Re: [cryptography] A REALLY BIG MITM
I wrote:

>This isn't one of those namby-pamby one-site phishing MITMs, this is a MITM
>of an entire country:

For those who want more details, there's a technical analysis at:

http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html

Full source available via pastebin:

http://pastebin.com/1JsrcZBf

Peter.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Re- Entropy key testing and remailers
Rayservers writes:

>They are waiting for analysis. If anyone on this list has the time and
>expertise (both hardware and software), they can have one sent gratis for a
>full analysis report to this list. If you carry out a full destructive
>analysis [the innards are epoxied], a replacement will be sent.

Does anyone know more about the hardware they're using to communicate via USB? If it's something like a standard PL2303 it shouldn't be too hard to talk to on systems other than the few Linux ones they support. The only problem will be the complex protocol they use, which uses MAC'd packets implementing a custom comms protocol instead of just opening a serial port and reading the output. That is definitely not a good design decision because it limits use to systems running their (from the webpage) not very stable drivers.

(There have been other devices that just output random bytes over a serial link. I have a couple here and even included support for them in my code for a few years. Interest in them was absolutely zero so I removed it again some time ago.)

Peter.
Re: [cryptography] True Random Source, Thoughts about a Global System Perspective
On Jan 27, 2011, at 8:37 45AM, Len Sassaman wrote:

> On Wed, 26 Jan 2011, Thierry Moreau wrote:
>
>> 2) a host plus some H/W for true random source
>
> Speaking of hardware entropy sources, has anyone analyzed the Simtek
> Electronics Entropy Key (http://www.entropykey.co.uk/)? It's a USB dongle,
> recommended to me by several remailer operators. To quote the web site:
>
> "The Entropy Key contains two high-quality noise generators, and an ARM
> Cortex CPU that actively measures, checks and confirms all generated random
> numbers, before encrypting them and sending them to the server. It also
> actively detects attempts to corrupt or sway the device. It aims towards
> FIPS-140-2 Level 3 compliance with some elements of Level 4, including
> tamper-evidence, tamper-proofing, role-based authentication, and
> environmental attacks. If it detects that one of its two generators has
> failed, may be about to fail, or if it detects a physical attack, it will
> automatically shut down."
>
> I have to wonder how it is 2010 and this sort of hardware isn't a standard
> motherboard component, but if the Entropy Key dongle is sound, it's an
> affordable solution to this problem.

Because every time someone ships such a device, people on this list and their colleagues start screaming that (a) you can never tell if it's working correctly; (b) it's closed hardware so that you don't know what it *really* does; (c) it's actually an NSA plot to start with. All the while, of course, they're ignoring that you can, at the least, mix it in as an additional source of randomness, assuming you have a good mixer -- and if you don't, your other sources of randomness aren't being used properly, either.

Yes, my cynicism is showing today.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
[cryptography] Re- Entropy key testing and remailers
I had posted about these on this list earlier. I have had 10 of them purchased. They are waiting for analysis. If anyone on this list has the time and expertise (both hardware and software), they can have one sent gratis for a full analysis report to this list. If you carry out a full destructive analysis [the innards are epoxied], a replacement will be sent.

The web site mentioned that the on board processor running closed source does entropy checks before transmitting the data via a secure channel over USB to the open source driver on Linux. Obviously I am concerned about the closed source on the micro.

Speaking of remailers, a few will be set up shortly. Where is the state of the art documentation? Debian seems to have a reasonably simple apt-get process to get mixmaster going, which I have used to set up a node that has been running for quite some time now, but I do not monitor it (middleman only). What about clients for dummies?

Best,
Ray

On 27/01/11 13:37, Len Sassaman wrote:
> On Wed, 26 Jan 2011, Thierry Moreau wrote:
>
>> 2) a host plus some H/W for true random source
>
> Speaking of hardware entropy sources, has anyone analyzed the Simtek
> Electronics Entropy Key (http://www.entropykey.co.uk/)? It's a USB dongle,
> recommended to me by several remailer operators. To quote the web site:
>
> "The Entropy Key contains two high-quality noise generators, and an ARM Cortex
> CPU that actively measures, checks and confirms all generated random numbers,
> before encrypting them and sending them to the server. It also actively
> detects attempts to corrupt or sway the device. It aims towards FIPS-140-2
> Level 3 compliance with some elements of Level 4, including tamper-evidence,
> tamper-proofing, role-based authentication, and environmental attacks. If it
> detects that one of its two generators has failed, may be about to fail, or if
> it detects a physical attack, it will automatically shut down."
>
> I have to wonder how it is 2010 and this sort of hardware isn't a standard
> motherboard component, but if the Entropy Key dongle is sound, it's an
> affordable solution to this problem.
>
> --Len.

--
Rayservers
http://www.rayservers.com/
Zurich: +41 43 5000 728
London: +44 20 30 02 74 72
Panama: +507 832 1846
San Francisco: +1 408 419 1978
USA Toll Free: +1 888 265 5009
10:00 - 24:00 GMT
We prefer to be paid in gold Globals™ and silver Isles™
Global Standard™ - Global Settlement Foundation http://www.global-settlement.org/
Our PGP key 0x079CCE10 on http://keyserver.rayservers.com/
Re: [cryptography] Favourite signature scheme?
On 27-01-2011 17:39, Rose, Greg wrote:
> Some people have been referring to the Rabin signature algorithm as either
> Rabin-Miller or R-W (I assume meaning Rabin-Williams). Credit where credit is
> due: the scheme is entirely due to Michael Rabin according to my
> understanding. His name gets tied to the others in other contexts such as
> checking primality.

Rabin did originally propose the signature scheme in [1]. Williams removed the necessity of a Jacobi symbol computation during signing [2]. Dan Bernstein describes these and more improvements in [3].

[1] M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Technical Report, Massachusetts Institute of Technology, Cambridge, MA, USA (1979).
[2] H. C. Williams, A modification of the RSA public-key encryption procedure, IEEE Trans. Information Theory, IT-26, 726-729 (1980).
[3] D. J. Bernstein, RSA signatures and Rabin-Williams signatures: the state of the art, http://cr.yp.to/sigs.html#rwsota (2008).

Samuel Neves
Re: [cryptography] True Random Source, Thoughts about a Global System Perspective
On 01/27/2011 07:37 AM, Len Sassaman wrote:
> On Wed, 26 Jan 2011, Thierry Moreau wrote:
>> 2) a host plus some H/W for true random source
>
> Speaking of hardware entropy sources, has anyone analyzed the Simtek
> Electronics Entropy Key (http://www.entropykey.co.uk/)? It's a USB dongle,
> recommended to me by several remailer operators.

Looks cool, but as much as I like the idea of entropy generation, I have to wonder if it outweighs the risk of adding more moving parts to the system. For example, this key requires a daemon to operate. On *nix this will probably be running as root, or at least as a user with privileges to talk to USB and lie to /dev/random about how much real entropy it has.

I downloaded the code and spot-checked it quickly. On the whole, it looks like a really clean and professional implementation. Nevertheless, it represents 8000 lines of C code using fixed-sized buffers for string handling. It's almost certain to have bugs, the exploitability of which is up to lady luck.

For example: ekeyd-1.1.3/device/frames/pem.c defines a function pem64_decode_bytes(). This function takes an incoming sequence of chars (possibly supplied by an attacker), promotes them to int values, and uses them to dereference a fixed-sized array 'inverse_dictionary[128]'. Thus when built with compiler settings which treat char as signed, an attacker can supply corrupt PEM64 strings which, rather than decoding correctly, can instead be read from chosen locations of the 128 bytes of space prior to the start of inverse_dictionary. If char is unsigned, the bad guy can read subsequent bytes.

If the daemon was built on a good day, it will just have uninteresting stuff in those locations. On a bad day, you'll end up with key material there.

- Marsh
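The class of defect Marsh describes, a 128-entry reverse lookup table indexed directly by a `char`, is easy to reproduce and easy to harden. The following is an added illustration, not code from ekeyd or from anyone on this thread: it builds a base64-style reverse table (assumed alphabet, constructed here), shows the index value the unchecked pattern would compute for a high byte on both signed-char and unsigned-char compilers, and next to it a lookup that converts to `unsigned char` and range-checks before the dereference, as a decoder would use. The names `inverse_dictionary`, `raw_index`, `lookup_checked` and `decode_quartet` are illustrative only.

```c
/* Added example, not ekeyd's code. Demonstrates why indexing a 128-entry
 * table with a raw char is out of bounds for any input byte >= 0x80, and
 * the checked alternative. Names are illustrative. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* 128-entry reverse table: 6-bit value for each alphabet char, -1 otherwise.
 * Constructed here for the example; populated lazily by build_dictionary(). */
static int8_t inverse_dictionary[128];
static int dictionary_ready = 0;

static void build_dictionary(void)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(inverse_dictionary, -1, sizeof inverse_dictionary);
    for (int i = 0; i < 64; i++)
        inverse_dictionary[(unsigned char)alphabet[i]] = (int8_t)i;
    dictionary_ready = 1;
}

/* 1 if plain char is signed on this compiler (the gcc/clang x86 default). */
int char_is_signed(void)
{
    return CHAR_MIN < 0;
}

/* The unchecked pattern: the index that inverse_dictionary[c] would use.
 * With signed char, a byte >= 0x80 becomes negative (reads before the table);
 * with unsigned char it becomes 128..255 (reads after it). Either way the
 * access is outside the 128 entries. Only the index is computed here, the
 * out-of-bounds read itself is never performed. */
int raw_index(char c)
{
    return (int)c;
}

/* 1 if indexing inverse_dictionary with c would be out of bounds. */
int index_out_of_range(char c)
{
    int idx = raw_index(c);
    return idx < 0 || idx >= (int)sizeof inverse_dictionary;
}

/* Hardened lookup: convert to unsigned first, then range-check before the
 * dereference. Returns the 6-bit value, or -1 for any non-alphabet byte. */
int lookup_checked(char c)
{
    unsigned char u = (unsigned char)c;
    if (!dictionary_ready)
        build_dictionary();
    if (u >= sizeof inverse_dictionary)
        return -1;
    return inverse_dictionary[u];
}

/* Decode one 4-char group into 3 bytes using the checked lookup.
 * Returns 3 on success, -1 if any input byte is outside the alphabet.
 * Padding ('=') is deliberately not handled; the point is the lookup. */
int decode_quartet(const char in[4], unsigned char out[3])
{
    int v[4];
    for (int i = 0; i < 4; i++) {
        v[i] = lookup_checked(in[i]);
        if (v[i] < 0)
            return -1;          /* reject rather than read out of bounds */
    }
    out[0] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
    out[1] = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
    out[2] = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
    return 3;
}
```

The key design point is that the hardened lookup makes the validity decision before touching memory, and makes it on an `unsigned char` so the result does not depend on the compiler's choice of `char` signedness. Building with `-funsigned-char` or `-fsigned-char` only moves the out-of-bounds read from one side of the table to the other; it does not fix it.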
Re: [cryptography] Favourite signature scheme?
Rose, Greg wrote:
> Some people have been referring to the Rabin signature algorithm as either
> Rabin-Miller or R-W (I assume meaning Rabin-Williams). Credit where credit is
> due: the scheme is entirely due to Michael Rabin according to my
> understanding. His name gets tied to the others in other contexts such as
> checking primality.
>
> Greg.

The mathematician Hugh C. Williams submitted a manuscript "A Modification of the RSA Public-Key Encryption Procedure" on July 17, 1979, to the journal IEEE Transactions on Information Theory, which was published in Vol IT-26, issue 6, in November 1980.

This original work includes characteristics which are essential to the R-W scheme as it is practiced today (and were absent from the prior TR-212 MIT research report by Rabin which is referred to by Williams).

Rabin and Williams were in contact during these days. The fact that Williams did not work for a US University bound by a rule that inventions (funded by US gov money?) had to be covered by a patent application may have caused the absence of a patent for the R-W scheme.

Hope it clarifies a bit!

--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
Re: [cryptography] Favourite signature scheme?
Some people have been referring to the Rabin signature algorithm as either Rabin-Miller or R-W (I assume meaning Rabin-Williams). Credit where credit is due: the scheme is entirely due to Michael Rabin according to my understanding. His name gets tied to the others in other contexts such as checking primality.

Greg.
Re: [cryptography] True Random Source, Thoughts about a Global System Perspective
On Wed, 26 Jan 2011, Thierry Moreau wrote:
> 2) a host plus some H/W for true random source

Speaking of hardware entropy sources, has anyone analyzed the Simtek Electronics Entropy Key (http://www.entropykey.co.uk/)? It's a USB dongle, recommended to me by several remailer operators. To quote the web site:

"The Entropy Key contains two high-quality noise generators, and an ARM Cortex CPU that actively measures, checks and confirms all generated random numbers, before encrypting them and sending them to the server. It also actively detects attempts to corrupt or sway the device. It aims towards FIPS-140-2 Level 3 compliance with some elements of Level 4, including tamper-evidence, tamper-proofing, role-based authentication, and environmental attacks. If it detects that one of its two generators has failed, may be about to fail, or if it detects a physical attack, it will automatically shut down."

I have to wonder how it is 2010 and this sort of hardware isn't a standard motherboard component, but if the Entropy Key dongle is sound, it's an affordable solution to this problem.

--Len.