Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-10-01 Thread d.nix
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Found at: http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600en=295ec5d0994b0755ei=5090partner=rssuserlandemc=rss To quote from the above: The idea is that if customers do not see their [preselected] image, they

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-10-01 Thread Jerry Leichter
On Sep 30, 2013, at 9:01 PM, d.nix d@comcast.net wrote: It's also worth pointing out that common browser ad blocking / script blocking / and site redirection add-on's and plugins (NoScript, AdBlockPlus, Ghostery, etc...) can interfere with the identification image display. My bank uses

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-30 Thread Salz, Rich
Bill said he wanted a piece of paper that could help verify his bank's certificate. I claimed he's in the extreme minority who would do that and he asked for proof. I can only, vaguely, recall that one of the East Coast big banks (or perhaps the only one that is left) at one point had a

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-30 Thread Bill Frantz
Rich - Thanks for chasing this study down. There is a lot of food for thought for all of us in it. On 9/30/13 at 11:29 AM, rs...@akamai.com (Salz, Rich) wrote: Bill said he wanted a piece of paper that could help verify his bank's certificate. I claimed he's in the extreme minority who

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-24 Thread ianG
I think, if we are about redesigning and avoiding the failures of the past, we have to unravel the false assumptions of the past... On 20/09/13 01:21 AM, Phillip Hallam-Baker wrote: ... Bear in mind that securing financial transactions is exactly what we designed the WebPKI to do and it

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-22 Thread John Kelsey
On Sep 19, 2013, at 5:21 PM, Phillip Hallam-Baker hal...@gmail.com wrote: Criminals circumvent the WebPKI rather than trying to defeat it. If they did start breaking the WebPKI then we can change it and do something different. If criminals circumvent the PKI to steal credit card numbers,

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-21 Thread Phillip Hallam-Baker
On Thu, Sep 19, 2013 at 4:15 PM, Ben Laurie b...@links.org wrote: On 18 September 2013 21:47, Viktor Dukhovni cryptogra...@dukhovni.orgwrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-21 Thread Phillip Hallam-Baker
On Thu, Sep 19, 2013 at 5:11 PM, Max Kington mking...@webhanger.com wrote: On 19 Sep 2013 19:11, Bill Frantz fra...@pwpconsult.com wrote: On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: I know I would be a lot more comfortable with a way to check the mail against a piece of

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-21 Thread Russell Nelson
Salz, Rich writes: I would say this puts you in the sub 1% of the populace. Most people want to do things online because it is much easier and gets rid of paper. Those are the systems we need to secure. Perhaps another way to look at it: how can we make out-of-band verification

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Salz, Rich
I know I would be a lot more comfortable with a way to check the mail against a piece of paper I received directly from my bank. I would say this puts you in the sub 1% of the populace. Most people want to do things online because it is much easier and gets rid of paper. Those are the

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Robin Alden
On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be realistic for SMTP next year (provided DNSSEC gets off the ground)

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread ianG
Hi John, (I think we are in agreement here, there was just one point below where I didn't make myself clear.) On 18/09/13 23:45 PM, John Kemp wrote: On Sep 18, 2013, at 4:05 AM, ianG i...@iang.org wrote: On 17/09/13 23:52 PM, John Kemp wrote: On Sep 17, 2013, at 2:43 PM, Phillip

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Bill Frantz
On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: I know I would be a lot more comfortable with a way to check the mail against a piece of paper I received directly from my bank. I would say this puts you in the sub 1% of the populace. Most people want to do things online because

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: I have not spent a great deal of time looking at the exact capabilities of PRISM vs the other programs involved because from a design point they are irrelevant. The objective is to harden/protect the infrastructure from any ubiquitous, indiscriminate

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Carl Wallace
On 9/18/13 5:50 PM, Viktor Dukhovni cryptogra...@dukhovni.org wrote: On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-19 Thread Max Kington
On 19 Sep 2013 19:11, Bill Frantz fra...@pwpconsult.com wrote: On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: I know I would be a lot more comfortable with a way to check the mail against a piece of paper I received directly from my bank. I would say this puts you in the sub

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Christian Huitema
Given that many real organizations have hundreds of front end machines sharing RSA private keys, theft of RSA keys may very well be much easier in many cases than broader forms of sabotage. Or we could make it easy to have one separate RSA key per front end, signed using the main RSA key of

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: Given that many real organizations have hundreds of front end machines sharing RSA private keys, theft of RSA keys may very well be much easier in many cases than broader forms of sabotage. Or we could make it easy to

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Albert Lunde
Another consideration is that the NSA isn't the only bad actor out there. Improving the robustness of TLS and other security protocols will defend against other attacks. ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Phillip Hallam-Baker
A few clarifications 1) PRISM-Proof is a marketing term I have not spent a great deal of time looking at the exact capabilities of PRISM vs the other programs involved because from a design point they are irrelevant. The objective is to harden/protect the infrastructure from any ubiquitous,

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread ianG
On 17/09/13 23:52 PM, John Kemp wrote: On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com I am sure there are other ways to increase the work factor. I think that increasing the work factor would often result in switching the kind of work performed to that which is easier

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Ben Laurie
On 18 September 2013 15:30, Viktor Dukhovni cryptogra...@dukhovni.orgwrote: On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: Given that many real organizations have hundreds of front end machines sharing RSA private keys, theft of RSA keys may very well be much easier

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Bill Frantz
On 9/18/13 at 6:08 AM, hal...@gmail.com (Phillip Hallam-Baker) wrote: If I am trying to work out if an email was really sent by my bank then I want a CA type security model because less than 0.1% of customers are ever going to understand a PGP type web of trust for that particular purpose. But

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be realistic for SMTP next year (provided DNSSEC gets off the ground) with the release of Postfix 2.11, and with luck also a DANE-capable

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread John Kemp
On Sep 18, 2013, at 4:05 AM, ianG i...@iang.org wrote: On 17/09/13 23:52 PM, John Kemp wrote: On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com I am sure there are other ways to increase the work factor. I think that increasing the work factor would often result in

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be realistic for SMTP next year (provided DNSSEC gets off the ground)

[Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Phillip Hallam-Baker
My phrase PRISM-Proofing seems to have created some interest in the press. PRISM-Hardening might be more important, especially in the short term. The objective of PRISM-hardening is not to prevent an attack absolutely, it is to increase the work factor for the attacker attempting ubiquitous

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread John Kemp
On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com wrote: My phrase PRISM-Proofing seems to have created some interest in the press. PRISM-Hardening might be more important, especially in the short term. The objective of PRISM-hardening is not to prevent an attack

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Perry E. Metzger
On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp j...@jkemp.net wrote: On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com wrote: The objective of PRISM-hardening is not to prevent an attack absolutely, it is to increase the work factor for the attacker attempting ubiquitous

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Viktor Dukhovni
On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote: (Note that this assumes no cryptographic breakthroughs like doing discrete logs over prime fields easily or (completely theoretical since we don't really know how to do it) sabotage of the elliptic curve system in use.)