Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Sep 30, 2013, at 9:01 PM, "d.nix" wrote: > It's also worth pointing out that common browser ad blocking / script > blocking / and site redirection add-on's and plugins (NoScript, > AdBlockPlus, Ghostery, etc...) can interfere with the identification > image display. My bank uses this sort of te

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > Found at: > > > > > To quote from the above: > > The idea is that if customers do not see their [preselected] imag

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Rich - Thanks for chasing this study down. There is a lot of food for thought for all of us in it. On 9/30/13 at 11:29 AM, rs...@akamai.com (Salz, Rich) wrote: Bill said he wanted a piece of paper that could help verify his bank's certificate. I claimed he's in the extreme minority who would

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Bill said he wanted a piece of paper that could help verify his bank's certificate. I claimed he's in the extreme minority who would do that and he asked for proof. I can only, vaguely, recall that one of the East Coast big banks (or perhaps the only one that is left) at one point had a third-

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

I think, if we are about redesigning and avoiding the failures of the past, we have to unravel the false assumptions of the past... On 20/09/13 01:21 AM, Phillip Hallam-Baker wrote: ... Bear in mind that securing financial transactions is exactly what we designed the WebPKI to do and it work

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Sep 19, 2013, at 5:21 PM, Phillip Hallam-Baker wrote: > Criminals circumvent the WebPKI rather than trying to defeat it. If they did > start breaking the WebPKI then we can change it and do something different. If criminals circumvent the PKI to steal credit card numbers, this shows up as

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Salz, Rich writes: > I would say this puts you in the sub 1% of the populace. Most > people want to do things online because it is much easier and "gets > rid of paper." Those are the systems we need to secure. Perhaps > another way to look at it: how can we make out-of-band verification >

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Thu, Sep 19, 2013 at 5:11 PM, Max Kington wrote: > > On 19 Sep 2013 19:11, "Bill Frantz" wrote: > > > > On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: > > > >>> I know I would be a lot more comfortable with a way to check the mail > against a piece of paper I > >> > >> received d

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Thu, Sep 19, 2013 at 4:15 PM, Ben Laurie wrote: > > > > On 18 September 2013 21:47, Viktor Dukhovni wrote: > >> On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: >> >> > > This is only realistic with DANE TLSA (certificate usage 2 or 3), >> > > and thus will start to be realistic for

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 19 Sep 2013 19:11, "Bill Frantz" wrote: > > On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: > >>> I know I would be a lot more comfortable with a way to check the mail against a piece of paper I >> >> received directly from my bank. >> >> I would say this puts you in the sub 1% of t

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 18 September 2013 21:47, Viktor Dukhovni wrote: > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: > > > > This is only realistic with DANE TLSA (certificate usage 2 or 3), > > > and thus will start to be realistic for SMTP next year (provided > > > DNSSEC gets off the ground) with t

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Wed, Sep 18, 2013 at 5:50 PM, Viktor Dukhovni wrote: > On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: > > > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: > > > > > > This is only realistic with DANE TLSA (certificate usage 2 or 3), > > > > and thus will start to

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 9/18/13 5:50 PM, "Viktor Dukhovni" wrote: >On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: > >> On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: >> >> > > This is only realistic with DANE TLSA (certificate usage 2 or 3), >> > > and thus will start to be realistic f

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Phillip Hallam-Baker writes: >I have not spent a great deal of time looking at the exact capabilities of >PRISM vs the other programs involved because from a design point they are >irrelevant. The objective is to harden/protect the infrastructure from any >ubiquitous, indiscriminate intercept cap

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: I know I would be a lot more comfortable with a way to check the mail against a piece of paper I received directly from my bank. I would say this puts you in the sub 1% of the populace. Most people want to do things online because

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Hi John, (I think we are in agreement here, there was just one point below where I didn't make myself clear.) On 18/09/13 23:45 PM, John Kemp wrote: On Sep 18, 2013, at 4:05 AM, ianG wrote: On 17/09/13 23:52 PM, John Kemp wrote: On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker I am s

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

> On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: > > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: > > > > This is only realistic with DANE TLSA (certificate usage 2 or 3), > > > > and thus will start to be realistic for SMTP next year (provided > > > > DNSSEC gets o

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

> I know I would be a lot more comfortable with a way to check the mail against > a piece of paper I received directly from my bank. I would say this puts you in the sub 1% of the populace. Most people want to do things online because it is much easier and "gets rid of paper." Those are the s

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: > > > > This is only realistic with DANE TLSA (certificate usage 2 or 3), > > > and thus will start to be realistic for SMTP next year (provided > > > DNSSEC gets off the

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Sep 18, 2013, at 4:05 AM, ianG wrote: > On 17/09/13 23:52 PM, John Kemp wrote: >> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker >>> I am sure there are other ways to increase the work factor. >> >> I think that "increasing the work factor" would often result in >> switching the kind of

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: > > This is only realistic with DANE TLSA (certificate usage 2 or 3), > > and thus will start to be realistic for SMTP next year (provided > > DNSSEC gets off the ground) with the release of Postfix 2.11, and > > with luck also a DANE-cap

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 9/18/13 at 6:08 AM, hal...@gmail.com (Phillip Hallam-Baker) wrote: If I am trying to work out if an email was really sent by my bank then I want a CA type security model because less than 0.1% of customers are ever going to understand a PGP type web of trust for that particular purpose. But i

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 18 September 2013 15:30, Viktor Dukhovni wrote: > On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: > > > > Given that many real organizations have hundreds of front end > > > machines sharing RSA private keys, theft of RSA keys may very well be > > > much easier in many cases

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On 17/09/13 23:52 PM, John Kemp wrote: On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker I am sure there are other ways to increase the work factor. I think that "increasing the work factor" would often result in switching the kind of "work" performed to that which is easier than breaking se

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

A few clarifications 1) PRISM-Proof is a marketing term I have not spent a great deal of time looking at the exact capabilities of PRISM vs the other programs involved because from a design point they are irrelevant. The objective is to harden/protect the infrastructure from any ubiquitous, indis

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

Another consideration is that the NSA isn't the only bad actor out there. Improving the robustness of TLS and other security protocols will defend against other attacks. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.c

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: > > Given that many real organizations have hundreds of front end > > machines sharing RSA private keys, theft of RSA keys may very well be > > much easier in many cases than broader forms of sabotage. > > Or we could make it easy

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Tue, 17 Sep 2013 23:48:40 -0700 "Christian Huitema" wrote: > > Given that many real organizations have hundreds of front end > > machines sharing RSA private keys, theft of RSA keys may very > > well be much easier in many cases than broader forms of sabotage. > > Or we could make it easy to h

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

> Given that many real organizations have hundreds of front end > machines sharing RSA private keys, theft of RSA keys may very well be > much easier in many cases than broader forms of sabotage. Or we could make it easy to have one separate RSA key per front end, signed using the main RSA key of

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Sep 17, 2013, at 5:31 PM, Viktor Dukhovni wrote: > ...And indeed the FUD around the NIST EC curves is rather unfortunate. > Is secp256r1 better or worse than 1024-bit EDH? Given our state of knowledge both of the mathematics, and of games NSA has been playing, I don't believe anyone can give a

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote: > (Note that this assumes no cryptographic breakthroughs like doing > discrete logs over prime fields easily or (completely theoretical > since we don't really know how to do it) sabotage of the elliptic > curve system in use.) > >

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp wrote: > On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker > wrote: > > The objective of PRISM-hardening is not to prevent an > > attack absolutely, it is to increase the work factor for the > > attacker attempting ubiquitous surveillance. > > > > Exa

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker wrote: > My phrase PRISM-Proofing seems to have created some interest in the press. > > PRISM-Hardening might be more important, especially in the short term. The > objective of PRISM-hardening is not to prevent an attack absolutely, it is to >

[Cryptography] PRISM-Proofing and PRISM-Hardening

My phrase PRISM-Proofing seems to have created some interest in the press. PRISM-Hardening might be more important, especially in the short term. The objective of PRISM-hardening is not to prevent an attack absolutely, it is to increase the work factor for the attacker attempting ubiquitous survei