common.


Same what I do, especially because opening luggage in absence of the
owner is rather unusual outside the USA. Sometimes I also seal the 
case with any unusual sticker I got somewhere for free or a paper
sticker.

The method with the cable binder became difficult since it is
forbidden to have a nail scissors in the bord luggage. Sometimes not
that easy to open it without damaging luggage without a tool.


regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
On Mon, Feb 26, 2007 at 10:36:22PM -0600, Taral wrote:
 
 I'm just waiting for someone with access to photograph said keys and
 post it all over the internet.



It does not need access to the keys. 


Do you know that car Volkswagen Golf? As far as I know also sold in
the USA. 

In the eighties there was a problem: Many of the had been stolen
without visible force. No broken window, no broken ignition lock.


They finally found the method:


These Golfs had plastic fuel tank caps, which could be easily broken
off by hand. Just grab it, tear it away with force, and you have it.

The tank cap had a lock inside. All you needed to do is to cut the
plastic lock open and to copy the tumbler lengths to a blank key. 
Then you have a working key. 

You could do the same and just open some of these locks, one per key
number.

regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Details of the backdoor-padlock

2007-02-27 Thread Hadmut Danisch
Hi,

made two pictures of the padlock with the backdoor:

http://www.danisch.de/tmp/pict0951x.jpg

shows the TSA keywhole: Just a very simple standard 
key cylinder, pretty easy to produce a general key from any lock. 


But that's waste of time. The lock suffers from the same weakness
almost all locks of this kind do: You don't need any key or code 
to open them: See 

http://www.danisch.de/tmp/pict0954x.jpg

The 'secret' code is still 000. When you turn the wheels for
exactly 180 degree (thus the 5 is up on the rightmost wheel), 
you can see that chamfer of the axis on the left side of the rightmost wheel. 
It is visible, but must point down to open.

Turn the wheels until you see this, and then turn them another
180 degrees, and: Open Sesame!

So no need to bother with a TSA key. Open it directly. 

regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


padlocks with backdoors - TSA approved

2007-02-26 Thread Hadmut Danisch
Hi,

has this been mentioned here before?


I just had my crypto mightmare experience. 


I was in a (german!) outdoor shop to complete my equipment 
for my next trip, when I came to the rack with luggage padlocks 
(used to lock the zippers). 

While the german brand locks were as usual, all the US brand locks 
had a sticker 

   Can be opened and re-locked by US luggage inspectors. 

Each of these (three digit code) locks had a small keyhole for the 
master key to open. Obviously there are different key types 
(different size, shape, brand) as the locks had numbers like TSA005 
tell the officer which key to use to open that lock.


Never seen anything in real world which is such a precise analogon of 
a crypto backdoor for governmental access.

Ironically, they advertise it as a big advantage and important feature, 
since it allows to arrive with the lock intact and in place instead of 
cut off. 


This is the point where I decided to have nightmares from now on.


regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Hadmut Danisch
Hi Lance,

On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
 
 Another problem from what I see with Malware that steals data is the
 formgrabbing and on event logging of data. Malware can detect if
 SecureID is being used based on targeted events, example: Say HSBC
 (Hypothetical example, not targeting HSBC) has two-factor logins in
 place, the problem with this is that it is vulnerable to session riding
 and trojan-in-the-middle attacks anyway, because the minute the user
 logs in, the malware could launder money out (unless transaction auth is
 in place, which in most cases it's not), or they could pharm the user
 with a fake website that resolves as HSBC but they go in within the time
 frame of that token being valid and have access. Either way, however you
 cut it, SecureID/Two-Factor User auth is not protected against malware,
 period.


Partly agreed. These kinds of attacks I usually teach in my
workshops. 

However, in all of these cases the attacker has to be online in the
moment you are logging in and you experience any failure, e.g. can't
login or something like that. 

But with the SID800 malware could silently sit in the background and
pass token codes to the attacker even if you do not login at this
moment. E.g. it could wait until you have logged in (or out) and grap
the next token code.

Furthermore, the attack you described presumes that the attacker knows
where you want to login. But when you could use the current token code
as an indicator for searching login data in the input stream, then you
can find new places to login, e.g. your company VPN access point.

While the attack you describe is more important for banking, the USB
attack is more against company logins.

regards
Hadmut




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RSA SecurID SID800 Token vulnerable by design

2006-09-08 Thread Hadmut Danisch
Hi,

I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf


The token is bundled with some windows software designed to make
user's life easier. Interestingly, this software provides a function
which directly copies the current token code into the cut-and-paste
buffer, when the token is plugged in into USB. This is weak by design.

The security of these tokens is based on what RSA calls two-factor
user authentication: It takes both a secret (PIN) and the
time-dependend Token-Code to authenticate. The security of the
Token-Code depends on the assumption that the token is resistant
against malware or intruders on the computer used for communication
(web browser, VPN client,...).

However, if the Token Code can be read over the USB bus, this
assumption does not hold. A single attack on the PC where the token is
plugged in would compromise both the PIN (e.g. with a keylogger) and
the token itself (e.g. writing a daemon which continuously polls the
token and forwards the token in real time to a remote attacker.

Ironically this could make an attack even easier: If some malware
simultaneously monitors the token and the keyboard, it is much easier
to detect that the keystrokes are actually related to some login
procedure:

Whenever the 6-digit token code appears in the keyboard or
cut-and-paste input stream, you can be pretty sure that in a sliding
window of about the last 100-200 keystrokes both the PIN and the
address of the server to login is contained. Makes it really easy to
automatically detect secrets in the input stream.

Thus, two different authentication methods are together weaker than
each single one.

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PGP master keys

2006-04-28 Thread Hadmut Danisch
On Wed, Apr 26, 2006 at 10:41:12PM -0400, Steven M. Bellovin wrote:

 Ah -- corporate key escrow.  An overt back door for Little Brother, rather
 than a covert one for Big Brother



You should check the list of recipient keys in PGP messages from time
to time anyway. I recently found a bug in an MTU plugin: Once you had
a PGP pubkey with an empty ID in your keyring, the plugin had always
added this key to the recipient keys, although the owner was not
listed as a recipient of the e-mail. As far as we debugged, the key
had to be in 'trusted' state, but it worked. Once you managed to have
your pubkey added to someone else's keyring with an additional empty
user ID (what most users never realize) you could read any encrypted
mail sent by that person.

regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: History and definition of the term 'principal'?

2006-04-26 Thread Hadmut Danisch

Hi,


On Wed, Apr 26, 2006 at 03:18:40PM -0400, Sean W. Smith wrote:
 I like the definition in Kaufman-Perlman-Speciner:
 
 A completely generic term used by the security community to include  
 both people and computer systems.  Coined because it is more  
 dignified than 'thingy' and because 'object' and 'entity' (which also  
 means thingy) were already overused.


Many thanks for the hint. :-)

Are there different editions of Kaufman-Perlman-Speciner ?

My edition of 1995 has two entries for principal in the index:

- Page 129: A principal is anything or anyone participating 
  in cryptographically protected communication.

- Page 266: each user and each resource that will be using 
  Kerberos.



Which edition is yours?

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


How security could benefit from high volume spam

2005-12-14 Thread Hadmut Danisch
How security could benefit from high volume spam


The parliament of the European Union today has passed a law that
electronical call detail records, such as phone numbers, e-mail addresses,
web accesses of all 450 million EU citizens are to be recorded and
stored for 6 to 24 months. So everyone will be subject of
complete surveillance of telecommunication. No place to hide.

The given reasons are the need to investigate and prosecute terrorism
and severe crime. But there is no evidence that this law
actually has this effect, and that it is worth to sacrifice democracy
and civil rights. Our constitution protects the right to communicate
confidentially, for all citizens, and especially for lawyers,
journalists, priests, etc. So terrorists finally begin to
succeed in destructing our european, modern, democratic, and free way
of life and civil rights. It is ridiculous that the modern world has
not been attacked by a large army, but by just about 30-40 people with
knives and a few bombs. The attack is not the primary attack
itself. The main attack is to provocate overextended counter
measures. Technically spoken, a denial-of-civil-rights-attack. And the
EU proved to be vulnerable to this kind of attack. A patch is not
available yet.

Another threat to privacy and civil rights is the intellectual
property industry. We have seen Sony attacking and sabotaging private
computers, revealing private data, taking secretly control over
people's communication and working equipment. We have seen a mother of
five been sued into bankruptcy in the USA just for listening to music.
This is perverse. We currently see governments considering to outlaw
open source software or any kind of data processing or communication
device without a digital rights management. There are good reasons to
assume, that the European Union's collection of all telecommunication
details will be abused to allow the intellectual property industry to
completely track every communication. Just having received any e-mail
from someone who had illegally downloaded music could be enough to have
your home searched, your computer confiscated, and find yourself sued
or prosecuted. 


The art and science of communication security will have to realign and
focus on new goals. When designing telecommunication protocols we have
to take much more care about what communication could reveal about the
communication parties and the contents. It is not enough to just put
some kind of simple encryption on a message body. We need to protect
against traffic analysis, in particular the one without democratic
legitimation. 

What does that mean?

When designing a protocol we should take more care than we did to
describe its vulnerability for and resistance against traffic
analysis. Not just whether the contents are encrypted, but what an
eavesdropper can tell about the communicating parties.  We need to
incorporate techniques like oblivious transfer and traffic hiding.

An important component of such protection methods is noise. Plenty of
noise. Something to hide in, to cover, to overload recording of call
details. We should think about and research how to produce noise. 

We already have some noise. Its called spam. 

Some of you might know that I am one of the early days fighters
against spam. I tried to eliminate as much spam as possible. 

But now, there could be a positive aspect about spam, virus mails, and
other mass mails. Maybe it could become an advantage to receive a
million mails per day from any senders. Maybe that is what is needed
to hide my personal e-mails. Maybe that's the answer I have to give
when someone blames me to have received e-mail from the wrong person:
I have no idea what you are talking about. I received about 150,000
virus and spam e-mails that day from arbitrary addresses, and didn't
read a single one of them. I have just deleted them. When designing
measures against spam, we should take this into consideration.



Maybe in near future the advantages of that noise produced by millions
of bots will outweigh the disadvantages?


Comments are welcome.

Hadmut Danisch


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: HTTPS mutual authentication alpha release - please test

2005-11-07 Thread Hadmut Danisch
On Fri, Nov 04, 2005 at 09:16:16AM +, Nick Owen wrote:
 
 No, this is not it.  It is this attack and similar:
 
 http://tinyurl.com/a3b89
 
 The phishers are not using valid certificates, but users are so immune
 to warnings about certificates that they don't pay attention to them.
 It may be a DNS cache poison or the typical email; it could be any
 mechanism to send the user to a fraudulent site.  What is being provided
 is a mechanism to route the users to the correct site by providing a way
 to validate the certificate for them.



Mmmh, I'd have two questions about this:


- It seems that you are not defending against an attack, but trying to
  protect the user against his own ignorance. The user ignores the
  warning label, so you want to replace it with a bigger warning
  label. But the bigger warning label doesn't contain any news or more
  information, or any protection that the smaller label doesn't
  provide. It's just that the bigger warning label is bigger (or more
  red, or more alerting letters...), hoping to wake the user up?

  But user ignorance is not a new type of attack. If the user pays
  attention to the browser warnings, then I don't see what advantage
  WIKD should have. Inventing new protocols and complexity, and
  trusting an additional party without good reason and reasonable
  advantage is never a good idea in security.


- The authorized owner must be able to replace the server certificate
  with a new one at any time, e.g. when the secret key has been lost
  or compromised.

  case 1:  If it is not possible to update the hash stored at WIKID,
  how would the authorized owner ever be able to replace the
  compromised key with a new one? Wouldn't this force him into
  continuing in using the compromised key?


  case 2: If it is possible to update the hash stored at WIKID, and if
  the attacker was already able to register a bogus certificate at an
  official CA, why shouldn't he be able to update the certificate at
  WIKID as well? In what way is WIKID's certificate verification
  procedure more reliable than the one of the trusted CAs ?


Hadmut






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread hadmut
On Tue, Jul 05, 2005 at 11:26:54PM -0400, Steven M. Bellovin wrote:
 
 Let me refer you to a National Academies report (I was on the 
 committee):  Stephen T. Kent and Lynette Millett, ed. IDs -- Not That
 Easy: Questions About Nationwide Identity Systems. National Academies
 Press, 2002.  http://books.nap.edu/html/id_questions/  Briefly, the 
 report notes that there are a very large number of questions that need 
 to be answered about any such system before it's even possible to 
 discuss it intelligently.
 


Thanks for the hint, but I am too busy to read it in detail before
next week.


However, there is a funny thing I need to mention:

- In Germany we have an ID card and I have it in my pocket all the
  time. But actually it is rarely used, I do need it not more than
  maybe three times a year. At the moment I can't remember to have it
  used within the last two years, except for in my job when entering
  high security areas and some protected company premises. But rarely
  in private life. I know one shop where they do ask for when paying
  with a card.


- In the USA they say they don't have ID cards. 

  But whereever I walk through the streets of cities at the
  east- or westcoast, they all ask me for picture IDs. Some years ago 
  I couldn't even enter a night club without a picture ID, and in
  every supermarket they have signs that they don't sell alcohol or 
  cigarettes without picture ID (besides the fact that I neither drink
  nor smoke). Even in some hotels and gas stations they ask for a 
  picture ID.





Isn't that ridiculous? In the USA where they allegedly don't have ID cards
you are approx. more than 20 times as often asked for a picture ID than 
in Germany where we have ID cards officially. 



Last November I attended an Anti-Spam-Summit at FTC in Washington 
DC. As usual they were checking for metal in the clothes, x-raying 
bags, and (*surprise*) asking for a picture ID. Someone didn't have 
a driving license. They accepted his WalMart Customer Card as a 
picture ID. Isn't that scary?


reards
Hadmut









-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Forwarded] RealID: How to become an unperson.

2005-07-05 Thread hadmut
Don't laugh. This is exactly the problem I had with my
german identity card.

In Germany, you are required to possess either an identity card 
or a passport once you reach the age of 16. If you're younger you
can just have a children's passport in case you need for travelling. 

Usually applying for an ID card is not a problem at all.

For reasons far beyond cryptography my father chose an
unusual given name for me, one that was usual in around the 8th-10th
century. He named me Hadmut. Most people in Germany have never heard
that name before and don't believe, that this name exists. There is
another name, Hartmut, which is ethymologically different, but sounds
similar. Therefore, most people assume that my name is just
misspelled and would correctly be Hartmut. 

When we moved to a different town some years ago, someone made a
mistake in the municipal register, and entered 'Hartmut' instead of
'Hadmut', obviously because he or she believed it was misspelled.

When I applied for an ID card after my 16th birthday, they told me
that they can't issue one, because my children's passport said my
given name is 'Hadmut', while the register said that I am 'Hartmut'. 

Whoever I decided to be, I would not receive an ID card before I could
prove which of both I am. They asked me to bring a certified copy of
my birth certificate. For reasons even more beyond cryptography, that
copy was lost years ago. So I had to go to the registry office where I
was born to get another copy. Fortunately, this was just 20 minutes by
bicycle away. 

For privacy reasons, you can't just go to a registry office and ask
for anyone's birth certificate. You have to proof your identity - with
your ID card. Exactly that circular problem as mentioned in the
posting.

But when I explained that circular problem, they checked by phone with
the town's registry office and gave me the copy of the birth
certificate without an ID card to solve the problem.


But nevertheless, I do not understand why americans are so afraid of
an ID card. It has by far more advantages than disadvantages, and
actually the US driving license is already a kind of ID card. And
whenever I enter the US, I have to give the fingerprints of my index
fingers and they take a picture of me. That's worse than an ID card. 

Remember the PGP signing party at the 1994 IETF meeting in San Jose? 
Several participants who had never seen me before did sign my PGP key 
after I showed them my german ID card (including Perry). 


Funny side effect: Since most americans don't know that we have ID
cards in germany the card is almost always believed to be a driving
license in the US. 

regards
Hadmut  

(currently in Boston, MA, after giving fingerprints at the 
airport immigration)






-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Cryptanalytic attack on an RFID chip

2005-01-30 Thread Hadmut Danisch
On Sat, Jan 29, 2005 at 01:09:32PM -0500, Steven M. Bellovin wrote:
 This chip is used in anti-theft 
 automobile immobilizers and in the ExxonMobil SpeedPass. 

If I recall correctly, there are two different electronic
functions in key cars. One is the theft protection where the chip 
needs to authenticate when starting the engine (in Europe e.g. Ford
introduced this some years ago, the keys had a red, and the car came 
with a fully red master key (yes, both a mechanical and
cryptographical key) which allowed to teach the car to accept
additional keys). The other function is the remote control to open the
doors by pressing a button at the key. 

Does this attack compromise the theft protection only or the door
opener as well?


regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Where to get a Jefferson Wheel ?

2005-01-05 Thread Hadmut Danisch
Dean, James wrote:
  The order of the wheels can't be changed.
  So this encryption device doesn't use any key?
Only the most trivial; you choose the row to transmit.

From what I've seen on the web not even that:
Unlike the original Jefferson wheel these toys are not
intended to choose any row, but to use the row directly
under the plaintext row as cipher text. Instead of the
line indicator from Jefferson, they have a sliding
bar with two windows for two subsequent rows.
regards
Hadmut
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Where to get a Jefferson Wheel ?

2005-01-04 Thread Hadmut Danisch
Hi,

does anyone know where I can get a 
Jefferson Wheel or a replica?

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: M-209 broken in WWII

2004-09-29 Thread Hadmut Danisch
Anish wrote:
 could you please translate atleast the abstract for the rest of us :-)
http://www.heise.de/tp/deutsch/inhalt/co/18371/1.html
Sure, some of the first paragraphs:
As a german codebreaker in World War II
Klaus Schmeh 23.9.2004
For the first time a witness reported, who was involved in breaking the
US cipherdevice M-209
Even experts didn't know until some years ago that german deciphering
specialists broke ciphers of the allied in the second world war.
But several sources document, that the germans at that time succeeded
to decipher the US cipher device M-209. Telepolis associate Klaus
Schmeh, who is specialised on cryptology, has finally found a 
contemporary witness, who participated in the decryption of M-209
messages.

One of the most fascinating episodes of technical history happend in
World War II. At that time british experts on the manor Bletchley
Park near to London broke the famous german cipher device Enigma under
the strictest secrecy, where they used thousands of people and
for that time top modern data processing devices.
Until some years ago, the doctrine was, that the germans, in contrast
to the british, underestimated the potential of the science of 
deciphering and couldn't read the radio messages of their enemies.
It is known for just a few years, that this assessment is
'political correct' but wrong.For example, the former President
of the Bundesamt fr Sicherheit in der Informationstechnik
BSI (German Federal Office of Security in Information Technology)
Dr. Otto Leiberich reported, that the germans broke the
US cipherdevice M-209 in the WWII, what was absolutely not an
easy untertaking. More documented successes in deciphering proof,
that the german code breakers were even among the best of the world.

The explanations of Otto Leiberich provided also an important source
of information for the author of this article, when he wrote his
recently published book Die Welt der geheimen Zeichen - Die 
faszinierende Geschichte der Verschlsselung (The world of secret
signs - the fascinating history of encryption). An excerpt of this
book, that was published on Telepolis, caused a little sensation:
A 84 year old man from Frankfurt reported to the author and explained
that he was involved in breaking the aforesaid US cipherdevice M-209.
After there were only second-hand reports about german codebreakers
in WWII, for the first time an eye witness appeared, who furthermore
brought some completely new aspects to light. With this article the
memories of this contemporary witness are published for the very first 
time.


OK, these are the first few paragraphs. If you want to have more about
this you should ask the publisher for a translation, because under 
german copyright law even the translation is a right of the author.

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED]) (fwd from [EMAIL PROTECTED])

2004-09-18 Thread Hadmut Danisch
On Thu, Sep 16, 2004 at 12:41:41AM +0100, Ian Grigg wrote:
 
 It occurs to me that a number of these ideas could
 be written up over time ... a wiki, anyone?  I think
 it is high past time to start documenting crypto
 patterns.

Wikis are not that good for discussions, and I do believe
that this requires some discussion.

I'd propose a separate mailing list for that.

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Forensic: Who gave this crypto talk?

2004-09-15 Thread Hadmut Danisch
Hi,

I have again one of these special, strange, freaky questions. 
I'm still investigating some unusual activities in 
science and cryptography. 

There are some handwritten notes, they seem 
to be some kind of transcript of slides from a talk 
about cryptography. I need to find out when, where, and by
whom that talk was given. 

These notes already existed in the end of 1997, so the 
talk must have been given 1997 or before. 

The talk is about cryptography and system design theory. 
It is about 'layers', such as physics, electrical engieering, 
boolean functions, boolean circuits, algebra of 
polynomial power series, operating system, automata theory. 
It mentions an access  authentication description language
for a modified secure unix-pw protocol, and comes to 
the conlusion that crypto can act as a system science. 

Gus Simmons is mentioned several times, but this might not 
have been part of the talk but a personal annotation of the 
person who made the transcript. 

Does anyone know about such a talk?

(The notes are available at 
http://www.danisch.de/tmp/discussion.pdf )


regards
Hadmut








-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Compression theory reference?

2004-09-01 Thread Hadmut Danisch
On Tue, Aug 31, 2004 at 05:07:30PM -0500, Matt Crawford wrote:

 Plus a string of log(N) bits telling you how many times to apply the 
 decompression function!
 Uh-oh, now goes over the judge's head ...


Yeah, I just posted a lengthy description why I think that this 
counterexample is not a counterexample. 

The problem is that if you ask for a string of log(N) bits, then 
someone else could take this as a proof that this actually works, 
because a string of log(N) bits is obviously shorter than the 
message of N bits, thus the compression scheme is working. Hooray!


The problem is, that the number of iterations is not in the order of 
N, but in the order of 2^N, so it takes log2(around 2^N) = around N bits to
store the number of iterations. The recursion convertes a message of 
N bit recursively into a message of 1 or zero bit length (to your
taste), *and* a number which takes around N bit to be stored. 
Nothing is won. But proof that. 

This recursion game is far more complicated than it appears to be. 


Note also that storing a number takes in reality more than log(N)
bits. Why? Because you don't know N in advance. We don't have any
limit for the message length. So you'r counting register needs
theoretically inifinte many bits. When you're finished you know 
how many bits your number took. But storing your number needs an 
end symbol or a tristate-bit (0,1,void). That's a common mistake. 

When determining the compression rate for a file people often 
forget, that some information is not stored in the file itself, but in
the file system, e.g. the file length (telling where the compressed
data stops) and the file name (telling you, that the file was
compressed). That's basically the same problem.

thanks and regards
Hadmut




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Compression theory reference?

2004-09-01 Thread Hadmut Danisch
On Wed, Sep 01, 2004 at 04:02:02PM +1200, Peter Gutmann wrote:
 
 comp.compression FAQ, probably question #1 given the number of times this
 comes up in the newsgroup.
 
 (I've just checked, it's question #9 in part 1.  Question #73 in part 2 may
  also be useful).


Thanks, that's a pretty good hint, especially because it contains 
an explicit statement, and it's an FAQ, making it easy to show, that
the university's claim is not just wrong, but silly. :-)

regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Compression theory reference?

2004-08-31 Thread Hadmut Danisch

Hi,

I need a literature reference for a simple problem of 
encoding/compression theory:

It can be easily shown that there is no lossless 
compression method which can effectively compress every possible
input. Proof is easy: In a first step, consider all 
possible messages of length n bit, n0. There are 2^n different
ones. But there are only (2^n)-1 shorter messages, so 
there is no injektive encoding to encode all messages into
a shorter one. And then all codewords of length n are occupied, 
so it is impossible to compress messages shorter than n bit.
So when trying to compress a message of length m, mn, it 
must be encoded in to a codeword of at least n bit, thus 
longer than m and not effectively compressed. (And you'd even 
have to consider the entropy of the eom sign or the bit counter)

Or in other words: For every input word which is compressed into 
a shorter codeword, there must be another, shorter input word, which 
cannot be effectively compressed, but gets longer - if the
algorithm/function should be able to accept any input and should be
lossless, i.e. for any input a   decompress(compress(a))=a.

Thus, for every lossless compression method, which can accept any 
input message and is not completely useless (i.e. there is at least 
one message which's codeword is shorter than the message), there is 
at least one input which's codeword is longer than the message. 

As far as I know that's stuff of the early semesters of computer
science to learn, that in theory there is no universal lossless method 
compressing everything. Lossless compression is the idea to encode
those messages with higher probabilities into shorter codewords, and 
those with lesser probability into longer codewords, thus reducing
the average length of the messages, not the length of every single
message. 


As I mentioned earlier, I have some trouble with a computer science 
department. They do not want to believe that there is no such
algorithm, and they claim that there are such algorithms which can 
compress everything without loss and without any input resulting into 
a longer codeword. They claimed that Lempel-Ziv and MTF (Move to
Front) would do the job. I've given counterexamples in LZ, showed 
that gzip on a file filled with random numbers results in a bigger
file, and showed that MTF is not a compression at all, since it does
not change the length of a message. They don't understand.

Therefore, I need a book about computer science or encoding theory,
which explicitely says that this is impossible, in a way that a person
unexperienced in computer science (judges at a court) can read and 
at least see that this is not just my personal phantasy and at least
somehow reasonable. 

I have checked several books about information and coding theory, 
but didn't find any suitable for readers without computer science 
background. The statement is always hidden in formulas about
entropy, average code lengths, code efficiency inequations etc.
If you had such an encoding scheme, you could easily show that 
the average length is below the entropy of the efficiency is 100%.  
But a non-computer science person does not understand that. 

Does anybody know a book about coding theory which explicitely states
the impossibility of such a compression method in plain language?

regards
Hadmut







-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


cryptograph(y|er) jokes?

2004-06-22 Thread Hadmut Danisch
Hi,

does anyone know good jokes about
cryptography, cryptographers, or security?

regards
Hadmut

[Moderator's note: I know of several security systems that are jokes
in and of themselves, but that doesn't seem to be what you meant. :)
--Perry]
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-08 Thread Hadmut Danisch
On Mon, Apr 26, 2004 at 08:21:43PM +0100, Graeme Burnett wrote:
 
 Would anyone there have any good predictions on how
 cryptography is going to unfold in the next few years
 or so?  I have my own ideas, but I would love
 to see what others see in the crystal ball.



My guess is that it is unpredictable. 
As so many other things, it depends on so many coincidences, 
marketing, politics.

But what I do expect:

- I don't expect that there will be much progress in 
  maths and theory of cryptography. Very few inventions
  will make it out of the ivory tower, if any at all.

  Key lenghts will increase. We'll play RSA with 
  4096 or 8192 bit. They will find that Quantum Computers
  may be fast, but still bound to computation complexity.


- SSL/TLS will become even more of a de facto standard in 
  open source software and (new?) protocols. It will make 
  it's way into the standard libraries of programming languages
  (e.g. as it did for Ruby).

- I don't expect that we'll ever have a common PKI for 
  common people with a significant distribution. It's like 
  with today's HTTPS: The big ones have commercial certificates, 
  plain people use passwords and simple authentication mechanisms
  (like receiving a URL with a random number by e-mail).


- I guess the most important crypto applications will be:

- HTTPS of course

- portable storage equipped with symmetric ciphers 
  such as USB-Sticks and portable hard disks. 

- VPN routers

- Voice over IP

- DRM

- maybe in digital passports and credit cards

- simple auth tokens like RSA SecurID, Aladdin eToken
  will become more commonly used.  



- As a consequence, I guess that politicians will reopen the
  1997's discussion of prohibiting strong encryption. They already
  do. 


- Maybe we'll have less crypto security in future than we have
  today. 

  5-10 years ago I knew much more people using PGP than today. 

  Most modern mail user agents are capable of S/MIME, but it's hard
  to find someone making use of it. I'm a consultant for many
  companies, but not a single one of them uses it. Most modern 
  MTAs support TLS, but to my knowledge less than 3% of messages 
  are actually TLS encrypted in SMTP.

  It's strange, but law will become more important than cryptograpy. 




As a summary, I don't expect any innovations. Not more than within
the last 10 years.

But I'm pretty sure that security will be more and more important
and that's were I expect innovations and progress. Security doesn't
necessarily mean cryptography.


regards
Hadmut



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Do Cryptographers burn?

2004-04-04 Thread Hadmut Danisch
 didn't bother to inform himself about the given problem, the
  legal requirements, and the available grades. That's a strong
  requirement in Germany. Obviously, if someone accepts to write an 
  expertise and in advance knows that he won't need grades, then he
  knows that he will reject the dissertation before he has seen it.

- And he erroneously assumed that the expertise would be kept secret. 
  In Germany, the examinee has the right to get a copy of the
  expertise and raise objections. He was not aware of this and 
  based his expertise on the assumption that nobody would see it.


I then raised several technical and legal objections, and cited
literature which explicetly stated that such subjects have not yet
been published.

- He then had to admit that he couldn't prove his statement that all
  this was known in literature, and that he raised this claim to
  reject the dissertation because he didn't like it.

- He couldn't defend against any of my technical objections and
  citations. He is not even claiming that his expertise is correct,
  and obviously was completely surprised by the fact that I have
  access to his expertise (unlike the university where he is working,
  where they keep the expertises secret).

- When I demanded to receive reasons, he denied that and stated that
  he would not agree with the requirent to reason an
  expertise. Instead, he had based his examination on an international
  consensus that would free him from the need to give reasons.

  He also stated that it would be illogical to require an examiner to
  give reasons for his expertise, because candidates could succeed
  with empty dissertations then. (???)



So this expertise is just ridiculous and won't have any chance at a
court, except that it will take me again years for the lawsuit.

I then informed the IACR's board of directors and asked them whether
an organization, where such a person can become a director can be
trusted any longer in context of security and cryptography.

Surprisingly, they were not even surprised. The fully tolerate this
and even consider this as normal. It looks as if they consider this
kind of expertise as kind of self-evident. To help a colleague and
protect him from legal trouble seems to be much more important than
giving correct and reasonable expertises.


I discussed that with several friend and colleagues, all working in
security and cryptography, and they were all shocked. Everyone would
have bed that they would kick everyone out known to have given a false
expertise. But they don't. 

Very similar with the supervisor and the former second examinor: 
It is more than obvious that both had given intentionally wrong
expertises and were claiming technical nonsense. But everyone seems to 
silently accept this and to consider this as normal. 

When preparing for the lawsuit, I read several other dissertations in
order to compare them. I found several of them to be really wrong or
to contain nothing but citations from literature. One of these
dissertations would never have been published if I hadn't asked for a
copy. It was then published around two years after the examination and
contained just citations from literature. 

So what I found is fraud, extortion, false expertises. 

But not a single one of those cryptographers burns.

Maybe it's a minority writing false expertises. But it's a majority
accepting that.

So my doubt is not so much about that someone found the magic way to
factorize. It's about someone intenionally selling snake-oil or
backdoors and other's keeping their mouth shut and tolerate this as
they do it here.

I have three expertises proven to be intentionally wrong. One from
someone who is known to have no clue about security. One from someone
who is known as a cryptographer and once claimed to be one of the top
four. And one from someone who is a director of IACR. And no one
cares about. Nobody told me I'd be wrong. Nobody doubted my claims,
objections, and technical arguments. I could easily show that all of
them have intentionally given wrong expertises. Some people even
explicetely confirmed that my dissertation is correct and the
expertises are wrong. This just doesn't matter in any way.

Isn't that spooky? What kind of business is cryptography?


regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Do Cryptographers burn?

2004-04-03 Thread Hadmut Danisch
Hi,

this is not a technical question, but a rather
academic or abstract one: 

Do Cryptographers burn?

Cryptography is a lot about math, information theory, 
proofs, etc. But there's a certain level where all this
is too complicated and time-consuming to follow all those
theories and claims. At a certain point cryptography is based
on trusting the experts. Is anyone here on this list who can 
claim to have read and understood all those publications 
about cryptography? Is anyone here who can definitely tell
whether the factorization and discrete logarithm problems 
are hard or not? Today's cryptography is to a certain degree
based on trusting a handful of experts, maybe the world's top 100 
(300? 1000?) in cryptography.

Does this require those people to be trustworthy?

What if a cryptographer is found to intentionally have given a false
expertise in cryptography and security just to do a colleague a favor,
when he erroneously assumed the expertise would be kept secret? Would
such a cryptographer be considered as burned? Wouldn't he give more
false expertises once he's getting paid for or asked by his government?

I'd be interested in your opinions.

regards
Hadmut


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Canon's Image Data Verification Kit DVK-E2 ?

2004-03-31 Thread Hadmut Danisch
Hi,

Canon provides a so called Data Verification Kit
which allegedly allows to detect whether a digital 
image has been tampered with since it has been taken
with a digital camera.

I found the announcement at
http://www.dpreview.com/news/0401/04012903canondvke2.asp 

They say:

  How it works

  The kit consists of a dedicated SM (secure mobile) card
  reader/writer and verification software. When the appropriate
  function (Personal Function 31) on the EOS-1D Mark II or EOS-1Ds is
  activated, a code based on the image contents is generated and
  appended to the image. When the image is viewed, the data
  verification software determines the code for the image and compares
  it with the attached code. If the image contents have been
  manipulated in any way, the codes will not match and the image
  cannot be verified as the original. 

So some kind of hash code or digital signature is generated. 

Does anybody know details about this? I never heard that there
are digital mass market cameras which could generate digital
signatures.  But if the signature is generated inside the SM card
only, why should the PC where the image was modified be unable to
write the modified image the same way as a digital camera writes
an unmodified one? (And, btw., how do they detect that the
picture was taken at a real scene and is not a repro of a
modified and printed picture?)

I guess the secure mobile card generates some signature and they
presume that the attacker would not have access to the memory card. 
This would start to protect the image not from the moment it 
had been taken, but from the moment when it was copied from the 
card to other media. And it would require to trust the
photographer.

Is there a technical description of those secure mobile cards 
available? I didn't find any details, just marketing blabla.


regards
Hadmut

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


OOAPI-SSL/TLS (Was: Simple SSL/TLS - Some Questions)

2003-10-04 Thread Hadmut Danisch
On Fri, Oct 03, 2003 at 05:55:25PM +0100, Jill Ramonsky wrote:
 Having been greatly encouraged by people on this list to go ahead with a 
 new SSL implementation, 

That's a pretty good idea, I also encourage you (and volunteer to
support).


 The main 
 point of confusion/contention right now seem to be (1) should it be in C 
 or C++?,


I definitely vote for C++ for several reasons. You already mentioned 
plenty of reasons yourself, the security advantages of C++. But be
warned: In contrast to modern scripting languages C++ is not
automatically immune against buffer overruns etc. It takes some
discipline to have a good programming style in C++.

The main advantage I see is the oportunity to have a good, 
object oriented design of the API to give an example of a 
good and usable Crypto API.

Everyone here has his own favourite language, I meanwhile prefer
Ruby. I had to write a CA some months ago and didn't find a good
language with SSL and Certificate management support, except for 
Ruby. Michal Rokos [EMAIL PROTECTED] was currently writing the
glue code to use the openssl library with ruby, and I found it 
very comfortable to use SSL from a scripting language. It was 
however a big heap of debugging, reading the openssl API and source
code, discussing requirements with Michal, ask him for extensions
etc., since it is quite difficult, to implement all features of 
openssl, and many of them are not logical. This project showed 
the shortcomings of openssl, it is not really a usable and complete
software. This causes insecurity, because it is too difficult for
application writers to use it and to support all features.


I'd therefore propose the following:


To design two (ore more) object oriented APIs for

- cryptographic primitives
- non-communication oriented functions (key and certificate
  management, S/MIME message handling, ...) 
- communication oriented functions (SSL/TLS)


but to not stick too tight to C++. The design must be applicable 
to all modern object oriented languages.


Then do a C++ implementation of the API (spell: header files) and
see, whether this is possible without tricks. Also have the API 
defined in other languages such as Python, Ruby, Java,...

Take care that the design is easy to read, easy to understand, 
easy to debug. Make use of object oriented design where possible.


Now implement the library itself in C++, while others write
the glue code for other languages simultaneously.


As a result, there will be a language-independend object-oriented
Meta-API, describing the library virtually for all languages.
For every supported language there is a translated API of this
and a library to use. For C++, this is a genuine library, for
other languages this will be glue code + the C++ library.




This would be a step to bring secure programming a step forward
towards modern programming, and to ease and support use of 
SSL/TLS/... 

I am currently quite happy with the way Michal Rokos wrapped 
openssl into an object oriented API, but it would be good to 
have this in more languages, it still allows improvements and
is still incomplete.


regards
Hadmut





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]