[cryptography] Announcing the first SHA1 collision

2017-02-25 Thread Jeffrey Walton
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Cryptographic hash functions like SHA-1 are a cryptographer’s swiss
army knife. You’ll find that hashes play a role in browser security,
managing code repositories, or even just detecting duplicate files in
storage. Hash functions compress large amounts of data into a small
message digest. As a cryptographic requirement for wide-spread use,
finding two messages that lead to the same digest should be
computationally infeasible. Over time however, this requirement can
fail due to attacks on the mathematical underpinnings of hash
functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are
announcing the first practical technique for generating a collision.
This represents the culmination of two years of research that sprung
from a collaboration between the CWI Institute in Amsterdam and
Google. We’ve summarized how we went about generating a collision
below. As a proof of the attack, we are releasing two PDFs that have
identical SHA-1 hashes but different content.
...
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


[cryptography] What the World's First Quantum Satellite Launch Means

2016-09-15 Thread Jeffrey Walton
http://fortune.com/2016/08/16/china-quantum-satellite-launch/

That’s one small step for man, one quantum leap for China.

China blasted the world’s first quantum communications satellite into
orbit from the Gobi Desert early Tuesday.

The project signals the dawn of a potentially game-changing
communications technology: quantum key distribution—a dependable
system for exchanging secrets (more on this in a bit)—as beamed from
space. If the experiment is successful, it could lead to considerably
more secure global communications.

While many news outlets have followed Chinese state media’s cue and
described the technology as “hack-proof,” a more appropriate
descriptor would be “tamper resistant.” (Nothing is “hack-proof.”)
Quantum crypto-systems achieve this by exploiting the quirky
properties of subatomic particles.

Here’s how the science works. The fundamental problem of cryptography
involves exchanging keys—secret alphanumeric strings—that enable
people to encode and decode messages. When two parties swap keys, they
normally have no indication whether anyone has intercepted them; an
interloper with stolen keys can eavesdrop on correspondence or
manipulate it.

When quantum science is applied, the keys can be made to self-destruct
or change if a third party interferes with their transmission. The
keys are sent using pairs of entangled photons, or light particles
that share a special bond, to carry the information.

The Wall Street Journal quoted an executive familiar with the
technology as comparing it to “sending a message written on a soap
bubble.” Touch, and it pops.

The technology is defensive in nature. China, which has increased
funding for basic science research in this area over the past few
years (likely in response to revelations about other countries’
hacking capabilities) played that aspect up by naming the satellite
Micius in honor of an ancient Chinese philosopher who preached a
philosophy of “universal love.”

Dubbed Quantum Experiments at Space Scale, the Chinese experiment is
not the first time quantum key distribution has been attempted.
Ground-based fiber optic networks have successfully transmitted
quantum keys in the United States, Europe, and China. Other countries
like the U.K. and Singapore have smaller experiments in the works.

Bringing this quantum technology to a satellite network will be a
grand feat, however. The team, led by Pan Jianwei, said they would
attempt to transmit quantum keys from Beijing to Vienna to test the
system’s feasibility.

The experiment of beaming finicky particles over vast distances will
be tricky. Yet it could vault China over the international competition
in counter-surveillance tech if it does succeed.

For space-based quantum cryptography, the race is on.


[cryptography] Symantec to Acquire Blue Coat and Define the Future of Cybersecurity

2016-07-02 Thread Jeffrey Walton
It feels like there's a loss of separation of concerns between the CA unit
and the Interception unit under the Symantec umbrella. Given
Symantec's track record, I'm kind of suspicious.

http://www.symantec.com/about/newsroom/press-releases/2016/symantec_0612_01

MOUNTAIN VIEW, Calif. and SUNNYVALE, Calif. – June 12, 2016 – Symantec
(NASDAQ: SYMC) and Blue Coat, Inc. today announced that they have
entered into a definitive agreement under which Symantec will acquire
Blue Coat for approximately $4.651 billion in cash. The transaction
has been approved by the Boards of Directors of both companies and is
expected to close in the third calendar quarter of 2016. Greg Clark,
Chief Executive Officer of Blue Coat, will be appointed Chief
Executive Officer of Symantec and join the Symantec Board upon closing
of the transaction.

Blue Coat is the #1 market share leader and share gainer in Web
Security with a widely recognized portfolio of integrated technologies
serving as a trusted platform to deliver Cloud Generation Security to
more than 15,000 customers worldwide. For Blue Coat’s fiscal year
ending April 30, 2016, GAAP revenue was $598 million and non-GAAP
revenue was $755 million, with 17% year-over-year growth, supported by
new products and new customers. For the same time period, the company
had non-GAAP operating margins of 22% and cash flow from operations of
$135 million. Also for this time period, GAAP operating margins were
-42%.
...


Re: [cryptography] MalwareBytes

2016-06-24 Thread Jeffrey Walton
On Fri, Jun 24, 2016 at 2:30 PM, Ron Garret  wrote:
> What matters is not the certificate.  The certificate is public.  You can’t 
> “steal" a certificate.
>
> What you *can* steal is the private key associated with a certificate, and 
> the more time goes by the more likely it becomes that someone has done so.
>
> However, the expiration date is completely arbitrary.  There’s nothing magic 
> that happens on the expiration date that makes a cert significantly less 
> secure the day after it expires than it was the day before

In principle, I think it does.

The CA's responsibility (warranty) ends when the certificate expires.
Once the certificate is expired it will not be added to a CRL, so it
could not be revoked. In fact, if it was revoked, then it will be
removed from the CRL.

Whether that system works in practice is a colorful subject that Dr.
Gutmann does a great job of poking fun at in his book Engineering
Security (http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

Jeff


Re: [cryptography] RDRAND not really random with Oracle Studio 12.3 + patches

2016-06-13 Thread Jeffrey Walton
> While the code doesn't follow the SDG guidelines (I.E. it doesn't check for
> the return status and it doesn't check for the instruction support) it
> should work because RdRand doesn't underflow in any of our chips. Is this
> running in a VM or on bare metal?

I'm not sure. I forwarded it to CERT. I hope they assign a CVE and
obtain more details.

> I tried compiling that code on an Ivy Bridge machine running Linux, but it
> failed to compile..
>
>>gcc rdrand.c -o rdrand
> rdrand.c:1:29: fatal error: sys/immintrin.h: No such file or directory
> compilation terminated.

I'm fairly certain you need to use Sun Studio's CC. E.g.,

$ /opt/solarisstudio12.3/bin/cc -native -m64 -xarch=aes test.cc -o test.exe

There's a procedure to acquire Sun Studio:
https://docs.oracle.com/cd/E37069_01/html/E37072/gozsz.html . Once you
have the keys, you can install 12.2, 12.3, 12.4, etc.

> So I pointed the header to the right place and spend an eternity finding I
> needed the -mrdrnd target to make the intrinsic happy.
>
> #include   --> #include 

Lol... For GCC and Clang, try . (There's a long history
behind that chuckle).

> So it must be some sort of compiler bug or VM problem.

Yeah, it appears to be related to Sun Studio. Bare metal and VMs are a
different story.

Bare metal XEON 5200's (no RDRAND, expected):

$ isainfo -v
64-bit amd64 applications
ssse3 ahf cx16 sse3 sse2 sse fxsr mmx cmov amd_sysc cx8 tsc fpu
32-bit i386 applications
ssse3 ahf cx16 sse3 sse2 sse fxsr mmx cmov sep cx8 tsc fpu

VM on top of Core i5-3200 (+AES, +RDRAND, -RDSEED):

64-bit amd64 applications
sse4.2 sse4.1 ssse3 tscp ahf sse3 sse2 sse fxsr mmx cmov amd_sysc cx8
tsc fpu
32-bit i386 applications
sse4.2 sse4.1 ssse3 tscp ahf sse3 sse2 sse fxsr mmx cmov sep cx8 tsc
fpu

Same Core i5-3200 host with a Linux guest shows aes, rdrand, xsave,
pclmulqdq, etc.

I have a Core i7-5000 (+AES, +RDRAND, +RDSEED) on a headless server
with Libvirt. I have to perform the net install, but it's been giving
me trouble. I hope to have it stood up over the next couple of days.

Jeff

 -

The following may be helpful. Some familiar preprocessor macros are
missing. In this respect, it's kind of like Microsoft where you base
feature availability on compiler version. In this case, Sun Studio
12.3 is __SUNPRO_CC 0x5130, and that means AES is available if
-xarch=aes is on the command line.

$ /opt/solarisstudio12.4/bin/CC -native -m64 -xarch=aes -E
-xdumpmacros /dev/null 2>&1 | sort


Re: [cryptography] RDRAND not really random with Oracle Studio 12.3 + patches

2016-06-10 Thread Jeffrey Walton
On Fri, Jun 10, 2016 at 7:50 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Ouch... just came across this...
> https://community.oracle.com/thread/2565486?start=0=0
>
> I did not think it was possible to foul the hardware generated random
> numbers (sans an occasional underflow).

Yuck, and this: "_rdrand32_step still broken (Solaris Studio 12.4
Beta)", http://community.oracle.com/thread/3539230?start=0=0.


[cryptography] RDRAND not really random with Oracle Studio 12.3 + patches

2016-06-10 Thread Jeffrey Walton
Ouch... just came across this...
https://community.oracle.com/thread/2565486?start=0=0

I did not think it was possible to foul the hardware generated random
numbers (sans an occasional underflow).

Jeff


Re: [cryptography] You can be too secure

2016-05-05 Thread Jeffrey Walton
On Thu, May 5, 2016 at 2:45 PM, Ron Garret  wrote:
>
> On May 5, 2016, at 11:13 AM, Kevin  wrote:
>
>> One can never be to secure!
>
> Actually, I learned the hard way last week that this is not true.
>
> Four years ago I bought a 2010 MacBook air from a private party (i.e. I’ve 
> owned it for four years, and it was two years old when I bought it).  I did a 
> clean install of OS X, and used the machine with no problems for the next 
> four years.
>
> Last week, someone apparently put an iCloud lock on the machine.  It turns 
> out that wiping the hard drive does not remove the machine’s iCloud binding.  
> If the machine has been associated with an iCloud account at any time in its 
> history, only the owner of the associated account (or Apple) can remove that 
> binding.  And Apple will only do it if you can produce a proof-of-purchase, 
> which for them is a receipt from an authorized reseller.  The iCloud lock is 
> implemented in EFI firmware, so not even replacing the internal drive will 
> remove it.
>
> It gets worse: Apple refuses to contact the owner of the iCloud account that 
> placed the lock.  The lock message provides no information (it simply says, 
> “Machine locked pending investigation.”)  So even if the machine I bought was 
> stolen (I have a lot of evidence that it wasn’t, but no proof) I can’t return 
> it to its rightful owner because I have no idea who it is.  Apple knows, but 
> they won’t tell me (which is understandable) nor will they contact that 
> person on my behalf (which is not).  They also don’t provide any way of 
> checking whether a Mac has an existing iCloud binding.  (They provide this 
> service for mobile devices, but not for Macs.)  The only way to tell is to 
> take the machine into an Apple store and have them check it.
>

Drag them into court... Let them spend $25,000 attempting to defend
their position. It will cost you about $50.00 to file it.

Money is the only thing corporations care about. Hit back where it hurts.

Jeff


Re: [cryptography] USG-Apple - 3/22/16 Hearing Procedures, Add 3 USGs

2016-03-19 Thread Jeffrey Walton
It sounds like it's turning into a circus sideshow:

... in addition to Courtroom 4, there will be additional overflow
rooms in which the hearing will be shown on video screens. All of
these rooms together can accommodate up to a total of 324 spectators.
Admission tickets for these seats will be distributed outside the
courthouse starting at 7:00 a.m. on March 22, 2016.

I hope it gets good media coverage, like the OJ Simpson trial. If the
government sides with the government (what a surprise that would be) I
hope US citizens riot on a scale orders of magnitude larger than Rodney King.


On Fri, Mar 18, 2016 at 8:52 AM, John Young  wrote:
> USG-Apple - 3/22/16 Hearing Procedures, Add 3 USGs
>
> https://cryptome.org/2016/03/usg-apple-181-184.pdf


[cryptography] NIST SP 800-90 B, Random Bit Generators Recommendation for the Entropy Sources Used for Random Bit Generation

2016-01-29 Thread Jeffrey Walton
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-B


Re: [cryptography] Hi all, would like your feedback on something

2015-12-21 Thread Jeffrey Walton
On Mon, Dec 21, 2015 at 10:39 AM, Brian Hankey  wrote:
>
>> From: Givon Zirkind 
>>
>> On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
>>> The problem you address is certainly real. And a lot of people have
>>> looked at various approaches over the decades. None, so far, is fully
>>> satisfactory. (I obviously believe that a well designed password
>>> manager is the best solution for most people available today, but I do
>>> not see them as the long term solution.) One common mistake
>> IMHO, the basic problem [on a meta level] is, that if you put all your
>> passwords [eggs] into one basket, all you have to do is steal the
>> basket.  crack the master password to the password file and you have all
>> the passwords.
>>
>> old school, manually, ppl used to keep a rolodex of which files to look
>> in for the passwords to certain items.  and, passwords would be hidden
>> in those files.  ostensibly, the CIA does this with files that need to
>> "disappear".  e.g. keeping a record in the Atomic Energy Commission's
>> files of some covert op.  with a cross reference that tells someone
>> where to find it.  who's going to look through a warehouse of files to
>> find a record?  it's like a needle in a haystack.  if you could
>> implement that electronically, that would probably be the best way to
>> go.  imho.
>
> This particular needle got lost in the haystack of my inbox… very interesting 
> idea.  Do you have any preliminary ideas on how to implement that 
> electronically? I am not sure where to begin.
>

Yeah, it's a good idea for many users under a number of threat models and
use cases. It's also the reason that, say, Gmail recovery codes that
are printed and sit in a desk drawer are usually OK. The primary
threat is the network attacker, and he/she does not have access to
your desk drawer.

As Gutmann wrote in his book (p. 528):


This 1960s perspective of computing is the type of threat model that
some of the password-security guidelines that are in use today were
designed to counter! What’s worse is that even today, decades after
these archaic threat models were employed as the basis for
password-usage guidelines, we’re still fairly consistently giving
users the wrong advice about password security such as “Passwords are
like underwear, change them often” (solving no identifiable problem
but creating several new ones, see “Password Lifetimes” on page 537)
and “Firewalls are useless if passwords are stuck to the monitor with
a Post-it” [9] (phishers are pretty creative but the one thing they
haven’t managed to do yet is reach out of the monitor to read your
Post-it notes, see “Passwords on the Client” on page 577). As Bob
Blakley puts it, “despite the fact that both attacks and losses have
approximately doubled every year since 1992, we continue to rely on
old models that are demonstrably ill-suited to the current reality and
don’t inhibit the ongoing march of failure” [10].


Jeff


Re: [cryptography] Hi all, would like your feedback on something

2015-12-18 Thread Jeffrey Walton
> The question we are trying to answer here is how could we all have ultra
> strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and
> every website, email, social media, etc. service that we use but without
> having to trust any third parties to store them for us protected by single
> password (perhaps with 2 factor authentication, hardware key, etc.,
> admittedly), or to use some kind of local password manager that needs to be
> installed on every device you want to use it on with a local encrypted
> password file.  Lastly, it should be extremely resistant to rainbow tables
> if and when one of your passwords is leaked.

Peter Gutmann's Security Engineering
(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) has a good
treatment of Passwords in general. See Chapter 7 on page 563.

John Stevens of OWASP performed threat modelling of passwords in
storage on the server. See Secure Password Storage
(https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g).


Re: [cryptography] "There is something Google can do. So they should do it."

2015-11-27 Thread Jeffrey Walton
On Fri, Nov 27, 2015 at 5:47 PM, Greg  wrote:
> Thought this list would be interested in reading about the role that Google 
> played in compromising 100k+ users (in addition to Dell):
>
> https://www.reddit.com/r/crypto/comments/3u92aw/dells_tumble_googles_fumble_and_how_government/cxejl5y

They seem to be missing the issue (if I am parsing it correctly):

  REDDIT > So you are saying that Chrome should roll out its own
  REDDIT > cert store because relying on Windows 10's cert store is
  REDDIT > insecure?
  REDDIT >
  REDDIT > Sorry your argument seems very weak and odd to me.
  REDDIT > It also detracts away from the severity of what Dell has done.

That's not Chrome or Windows per se. Rather, that it is a feature of
the Web/Browser security model. In the security model, proxying and
interception is a valid use case. You can thank the browser
(in)security engineers for that.

It's not just limited to W3C participants. The IETF just jumped on the
"proxying and interception is a valid use case" bandwagon with RFC
7469, "Public Key Pinning with Overrides"
(https://tools.ietf.org/html/rfc7469). Check out section 4, and then
try to find what the override is supposed to do, or additional
information or guidance on using it.

Finally, don't look to the IETF to help distinguish the "good" bad
guys from the "bad" bad guys when a conforming user agent does
override (or tries to decide if it should override). I've been trying
to discover that myself. See "How do we differentiate authentic
servers from proxies performing TLS interception",
https://www.ietf.org/mail-archive/web/pkix/current/msg33425.html.

And finally (and either humorously or sadly, depending on your state
of mind), the PKIX's position is there's no difference between
authentic server authentication and an imposter pretending to be an
authentic server. They are happy to allow a CA to issue certificates
for either usage, even though they appear to be as diametrically
opposed as you can get.

The NSA and GCHQ do not need to limit cryptography or algorithms.
They just need more browser (in)security engineers in more working
groups.

Jeff


Re: [cryptography] This is bad. THis is really bad. (Isn't it?)

2015-11-25 Thread Jeffrey Walton
On Wed, Nov 25, 2015 at 9:16 AM, Dave Howe wrote:
> On 25/11/2015 12:59, Florian Schütz wrote:
>> This is true for Chrome and, I think, for Firefox as well. Some
>> enterprises insist on MITMing TLS connections at a proxy, and at least
>> Chrome will not break this. They argue if they were to strictly
>> enforce Pins, people would just switch to a more permissive browser. I
>> agree with their line of thought.
> Yup. Firefox of course isn't aware of this Dell key, as it is in the
> windows keystore, so will fail to validate such a certificate

Chrome will fall victim because they use the OS store
(http://www.chromium.org/Home/chromium-security/root-ca-policy)...

Chrome will even break a known good pinset. Priorities of
Constituencies and all the other web/security model goodness
(http://www.w3.org/TR/html-design-principles/#priority-of-constituencies)...

Jeff


Re: [cryptography] Varoufakis claims had approval to plan parallel banking system for Greece

2015-07-26 Thread Jeffrey Walton
On Sun, Jul 26, 2015 at 6:38 PM, John Young j...@pipeline.com wrote:
> Varoufakis claims had approval to plan parallel banking system for Greece
>
> http://www.ekathimerini.com/199945/article/ekathimerini/news/varoufakis-claims-had-approval-to-plan-parallel-banking-system
>
> Allegedly aided by Columbia University IT professor  to design a hack of
> existing taxation systems.
>
> Columbia Computer Science Faculty
>
> http://www.cs.columbia.edu/people/faculty

Forgive my ignorance...

Is this one of Greenspan's disciples? Maybe one of Summers' friends.
(US Academia seems to publish whatever the US Financial sector wants
them to publish, regardless of how wrong it is. There are still
economists who swear by the experiment in Iceland, and how well
derivatives temper the US markets...).

I thought one of the cruelest jokes on the Soviet Union's collapse was
the US sending economists to help the new Federation with their
economies back in the 1980s... That was around the time of the S&L
bailouts (and we were told that would never happen again...). And
Greenspan audited Keating's holdings, and extolled how healthy his
banks were.

Jeff


Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Jeffrey Walton
> Suppose I have a message M for which I generate an RSA-2048 digital
> signature as follows:
>
>   H = SHA-256(M)
>   S = H^d mod N
>
> Assume N = p*q is properly generated and d is the RSA private key.
>
> And I verify the signature as follows:
>
>   S^e mod N == H'
>
> where H' is the SHA-256 of the message to be authenticated. Assume e is the
> RSA public key.

I *think* the signature could be malleable. That is, you could get
both S to verify, and N - S to verify. Whether it's a problem (or not)
depends on your expectations.

> Since I've not used any padding then are there any flaws with the above
> approach? What if e = 3? What if e = 2^16+1?

Bernstein provides a really good history in RSA signatures and
Rabin–Williams signatures: the state of the art,
http://cr.yp.to/sigs/rwsota-20080131.pdf. He discusses why various
steps are performed, like hashing the message rather than using the
message directly.

You should be OK with 3 or even 2, though it complicates signing.
Taking from Bernstein:

State-of-the-art systems use exponent 2 rather than
exponent 3. This speeds up verification, and improves
the signature-compression and signature-expansion
features discussed in subsequent sections. The signer’s
secret primes p and q are chosen from 3 + 4 Z to
simplify signing

Jeff
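Worked through as an added example (not code from the thread or from Bernstein's paper): the unpadded hash-then-RSA scheme quoted above for e = 3 and e = 65537, the e = 2 signing Bernstein describes with p and q chosen from 3 + 4Z, and a check of which of S and N - S verify under each exponent. The toy 64-bit primes, the Miller-Rabin search that finds them, the reduction of the digest mod N and the sample messages are constructed simplifications so the code runs offline.

```python
"""Hash-then-RSA with no padding, as in the thread, plus the e = 2 (Rabin)
variant Bernstein recommends. Added example, not from the thread.
Toy ~64-bit primes are found deterministically with Miller-Rabin (constructed)
so everything runs offline; real keys would use 1024-bit primes."""
import hashlib
from math import gcd

# First 12 primes as bases: Miller-Rabin is deterministic for n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime_3mod4(start: int, e: int) -> int:
    """Smallest prime p >= start with p in 3 + 4Z (Bernstein's condition that
    makes square roots, i.e. e = 2 signing, a single exponentiation) and, for
    odd e, gcd(e, p - 1) == 1 so that the private exponent d exists."""
    p = start | 3                       # force p ≡ 3 (mod 4)
    while not (is_prime(p) and (e == 2 or gcd(e, p - 1) == 1)):
        p += 4
    return p

def keygen(e: int, seed_p: int = 1 << 63, seed_q: int = 1 << 62):
    """Returns (p, q, N, d); d is None for e = 2, which has no inverse mod phi."""
    p = next_prime_3mod4(seed_p, e)
    q = next_prime_3mod4(seed_q, e)
    d = pow(e, -1, (p - 1) * (q - 1)) if e % 2 else None
    return p, q, p * q, d

def digest_int(msg: bytes, n: int) -> int:
    """H = SHA-256(M) as an integer. With a 2048-bit N the digest is already
    below N; the toy ~126-bit N here needs a reduction (constructed shortcut)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_rsa(h: int, d: int, n: int) -> int:
    return pow(h, d, n)                 # S = H^d mod N, no padding

def verify(s: int, h: int, e: int, n: int) -> bool:
    return pow(s, e, n) == h            # S^e mod N == H'

def sign_rabin(h: int, p: int, q: int):
    """e = 2: S is a square root of H mod N. With p, q ≡ 3 (mod 4) the root
    mod p is H^((p+1)/4); glue the two roots with the CRT. Returns None when H
    is a non-residue mod p or q (about 3/4 of digests); Rabin-Williams fixes
    that with tweak multipliers, which are out of scope here."""
    if pow(h, (p - 1) // 2, p) != 1 or pow(h, (q - 1) // 2, q) != 1:
        return None
    rp, rq = pow(h, (p + 1) // 4, p), pow(h, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def malleability_report(e: int, msg: bytes) -> dict:
    """Does N - S verify alongside S? (The question raised in the thread.)"""
    p, q, n, d = keygen(e)
    h = digest_int(msg, n)
    if e == 2:
        s, ctr = sign_rabin(h, p, q), 0
        while s is None:                # retag the message until H is a residue
            ctr += 1
            h = digest_int(msg + b"#" + str(ctr).encode(), n)
            s = sign_rabin(h, p, q)
    else:
        s = sign_rsa(h, d, n)
    return {
        "s_verifies": verify(s, h, e, n),
        "neg_s_verifies": verify(n - s, h, e, n),
        # For odd e, (N - S)^e = -S^e, so N - S "signs" N - H rather than H.
        "neg_s_signs_neg_h": pow(n - s, e, n) == (n - h) % n,
    }

def homomorphic_combination(e: int, m1: bytes, m2: bytes) -> bool:
    """Without padding, S1*S2 verifies against H1*H2 mod N for any odd e: the
    textbook RSA homomorphism that padding schemes (PKCS#1 v1.5, PSS) break."""
    p, q, n, d = keygen(e)
    h1, h2 = digest_int(m1, n), digest_int(m2, n)
    s1, s2 = sign_rsa(h1, d, n), sign_rsa(h2, d, n)
    return verify(s1 * s2 % n, h1 * h2 % n, e, n)

if __name__ == "__main__":              # quick demo run
    for e in (3, 65537, 2):
        print(e, malleability_report(e, b"constructed sample message"))
```

For odd e only S itself verifies, while for e = 2 both S and N - S do (and so do the other two square roots), which is the non-uniqueness a verifier has to expect from a Rabin-style scheme.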


Re: [cryptography] Caspar Bowden has died

2015-07-09 Thread Jeffrey Walton
On Thu, Jul 9, 2015 at 10:12 AM, John Young j...@pipeline.com wrote:
> Privacy activist Caspar Bowden has died
>
> https://translate.google.com/translate?sl=autotl=enjs=yprev=_thl=enie=UTF-8u=https%3A%2F%2Fnetzpolitik.org%2F2015%2Fdatenschutz-aktivist-caspar-bowden-ist-gestorben%2Fedit-text=

Oh wow.

We had dinner in Washington, DC last year. He was not old by any
measures, and he surely did not appear unhealthy.

Jeff


Re: [cryptography] chromium: unconditionally downloads binary blob

2015-06-17 Thread Jeffrey Walton
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts
> downloading Chrome Hotword Shared Module extension, which contains a
> binary without source code. There seems no opt-out config.
>
> that extension:
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me...

I think that's more browser security model goodness.

All you need is a certificate because authentication = authorization.
It's entrenched in powerful features and privileged contexts, which
are discussed at Requirements for Powerful Features
(http://www.w3.org/TR/powerful-features/). It includes things like
Credential Management, Bluetooth, Location Services, and Service
Workers (see section 3 for a more complete listing).

You may not even need an authentic certificate. Try intercepting it
and see if it still ships off your data to whoever answers.

The Java applet sandbox was ruined with authentication =
authorization thinking. It's to the point that authentic code should
*not* be signed so the applet cannot escape the sandbox. See
http://threatpost.com/javas-losing-security-legacy.

Jeff


Re: [cryptography] LastPass have been hacked, so it seems.

2015-06-16 Thread Jeffrey Walton
On Tue, Jun 16, 2015 at 9:24 AM, Givon Zirkind givo...@gmx.com wrote:
> keeping something safe in the cloud inherently requires trusting a third
> party.
> yeah, that says it all.

Right. And third parties cannot protect against the threat posed by
officers of the court/legal jurisdiction.

(Are National Security Letters considered in this threat, or are they
a new threat due to operating outside the law in the US?).

> cloud computing is good for non critical stuff and stuff you want ppl to see
> anyway.  like your web page.  even then, javascript injection jacking your
> page, blah, blah.
> if the cloud is not good for HIPAA, banks, financial institutions, that
> should be a clue.

Studies are showing medical data is less safe in the cloud. See, for
example, Study: Healthcare Industry Contains Most Cloud Data
Breaches, 
http://talkincloud.com/cloud-computing-security/06152015/study-healthcare-industry-contains-most-cloud-data-breaches.

And remember, Apple moved user Keychains to its iCloud and they were
subsequently breached. Apparently, Apple does not feel it's important
enough to ensure it meets its own secure coding standards or properly
QA it. Confer, CVE-2015-1065.

Jeff

> Sent: Monday, June 15, 2015 at 6:46 PM
> From: Moti m...@cyberia.org.il
> To: cryptography@randombit.net
> Subject: [cryptography] LastPass have been hacked, so it seems.
> I always had my doubts about keeping my passwords in the cloud.
> Let's hope for LastPass users that their data is as secure as LastPass
> claims it is.
> No reason to think otherwise of course, but still. If i read correctly
> between the lines, some people's (sensitive) data maybe on the wrong hands.
> I mean, what if Chinese hackers got it? (Yeah, it feels like i sound a bit
> Paranoid, but in this day and age, Chinese hackers are actually a thing:)
> are we sure that the Chinese government don't have enough computing power to
> unhash whatever was taken?
> just saying...
> https://blog.lastpass.com/2015/06/lastpass-security-notice.html/



Re: [cryptography] OpenPGP in Python: Security evaluations?

2015-06-12 Thread Jeffrey Walton
 The main problem we were interested in solving here was to be able to keep
 key management tasks within a single memory address space, to avoid the
 problems relating to securely sending passphrases to other processes, and to
 be able to use the keys without the additional disk IO involved in needing
 to import the key into an on-disk keyring before being able to use it for
 anything.

I think the trend appears to be the opposite - you have a consumer in
one process and a producer in another process. If the consumer gets
compromised (like a web server), then the secrets don't get
compromised as easily because the producer is out of process.

I'm pretty sure GnuPG switched to that model. Libassuan is the
dependency that's part of that mechanism. And I believe Microsoft's
CryptoNG uses it too (but I may be wrong).

 We did an internal security audit of PGPy 0.3.0 shortly before releasing it,
 but I would definitely be grateful for additional eyes on the code, maybe
 when 0.4.0 comes out (which I am working toward). If anyone is interested,
 wants to share concerns, etc, I would welcome the discussion.

There are a few ways to approach it. The first thing I would do is
pick the low hanging fruit. It's like folks like Bellovin and Gutmann
say: why go through the crypto when you can go around it?

Get static and dynamic analyzers on the library. Compilers and their
warning system are a good first line defense. Clang and its sanitizers
are a good tool (https://docs.python.org/devguide/clang.html). And
don't forget about Coverity's free scanning service for FOSS software
(https://scan.coverity.com/).

Once the low hanging fruit is picked, then move onto the specialized
audits, like secure coding for the platform, platform security
integration, and cryptography.

Jeff

On Fri, Jun 12, 2015 at 12:05 AM, Michael Greene
mgre...@securityinnovation.com wrote:
 Hello there, I am the author of PGPy - I figured I’d chime in here, even
 though I have clearly noticed this discussion a little bit late.

 When I decided that taking up the project of building a pure-Python OpenPGP
 implementation would be worthwhile, I did so after evaluating all of the
 existing Python libraries I could manage to find. The main reason I started
 the project was because very nearly all of the Python libraries for working
 with PGP were either wrappers around the gpg binary, or GPGME bindings
 (which itself is a wrapper around the gpg binary, but written in C).

 To be honest, I’m not sure if calling PGPy “pure-Python” is necessarily 100%
 correct. Although PGPy itself is 100% implemented in Python, I did not
 implement any of the actual crypto myself - that is handled by the
 Cryptography library, which uses cffi to invoke methods from existing
 libraries (the default currently being OpenSSL, but the possibility to plug
 into alternate backends exists as well)

 So basically, practically the only way to be able to use PGP in Python was,
 one way or another, to call out to the GPG binary (and as it turns out,
 platform portability in that context is a difficult proposition - the
 largest category of related StackOverflow questions I happened across while
 searching for as many of these libraries as I could were questions from
 people who were having difficulty getting them to work on different
 platforms - often Windows, but probably not all of them. That particular
 issue was not something we were necessarily gunning for, but it might be
 nice for a handful of people, at least.)

 The main problem we were interested in solving here was to be able to keep
 key management tasks within a single memory address space, to avoid the
 problems relating to securely sending passphrases to other processes, and to
 be able to use the keys without the additional disk IO involved in needing
 to import the key into an on-disk keyring before being able to use it for
 anything.

 As a bonus, it turns out that doing the parsing natively in Python and not
 having to incur the additional overhead of spinning up an external process
 and communicate with it over pipes is actually tangibly faster, especially
 when repeating relatively quick operations (like signing a number of
 separate things in a row).

 We did an internal security audit of PGPy 0.3.0 shortly before releasing it,
 but I would definitely be grateful for additional eyes on the code, maybe
 when 0.4.0 comes out (which I am working toward). If anyone is interested,
 wants to share concerns, etc, I would welcome the discussion.


Re: [cryptography] Designing a key stretching crypto that maximize use of WebCrypto?

2015-05-14 Thread Jeffrey Walton
On Mon, May 4, 2015 at 2:10 AM, Fabio Pietrosanti (naif) - lists
li...@infosecurity.ch wrote:
 Hi all,

 testing the lovely slowness of a pure scrypt implementation in
 javascript running into the browser, i was wondering anyone ever tried
 to think/design an cryptosystem for key stretching purposes that
 leverage only existing webcrypto API
 (https://www.chromium.org/blink/webcrypto) with the goal to use let's
 say 80% of cpu time on native-crypto-code rather than JS code?

 In the browser native crypto code through WebCrypto API works obviously
 much faster than JS crypto code (how much?)!

Just bike shedding, but I don't think that's fair to WebCrypto.
WebCrypto provides a standard set of primitives, like hashes. But the
selected hashes are designed to be fast, and not slow or memory hard.

So comparing a WebCrypto PBKDF based on SHA-X is akin to comparing
apples and oranges.

Also see 
https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0706.html.

Jeff


Re: [cryptography] AES Implementation

2015-05-12 Thread Jeffrey Walton
On Tue, May 12, 2015 at 5:47 AM, Givon Zirkind givo...@gmx.com wrote:
 Hi,

 Can anyone recommend an open source AES library in some flavor of C?

It depends on your goals and threat models. If any old library will
do, then check out https://wiki.openssl.org/index.php/Related_Links
and http://www.cryptopp.com/wiki/Related_Links. They are fairly
comprehensive and up-to-date lists of security libraries. Pick the one
whose documentation best suits your taste.

If you are interested in correctness, speed, and hardening from
not-so-common attacks like side channel attacks, then you should see
if Bernstein has anything. Libraries like Crypto++ and OpenSSL use
table driven implementations, and they are susceptible to the side
channel attacks. Bernstein makes great effort to avoid them.

Jeff


[cryptography] Chinese CA banned in Chrome

2015-04-12 Thread Jeffrey Walton
Chinese CA banned in Chrome:

http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/

Apple is not following suit with this:

https://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086


Re: [cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

2015-04-06 Thread Jeffrey Walton
On Sun, Apr 5, 2015 at 6:25 PM, ITechGeek i...@itechgeek.com wrote:
 So does this mean Iran & the like can stop hacking CAs and buy their own
 Geotrust cert to MITM their population?

Yeah, it's been around for a while. What's surprising (or maybe not)
is that the CA is still not constraining the organizations even though a
technical control is available to do so.

Do away with the independent third party that assesses the signing
request, don't bother with the security controls to limit impact of a
bad actor, and then allow the organization to operate on best
behavior. Sigh...


[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

2015-04-05 Thread Jeffrey Walton
http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html

It appears Google's Internet Authority G2 (https://pki.google.com)
could be part of this program since the subordinate CA is certified by
GeoTrust Global CA. If you look at the certificate, it is *not* name
constrained so Google can mint certificates for any domain (and not
just its web properties). I'm not too worried about Google. But I
can't say the same for any old organization that joins this program.

Both the IETF and CA/B Forums have name constraints that could be used
to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
Constraints and Baseline Requirements, 9.7 Technical Constraints in
Subordinate CA Certificates via Name Constraints.

I'm not sure if the program targeting organizations as a subordinate
CA is a bad idea or if GeoTrust is doing a bad job by not using name
constraints. But as it stands, I don't like the smell of things.
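To make the RFC 5280 4.2.1.10 rule concrete, here is an added example of the matching logic a relying party applies when a subordinate CA certificate does carry name constraints. It is not GeoTrust's, Google's or any library's code; the function names, the constructed policy in `demo_policy` and the sample hostnames are hypothetical. The DNS rule in the RFC is suffix matching on whole labels (adding zero or more labels on the left of the constraint), so `www.host.example.com` satisfies `host.example.com` while `host1.example.com` does not; treating a leading-dot constraint as "one or more added labels" is an assumption that mirrors common implementations rather than the RFC text.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* RFC 5280 4.2.1.10 dNSName rule: `name` is within `constraint` when it
 * equals it or was formed by prepending labels to it.  Returns 1 / 0. */
int dns_name_in_subtree(const char *name, const char *constraint)
{
    size_t nl = strlen(name), cl = strlen(constraint);
    if (cl == 0) return 1;                      /* empty subtree matches anything */
    if (constraint[0] == '.') {
        /* ".example.com": at least one label must have been added (assumption). */
        return nl > cl && ci_equal(name + nl - cl, constraint, cl);
    }
    if (nl < cl || !ci_equal(name + nl - cl, constraint, cl))
        return 0;
    /* Suffix matched; insist on a label boundary so that
     * "evil-example.com" does not satisfy "example.com". */
    return nl == cl || name[nl - cl - 1] == '.';
}

/* Evaluate one leaf dNSName against a subordinate CA's permitted and
 * excluded subtrees.  excludedSubtrees always win; with no permitted
 * subtrees for this name type the CA is unconstrained (the GeoRoot case). */
int dns_name_permitted(const char *name,
                       const char *const *permitted, size_t n_perm,
                       const char *const *excluded, size_t n_excl)
{
    for (size_t i = 0; i < n_excl; ++i)
        if (dns_name_in_subtree(name, excluded[i])) return 0;
    if (n_perm == 0) return 1;
    for (size_t i = 0; i < n_perm; ++i)
        if (dns_name_in_subtree(name, permitted[i])) return 1;
    return 0;
}

/* Constructed policy for the self-check: the organization may issue under
 * example.com except for its internal zone. */
int demo_policy(const char *name)
{
    static const char *const permitted[] = { "example.com" };
    static const char *const excluded[]  = { "internal.example.com" };
    return dns_name_permitted(name, permitted, 1, excluded, 1);
}

/* What a subordinate CA without the extension amounts to: every name passes. */
int unconstrained_policy(const char *name)
{
    return dns_name_permitted(name, NULL, 0, NULL, 0);
}

int main(void)
{
    const char *samples[] = { "www.example.com", "evil-example.com",
                              "host.internal.example.com", "example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-28s constrained=%d unconstrained=%d\n", samples[i],
               demo_policy(samples[i]), unconstrained_policy(samples[i]));
    return 0;
}
```

To see whether an intermediate in a chain actually carries the extension, dump it with `openssl x509 -in sub.pem -noout -text` and look for an "X509v3 Name Constraints" section; its absence is exactly the situation the post describes.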


Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-14 Thread Jeffrey Walton
On Fri, Mar 13, 2015 at 5:06 PM, Fabio Pietrosanti (naif) - lists
li...@infosecurity.ch wrote:
 On 3/13/15 3:11 PM, Solar Designer wrote:
 Because SRP protocol is cool, but i'm really wondering if the default
 methods are strong enough against bruteforcing.
 They are not.
 That was my concern.

 Does anyone ever tried to make SRP  authentication protocol
 extensions/specs to work with server-side storage of hashes based on scrypt?

I believe the SRP verifiers are the equivalent to a salted, digested
password in traditional password-based systems.  (Some hand waving -
for example, the verifiers are taken modulo n).

If Scrypt provides the same security properties as provided by SHA and
Whirlpool, then Scrypt should be a compatible replacement. It should
not matter that Scrypt provides more security properties (namely, the
memory hardness).

Jeff
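The substitution argument above, written out as an added illustration that is not part of the post. The symbols follow the usual SRP-6a description, with the server storing the verifier: $I$ is the username, $P$ the password, $s$ the salt, $H$ the protocol hash, and $g$, $N$ the group parameters.

$$x = H\big(s \,\|\, H(I \,\|\, \text{":"} \,\|\, P)\big), \qquad v = g^{x} \bmod N$$

The server keeps $(I, s, v)$. Someone holding a stolen $v$ tests a password guess $P'$ by recomputing $x'$ from $(s, P')$ and checking whether $g^{x'} \bmod N = v$, so the cost of each guess is one evaluation of the password derivation plus one modular exponentiation, and with a fast $H$ the exponentiation dominates.

Replacing the digest step by a memory-hard KDF changes only the first line:

$$x = \mathrm{scrypt}(P, s, \text{params}), \qquad v = g^{x} \bmod N$$

The exchange itself ($A$, $B$, the shared $S$ and the proofs $M_1$, $M_2$) depends on the password only through $x$, so as long as client and server agree on the derivation, the rest of the protocol is unchanged, and each offline guess now also pays scrypt's memory-hard cost. That is the sense in which scrypt is a compatible replacement that adds a property rather than removing one.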


[cryptography] OT: THE GREAT SIM HEIST

2015-02-19 Thread Jeffrey Walton
 https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

AMERICAN AND BRITISH spies hacked into the internal computer network
of the largest manufacturer of SIM cards in the world, stealing
encryption keys used to protect the privacy of cellphone
communications across the globe, according to top-secret documents
provided to The Intercept by National Security Agency whistleblower
Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from
the NSA and its British counterpart Government Communications
Headquarters, or GCHQ. The breach, detailed in a secret 2010
GCHQ document, gave the surveillance agencies the potential to secretly
monitor a large portion of the world’s cellular communications,
including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a
multinational firm incorporated in the Netherlands that makes the
chips used in mobile phones and next-generation credit cards. Among
its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless
network providers around the world. The company operates in 85
countries and has more than 40 manufacturing facilities. One of its
three global headquarters is in Austin, Texas and it has a large
factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is
“Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor
mobile communications without seeking or receiving approval from
telecom companies and foreign governments. Possessing the keys also
sidesteps the need to get a warrant or a wiretap, while leaving no
trace on the wireless provider’s network that the communications were
intercepted. Bulk key theft additionally enables the intelligence
agencies to unlock any previously encrypted communications they had
already intercepted, but did not yet have the ability to decrypt.

As part of the covert operations against Gemalto, spies from GCHQ —
with support from the NSA — mined the private communications of
unwitting engineers and other company employees in multiple countries.

Gemalto was totally oblivious to the penetration of its systems — and
the spying on its employees. “I’m disturbed, quite concerned that this
has happened,” Paul Beverly, a Gemalto executive vice president, told
The Intercept. “The most important thing for me is to understand
exactly how this was done, so we can take every measure to ensure that
it doesn’t happen again, and also to make sure that there’s no impact
on the telecom operators that we have served in a very trusted manner
for many years. What I want to understand is what sort of
ramifications it has, or could have, on any of our customers.” He
added that “the most important thing for us now is to understand the
degree” of the breach.

Leading privacy advocates and security experts say that the theft of
encryption keys from major wireless network providers is tantamount to
a thief obtaining the master ring of a building superintendent who
holds the keys to every apartment. “Once you have the keys, decrypting
traffic is trivial,” says Christopher Soghoian, the principal
technologist for the American Civil Liberties Union. “The news of this
key theft will send a shock wave through the security community.”
...


Re: [cryptography] Just how bad is OpenSSL ?

2015-01-06 Thread Jeffrey Walton
 The source code is mostly written to the OpenSSL coding standards, which
 are seriously different from any other coding standard I've seen (it's
 not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle).  Nonconformance
 with the coding standards in later patches is very common, so it's a
 mishmash of indentation standards on top of that ...

Sorry to dig up an old thread. This seems news worthy for anyone who
has spent time staring at the sources.

[openssl-users] OpenSSL source reformat,
http://openssl.6102.n7.nabble.com/openssl-users-OpenSSL-source-reformat-td55691.html.

On Fri, Oct 26, 2012 at 3:38 PM, Andy Isaacson a...@hexapodia.org wrote:
 On Fri, Oct 26, 2012 at 06:29:47PM +, John Case wrote:
 So, given what is in the stanford report and then reading this rant
 about openssl, I am wondering just how bad openssl is ?  I've never
 had to implement it or code with it, so I really have no idea.

 How long has it been understood that it's a mess (if it is indeed
 a mess) ?  How dangerous is it ?

 It looks like the rant was published in 2009 

 Bad is such a subjective measurement.

 OpenSSL is very very hard for a non-expert to code against.  It's hard
 to figure out what interfaces you should use, what interfaces are well
 tested, what interfaces are known to be unsafe, and what interfaces are
 buggy but can be used safely with careful coding.  It's fairly easy to
 accidentally disable security critical codepaths in the process of
 iterative hmm that doesn't quite work, the docs are unclear, maybe this
 is a bug in my code or maybe a bug in OpenSSL? that is a normal part of
 software development.  If you need to implement anything even slightly
 different from what was expected by the authors.

 The source code is mostly written to the OpenSSL coding standards, which
 are seriously different from any other coding standard I've seen (it's
 not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle).  Nonconformance
 with the coding standards in later patches is very common, so it's a
 mishmash of indentation standards on top of that.  Naming conventions
 sometimes indicate that functions are strictly internal and should not
 be used by applications, but sometimes you have to use an internal API
 to get a necessary result and other times there are clearly internal
 APIs in the public namespace.  I could go on.

 Overall, I would say that yes, OpenSSL is a huge mess for application
 developers.  In that sense, it's very bad.  On the other hand, it's the
 most thoroughly reviewed open source crypto implementation, and hasn't
 had very many security bugs found in the library per se.  Its
 performance is fairly good.  In that sense it's still the best option
 for some use cases.



Re: [cryptography] John Gilmore: Cryptography list is censoring my emails

2015-01-01 Thread Jeffrey Walton
On Thu, Jan 1, 2015 at 1:48 PM, Sadiq Saif li...@sadiqs.com wrote:
 On 1/1/2015 13:40, Adam Back wrote:
 nah what am I thinking probably! 1988 if not earlier, 27 years :)

 The point is block lists suck, they're always blocking false things,
 and vigilante abusive takes 3x longer to take you off than for you to
 complain or unresponsive etc.

 DNSBLs do occasionally get false positives, this is true. In this case,
 it is not really a false positive if spammers are relaying spam through
 your insecure server is it?
Some of them willfully misclassify.

In the past, one of the blacklist services used to escalate the range
of the blacklist surrounding an IP if a provider/ISP did not stop a
spammer. The blacklist range was made ever broader to apply pressure
to the provider/ISP. I'm not sure if it's a current practice.

It got so bad with AT&T in the past, that I could not send emails from
a US federal agency to my home account because the home account was
using one of those blacklists services.  So my home account would
reject the email from the federal agency because the list was expanded
to a Class B or C (IIRC) to apply pressure to AT&T.

Jeff


[cryptography] Misuses/abuses of Sony's compromised root certificate?

2014-12-17 Thread Jeffrey Walton
Has anyone come across any reports of abuse due to Sony's compromised
root? I believe it's named Sony Corp. CA 2 Root?

I did not find it in the Windows 8.1 certificate store. Are any of the
browsers carrying it around?


Re: [cryptography] Question About Best Practices for Personal File Encryption

2014-08-17 Thread Jeffrey Walton
On Sun, Aug 17, 2014 at 12:09 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:
 On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote:

 On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote:
 The comment about Apple is simply false. Apple does not have a key to
 FileVault2 unless you escrow your key with them. I know this because a dear
 friend recently passed, and his family was not able to gain access to his
 encrypted drives through Apple.

   You may be right or may not, but I certainly have to think that
 if there is a backdoor password to Filevault2 it is quite likely that
 Apple would not choose to disclose that fact to just some random user
 who had lost files due to forgotten passwords.

 Right. We don’t know whether Apple escrows the key in the absence of
 people asking them to, but we do know that they do offer to store a
 “recovery” key when someone sets up FileVault2.
Did you know OS X ships the Keychain off to the iCloud in 10.9?
http://www.apple.com/osx/whats-new/#icloud-keychain.

 So an instance of Apple being able to help someone recover their FileVault2
 data proves absolutely nothing.
Did you know Apple did not revoke the defective FileVault2 binary? Who
needs an angry maid when you can downgrade to a defective binary that
spews the user password into a log?
http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963

Jeff


Re: [cryptography] Question About Best Practices for Personal File Encryption

2014-08-16 Thread Jeffrey Walton
On Sat, Aug 16, 2014 at 5:21 PM, Christopher Nielsen
m4dh4t...@gmail.com wrote:
 On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote:

 I have a question for the group, if I may ask it here and in this manner
 (?).

 What are you guys using to encrypt individual files and folders or even
 entire drives like a USB?

 I am thinking that:

 1. any commercial product could be compromised and not completely secure.
 Like Apple’s FileVault2, which Apple has a key to.

 The comment about Apple is simply false. Apple does not have a key to
 FileVault2 unless you escrow your key with them. I know this because a dear
 friend recently passed, and his family was not able to gain access to his
 encrypted drives through Apple.
You can't trust Apple as far as you can pick them up and throw them.
There's nothing special about Apple, and others are just as bad.

Also, less than one month old: Apple Confirms 'Backdoors'; Downplays
Their Severity, http://www.zdziarski.com/blog/?p=3466.

And remember, according to Apple, they were not tracking users either.
Apple faces class action suit for tracking users without consent,
http://nakedsecurity.sophos.com/2014/08/04/apple-faces-class-action-suit-for-tracking-users-without-consent/.

And let's not forget this: Apple deluged by police demands to decrypt
iPhones, 
http://www.cnet.com/news/apple-deluged-by-police-demands-to-decrypt-iphones/.

They've been caught lying so much they have no credibility.

Sorry to hear about your friend. Apple's unwillingness to help
provides them with cover. They can't have documented cases of
circumventing their security controls. That's bad for business.


Re: [cryptography] A post-spy world

2014-08-12 Thread Jeffrey Walton
On Mon, Aug 11, 2014 at 4:52 PM, John Young j...@pipeline.com wrote:
 We are moving toward a post-spy world, according to the guy that runs the
 CIA’s venture capital arm.

 http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver

The video of the keynote is available at
http://www.lawfareblog.com/2014/08/dan-geer-cybersecurity-keynote-at-black-hat/.


Re: [cryptography] Implementing constant-time string comparison

2014-06-19 Thread Jeffrey Walton
On Wed, Jun 18, 2014 at 5:18 PM, D. J. Bernstein d...@cr.yp.to wrote:
 ...
 would be unable to shortcut the loop if the
 arguments were merely declared as pointers to volatile storage

 The compiler would be required to access the storage but would still be
 allowed to skip the intermediate calculations. For example, it could
 convert

int result = 0;
int iszero;
for (i = 0;i < n;++i) result |= (x[i] ^ y[i]);
iszero = (result == 0);
return iszero - 1;

 into

int iszero = 1;
for (i = 0;i < n;++i) if (x[i] ^ y[i]) iszero = 0;
return iszero - 1;

 or into

int iszero = 1;
for (i = 0;i < n;++i) if (x[i] != y[i]) iszero = 0;
return iszero - 1;

 or into

for (i = 0;i < n;++i) if (x[i] != y[i]) goto shortcut;
return 0;
shortcut: while (++i < n) { x[i]; y[i]; }
return -1;

 without violating the C language specification. You're deluding yourself
 if you think that the guarantees made by the C specification are
 adequate for writing constant-time code.

 What's the chance of a compiler screwing things up in this way? This
 isn't a question of language lawyering; it's a question of what the
 compiler writer is thinking. Has the compiler writer seen examples where
 it might seem useful to replace

result = 0; result |= ...; result |= ...; result == 0

 with

iszero = 1; if (...) iszero = 0; if (...) iszero = 0; iszero

 which would then hook nicely into early exits? Sure, the early exits
 should check for volatile memory accesses in the skipped calculations,
 but this doesn't mean that the replacement has to check for volatile.
The GCC folks interpret the standard to mean volatile applies to
memory mapped from hardware. Using it in software to tame the
optimizer is an abuse. [1]

Microsoft compilers, on the other hand, interpret volatile that's
amicable to software (for example, a second thread changing the value
at a memory location). [2]

Jeff

[1] https://gcc.gnu.org/onlinedocs/gcc/Qualifiers-implementation.html
[2] http://msdn.microsoft.com/en-us/library/12a04hfd%28v=vs.100%29.aspx
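The accumulator-style comparison the thread is discussing, as an added example rather than code from Bernstein's message or Jeff's reply. The name `ct_memcmp` is hypothetical. The one thing it adds to the snippets above is an optimization barrier: on GCC and Clang an empty inline `asm` that claims to read and write the accumulator after every iteration (an assumption about the toolchain, with a volatile round trip as the fallback). That does not change what the C standard guarantees, which is Bernstein's point, but it removes the "collapse to an early-exit loop" rewrite from the set of transformations the compiler can prove safe for this program, which is what practitioners rely on today.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Optimization barrier (GCC/Clang inline-asm extension; assumption about
 * the toolchain).  The compiler must assume the asm reads and may modify
 * *v, so it cannot skip the accumulation or hook it to an early exit.
 * Other compilers fall back to a volatile round trip. */
static inline void ct_barrier(uint32_t *v)
{
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : "+r"(*v) : : "memory");
#else
    volatile uint32_t sink = *v;
    *v = sink;
#endif
}

/* Constant-time equality check: 0 when x and y agree on all n bytes,
 * -1 otherwise (the 0 / -1 convention used in the thread).  Every byte
 * is visited and differences are OR-ed together, so the work done does
 * not depend on where the first mismatch sits. */
int ct_memcmp(const void *x, const void *y, size_t n)
{
    const unsigned char *a = (const unsigned char *)x;
    const unsigned char *b = (const unsigned char *)y;
    uint32_t diff = 0;
    size_t i;

    for (i = 0; i < n; ++i) {
        diff |= (uint32_t)(a[i] ^ b[i]);
        ct_barrier(&diff);
    }

    /* Branch-free collapse of diff (0..255) to a single bit: diff - 1 wraps
     * to 0xFFFFFFFF only when diff == 0, so the top bit is 1 iff equal. */
    uint32_t iszero = (diff - 1u) >> 31;
    return (int)iszero - 1;
}

int main(void)
{
    /* Constructed sample tags, compared the way a MAC verifier would. */
    static const unsigned char tag_a[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char tag_b[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char tag_c[4] = { 0xde, 0xad, 0xbe, 0xee };

    printf("a vs b: %d\n", ct_memcmp(tag_a, tag_b, sizeof tag_a));  /* 0  */
    printf("a vs c: %d\n", ct_memcmp(tag_a, tag_c, sizeof tag_a));  /* -1 */
    return 0;
}
```

When the target toolchain matters, the honest check is the generated assembly: compile with optimization and confirm the loop body still contains the OR and no conditional branch on the data.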


Re: [cryptography] new OpenSSL exploitable bug?

2014-06-05 Thread Jeffrey Walton
On Thu, Jun 5, 2014 at 8:17 AM, ianG i...@iang.org wrote:
 Another in the rash of weaknesses.  This might mean that the fabled many
 eyeballs have opened up?

 https://www.openssl.org/news/secadv_20140605.txt

 An attacker using a carefully crafted handshake can force the use of
 weak keying material in OpenSSL SSL/TLS clients and servers. This can be
 exploited by a Man-in-the-middle (MITM) attack where the attacker can
 decrypt and modify traffic from the attacked client and server.


For others interested in how this affects key bits, Rich Salz pointed
to Adam Langley's write up at
https://www.imperialviolet.org/2014/06/05/earlyccs.html. It's the best
write up I have seen.

Jeff


Re: [cryptography] TrueCrypt

2014-05-29 Thread Jeffrey Walton
Does anyone know if Greenwald or Poitras are holding relevant documents?

Dr. Schneier does not have much to add: I have no idea what's going
on with TrueCrypt.

On Wed, May 28, 2014 at 4:35 PM, Sadiq Saif li...@sadiqs.com wrote:
 http://truecrypt.sourceforge.net/
 https://gist.github.com/anonymous/e5791d5703325b9cf6d1
 https://twitter.com/matthew_d_green

 So WTF happened?



[cryptography] OT: Snowden Interview

2014-05-27 Thread Jeffrey Walton
The interview is airing tonight.

http://www.nbcnews.com/storyline/nsa-snooping/exclusive-edward-snowden-gives-wide-ranging-interview-brian-williams-n110351


Re: [cryptography] Best practices for paranoid secret buffers

2014-05-07 Thread Jeffrey Walton
On Tue, May 6, 2014 at 11:56 PM, Tony Arcieri basc...@gmail.com wrote:
 Can anyone point me at some best practices for implementing buffer types for
 storing secrets?

 There are the general coding rules at cryptocoding.net for example, that say
 you should use unsigned bytes and zero memory when you're done, but I'm more
 curious about specific strategies, like:

 - malloc/free + separate process for crypto
I think this is a good idea. I seem to recall the new FIPS 140 will
have some language for it. I also seem to recall something about
Microsoft's CryptNG, but I don't recall the details.

 - malloc/free + mlock/munlock + secure zeroing
On Microsoft platforms, you have `SecureZeroMemory`
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa366877(v=vs.85).aspx).
It is guaranteed *not* to be removed by the optimizer. On Linux, you
have `bzero`, but I'm not sure about any guarantees. On OpenSSL, you
have OpenSSL_cleanse. OpenSSL_cleanse is the most acrobatic of the three.

 - mmap/munmap (+ mlock/munlock)
Keeping secrets out of the page file or swap file can be tricky. VMs
can be trickier.

 Should finalizers be explicit or implicit? (or should an implicit finalizer
 try to make sure buffers are finalized if you don't do it yourself?)
Not all languages have finalizers.

Java has finalizers but tells you to put secrets in a char[] or byte[]
so you can overwrite them manually: See, for example,
http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#PBEEx
(I think that link may be dead now).

For those languages that do provide finalizers, it's sometimes
impossible to ask them to wipe. See, for example,  EditText and
Sensitive Information (Wipe/Zeroize),
https://code.google.com/p/android/issues/detail?id=36233.

 Are paranoid buffers worth the effort? Are the threats they'd potentially
 mitigate realistic? Are there too many other things that can go wrong (e.g.
 rewindable VMs) for this to matter?
I think they are worth the effort. Target's data breach was the result
of (among others): memory scraping malware. At minimum, they cost next
to nothing.

You also have wrapping. That is, a buffer gets a quick dose of XOR to
mask the secrets while in memory but not in use.

.Net's SecureString uses wrapping
(http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.80).aspx),
and NIST has a key wrap for symmetric encryption keys
(http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf).

Maybe the latter would have helped with Heartbleed, too... who knows.

Jeff
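Two of the mechanisms Jeff lists, secure zeroing and XOR wrapping, as an added example that is not from the post and is not OpenSSL's, Microsoft's or .NET's code. `secure_zero`, `secret_buf` and the 32-byte sample values are hypothetical and constructed; the mask would come from the platform CSPRNG in real code and is passed in here so the example runs offline. Page locking (`mlock`) is deliberately left out to keep the block portable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Zeroing the optimizer cannot drop.  A plain memset() on a buffer that is
 * about to go out of scope is a dead store the compiler may delete; writing
 * through a volatile pointer forces every store to be emitted, which is the
 * guarantee SecureZeroMemory and OPENSSL_cleanse give on their platforms. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* A secret held masked while idle.  The secret sits in the clear only
 * between secret_unwrap() and secret_wrap(), so a memory scraper that
 * lands outside that window sees data XOR mask and mask, not the value. */
typedef struct {
    unsigned char data[32];
    unsigned char mask[32];
    int wrapped;
} secret_buf;

static void xor_inplace(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; ++i) dst[i] ^= src[i];
}

/* Store the secret and mask it immediately. */
void secret_init(secret_buf *s, const unsigned char secret[32],
                 const unsigned char mask[32])
{
    memcpy(s->data, secret, 32);
    memcpy(s->mask, mask, 32);
    xor_inplace(s->data, s->mask, 32);
    s->wrapped = 1;
}

void secret_unwrap(secret_buf *s)
{
    if (s->wrapped) { xor_inplace(s->data, s->mask, 32); s->wrapped = 0; }
}

void secret_wrap(secret_buf *s)
{
    if (!s->wrapped) { xor_inplace(s->data, s->mask, 32); s->wrapped = 1; }
}

/* Explicit finalizer.  Returns 1 if every byte of data and mask reads back
 * as zero afterwards. */
int secret_destroy(secret_buf *s)
{
    secure_zero(s->data, sizeof s->data);
    secure_zero(s->mask, sizeof s->mask);
    s->wrapped = 0;
    unsigned char acc = 0;
    for (size_t i = 0; i < 32; ++i) acc |= s->data[i] | s->mask[i];
    return acc == 0;
}

/* Does the in-memory image currently equal the secret? (test helper) */
int secret_matches(const secret_buf *s, const unsigned char secret[32])
{
    return memcmp(s->data, secret, 32) == 0;
}

/* Walk the lifecycle with constructed values; returns 1 if each stage
 * behaves as described above. */
int self_check(void)
{
    unsigned char secret[32], mask[32];
    secret_buf s;
    for (int i = 0; i < 32; ++i) { secret[i] = (unsigned char)i; mask[i] = 0xA5; }

    secret_init(&s, secret, mask);
    if (secret_matches(&s, secret)) return 0;   /* masked image must differ */
    secret_unwrap(&s);
    if (!secret_matches(&s, secret)) return 0;  /* usable while unwrapped */
    secret_wrap(&s);
    if (secret_matches(&s, secret)) return 0;   /* masked again */
    if (!secret_destroy(&s)) return 0;          /* wiped on finalize */
    return 1;
}
```

The wrap/unwrap window is the design decision that matters: it only helps if unwrapped copies are not left behind in temporaries, and it does nothing for a secret that a library call has already copied into its own buffers.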


Re: [cryptography] Request - PKI/CA History Lesson

2014-05-01 Thread Jeffrey Walton
 For me the sentence, “I had little choice but to trust X” is perfectly
 coherent.

 Is it possible that you are letting your righteous anger at what
 browser vendors have done interfere with how you are defining “trust”?

That's the question with the elusive answer: how do you define trust.
One of the better answers I have seen: X trusts Y to do Z.

Plug in PKI: Users trust CAs to abide by their CP and CPS. (Now policy
(CP) and procedures (CPS) need to be accepted).

Nonsensical counter example: Trustwave did not follow their CP, but
they are still trusted. Does not compute...

Jeff

On Fri, May 2, 2014 at 1:41 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:

 On 2014-05-01, at 8:49 PM, ianG i...@iang.org wrote:

 On 1/05/2014 02:54 am, Jeffrey Goldberg wrote:
 On 2014-04-30, at 6:36 AM, ianG i...@iang.org wrote:

 OK. So let me back peddle on “Ann trusts her browser to maintain a list of
 trustworthy CAs” and replace that with “Ann trusts her browser to do
 the right thing”.

 Right, with that caveat about choice.

 I think that we are in fierce agreement. At first
 I didn’t understand the significance of your insistence
 on *choice*, but I see it now. More below.

 In this context, we would claim that users b-trust because they know
 they can switch.  With browsers they cannot switch.

 Their choice is to transmit private information using their browsers.
 Their choice is to not participate in e-commerce.

 Right, there is always in economics some form of substitute.  But
 actually we've probably moved beyond that as a society.

 I would say that e-commerce is utility grade now, so it isn't a
 choice you can really call a choice in competition terms.

 I agree that the behavior in b-trust must be about “choice behavior”
 in that Ann behaves one way instead of another.

 But I don’t think that we should have some minimal threshold of choice
 before can call the behavior b-trust. As long as there is some
 non-zero amount of choice the behavior (in these cases) will exhibit
 a non-zero amount of trust.

 For me the sentence, “I had little choice but to trust X” is perfectly
 coherent.

 Is it possible that you are letting your righteous anger at what
 browser vendors have done interfere with how you are defining “trust”?

 All I’m asking is that we consider the people we are asking to
 “b-trust” the system. Can we build a system that is b-trustworthy
 for the mass of individuals who are not going to make c-trust
 judgements.


 Right, this is the question, how do we do that?

 That is what Certificate Transparency and Perspectives seek to do, as
 well as other thoughts.  First they make the c-trust available by
 setting up alternate groups and paths. Then the c-trusters develop their
 followings of b-trusters.

 I agree with that last bit. In a sense, if people see that experts trust
 the system they will too. But how will this play out with Certificate
 Transparency for most users? What do they actually need to know and do
 to follow some c-trusters?

 There likely needs to be a group of c-trusters in the middle
 that mediate the trust of the b-trusters.

 And how will that work without putting unrealistic expectations on
 the vast majority of users. How do they pick which c-trusters to trust?

 I think that we have a higher chance of success if we use a language that
 can talk about agents who do not have a deep or accurate understanding of
 why a system is supposed to work. And so, I think that, with some 
 refinement,
 my notion of b-trust is worthwhile.


 Yes it could be.  It might not be applicable to web-PKI because the
 vendors confuse “X do the right thing by users” with “X' maintain a good
 CA list”.

 I’m confused. (Perhaps by the vendors?)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Request - PKI/CA History Lesson

2014-04-30 Thread Jeffrey Walton
On Wed, Apr 30, 2014 at 10:07 AM, Marcus Brinkmann
marcus.brinkm...@ruhr-uni-bochum.de wrote:
 On 04/30/2014 02:59 PM, d...@geer.org wrote:


 As is so often found, there are multiple nuanced definitions of a
 word, trust being the word in the current case.

 Simply as a personal definition, trust is that state wherein I accept
 assertions at face value and do so because I have effective recourse
 should having let my guard down later prove to have been unwise.

 Restated as logic,

 If I can trust, then I have effective recourse.

 and in contrapositive

 If I have no effective recourse, then I cannot trust.

 ...
 If you have effective recourse, then by that definition trust is not
 required.
Exactly.

Trust is what is used when you don't have a security control to place.
Or won't place...

Jeff


Re: [cryptography] Request - PKI/CA History Lesson

2014-04-28 Thread Jeffrey Walton
On Mon, Apr 28, 2014 at 8:20 PM, Ryan Carboni rya...@gmail.com wrote:
 One can always start with the difficult first step of uninstalling
 certificate authorities you do not trust.

"Opera will autorepair damage to the certificate repository, a missing
Certificate Authority is considered damage. Opera ships with a list of
frequently used certificates, and if any of these are missing they
will be added the next time the repository is read from disk. Other
certificates will be added from the online repository as needed." -
http://my.opera.com/community/forums/topic.dml?id=1580452

It's not just Opera. Others are using similar innovative methods to
reduce the support load and costs.

Jeff

 On Mon, Apr 28, 2014 at 4:42 PM, ianG i...@iang.org wrote:

 On 29/04/2014 00:12 am, Ryan Carboni wrote:
  trust is outsourced all the time in the non-cryptographic world

 trust is built up all the time, risks are taken all the time, choice is
 taken all the time.

  unless you do not have a bank account

 That's not outsourced, that's direct, person to bank, the person has a
 choice, chooses to place her trust in that bank.  Also, it is limited to
 defined things that are required, can't be done by the person, and
 bolstered by real backing such as FDIC.

 When you suggest "it's probably best we trust authorities" that is
 CA-playbook crapola meaning you must trust the authorities that have
 been picked for you.  The vector has been reversed, people are told
 what has to happen, so there is no trust.

 Trust derives from choice.  Where is the choice?

  On Mon, Apr 28, 2014 at 3:00 PM, James A. Donald jam...@echeque.com
  mailto:jam...@echeque.com wrote:
 
  On 2014-04-29 05:58, Ryan Carboni wrote:
 
  We happen to live on a planet where most users are ordinary
  users.
 
 
  given the extent of phishing, it's probably best we outsource
  trust to
  centralized authorities.
  Although it should be easier establishing your own certificate
  authority.
 
  Cannot outsource trust. Ann usually knows more about Bob than a
  distant authority does.  A certificate authority does not certify
  that Bob is trustworthy, but that his name is Bob.
 
  In practice, however we find that diverse entities have very similar
  names, and a single entity may have many names.


[cryptography] OT: Speeding up and strengthening HTTPS connections for Chrome on Android

2014-04-25 Thread Jeffrey Walton
Somewhat off-topic, but Google took ChaCha20/Poly1305 live.

http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html

Earlier this year, we deployed a new TLS cipher suite in Chrome that
operates three times faster than AES-GCM on devices that don’t have
AES hardware acceleration, including most Android phones, wearable
devices such as Google Glass and older computers. This improves user
experience, reducing latency and saving battery life by cutting down
the amount of time spent encrypting and decrypting data.

To make this happen, Adam Langley, Wan-Teh Chang, Ben Laurie and I
began implementing new algorithms -- ChaCha 20 for symmetric
encryption and Poly1305 for authentication -- in OpenSSL and NSS in
March 2013. It was a complex effort that required implementing a new
abstraction layer in OpenSSL in order to support the Authenticated
Encryption with Associated Data (AEAD) encryption mode properly. AEAD
enables encryption and authentication to happen concurrently, making
it easier to use and optimize than older, commonly-used modes such as
CBC. Moreover, recent attacks against RC4 and CBC also prompted us to
make this change.

...


[cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years

2014-04-11 Thread Jeffrey Walton
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send sensitive information, now
dubbed the Heartbleed bug, and regularly used it to gather critical
intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national
security interests threatens to renew the rancorous debate over the
role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s
history, a flaw in the basic security of as many as two-thirds of the
world’s websites. Its discovery and the creation of a fix by
researchers five days ago prompted consumers to change their
passwords, the Canadian government to suspend electronic tax filing
and computer companies including Cisco Systems Inc. to Juniper
Networks Inc. to provide patches for their systems.
...


[cryptography] Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

2014-04-10 Thread Jeffrey Walton
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

Yesterday afternoon, Ars Technica published a story reporting two
possible logs of Heartbleed attacks occurring in the wild, months
before Monday's public disclosure of the vulnerability. It would be
very bad news if these stories were true, indicating that blackhats
and/or intelligence agencies may have had a long period when they knew
about the attack and could use it at their leisure.

In response to the story, EFF called for further evidence of
Heartbleed attacks in the wild prior to Monday. The first thing we
learned was that the SeaCat report was a possible false positive; the
pattern in their logs looks like it could be caused by ErrataSec's
masscan software, and indeed one of the source IPs was ErrataSec.

The second log seems much more troubling. We have spoken to Ars
Technica's second source, Terrence Koeman, who reports finding some
inbound packets, immediately following the setup and termination of a
normal handshake, containing another Client Hello message followed by
the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs
from November 2013. These bytes are a TLS Heartbeat with contradictory
length fields, and are the same as those in the widely circulated
proof-of-concept exploit.
...
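
The record shape the EFF article quotes (18 03 02 00 03 01 40 00) is easy to flag from a packet capture: the heartbeat's declared payload length cannot fit in the TLS record that carries it. The following detector is an added example, not code from the article or the post; apart from the quoted bytes, the sample records are constructed for the demonstration.

```python
"""Classify TLS records and flag heartbeats whose declared payload length
cannot fit in the record (the Heartbleed trigger shape)."""
import struct

TLS_HEARTBEAT = 0x18        # record content type "heartbeat" (RFC 6520)
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
MIN_PADDING = 16            # RFC 6520: padding_length MUST be at least 16

# The bytes quoted from the EFF article: type 0x18, TLS 1.1, record length 3,
# heartbeat request, payload length 0x4000 = 16384 (far larger than the record).
QUOTED_HEARTBEAT = bytes.fromhex("18 03 02 00 03 01 40 00")
# Constructed for this example: a well-formed heartbeat carrying 'abc'
# with the minimum 16 bytes of padding (1 + 2 + 3 + 16 = 22 = 0x16).
BENIGN_HEARTBEAT = bytes.fromhex("18 03 02 00 16 01 00 03") + b"abc" + bytes(16)
# Constructed: a two-byte handshake record, present only to show the
# scanner skipping non-heartbeat traffic.
HANDSHAKE_RECORD = bytes.fromhex("16 03 01 00 02 ab cd")


def classify_tls_record(record: bytes) -> str:
    """Return a verdict for one TLS record as seen on the wire.

    'truncated'                  capture holds less than the header promises
    'not-heartbeat'              some other content type
    'heartbeat-unknown-type'     type byte is neither request nor response
    'heartbeat-length-mismatch'  declared payload + padding exceeds the record
    'heartbeat-ok'               lengths are consistent
    """
    if len(record) < 5:
        return "truncated"
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + record_len]
    if len(body) < record_len:
        return "truncated"
    if record_len < 3:
        # Not even room for the heartbeat type and the 2-byte payload length.
        return "heartbeat-length-mismatch"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "heartbeat-unknown-type"
    # The bounds check the patched OpenSSL performs before echoing the payload:
    # type (1) + length (2) + payload + minimum padding must fit in the record.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return "heartbeat-length-mismatch"
    return "heartbeat-ok"


def scan_records(stream: bytes) -> list:
    """Walk back-to-back TLS records in a captured byte stream and classify each."""
    verdicts = []
    offset = 0
    while offset + 5 <= len(stream):
        record_len = struct.unpack("!H", stream[offset + 3:offset + 5])[0]
        record = stream[offset:offset + 5 + record_len]
        verdicts.append(classify_tls_record(record))
        if len(record) < 5 + record_len:
            break                       # capture ended mid-record
        offset += 5 + record_len
    return verdicts


if __name__ == "__main__":
    capture = BENIGN_HEARTBEAT + HANDSHAKE_RECORD + QUOTED_HEARTBEAT
    for i, verdict in enumerate(scan_records(capture)):
        print(f"record {i}: {verdict}")
```

The check works on the plaintext record layer, so it is only meaningful for heartbeats sent before the handshake completes (as in the article's description) or after decryption at the endpoint.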


Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread Jeffrey Walton
On Tue, Apr 8, 2014 at 6:46 AM, ianG i...@iang.org wrote:
 On 7/04/2014 22:53 pm, Edwin Chu wrote:
 ...
 E.g., if we cannot show any damages from this breach, it isn't worth
 spending a penny on it to fix!  Yes, that's outrageous and will be
 widely ignored ... but it is economically and scientifically sound, at
 some level.
This system works great for the firms involved.

The first data breach I was part of, it cost me over $10,000 to fix. I
did not find out until I had judgements against me, and the collection
agencies came after me.

The latest breach I got sucked into only involved a compromised credit
card, so it only cost me $75 to have a new one shipped to me while I
was out of town (I only have one credit card).

Saving those pennies has worked out great for me. I'm glad the
executives got their bonuses and the stock holders got their
dividends.

Jeff


Re: [cryptography] Client certificates, Tor-exit nodes and renegotiation

2014-04-03 Thread Jeffrey Walton
On Thu, Apr 3, 2014 at 4:41 AM, Guido Witmond gu...@witmond.nl wrote:
 On 04/03/14 01:31, Ryan Carboni wrote:
 hackers will always take the path of least resistance as rational human
 beings
 you will see more trojans in the wild as a result of this

 Agreed, when passive spying is impossible, spies go for active attacks.

 Current operating systems (Windows, Linux, MacOS) are not designed to
 protect against trojan horses.

 Android does slightly better with its permission model. However, it
 forces people to think like programmers to decide whether a certain
 permission is needed for an app or not. Adding to the problem you mention.
Android is all-or-nothing perms/caps at install time. You can't
selectively turn off, for example, access to the network and address
book for the flashlight app. Gutmann pokes fun at the model in his
Engineering Security book.

Selective enable/disable of perms/caps was recently added to Android
via App Ops in 4.3. App Ops continued for a while in Android 4.4, but
was removed in Android 4.4.2. See "Google Removes Vital Privacy
Feature From Android, Claiming Its Release Was Accidental",
https://www.eff.org/deeplinks/2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them.

Apple and Microsoft allow selective perms/caps at runtime.

Jeff


Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets

2014-03-13 Thread Jeffrey Walton
On Thu, Mar 13, 2014 at 1:57 AM, coderman coder...@gmail.com wrote:
 https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf

 TAO implants were deployed via QUANTUMINSERT to targets that were
 un-exploitable by _any_ other means.

And Schneier's Guardian article on the Quantum and FoxAcid systems:
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.


Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets

2014-03-13 Thread Jeffrey Walton
On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone jason.iann...@gmail.com wrote:
 Are there details regarding Hammerstein?  Are they actually breaking
 routers?
Cisco makes regular appearances on Bugtraq and Full Disclosure. Pound
for pound, there's probably more exploits for Cisco gear than Linux
and Windows combined.

Jeff

 On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton noloa...@gmail.com wrote:

 On Thu, Mar 13, 2014 at 1:57 AM, coderman coder...@gmail.com wrote:
 
  https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf
 
  TAO implants were deployed via QUANTUMINSERT to targets that were
  un-exploitable by _any_ other means.
 
 And Schneier's Guardian article on the Quantum and FoxAcid systems:

 http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.


Re: [cryptography] Comsec as Public Utility Beyond Illusory Privacy

2014-03-13 Thread Jeffrey Walton
 Freedom of comsec, say, as a new entry in the US Bill of Rights
 could lead the way for it to be a fundamental element of Human
 Rights.
The Right to Privacy by Warren and Brandeis (1890) FTW!

 NSA's ubiquitous spying on everybody at home and elsewhere
 with technology beyond accountability does raise the chances of
 getting agreement of all targets -- gov, com, edu, org -- to say
 enough is enough, national security has become a catchall for
 inexcusable invasion of the public realm.
Privacy is a human right in some parts of the world. See, for example,
European Convention on Human Rights, Article 8.

I wonder if anyone will be prosecuted for their human rights
violations... I say hunt them all down like Nazi war criminals. Once a
few politicians and top administration officials are executed, the rest
will fall into place (one thing we *can* count on is a politician is
out for himself/herself).

Jeff

On Thu, Mar 13, 2014 at 9:59 AM, John Young j...@pipeline.com wrote:
 Snowden may have raised the prospect of comsec as a public utility
 like power, water, gas, sewage, air quality, environmental protection
 and telecommunications. Privacy protection has been shown to be
 illusory at best, deceptive at worst, due to the uncontrollable
 technology applied erroneously for national security.

 Each of the other public utilities began as private offerings before
 becoming commercialized and then institutionalized as necessities,
 many eventually near or wholly monopolies.

 Each also evolved into military targets for control, contamination,
 destruction, and in some cases excluded as too essential for
 civilian livelihood to target.

 Comsec as a right for human discourse rather than a commercial
 service could enforce privacy beyond easy violation for official
 and commercial purposes.

 Freedom of comsec, say, as a new entry in the US Bill of Rights
 could lead the way for it to be a fundamental element of Human
 Rights.

 The problem will be as ever the commercial and governmental
 exploiters aiming to protect their interests against that of
 the public.

 FCC and NIST, indeed, the three branches, are hardly reliable to
 pursue this, so beholden to the spy agencies they cannot be trusted.

 NSA's ubiquitous spying on everybody at home and elsewhere
 with technology beyond accountability does raise the chances of
 getting agreement of all targets -- gov, com, edu, org -- to say
 enough is enough, national security has become a catchall for
 inexcusable invasion of the public realm.



[cryptography] OT: Possible Backdoor in SSL/TLS Implementation

2014-02-22 Thread Jeffrey Walton
Related to the earlier threads "Design Strategies for Defending
against Backdoors" and "Backdoors in software".

https://www.imperialviolet.org/2014/02/22/applebug.html


Re: [cryptography] Snowden Drop to Poitras and Greenwald Described

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 6:28 PM, John Young j...@pipeline.com wrote:
 http://cryptome.org/2014/02/snowden-drop.pdf (7.6MB)

That should be titled, "How Greenwald nearly missed the scoop of the
millennium." It appears the man did nearly everything in his power to
undermine the contacts and the meetings.


Re: [cryptography] NSA, FBI creep rule of law, democracy itself (Re: To Protect and Infect Slides)

2014-01-07 Thread Jeffrey Walton
(Sorry to top post - I want to cherry pick one point).

 What is a game changer is the relationship between the NSA and the other
 USA civilian agencies.  The breach of the civil/military line is the one
 thing that has sent the fear level rocketing sky high,
Information sharing among agencies such as the FBI and CIA was written
into the original NSA charter back in the 1950s. In fact, some would
argue the failure to abide by the charter with respect to information
sharing contributed to 9/11.

From the charter (http://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter):

b. The Board shall be composed of the following
members:
 (1) The Director of Central Intelligence, who shall be
 the Chairman of the Board.
 (2) A representative of the Secretary of State.
 (3) A representative of the Secretary of Defense.
 (4) A representative of the Director of the Federal
 Bureau of Investigation.
 (5) The Director of the National Security Agency.
 (6) A representative of the Department of the Army.
 (7) A representative of the Department of the Navy.
 (8) A representative of the Department of the Air Force.
 (9) A representative of the Central Intelligence Agency.

Jeff

On Tue, Jan 7, 2014 at 10:24 AM, Adam Back a...@cypherspace.org wrote:
 This is indeed an interesting and scary question:

 On Sun, Jan 05, 2014 at 08:31:42PM +0300, ianG wrote:

 What is a game changer is the relationship between the NSA and the other
 USA civilian agencies.  The breach of the civil/military line is the one
 thing that has sent the fear level rocketing sky high, as there is a
 widespread suspicion that the civil agencies cannot be trusted to keep their
 fingers out of the pie.  AKA systemic corruption.  If allied to national
 sigint capabilities, we're in a world of pain.

 Question:  Is there anything that can put some meatmetrics on how
 developed and advanced this relationship is, how far the poison has spread?
 How afraid should people in America be?


 maybe the most interesting and portentous shift in power towards
 Orwellianism and totalitarianism in a century, as it affects the
 effectiveness of rule of law, and already weak separation of politics from
 law enforcement and justice system in the (current though slipping)
 super-power with unfortunate aspirations of extra-territorialism and
 international bullying.  We're still a few decades from the cross over of
 financial dominance to Asia and BRICs, and most of those places are probably
 worse than the US by aspiration if that's possible, though less internet
 spying budget and capability.  Unless something shapes up towards democracy
 in the super-power competitors we're in for a dismal century seemingly.

 That the NSA, and now seemingly FBI, see this I think maybe this FBI mission
 creep suggests the national security / law enforcement separation is
 slipping badly:

 http://news.slashdot.org/story/14/01/07/0015255/fbi-edits-mission-statement-removes-law-enforcement-as-primary-purpose

 | Following the 9/11 attacks, the FBI picked up scores of new
 | responsibilities related to terrorism and counterintelligence while
 | maintaining a finite amount of resources.  What's not in question is that
 | government agencies tend to benefit in numerous ways when considered
 | critical to national security as opposed to law enforcement.  'If you tie
 | yourself to national security, you get funding and you get exemptions on
 | disclosure cases,' said McClanahan.  'You get all the wonderful arguments
 | about how if you don't get your way, buildings will blow up and the
 | country will be less safe.'

 so if even the FBI are getting their nose into the tent of unfettered access
 to historical data on everyone, plus informal channels and tip-offs on
 dirt on politically unpopular people - eg say effective security
 researchers like Appelbaum, or effective journalists like Greenwald.  (No
 foreigners don't feel very comforted, and the explicit acknowledgment of
 tip-offs, and information channels to US domestic and international law
 enforcement, basically puts the entire planet at risk of politically
 motivated interference.)

 With retroactive search of your entire life's electronic foot print including
 every encrypted IM, skype voip channel, contacts, emails, attorney client
 privileged and not, with no warrant or evidence presented to a judge for
 subpoena, the Orwell 2.0 system can probably fabricate or concoct trouble
 for 99% of the adult population of the planet.  George Orwell 30 years late.

 We're pretty close to fucked as a civilization unless something pretty
 radical shifts in the political thinking and authorizations.  And
 realistically it's not even clear the NSA can politically be controlled
 anymore by the political system.  It's very hard to influence something with
 that much skull-duggery built into its DNA, that many 10s of billions in
 outsourced defense contractor lobbying power, that much inertia and 

Re: [cryptography] pie in sky suites - long lived public key pairs for persistent identity

2014-01-04 Thread Jeffrey Walton
On Sat, Jan 4, 2014 at 4:26 AM, ianG i...@iang.org wrote:
 On 3/01/14 22:42 PM, coderman wrote:

 use case is long term (decade+) identity rather than privacy or
 session authorization.
 ...

 Which in today's world is pointing to the phone.   If we're talking the
 identity on the phone, we're now talking about 2 or more things,
 horizontally:  an app by itself, or an app that integrates vertically with
 the telco (SIM card).  We can also bifurcate vertically with Apple v.
 Android, and also-rans.
That may be moving to a single Yubikey. See "Google U2F (Gnubby):
Overview for Partners",
https://docs.google.com/presentation/d/16mB3Nptab1i4-IlFbn6vfkWYk-ozN6j3-fr7JL8XVyA/
(thanks AR).

Jeff


Re: [cryptography] To Protect and Infect Slides

2014-01-01 Thread Jeffrey Walton
On Wed, Jan 1, 2014 at 7:22 AM, coderman coder...@gmail.com wrote:
 On Wed, Jan 1, 2014 at 3:56 AM, Ralph Holz h...@net.in.tum.de wrote:
 Hi Jake,

 Ian Grigg just made a point on metzdowd that I think is true: if you
 want to change the NSA, you need to address the [...]
 [... money] Because the chain goes like this:

 corporate money - election campaigns - representatives - NSA


 it should be noted that corporate money influence is currently aimed
 at privacy eroding efforts in myriad manner.
In the US, I believe Step 1 is to recognize citizens' Right to
Privacy. Step 2 applies to the US and abroad, and it's to recognize a
Right to be Forgotten.

The US is well behind the curve for the first step considering privacy
is a right in many places like Europe. That's what makes the US
activities so egregious: these are human rights violations, and not
merely minor transgressions.

Jeff


Re: [cryptography] New Hand Cipher - The Drunken Bishop

2013-12-26 Thread Jeffrey Walton
On Thu, Dec 26, 2013 at 2:44 PM, Aaron Toponce aaron.topo...@gmail.com wrote:
 ... I've thought of incorporating
 Blum Blum Shub into the algorithm, but then the cipher is getting decidedly
 difficult to execute by hand.
BBS is not practical in practice due to the size of the moduli
required. You could probably go outside, take an atmospheric reading,
and then run it through sha1 quicker. See, for example,
http://crypto.stackexchange.com/questions/3454/blum-blum-shub-vs-aes-ctr-or-other-csprngs.

Jeff


Re: [cryptography] Can we move to a forum, please?

2013-12-25 Thread Jeffrey Walton
On Thu, Dec 26, 2013 at 12:59 AM, Eric Mill e...@konklone.com wrote:
 ...
 I've been distantly watching http://www.discourse.org and I like their
 vision. I believe they allow, or want to allow, email-only interaction. I
 don't know if it does, and I don't know if Discourse is easy to set up, or
 appropriate for the task.
From their page: "Log in with … anything." I suppose that means one
must share all their selected account details with the folks providing
the service. Some of the more egregious require access to contacts to
send personalized spam. (I don't believe I've found one yet that's
happy with just being a relying party and only using the email address
provider assertion).

Jeff


[cryptography] Practical malleability attack against CBC-Encrypted LUKS partitions

2013-12-22 Thread Jeffrey Walton
[Originally sent to Full Disclosure]

http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

I. Abstract

The most popular full disk encryption solution for Linux is LUKS
(Linux Unified Key Setup), which provides an easy to use encryption
layer for block devices. By default, newly generated LUKS devices are
set up with 256-bit AES in CBC mode. Since there is no integrity
protection/checksum, it is obviously possible to destroy parts of
plaintext files by changing the corresponding ciphertext blocks.
Nevertheless many users expect the encryption to make sure that an
attacker can only change the plaintext to an unpredictable random
value. The CBC mode used by default in LUKS however allows some more
targeted manipulation of the plaintext file given that the attacker
knows the original plaintext. This article demonstrates how this can
be used to inject a full remote code execution backdoor into an
encrypted installation of Ubuntu 12.04 created by the alternate
installer (the default installer of Ubuntu 12.04 doesn’t allow setting
up full disk encryption).
...


[cryptography] Exclusive: Secret contract tied NSA and security industry pioneer

2013-12-20 Thread Jeffrey Walton
(Thanks to PF on another list)

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

(Reuters) - As a key part of a campaign to embed encryption software
that it could crack into widely used computer products, the U.S.
National Security Agency arranged a secret $10 million contract with
RSA, one of the most influential firms in the computer security
industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the
NSA created and promulgated a flawed formula for generating random
numbers to create a back door in encryption products, the New York
Times reported in September. Reuters later reported that RSA became
the most important distributor of that formula by rolling it into a
software tool called Bsafe that is used to enhance security in
personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that
set the NSA formula as the preferred, or default, method for number
generation in the BSafe software, according to two sources familiar
with the contract. Although that sum might seem paltry, it represented
more than a third of the revenue that the relevant division at RSA had
taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had
shocked some in the close-knit world of computer security experts. The
company had a long history of championing privacy and security, and it
played a leading role in blocking a 1990s effort by the NSA to require
a special chip to enable spying on a wide range of computer and
communications products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged
customers to stop using the NSA formula after the Snowden disclosures
revealed its weakness.

RSA and EMC declined to answer questions for this story, but RSA said
in a statement: "RSA always acts in the best interest of its customers
and under no circumstances does RSA design or enable any back doors in
our products. Decisions about the features and functionality of RSA
products are our own."

The NSA declined to comment.

The RSA deal shows one way the NSA carried out what Snowden's
documents describe as a key strategy for enhancing surveillance: the
systematic erosion of security tools. NSA documents released in recent
months called for using "commercial relationships" to advance that
goal, but did not name any security companies as collaborators.

The NSA came under attack this week in a landmark report from a White
House panel appointed to review U.S. surveillance policy. The panel
noted that encryption is "an essential basis for trust on the
Internet," and called for a halt to any NSA efforts to undermine it.

Most of the dozen current and former RSA employees interviewed said
that the company erred in agreeing to such a contract, and many cited
RSA's corporate evolution away from pure cryptography products as one
of the reasons it occurred.

But several said that RSA also was misled by government officials, who
portrayed the formula as a secure technological advance.

"They did not show their true hand," one person briefed on the deal
said of the NSA, asserting that government officials did not let on
that they knew how to break the encryption.

STORIED HISTORY

Started by MIT professors in the 1970s and led for years by ex-Marine
Jim Bidzos, RSA and its core algorithm were both named for the last
initials of the three founders, who revolutionized cryptography.
Little known to the public, RSA's encryption tools have been licensed
by most large technology companies, which in turn use them to protect
computers used by hundreds of millions of people.

At the core of RSA's products was a technology known as public key
cryptography. Instead of using the same key for encoding and then
decoding a message, there are two keys related to each other
mathematically. The first, publicly available key is used to encode a
message for someone, who then uses a second, private key to reveal it.

From RSA's earliest days, the U.S. intelligence establishment worried
it would not be able to crack well-engineered public key cryptography.
Martin Hellman, a former Stanford researcher who led the team that
first invented the technique, said NSA experts tried to talk him and
others into believing that the keys did not have to be as large as
they planned.

The stakes rose when more technology companies adopted RSA's methods
and Internet use began to soar. The Clinton administration embraced
the Clipper Chip, envisioned as a mandatory component in phones and
computers to enable officials to overcome encryption with a warrant.

RSA led a fierce public campaign against the effort, distributing
posters with a foundering sailing ship and the words "Sink Clipper!"

A key argument against the chip was that overseas buyers would shun
U.S. technology products if they were ready-made for spying. Some
companies say that is just what has happened in the wake 

[cryptography] Diffie-Hellman Params Best Practice on Web Server?

2013-12-08 Thread Jeffrey Walton
Hi All,

Is there a best practice for Diffie-Hellman parameters (p, g, and q)
used on a web server?

The server is using ephemeral keys, but should the parameters be
rotated on a regular basis ? Is it OK for the server to keep them
fixed for years (in the source code)? Or should they be generated
uniquely for each site?

This server does not appear to be under NIST and FIPS, so I don't
believe they need to be fixed for compliance.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
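Whatever rotation policy a server adopts, the parameters it loads (fixed in source or freshly generated) and the public values it receives should be checked. The following is an added example for this thread, not code posted on the list or taken from any project: stdlib-only Python that generates a safe-prime group, validates the group once at startup, validates each peer public value per handshake, and runs one ephemeral exchange. The group is generated at 128 bits so the script runs quickly; real deployments use 2048-bit or larger groups. The helper names are made up for the example.

```python
"""Added example (not from the thread or any project): checks a web server
can run on Diffie-Hellman parameters, whether they are fixed in source or
rotated. Stdlib only. The group is generated at 128 bits so the script runs
in well under a second; real servers use 2048-bit or larger groups."""
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # definite witness of compositeness
    return True


def generate_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 and both prime. In such a group the
    squares form a subgroup of prime order q, so g = 4 always generates it."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def validate_group(p, g, q):
    """What a server should verify once about its (possibly hard-coded) parameters:
    p and q prime, q divides p-1, and g generates exactly the order-q subgroup."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0 or not 1 < g < p - 1:
        return False
    return pow(g, q, p) == 1


def validate_peer_public(y, p, q):
    """Per-handshake check on the other side's public value: in range and in the
    order-q subgroup, which rejects 0, 1, p-1 and other small-subgroup elements."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_exchange(p, g, q):
    """One ephemeral exchange; both sides validate before deriving the shared secret."""
    a = 2 + secrets.randbelow(q - 2)            # private exponents in [2, q-1]
    b = 2 + secrets.randbelow(q - 2)
    ya, yb = pow(g, a, p), pow(g, b, p)
    if not (validate_peer_public(ya, p, q) and validate_peer_public(yb, p, q)):
        return False
    return pow(yb, a, p) == pow(ya, b, p)


if __name__ == "__main__":
    p, q = generate_safe_prime(128)
    print("group (p, 4, q) valid:", validate_group(p, 4, q))
    # g = 2 generates the order-q subgroup only when p = 7 (mod 8)
    print("g = 2 valid:", validate_group(p, 2, q), "p mod 8 =", p % 8)
    print("p-1 rejected as peer value:", not validate_peer_public(p - 1, p, q))
    print("exchange agrees:", dh_exchange(p, 4, q))
```

The g = 2 line is why the generator check matters even for a correct safe prime: 2 is a quadratic residue, and so lies in the order-q subgroup, only when p is 7 mod 8; otherwise it has order 2q and leaks one bit of the private exponent. Running validate_group at startup catches a mismatched (p, g) pair regardless of how often the parameters are rotated.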


Re: [cryptography] [Cryptography] Email is unsecurable

2013-11-27 Thread Jeffrey Walton
On Wed, Nov 27, 2013 at 3:34 PM, Nico Williams n...@cryptonector.com wrote:
 On Wed, Nov 27, 2013 at 08:01:19PM +, Stephen Farrell wrote:
 On 11/27/2013 06:58 PM, Nico Williams wrote:
  [...]


 The problem with DANE is the lack of DNSSEC. If we had both [...]

 When I refer to DANE, I also mean that DNSSEC must be there.  We're
 getting there.
Isn't the key distribution problem being pushed into DNS? The
underlying problem still exists.

Perhaps we could have higher confidence in DNS if it was not
controlled by the US. A diversification strategy won't work when 10 or
so of the 13 servers are required to give bad answers. That is, cross
checking A (Verisign) with, for example, E, F, G, and H (ISC, GOV and
DoD) won't validate anything.

And getting an authentic answer from a non-US controlled server is
another problem altogether.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


[cryptography] Lavabit-DOJ dispute zeroes in on encryption key ownership

2013-11-15 Thread Jeffrey Walton
http://www.computerworld.com/s/article/9244057/Lavabit_DOJ_dispute_zeroes_in_on_encryption_key_ownership

The government's insistence, in its dispute with Lavabit, that cloud
service providers hand over their encryption keys when asked, has
refocused attention on key ownership and management in the cloud.

Security experts agree that the best way for companies to ensure that
their data is safe from snooping eyes in the cloud is to encrypt all
their data and to maintain total ownership of the encryption keys.
However, pulling off that feat is not always easy, practical or cheap.

Lavabit, a provider of secure hosted email services, shut down
operations in August citing concerns that the FBI was coercing it into
divulging personal information on its customers.

Founder Ladar Levison claimed at the time that he would rather shut
down the company than be part of what he described as crimes against
the American people. His actions were prompted by government demands
for his company's private Secure Sockets Layer (SSL) keys for
decrypting email communications believed to belong to former NSA
contract worker-turned document leaker Edward Snowden.

Levison maintained that the keys would allow the government to unlock
all encrypted communications belonging to Lavabit's users. He claimed
the government's request was similar to someone asking for the master
key to open all the rooms in a hotel, when all that was needed was
access to a single room.

After initially digging in his heels and getting slapped with a
$10,000 fine by a federal court, Levison finally hand-delivered a disk
containing the keys to the FBI in August.

The U.S. Department of Justice accused Levison of compromising its
investigation by shutting down the company and going public with his
complaints. In a motion filed in the U.S. Court of Appeals for the
Fourth Circuit this week, the DOJ maintained that Levison did not have
the right to thwart the government's legitimate surveillance
activities by shutting down the service altogether.

The DOJ angrily dismissed Levison's "parade of hypotheticals"
regarding the actions the government could take with the encryption
keys and likened his actions to that of a business locking its front
gate to thwart execution of a search warrant.

The situation shows why companies that want to protect their data in
the cloud need to encrypt everything and maintain full control of the
encryption keys.

"This disclosure issue at Lavabit is one very good example of an
organization's inability to maintain ownership and control of data in
traditional cloud computing environments," said Elad Yoran, CEO of
Vaultive, a vendor of cloud encryption technologies. "If a third party
can turn our data over without our knowledge or authorization, do we
really own or control our data in the cloud?" he said.

If a company maintains its own encryption keys, the government will
need to make a legal request for the keys with the company and not the
cloud provider, he said. "Otherwise, all they would get from the cloud
provider would be encrypted useless gibberish," he said. "This puts
the power of ownership back into the hands of businesses."
...
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


[cryptography] Password Blacklist that includes Adobe's Motherload?

2013-11-13 Thread Jeffrey Walton
Hi All,

Is anyone aware of a blacklist that includes those 150 million records
from Adobe's latest breach?

I tried finding a list and was not successful. Bonus points if
implemented as a bloom filter (I'm interested in seeing how small that
list can be in practice, and I'd like to use it for its small
footprint).

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
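On the "how small can it be" question: the size of a Bloom filter is fixed by the item count and the false-positive rate you accept, not by the length of the passwords. The following is an added example, not code from the thread or from any project: a stdlib Python Bloom filter for a password blacklist with the standard sizing formulas, derived hash indices from a single SHA-256 digest, and a constructed six-entry blacklist standing in for the breach dump. Class and function names are made up for the example.

```python
"""Added example (not from the thread): Bloom-filter password blacklist.

Sizing uses the standard formulas m = -n ln(p) / (ln 2)^2 bits and
k = (m / n) ln 2 hash functions for n items at false-positive rate p.
The k indices come from one SHA-256 digest via double hashing, so no
per-function hash implementations are needed. A Bloom filter has no false
negatives: every password that was added is always reported as present."""
import hashlib
import math


def bloom_size(n_items, fp_rate):
    """Return (m_bits, k_hashes) for n items at the target false-positive rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round((m / n_items) * math.log(2)))
    return m, k


class PasswordBloomFilter:
    def __init__(self, n_items, fp_rate=1e-3):
        self.m, self.k = bloom_size(n_items, fp_rate)
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, password):
        # Kirsch-Mitzenmacher double hashing: h1 + i*h2 for i in 0..k-1,
        # both halves taken from one 256-bit digest.
        digest = hashlib.sha256(password.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1      # odd, hence never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, password):
        for idx in self._indices(password):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, password):
        return all(self.bits[idx >> 3] & (1 << (idx & 7))
                   for idx in self._indices(password))

    def size_bytes(self):
        return len(self.bits)


# Constructed sample blacklist; a real one would hold the breached passwords.
SAMPLE_BLACKLIST = ["123456", "password", "qwerty", "adobe123", "photoshop", "letmein"]


def build_sample_filter(fp_rate=1e-3):
    bf = PasswordBloomFilter(len(SAMPLE_BLACKLIST), fp_rate)
    for pw in SAMPLE_BLACKLIST:
        bf.add(pw)
    return bf


def false_positive_count(bf, probes):
    """How many never-added probes the filter reports as present."""
    return sum(1 for probe in probes if probe in bf)


if __name__ == "__main__":
    m, k = bloom_size(150_000_000, 1e-3)
    print(f"150M passwords at 0.1% FP: {m / 8 / 2**20:.0f} MiB, k = {k}")
    bf = build_sample_filter()
    print("all blacklisted present:", all(pw in bf for pw in SAMPLE_BLACKLIST))
    print("false positives in 1000 probes:",
          false_positive_count(bf, [f"probe-{i}" for i in range(1000)]))
```

For 150 million entries at a 0.1% false-positive rate the formulas give about 2.16 billion bits, roughly 257 MiB, with k = 10; relaxing to 1% cuts that to about 171 MiB. For a blacklist a false positive only means a user is asked for a different password, so a fairly loose rate is acceptable.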


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-11-08 Thread Jeffrey Walton
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell b...@scannell.org wrote:
 This Daily Beast story on Causa Snowden 
 (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
  contains the following sentence:

 Last week NSA Director Keith Alexander told the House Permanent Select 
 Committee on Intelligence that Snowden was able to access files inside the 
 NSA by fabricating digital keys that gave him access to areas he was not 
 allowed to visit as a low-level contractor and systems administrator. 

Snowden persuaded other NSA workers to give up passwords,
http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] the spell is broken

2013-10-05 Thread Jeffrey Walton
On Sat, Oct 5, 2013 at 3:13 PM, Erwann Abalea eaba...@gmail.com wrote:

 2013/10/4 Paul Wouters p...@cypherpunks.ca

 [...]
 People forget the NSA has two faces. One side is good.  NIST and FIPS
 and NSA are all related. One lesson here might be, only use FIPS when
 the USG requires it. That said, a lot of FIPS still makes sense. I'm
 surely not going to stick with md5 or sha1.


 We're still using HMAC-SHA1 for most TLS ciphersuites, RSA(MD5||SHA1) for
 TLS signatures (until TLS1.2), and RSA(SHA1) to sign (EC)DHE parameters.
 SHA1 is still there.

 There are alternatives, it doesn't hurt to get them in place.

 Yes, like the IETF brainpool drafts.

 RFC5639 standardized the curves, RFC7027 allows them to be used for TLS.
 They're no more drafts.

Do you know if there's a standard name and OID assigned to Dr.
Bernstein's gear? IETF only makes one mention of 25519 in the RFC
search, and it's related to TLS and marked TBD.

Lack of a mailing list for NaCl is crippling.

(Sorry to wander a bit).

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Curve25519 OID (was: Re: the spell is broken)

2013-10-05 Thread Jeffrey Walton
On Sat, Oct 5, 2013 at 7:35 PM, Patrick Pelletier
c...@funwithsoftware.org wrote:
 On 10/5/13 2:47 PM, Jeffrey Walton wrote:

 Do you know if there's a standard name and OID assigned to Dr.
 Bernstein's gear? IETF only makes one mention of 25519 in the RFC
 search, and it's related to TLS and marked TBD.

 Not yet.  See this thread:

 http://www.ietf.org/mail-archive/web/tls/current/msg10074.html

 (In short, the argument was that an OID for Curve25519 is only useful if
 it's going to be used for signatures, and Curve25519 shouldn't directly be
 used for signatures; Ed25519 should be used instead.)
Thanks Patrick. I tend to agree with Simon when he remarked "[OID
assignment for ed25519] doesn't belong in the TLS WG" though.

For completeness, Crypto++ has a factory-like method that serves
curves. The curves are sorted by OID in the function, so Crypto++
would need an OID for ed25519. See around lines 120 and 250 at
http://www.cryptopp.com/docs/ref/eccrypto_8cpp_source.html.

I doubt Wei Dai will accept a patch which breaks from his design.

In the meantime, folks are hacking in something (from other
conversations I've had with some folks). That makes it hard to use
ed25519 correctly, and possibly easy to use incorrectly.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] the spell is broken

2013-10-04 Thread Jeffrey Walton
On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald jam...@echeque.com wrote:
 On 2013-10-04 11:41, Jeffrey Walton wrote:

 We could not get rid of Trustwave in the public sector (so much for
 economics).

 What is wrong with trustwave?
The company operates in an industry where trust is a commodity. The
company violated the trust, which essentially means they have no
product. Rewarding bad behavior was the last thing that should have
happened.

 There's no way we can get rid of the US agency responsible
 for crypto standards

 If no one pays attention to their standards, we have gotten rid of them.
Well, that's going to be a tough sell for US Federal, US DoD, and a
number of private sector organizations, such as some in US Financial.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Walton
On Thu, Oct 3, 2013 at 9:26 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
...

 I would put it more strongly than that. I think that NIST needs to be 
 punished. Even if Dual_EC_DRBG were their only lapse, any entity that has 
 allowed themselves to be used that way should be forced to exit the business 
 of being involved in making recommendations on cryptography. I don’t have to 
 think that they are bad people or even that they could have prevented what 
 happened. But I think there needs to be an unambiguous signal to every other 
 (potential) standards body about what happens if you even think of allowing 
 for the sabotage of crypto.

We could not get rid of Trustwave in the public sector (so much for
economics). There's no way we can get rid of the US agency responsible
for crypto standards (government is not held responsible for the act
or accountable after the act).

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] [Cryptography] What is Intel(R) Core™ vPro™ Technology Animation

2013-09-22 Thread Jeffrey Walton
On Sun, Sep 22, 2013 at 7:56 PM, d.nix d@comcast.net wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1



 On 9/22/2013 2:23 PM, Jerry Leichter wrote:
 On Sep 21, 2013, at 10:05 PM, d.nix wrote:
 Hah hah hah. Uh, reading between the lines, color me *skeptical*
 that this is really what it claims to be, given the current
 understanding of things...

 http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html


 The question isn't whether it's what it claims to be.  It is that.  But
 is it's *more* than it claims to be.

 Yes, in my haste I neglected the only disclaimer bit; it is indeed a
 means by which the *rightful owner/administrator* might perform very
 useful tasks. The obvious crux of the biscuit is *who else* has
 access, and what can they do surreptitiously?
Painting with a broad brush, part of the solution is a remote
administration board that can't be removed. Cf. Fujitsu LOM (Lights
Out Management), HP ILO (Integrated Lights Out), HP RILO (Remote
Integrated Lights Out), Compaq RIB (Remote Insight Board), and Dell
DRAC (Dell Remote Access Card).

As for who has access, that depends on the quality of the
implementations.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Jeffrey Walton
On Fri, Sep 20, 2013 at 2:35 PM, Dominik Schürmann
domi...@dominikschuermann.de wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 ...
 After reading related literature, I came to the conclusion to use
 ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the
 random curves ;),
 Bernstein's curve25519 would be too difficult to integrate, as I
 didn't find a library, which is present in current linux distros and
 handles both EC sign and encryption schemes.
Crypto++ has the schemes and Dr. Bernstein's curve. The library is
available on all major Linux and BSD platforms.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] It's time for a Whistleblowing / Leaking Initiative for Cryptographer ?

2013-09-16 Thread Jeffrey Walton
On Mon, Sep 16, 2013 at 5:17 PM, Fabio Pietrosanti (naif)
li...@infosecurity.ch wrote:
 http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301

Right now, whistle blowers are vilified in the US. Just ask Jesselyn
Radack, Thomas Drake, William Binney, Bradley Manning, et al. The
irony is the US recognized the usefulness of whistle blowing hundreds
of years ago during colonial times:
https://en.wikipedia.org/wiki/Qui_tam. (Thanks CB).

I'm all for monetization of whistle blowing to encourage the behavior.
But that would take a proverbial 'paradigm shift', because the sneaky
assholes who need to be uncovered are the same assholes who hold the
power and control popular thinking.

From the article:

 ... that calls on authorities in that country and the United States to
 conduct an investigation to determine which security products,
 protocols and standards have been deliberately weakened by the
 countries’ intelligence services.

I think MQV and Dual_EC_DRBG events are kind of rare, and I'm not sure
about this.

Does an intelligence agency need to backdoor code when: (1)
architectural and design defects are incumbent; and (2) shitty code is
regularly checked-in? I think the agency's best course of action is to
do nothing and wait for the defects to become widely available through
normal channels.

Given the above, an agency probably benefitted by doing nothing with,
for example, MQV and Dual_EC_DRBG. In this case, would the panel of
scientists be asking to investigate lack of agency action? I think
that's going to be pretty tenuous.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] motivation, research ethics organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)

2013-09-14 Thread Jeffrey Walton
On Sat, Sep 14, 2013 at 7:08 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
 On 2013-09-13, at 9:28 AM, David D da...@7tele.com wrote:

...
 Obviously, we should insist on due process for the NSA stooges. If they 
 confess their activities and name their co-conspirators, we may allow them 
 some limited role, but those who don’t cooperate will need to be dealt with 
 more firmly, for the good of their souls and for our community.
Ship them off to Guantanamo Bay. They are more dangerous to the
democracy, the country and its citizens than Bin Laden and friends.
Or, put a bullet in their heads like they did Bin Laden. It makes no
difference to me as long as we are rid of them.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


[cryptography] What is Security World architecture?

2013-09-10 Thread Jeffrey Walton
I was reading on an HSM, and the marketing literature stated, "...
because it utilizes the Security World architecture, XXX provides an
ideal combination of high assurance and operational ease."

What is Security World architecture? What are the criteria used for
high assurance and operational ease?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] What is Security World architecture?

2013-09-10 Thread Jeffrey Walton
On Wed, Sep 11, 2013 at 12:41 AM, Ben Laurie b...@links.org wrote:
 On 11 September 2013 01:17, Jeffrey Walton noloa...@gmail.com wrote:

 I was reading on an HSM, and the marketing literature stated, "...
 because it utilizes the Security World architecture, XXX provides an
 ideal combination of high assurance and operational ease."

 What is Security World architecture?


 http://lmgtfy.com/?q=security+world+architecture&l=1
Thanks Ben. I got that one hit also.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Random number generation influenced, HW RNG

2013-09-07 Thread Jeffrey Walton
On Sat, Sep 7, 2013 at 1:48 PM, David Johnston d...@deadhat.com wrote:
 On 9/6/2013 2:03 PM, grarpamp wrote:
 ...
 However, I claim that the fear is well founded and should be taken into
 account by all threat models.
 It interesting to consider the possibilities of corruption and deception
 that may exist in product design. It's a lot more alarming when it's your
 own design that is being accused of having been backdoored. Claiming the NSA
 colluded with intel to backdoor RdRand is also to accuse me personally of
 having colluded with the NSA in producing a subverted design. I did not.
I don't think it was a personal attack.

 A quick googling revealed many such instances of statements to this effect,
 strewn across the internet, based on inferences from the Snowden leaks and
 resulting Guardian and NYT articles.
It's our job to be paranoid. As long as our adversaries enjoy secrecy
(and no responsibility or accountability), we have to speculate on
capabilities.

 I personally know it not to be true and from my perspective, the effort we
 went to improve computer security by making secure random numbers available
 and ubiquitous in a low attack-surface model is now being undermined by
 speculation that would lead people to use less available, less secure RNGs.
 This I expect would serve the needs of the NSA well.
Well, because you did not know or participate does not mean it did not occur.

In [1], Caspar Bowden, who was the former Chief Privacy Officer at
Microsoft, speculated a handful of top Microsoft managers were
involved with the backdooring of Microsoft products. Even Bowden was
not privileged to the full depth and breadth of corporate cooperation.
If you asked David LeBlanc, Michael Howard, and a number of other
senior security guys, they likely had no knowledge either.

Jeff

[1] https://www.youtube.com/watch?v=-Cx_vumGbXM.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Compositing Ciphers?

2013-09-06 Thread Jeffrey Walton
On Fri, Sep 6, 2013 at 8:53 PM, Natanael natanae...@gmail.com wrote:
 http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
 Apparently it's called cascade encryption or cascade encipherment,
 and the implementations are apparently called robust combiners. And
 by the way, Truecrypt already lets you pick your chosen combo of AES
 and two other ciphers.
Ah, right. I knew that was called cascading. I'm not sure why I called
it compositing (it sucks getting old).

I did not know Truecrypt provided it.

 I think you should worry about your PRNG and its seed before you
 focus on AES. Your key should both have enough entropy and be secret.
 Is your PRNG backdoored already? And I'm guessing the cipher mode
 probably matters a bit more than the exact choice of algorithm.
I believe the PRNG is good. The PRNG fetches from the OS, fetches from
device sensors (accelerometers, gyroscopes, magnetometers), and
practices hedging.

I'm more worried about key exchange or agreement.

Jeff

 On Sat, Sep 7, 2013 at 2:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
 Hi All,

 With all the talk of the NSA poisoning NIST, would it be wise to
 composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).

 I've been thinking about running a fast inner stream cipher (Salsa20
 without a MAC) and wrapping it in AES with an authenticated encryption
 mode (or CBC mode with {HMAC|CMAC}).

 I'm aware of, for example, NSA's Fishbowl running IPSec at the network
 layer (the outer encryption) and then SRTP at the application
 level (the inner encryption). But I'd like to focus on hardening one
 cipherstream at one level, and not cross OSI boundaries.

 I'm also aware of the NSA's lightweight block ciphers
 (http://eprint.iacr.org/2013/404). I may have been born at night, but
 it was not last night

 Has anyone studied the configuration and security properties of an
 inner stream cipher with an outer block cipher?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Android SecureRandom poor entropy

2013-08-25 Thread Jeffrey Walton
On Sun, Aug 25, 2013 at 4:45 PM, Marco Pozzato mpodr...@gmail.com wrote:
 ...
 Recently, android SecureRandom PRNG proved to be seriously flawed
 (http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html)
 because, by default, it is not properly initialized with good entropy.

 The weakness is very critical, because initial state is practically affected
 only by process ID: when an application starts with the same PID, it
 generates the very same sequence of pseudo-random numbers.
I think it's even worse than that - even the system entropy pool needs
help. Take a look at addDeviceSpecificEntropy() in
EntropyService.java. For the most part, AOSP repeatedly adds the same
data from the device. The only differentiating data is
System.currentTimeMillis() and System.nanoTime().

There's even some developer humor in there:

out = new PrintWriter(new FileOutputStream(randomDevice));
out.println("Copyright (C) 2009 The Android Open Source Project");
out.println("All Your Randomness Are Belong To Us");

See
https://code.google.com/p/android-source-browsing/source/browse/services/java/com/android/server/EntropyService.java?repo=platform--frameworks--base&name=b8cba95f&r=6907891b1f2d706fa2bd6c40b986f73e5666e00e.

In the past, Hedging was suggested to improve the pool state, but I'm
not aware of any interest in the improvements. See
https://groups.google.com/d/msg/android-security-discuss/BM4t_DhbCeQ/70SsSouaqZ4J.

 Many bitcoin applications suffered this issue and some bucks have been lost.

 Are you aware of some lists of flawed applications, not only related to
 bitcoin, but also in other cryptography and security domain?
Not quite the answer you are looking for, but it may help with
determining the breadth of the issue. Symantec performed an analysis,
and over 360,000 applications were using SecureRandom. Of those,
320,000 could be affected. Unfortunately, the categories were
Productivity, Fun and Games, and similar; and not Cryptography or
Security. 
http://www.symantec.com/connect/blogs/android-cryptographic-issue-may-affect-hundreds-thousands-apps.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
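The two points in this reply, a pool whose initial state depends only on data every unit shares plus a PID, and hedging as the remedy, can be shown with a small pool. The following is an added example written for this page; it is not AOSP's EntropyService or any real library, and the SHA-256/HMAC construction is for illustration only. The device facts are constructed stand-ins.

```python
"""Added example (not AOSP code or any real library): a toy hash-based entropy
pool showing the difference between seeding with data every device shares
plus a PID, and hedging the same pool with per-instance input."""
import hashlib
import hmac
import os


class EntropyPool:
    def __init__(self):
        self.state = bytes(32)                  # all-zero state: a fresh pool

    def add_entropy(self, source, data):
        """Mix labelled input into the state; the label keeps sources unambiguous."""
        msg = source.encode("utf-8") + b"\x00" + data
        self.state = hmac.new(self.state, msg, hashlib.sha256).digest()

    def generate(self, nbytes):
        """Counter-mode output, then a one-way ratchet so earlier output cannot be
        recomputed from a later state compromise."""
        out = bytearray()
        counter = 0
        while len(out) < nbytes:
            out += hashlib.sha256(self.state + counter.to_bytes(8, "big")).digest()
            counter += 1
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return bytes(out[:nbytes])


# Constructed stand-ins for values that are identical on every unit of a model.
SHARED_DEVICE_FACTS = [("build", b"example-build-fingerprint"), ("model", b"example-phone")]


def seed_like_the_flaw(pid):
    """Pool fed only shared device facts and a PID, the situation described above."""
    pool = EntropyPool()
    for name, value in SHARED_DEVICE_FACTS:
        pool.add_entropy(name, value)
    pool.add_entropy("pid", pid.to_bytes(4, "big"))
    return pool


def hedged(pid, extra):
    """Same seeding, then hedged with input only this instance saw
    (sensor noise, the OS RNG, anything the attacker cannot replay)."""
    pool = seed_like_the_flaw(pid)
    pool.add_entropy("hedge", extra)
    return pool


def outputs_collide_without_hedging(pid):
    """Two processes that happen to get the same PID emit the same stream."""
    return seed_like_the_flaw(pid).generate(16) == seed_like_the_flaw(pid).generate(16)


def outputs_collide_with_hedging(pid):
    """With fresh hedge input the streams diverge even for equal PIDs."""
    return hedged(pid, os.urandom(32)).generate(16) == hedged(pid, os.urandom(32)).generate(16)


def ratchet_changes_state():
    pool = seed_like_the_flaw(1234)
    before = pool.state
    pool.generate(8)
    return pool.state != before


if __name__ == "__main__":
    print("same PID, no hedge, same output:", outputs_collide_without_hedging(1234))
    print("same PID, hedged, same output:  ", outputs_collide_with_hedging(1234))
```

Hedging only helps if the extra input is genuinely unpredictable to an outside party; the constant strings AOSP writes are the kind of input that changes nothing, which is what the equal-output case above demonstrates.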


[cryptography] Reflection Attacks in Challenge/Response Protocols

2013-08-24 Thread Jeffrey Walton
Hi All,

When a symmetric key based challenge response is used, an attacker can
perform a reflection attack by starting a second instance of a
protocol and having the server answer its own questions.

To guard against the attack, is it sufficient to ensure all challenges
sent from server to client are equal to 1 mod 2; and all client to
server challenges are equal to 0 mod 2? Is it enough to break the
symmetry?

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
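The parity rule from the question can be written down and tested directly. The following is an added example, not code from the thread: a toy symmetric-key challenge/response in which server-issued challenges are odd and client-issued challenges even, alongside the conventional additional defence of binding both roles into the MAC so that a response computed in one direction never verifies in the other. Roles, wire format and function names are made up for the example; whether parity alone suffices is the question the post leaves open, and the second check is there for comparison.

```python
"""Added example (not from the thread): symmetric-key challenge/response with
role parity in the challenge's low bit (server-issued odd, client-issued even)
plus both identities bound into the MAC."""
import hashlib
import hmac
import secrets

SERVER, CLIENT = "server", "client"
ROLE_PARITY = {SERVER: 1, CLIENT: 0}


def new_challenge(role):
    """128-bit random challenge with the low bit set to the issuer's role parity."""
    return (secrets.randbits(128) & ~1) | ROLE_PARITY[role]


def compute_response(key, challenge, responder, verifier):
    """MAC over challenge || responder || verifier: a value one party computes as
    responder cannot be reused as a response in the opposite direction."""
    msg = challenge.to_bytes(16, "big") + responder.encode() + b"|" + verifier.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Party:
    def __init__(self, role, key):
        self.role, self.key = role, key
        self.outstanding = set()               # challenges issued and not yet answered

    def issue_challenge(self):
        c = new_challenge(self.role)
        self.outstanding.add(c)
        return c

    def answer(self, challenge, peer_role):
        """Refuse a challenge whose parity does not match the role it claims to come from."""
        if challenge & 1 != ROLE_PARITY[peer_role]:
            raise ValueError("challenge parity does not match sender role")
        return compute_response(self.key, challenge, self.role, peer_role)

    def verify(self, challenge, resp, peer_role):
        """Accept only a challenge this party issued, once, with a MAC bound to both roles."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = compute_response(self.key, challenge, peer_role, self.role)
        return hmac.compare_digest(expected, resp)


def honest_run(key):
    server, client = Party(SERVER, key), Party(CLIENT, key)
    c = server.issue_challenge()
    return server.verify(c, client.answer(c, SERVER), CLIENT)


def parity_blocks_reflection(key):
    """Regression test for the parity rule: a server-issued challenge handed back to
    the server in a second session, as if from a client, must be refused."""
    server = Party(SERVER, key)
    c = server.issue_challenge()
    try:
        server.answer(c, CLIENT)
    except ValueError:
        return True
    return False


def identity_binding_blocks_reflection(key):
    """Even without the parity check, a MAC the server computed as responder does
    not verify as a client response, because the roles are inside the MAC."""
    server = Party(SERVER, key)
    c = server.issue_challenge()
    reflected = compute_response(key, c, SERVER, CLIENT)
    return not server.verify(c, reflected, CLIENT)


if __name__ == "__main__":
    K = secrets.token_bytes(32)
    print("honest exchange verifies:", honest_run(K))
    print("parity check refuses reflected challenge:", parity_blocks_reflection(K))
    print("role binding refuses reflected MAC:", identity_binding_blocks_reflection(K))
```

The parity bit makes the two directions distinguishable by inspection; putting both roles into the MAC input makes them distinguishable even if a party were tricked into computing a response, and it costs nothing on the wire.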


Re: [cryptography] urandom vs random

2013-08-19 Thread Jeffrey Walton
On Mon, Aug 19, 2013 at 9:20 AM, Aaron Toponce aaron.topo...@gmail.com wrote:
 ...

 It's a shame http://entropykey.co.uk is no longer in business. I was able to
 procure 5 entropy keys just before they folded, and they're awesome.
Yeah, I really liked EntropyKey. I tried to place an order last year
(or early this year). It was never fulfilled and no one responded.

I knew they were having some troubles, but I could not determine the
cause. Why did they fold?

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] urandom vs random

2013-08-19 Thread Jeffrey Walton
Hi Aaron,

Here is the last I saw of them (besides the website being up):
http://lists.simtec.co.uk/pipermail/entropykey-users/2013-July/thread.html.

They claim to still be around (from the last in the thread):

We've gone through a major crisis, but are still here... just.  To say
any more in public at this stage might be unwise from a legal
standpoint.

We currently have no manufacturing capability for ekeys but are
working towards getting things up and running again.  There's no
timescale on that yet, I'm afraid.

Jeff

On Mon, Aug 19, 2013 at 11:21 AM, Aaron Toponce aaron.topo...@gmail.com wrote:
 On Mon, Aug 19, 2013 at 09:41:20AM -0400, Jeffrey Walton wrote:
 Yeah, I really liked EntropyKey. I tried to place an order last year
 (or early this year). It was never fulfilled and no one responded.

 I knew they were having some troubles, but I could not determine the
 cause. Why did they fold?

 I don't know why they folded. I'm guessing lack of demand didn't justify
 their costs. Possibly understaffed as well. When I placed my order, it took
 them 8 weeks to ship it, and I was emailing anyone and everyone I could to
 get a status update or anything. It's too bad. They had the best product.

 --
 . o .   o . o   . . o   o . .   . o .
 . . o   . o o   o . o   . o o   . . o
 o o o   . o .   . o o   o o .   o o o

 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] urandom vs random

2013-08-17 Thread Jeffrey Walton
On Sat, Aug 17, 2013 at 7:46 AM, Ben Laurie b...@links.org wrote:

 ...

 Also, if there are other sources, why are they not being fed in to the
 system PRNG?
Linux 3.x kernels decided to stop using IRQ interrupts (removal of the
IRQF_SAMPLE_RANDOM flag, without an alternative to gather entropy).

[PATCH 17/17] random: final removal of IRQF_SAMPLE_RANDOM,
http://lkml.indiana.edu/hypermail/linux/kernel/1207.2/01043.html.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Reply to Zooko (in Markdown)

2013-08-17 Thread Jeffrey Walton
On Sat, Aug 17, 2013 at 3:49 AM, Bryan Bishop kanz...@gmail.com wrote:
 On Sat, Aug 17, 2013 at 1:04 AM, Jon Callas j...@callas.org wrote:

 It's very hard, even with controlled releases, to get an exact
 byte-for-byte recompile of an app. Some compilers make this impossible
 because they randomize the branch prediction and other parts of code
 generation. Even when the compiler isn't making it literally impossible,
 without an exact copy of the exact tool chain with the same linkers,
 libraries, and system, the code won't be byte-for-byte the same. Worst of
 all, smart development shops use the *oldest* possible tool chain, not the
 newest one because tool sets are designed for forwards-compatibility (apps
 built with old tools run on the newest OS) rather than
 backwards-compatibility (apps built with the new tools run on older OSes).
 Code reliability almost requires using tool chains that are trailing-edge.


 Would providing (signed) build vm images solve the problem of distributing
 your toolchain?
You might try Fully Countering Trusting Trust through Diverse
Double-Compiling, http://www.dwheeler.com/trusting-trust/
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Expired/Revoked certificates + private keys

2013-08-16 Thread Jeffrey Walton
On Fri, Aug 16, 2013 at 11:03 AM, Dominik Schürmann
domi...@dominikschuermann.de wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 For a research project on OCSP, we are searching for expired and
 revoked X.509 certificates with their corresponding private keys. Any
 help or pointers to find leaked keys are much appreciated.
littleblackbox (http://code.google.com/p/littleblackbox/) is a
database of well known private keys from a number of devices and
appliances. As far as I know, most have never been revoked (or the
device/appliance updated) even though they are well known.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Jeffrey Walton
On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
 I recently got another of the standard phishing emails for Paypal, directing
 me to https://email-edg.paypal.com, which redirects to
 https://view.paypal-communication.com, which has a PayPal EV certificate from
 Verisign.  According to this post
 http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a
 phishing attack (no-one's really sure), and this post
 http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site
 will be shut down by Paypal... back in May 2011.

 Can anyone explain this?  It's either a really clever phish (or the CAs are
 following their historically lax levels of checking), or Paypal has joined the
 ranks of US banks in training their users to become phishing victims.
If that's true, I think the more interesting fact is: it appears
email-edg.paypal.com is controlled by the attacker. Why else would
Paypal redirect from a host in their domain to a host not in their
domain controlled by the adversary? (It's a bit different than standard
phishing training where both hosts/domains are controlled by Paypal).

Has Paypal fess'ed up to any break-ins or breaches?

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] NSA Today on Missions, Authorities, Oversight, Partnerships

2013-08-11 Thread Jeffrey Walton
On Fri, Aug 9, 2013 at 4:14 PM, John Young j...@pipeline.com wrote:
 NSA statement today on Missions, Authorities, Oversight, Partnerships:

 http://cryptome.org/2013/08/nsa-13-0809.pdf

This was probably one of the more amusing statements. Perhaps William
Binney would have a different opinion:

In addition to the NSA's compliance safeguards, NSA personnel are
obligated to report when they believe NSA is not, or may not be,
acting consistently with law, policy, or procedure. This
self-reporting is part of the culture and fabric of NSA. If NSA is not
acting in accordance with law, policy, or procedure, NSA will report
through its internal and external intelligence oversight channels,
conduct reviews to understand the root cause, and make appropriate
adjustments to constantly improve.


Re: [cryptography] Updated Certificate Transparency site

2013-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote:
 On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:

 ... If everyone does their part CT causes the risk
 of dishonest CA behavior discovery to become too great for CAs to
 engage in such behavior.
Sorry to drift a bit, but how so? The best I can tell, there is little
to no risk because browsers (and others in similar positions) often
refuse to take action. As Trustwave and Mozilla, Microsoft, et al
recently demonstrated, it's just a dog and pony show.

Jeff


Re: [cryptography] Must have seemed like a good idea at the time

2013-07-25 Thread Jeffrey Walton
On Tue, Jul 23, 2013 at 4:54 AM, ianG i...@iang.org wrote:
 ...

 Banks will say that international wires are irreversible, but it isn't true.
 If the banks cooperate they can do a return of funds.  It all depends...

This was kind of interesting: According to Li, the larger problem [of
Chinese car theft fraud] is the Chinese financial system, which
requires every bank-to-bank transaction to be routed through the
central government’s banking authority. As a result, anti-fraud
measures are usually slower than criminals. Stopping a payment could
take as long as three days, by which time the money is usually
unrecoverable.
http://www.theverge.com/2013/7/24/4549124/how-google-uncovered-a-chinese-ring-of-car-thieves.

Jeff


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-07-25 Thread Jeffrey Walton
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell b...@scannell.org wrote:
 This Daily Beast story on Causa Snowden 
 (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
  contains the following sentence:

 Last week NSA Director Keith Alexander told the House Permanent Select 
 Committee on Intelligence that Snowden was able to access files inside the 
 NSA by fabricating digital keys that gave him access to areas he was not 
 allowed to visit as a low-level contractor and systems administrator. 

General Keith Alexander admitted just last week that the NSA is using
MS SharePoint to share security information with other state agencies.
These tools are favored because they tend to support the ad-hoc ebb
and flow of natural human collaboration across blurry corporate
boundaries 
http://www.wired.com/insights/2013/07/snowdens-impact-on-the-enterprise-how-mobile-security-is-evolving-post-nsa-leak/.

I really question who is fabricating what.


Re: [cryptography] [liberationtech] Random number generator, failure in Rasperri Pis?

2013-07-20 Thread Jeffrey Walton
On Sat, Jul 20, 2013 at 2:57 AM, Peter Bowen pzbo...@gmail.com wrote:
 On Fri, Jul 19, 2013 at 10:35 PM, Yaron Sheffer yar...@porticor.com wrote:
 A few months ago I posted a query to the Amazon Web Services (the
 largest public cloud, running on Xen) forum on whether they're using libvirt
 for this purpose, and it was never answered. Does anybody around here have a
 clue?

 Amazon EC2 does not support virtio-rng today.  Finding good sources of
 entropy in a virtual machine is always hard, so solutions like
 virtio-rng and Intel's RDRAND instruction can be very useful.
Also see:

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
and Hedging Deployed Cryptography,
http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf

When Virtual is Harder than Real: Security Challenges in Virtual
Machine Based Computing Environments,
https://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf

Jeff


Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

2013-07-16 Thread Jeffrey Walton
On Tue, Jul 16, 2013 at 5:04 AM, coderman coder...@gmail.com wrote:
...

 in short:

 rather than considering just one or another type of attack, these
 agencies should be assumed to be using all of them with the exploit
 method tailored to the particular access needs and target difficulty
 of every tasking.
From "In his own words: Confessions of a cyber warrior"
(http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-66),
page 3:

QUOTE
Grimes [Interviewer]: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We
have tens of thousands of ready-to-use bugs in single applications,
single operating systems.

Grimes [Interviewer]: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the
software or the controller, we have ways to exploit it. There is no
software that isn't easily crackable. In the last few years, every
publicly known and patched bug makes almost no impact on us. They
aren't scratching the surface.
/QUOTE


Re: [cryptography] skype backdoor confirmation

2013-07-15 Thread Jeffrey Walton
On Thu, May 16, 2013 at 3:52 PM, Adam Back a...@cypherspace.org wrote:
 So when I saw this article
 http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html

 I was disappointed the rumoured skype backdoor is claimed to be real, and
 that they have evidence.  The method by which they confirmed is kind of odd
 - not only is skype eavesdropping but its doing head requests on SSL sites
 that have urls pasted in the skype chat!
Sorry to dig up an old thread

According to [1], Skype provided the backdoor before Microsoft
purchased the service (but interception increased after M$'s
purchase):

The NSA also praised the collaboration with the FBI in the case of
messaging and VoIP service Skype. According to the documents, Skype
joined PRISM in early 2011, before it was acquired by Microsoft. That
takeover is alleged to have resulted in a redoubling of efforts to
enable PRISM to access Skype communications. According to the NSA, in
July 2012, the volume of intercepted Skype data tripled following the
introduction of new surveillance capability. There have been repeated
rumours of backdoors in Skype intended to enable encrypted
communications to be intercepted by the security services. Skype has
always denied these reports.

[1] 
http://www.h-online.com/security/news/item/Microsoft-gave-NSA-s-PRISM-access-to-Skype-Outlook-com-and-SkyDrive-1916730.html


Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

2013-07-15 Thread Jeffrey Walton
On Mon, Jul 15, 2013 at 7:27 AM, Eugen Leitl eu...@leitl.org wrote:
 On Fri, Jul 12, 2013 at 10:29:49PM +0300, ianG wrote:

 Not to mention, Intel have been in bed with the NSA for the longest
 time.  Secret areas on the chip, pop instructions, microcode and all
 that ...  A more interesting question is whether the non-USA
 competitors are also similarly friendly.

 It seems there's a good niche for open hardware, either
 run in FPGAs (which are backdoorable, of course), or
 designs which can be verified optically, preferably using
 relatively large, obsolete structures.
An Open Source Cryptographic Coprocessor,
http://www.cypherpunks.to/~peter/usenix00.pdf (obfuscated version at
https://www.usenix.org/conference/9th-usenix-security-symposium/open-source-cryptographic-coprocessor).


Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)

2013-07-01 Thread Jeffrey Walton
On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote:
 On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote:
 And when LEA
 get caught doing this nothing terribly bad happens to LEA (no officers
 go to prison, for example).

 It is often in the interest/whim of the executive to decline to
 prosecute its own,
 even if only to save embarrassment, so many of these cases will never see a 
 jury.
 That's why you need citizen prosecutors who can bring cases before both grand
 and final jury. For example, how many times have you seen a LE vehicle 
 failing
 to signal, speeding/reckless, with broken running lights, etc... now
 try to criminally
 (not administratively) prosecute that just as you might be prosecuted for 
 same.

 I'd love to see proposals for how criminal prosecutions by the
 public would work.
Sparta, one of the first democracies, would put the public officials
on trial at the end of their term. It was part of the process.

I imagine their Spartan was sufficiently different so that folks like
Ted Kennedy (liar, cheat, murderer) would not have been able to serve
the class.

Sorry for the OT chatter.

Jeff


Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)

2013-07-01 Thread Jeffrey Walton
On Mon, Jul 1, 2013 at 8:33 PM, mtm marctmil...@gmail.com wrote:
 as a spartan of sorts, and one that's shared laphroig with both a plank
 member of the nsa and the creator of fbi's hrt, I'd like to say these fellas
 are decent men and not petty.
Then they would have nothing to fear if put on trial for potential
crimes they've committed.

(At least, that's what they tell us - if you don't do anything wrong,
then you don't have anything to worry about).

 On Jul 2, 2013 12:55 AM, Jeffrey Walton noloa...@gmail.com wrote:

 On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com
 wrote:
  On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote:
  And when LEA
  get caught doing this nothing terribly bad happens to LEA (no officers
  go to prison, for example).
 
  It is often in the interest/whim of the executive to decline to
  prosecute its own,
  even if only to save embarrassment, so many of these cases will never
  see a jury.
  That's why you need citizen prosecutors who can bring cases before both
  grand
  and final jury. For example, how many times have you seen a LE vehicle
  failing
  to signal, speeding/reckless, with broken running lights, etc... now
  try to criminally
  (not administratively) prosecute that just as you might be prosecuted
  for same.
 
  I'd love to see proposals for how criminal prosecutions by the
  public would work.
 Sparta, one of the first democracies, would put the public officials
 on trial at the end of their term. It was part of the process.

 I imagine their Spartan was sufficiently different so that folks like
 Ted Kennedy (liar, cheat, murderer) would not have been able to serve
 the class.

 Sorry for the OT chatter.


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Jeffrey Walton
On Tue, Jun 25, 2013 at 5:47 PM, Mark Seiden m...@seiden.com wrote:
 maybe he just used other people's ssh keys that were protected by a weak (or 
 no) passphrase?

 fabricate is a pretty strong word, but under the least untruthful 
 standard that James Clapper says he's applied to
 congressional testimony, there are numerous interpretive possibilities.
What's more likely is there were little/no/improper access controls
(Bradley Manning FTW!), and the government is fabricating the
claim.

Jeff

 On Jun 25, 2013, at 2:32 PM, Natanael natanae...@gmail.com wrote:

 That depends on the system. Consider how HDCP encryption was broken;

 https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection

 It used a scheme where access to enough keys allowed you to calculate the 
 master key, breaking the entire scheme.


 2013/6/25 Bill Scannell b...@scannell.org
 This Daily Beast story on Causa Snowden 
 (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
  contains the following sentence:

 Last week NSA Director Keith Alexander told the House Permanent Select 
 Committee on Intelligence that Snowden was able to access files inside the 
 NSA by fabricating digital keys that gave him access to areas he was not 
 allowed to visit as a low-level contractor and systems administrator. 

 How would one fabricate a digital key?


Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Jeffrey Walton
On Wed, May 22, 2013 at 10:07 AM, Mark Seiden m...@seiden.com wrote:

 On May 22, 2013, at 5:59 AM, Jacob Appelbaum ja...@appelbaum.net wrote:

 James A. Donald:

 http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/
 That governments attempt to spy on people is not evidence that they are any
 good at it.

 Of course. They are quite good at it. Their successes are well documented:

 https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

 https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/

 also the very colorful

 http://epic.org/crypto/scarfo.html

 (this is all from memory, but…

 a keylogger was installed in a black bag job with a magistrate warrant (on 
 nicky scarfo jr, the son of an imprisoned mobster nicky scarfo sr)
 accused of loan sharking and racketeering (as i recall).  in a previous 
 search they had found a pgp encrypted spreadsheet and wanted the passphrase.

 the keylogger supposedly satisfied the minimization requirements (suppressing 
 logging when he used aol on a dialup…)  (i really want to know
 how that worked…)
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf:

The Pen/Trap statute authorizes a government attorney to apply to a
court for an order authorizing the installation of a pen register
and/or trap and trace device if “the information likely to be obtained
is relevant to an ongoing criminal investigation.”

and

The government must also use “technology reasonably available to it”
to avoid recording or decoding the contents of any wire or electronic
communications. 18 U.S.C. § 3121(c). When there is no way to avoid the
inadvertent collection of content through the use of reasonably
available technology, DOJ policy requires that the government may
not use any inadvertently collected content in its investigation.
However, a few courts have gone beyond the statute’s requirement that
the government use technology reasonably available to it to avoid
collecting content. Citing the exclusion of contents from the
definitions of pen register and trap and trace device, these courts
have stated or implied that the government cannot use pen/trap
devices that might collect any content at all. ...

 they didn't get the passphrase during the first term of the first warrant 
 (couple months, as i recall.)   not much of a loanshark, doesn't update
 his books in a couple months, hm… then they renewed the warrant…   and 
 finally got him typing the passphrase….
 which was  his father's federal prison number.   duh.
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf:

A pen/trap order may authorize the installation and use of a pen/trap
device for up to sixty days and may be extended for additional
sixty-day periods. See 18 U.S.C. § 3123(c).

and

At least one court has adopted the severe position that suppression is
appropriate when the government fails to comply with court-imposed
limits on the time period for reviewing seized computers. In United
States v. Brunette, 76 F. Supp. 2d 30 (D. Me. 1999), a magistrate
judge permitted agents to seize the computers of a child pornography
suspect on the condition that the agents searched through the
computers for evidence “within 30 days.” The
agents executed the search five days later and seized several
computers. A few days before the thirty-day period elapsed, the
government applied for and obtained a thirty-day extension of the time
for review. The agents then reviewed all but one of the seized
computers within the thirty-day extension period, and found hundreds
of images of child pornography. However, the agents did not begin
reviewing the last of the computers until two days after the extension
period had elapsed. The defendant moved for suppression of the child
pornography images found in the last computer, on the ground that the
search outside of the sixty-day period violated the terms of the
warrant and subsequent extension order. The court agreed, stating that
“because the Government failed to adhere to the requirements of the
search warrant and subsequent order, any evidence gathered from the .
. . computer is suppressed.” Id. at 42.


Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jeffrey Walton
On Sat, May 18, 2013 at 3:15 PM, Adam Back a...@cypherspace.org wrote:
 Actually I think that was the point, as far as anyone knew and from the last
 published semi-independent review (some years ago on the crypto list as I
 recall) it indeed was end2end secure.  Many IM systems are not end2end so
 for skype to benefit from the impression that they still are end2end secure
 while actually not being is the focus of this thread.
The original Skype homepage (circa 2003/2004) claims the service is
secure: "Skype calls have excellent sound quality and are highly
secure with end-to-end encryption."
(http://web.archive.org/web/20040701004241/http://skype.com/).

The new web page does not even use the word
(web.archive.org/web/20130426221613/http://www.skype.com/).

(Sorry to rewind so far back in the thread).

Jeff


Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jeffrey Walton
On Mon, May 20, 2013 at 1:30 PM, Nico Williams n...@cryptonector.com wrote:
 On Mon, May 20, 2013 at 12:22 PM, Jeffrey Walton noloa...@gmail.com wrote:
 The original Skype homepage (circa 2003/2004) claims the service is
 secure: Skype calls have excellent sound quality and are highly
 secure with end-to-end encryption.
 (http://web.archive.org/web/20040701004241/http://skype.com/).

 Secure in what way though?  Probably: relative to passive
 eavesdroppers.  As for LEA, forget it.  (Nothing is secure w.r.t. LEA
 that have jurisdiction, as ultimately there's the rubber hose.)
Well, I take 'secure' to mean confidentiality and authenticity,
including an authenticated key agreement. If we don't know who we are
talking to, or someone else can listen in, or someone else can tamper,
then it's surely not secure by any reasonable definition.

For a typical user, they would probably take 'secure' to mean that
only both users (the endpoints) can read the message, hear, the
conversation, see the video, etc. I'm not sure how they would react to
'highly secure', other than it's 'secure' plus some other good stuff
they can't even imagine.

 The new web page does not even use the word
 (web.archive.org/web/20130426221613/http://www.skype.com/).

 So their advertising/terms changed.
It appears so. In the US, I believe that's a Material Adverse Change
and usually requires explicit notification (credit card issuers were
especially bad about changing terms). Do any Skype users recall being
informed the terms changed dramatically?  There was a time the FTC
would do something about it. In the end, does it matter since it
appears there are only carrots and no sticks?

Jeff


Re: [cryptography] skype backdoor confirmation

2013-05-20 Thread Jeffrey Walton
On Mon, May 20, 2013 at 8:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 James A. Donald:
 ...

 Zombie computers are seldom of high value.

 Some malware is designed to keep people communicating, under heavy
 watch; it is not always designed to abuse a system the traditional
 manner befitting script kiddie botnets.
In Skype's case, it appears there is no need for the malware to coerce
communications since the service is always on
(http://www.sec.gov/Archives/edgar/data/1498209/000119312510182561/ds1.htm):
The number of connected users is subject to uncertainties and in some
ways may overstate the number of users actively using our products
during a given period. For example, for a number of our users, once a
user has downloaded our software onto their device, the software will
automatically be logged in to when the device is turned on, even if
the customer takes no steps to affirmatively engage our software
client after initial registration.

Jeff


[cryptography] Question on Handling of Authenticated Plaintext Data

2013-05-19 Thread Jeffrey Walton
Hi All,

I'm having trouble finding a reference to the way additional data is
authenticated. In the past, I simply used the following (under an
independent key):

tag = HMAC(AAD, Ciphertext)

Recently, I came across a post by Dr. Bernstein [1] that states "I
find it quite strange to see a call for minimalism from people who
keep writing definitions that treat associated data separately from
plaintext. It's clearly more minimal for the cryptographer to allow
just plaintext, and to tell the user to put a hash of the associated
data into the plaintext."

I think that means:

tag = HMAC(HASH(AAD), Ciphertext)

That raises a few questions for me: what problem does HASH(AAD) solve?
How does the handling change if I want to use a digital signature
rather than an HMAC/CMAC?

In both cases (HMAC/CMAC or digital signature), is leaking timing
information during the hash comparison a concern? (I feel like it
should be because the adversary might not know the hash in advance
under some use cases).

Or is the concern over leaking timing information limited to the
secret data, such as the HMAC/CMAC key or the private exponent?

Jeff

[1] 
https://groups.google.com/forum/#!msg/crypto-competitions/n5ECGwYr6Vk/St1FEZoQ-E8J
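As an added example (not code from the post or from any reply), here are the two tag constructions the post compares, run on constructed inputs: it shows that a plain HMAC(AAD || Ciphertext) leaves no record of where the AAD ends, so shifting a byte across the boundary keeps the same tag, while a fixed-length HASH(AAD) prefix (or, as my own alternative, explicit length fields) removes that ambiguity; tag verification uses a constant-time comparison. The MAC key, messages and the helper names are constructed for the example; the ciphertext is treated as opaque bytes since the post's question is about the tag.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the post's MAC runs under a key independent
# of the encryption key, so only that key is modelled here.
MAC_KEY = bytes(range(32))


def tag_naive(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """tag = HMAC(AAD || Ciphertext), read as plain concatenation.

    Nothing in the MAC input records where the AAD ends and the
    ciphertext begins, so two different (AAD, Ciphertext) pairs can
    share one tag.
    """
    return hmac.new(key, aad + ciphertext, hashlib.sha256).digest()


def tag_hashed_aad(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """tag = HMAC(HASH(AAD) || Ciphertext).

    HASH(AAD) has a fixed length (32 bytes for SHA-256), so the MAC
    input always splits at the same offset and the boundary is fixed.
    """
    digest = hashlib.sha256(aad).digest()
    return hmac.new(key, digest + ciphertext, hashlib.sha256).digest()


def tag_length_prefixed(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Alternative encoding (my own, not proposed in the post): prefix
    both lengths as 64-bit big-endian integers instead of hashing AAD."""
    header = struct.pack(">QQ", len(aad), len(ciphertext))
    return hmac.new(key, header + aad + ciphertext, hashlib.sha256).digest()


def verify_constant_time(tag_fn, key, aad, ciphertext, tag) -> bool:
    """Recompute the tag and compare it in constant time.

    hmac.compare_digest does not stop at the first differing byte, so
    the comparison time does not depend on how many leading bytes of a
    candidate tag happen to match the expected one.
    """
    expected = tag_fn(key, aad, ciphertext)
    return hmac.compare_digest(expected, tag)


def verify_naive(tag_fn, key, aad, ciphertext, tag) -> bool:
    """Same check with plain equality; shown only for contrast, because
    bytes == may return as soon as it sees a mismatch."""
    return tag_fn(key, aad, ciphertext) == tag


def boundary_collision(tag_fn, key: bytes) -> bool:
    """Return True if moving one byte from the AAD into the ciphertext
    leaves the tag unchanged under tag_fn (constructed inputs)."""
    aad1, ct1 = b"hdr:", b"ciphertext-bytes"
    aad2, ct2 = b"hdr", b":ciphertext-bytes"
    return tag_fn(key, aad1, ct1) == tag_fn(key, aad2, ct2)


if __name__ == "__main__":
    for fn in (tag_naive, tag_hashed_aad, tag_length_prefixed):
        print(f"{fn.__name__:20s} boundary collision: "
              f"{boundary_collision(fn, MAC_KEY)}")
```

Only tag_naive reports a boundary collision; the other two encodings bind the AAD length, which is the practical difference between the two formulas the post writes down.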


Re: [cryptography] skype backdoor confirmation

2013-05-18 Thread Jeffrey Walton
On Sat, May 18, 2013 at 9:49 AM, Adam Back a...@cypherspace.org wrote:
 On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote:

 On 05/17/2013 04:19 AM, Eugen Leitl wrote:

 It is unreasonable for an closed source product by a commercial
 vendor to go any other way [putting backdoors in security products]

 Makes perfect sense. as its sometimes required by law,
 other times required to keep the users safe or companies away from legal
 harm.

 Well that seems like a bold and controversial claim to me, maybe with its
 own liability and legal implications!

 Would you expect microsoft IIS web server to contain an SSL backdoor?  Or
 microsoft VPN client?  Or cisco?  A lot of businesses and individuals are
 relying on these things to do what is advertised.  Not doing what is
 advertised can itself get companies in trouble, in many jurisdictions.
 Skype has/had as a differentiator that it was end2end encrypted, it is my
 impression that a number of people used it for that purpose.
Correct. It does not match a user's mental model; nor does it meet a
user's expectations (to borrow from Dr. Gutmann).

Cisco is kind of an odd case since it advertises its backdoors.
http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html.

Jeff

