[cryptography] Announcing the first SHA1 collision
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Cryptographic hash functions like SHA-1 are a cryptographer’s Swiss Army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for widespread use, finding two messages that lead to the same digest should be computationally infeasible. Over time, however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

...

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] What the World's First Quantum Satellite Launch Means
http://fortune.com/2016/08/16/china-quantum-satellite-launch/

That’s one small step for man, one quantum leap for China. China blasted the world’s first quantum communications satellite into orbit from the Gobi Desert early Tuesday. The project signals the dawn of a potentially game-changing communications technology: quantum key distribution—a dependable system for exchanging secrets (more on this in a bit)—as beamed from space. If the experiment is successful, it could lead to considerably more secure global communications.

While many news outlets have followed Chinese state media’s cue and described the technology as “hack-proof,” a more appropriate descriptor would be “tamper resistant.” (Nothing is “hack-proof.”) Quantum crypto-systems achieve this by exploiting the quirky properties of subatomic particles. Here’s how the science works.

The fundamental problem of cryptography involves exchanging keys—secret alphanumeric strings—that enable people to encode and decode messages. When two parties swap keys, they normally have no indication whether anyone has intercepted them; an interloper with stolen keys can eavesdrop on correspondence or manipulate it. When quantum science is applied, the keys can be made to self-destruct or change if a third party interferes with their transmission. The keys are sent using pairs of entangled photons, or light particles that share a special bond, to carry the information. The Wall Street Journal quoted an executive familiar with the technology as comparing it to “sending a message written on a soap bubble.” Touch, and it pops.

The technology is defensive in nature. China, which has increased funding for basic science research in this area over the past few years (likely in response to revelations about other countries’ hacking capabilities), played that aspect up by naming the satellite Micius in honor of an ancient Chinese philosopher who preached a philosophy of “universal love.”

Dubbed Quantum Experiments at Space Scale, the Chinese experiment is not the first time quantum key distribution has been attempted. Ground-based fiber optic networks have successfully transmitted quantum keys in the United States, Europe, and China. Other countries like the U.K. and Singapore have smaller experiments in the works. Bringing this quantum technology to a satellite network will be a grand feat, however. The team, led by Pan Jianwei, said they would attempt to transmit quantum keys from Beijing to Vienna to test the system’s feasibility. The experiment of beaming finicky particles over vast distances will be tricky. Yet it could vault China over the international competition in counter-surveillance tech if it does succeed. For space-based quantum cryptography, the race is on.
[cryptography] Symantec to Acquire Blue Coat and Define the Future of Cybersecurity
It feels like there's a loss of separation of concerns between the CA unit and the Interception unit under the Symantec umbrella. Given Symantec's track record, I'm kind of suspicious.

http://www.symantec.com/about/newsroom/press-releases/2016/symantec_0612_01

MOUNTAIN VIEW, Calif. and SUNNYVALE, Calif. – June 12, 2016 – Symantec (NASDAQ: SYMC) and Blue Coat, Inc. today announced that they have entered into a definitive agreement under which Symantec will acquire Blue Coat for approximately $4.651 billion in cash. The transaction has been approved by the Boards of Directors of both companies and is expected to close in the third calendar quarter of 2016. Greg Clark, Chief Executive Officer of Blue Coat, will be appointed Chief Executive Officer of Symantec and join the Symantec Board upon closing of the transaction.

Blue Coat is the #1 market share leader and share gainer in Web Security with a widely recognized portfolio of integrated technologies serving as a trusted platform to deliver Cloud Generation Security to more than 15,000 customers worldwide. For Blue Coat’s fiscal year ending April 30, 2016, GAAP revenue was $598 million and non-GAAP revenue was $755 million, with 17% year-over-year growth, supported by new products and new customers. For the same time period, the company had non-GAAP operating margins of 22% and cash flow from operations of $135 million. Also for this time period, GAAP operating margins were -42%.

...
Re: [cryptography] MalwareBytes
On Fri, Jun 24, 2016 at 2:30 PM, Ron Garret wrote:
> What matters is not the certificate. The certificate is public. You can’t
> “steal" a certificate.
>
> What you *can* steal is the private key associated with a certificate, and
> the more time goes by the more likely it becomes that someone has done so.
>
> However, the expiration date is completely arbitrary. There’s nothing magic
> that happens on the expiration date that makes a cert significantly less
> secure the day after it expires than it was the day before

In principle, I think it does. The CA's responsibility (warranty) ends when the certificate expires. Once the certificate is expired it will not be added to a CRL, so it could not be revoked. In fact, if it was revoked, then it will be removed from the CRL.

Whether that system works in practice is a colorful subject that Dr. Gutmann does a great job of poking fun at in his book Engineering Security (http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

Jeff
Re: [cryptography] RDRAND not really random with Oracle Studio 12.3 + patches
> While the code doesn't follow the SDG guidelines (i.e. it doesn't check for
> the return status and it doesn't check for the instruction support) it
> should work because RdRand doesn't underflow in any of our chips. Is this
> running in a VM or on bare metal?

I'm not sure. I forwarded it to CERT. I hope they assign a CVE and obtain more details.

> I tried compiling that code on an Ivy Bridge machine running Linux, but it
> failed to compile..
>
>>gcc rdrand.c -o rdrand
> rdrand.c:1:29: fatal error: sys/immintrin.h: No such file or directory
> compilation terminated.

I'm fairly certain you need to use Sun Studio's CC. E.g.,

$ /opt/solarisstudio12.3/bin/cc -native -m64 -xarch=aes test.cc -o test.exe

There's a procedure to acquire Sun Studio: https://docs.oracle.com/cd/E37069_01/html/E37072/gozsz.html . Once you have the keys, you can install 12.2, 12.3, 12.4, etc.

> So I pointed the header to the right place and spent an eternity finding I
> needed the -mrdrnd target to make the intrinsic happy.
>
> #include --> #include

Lol... For GCC and Clang, try . (There's a long history behind that chuckle).

> So it must be some sort of compiler bug or VM problem.

Yeah, it appears to be related to Sun Studio. Bare metal and VMs are a different story.

Bare metal XEON 5200's (no RDRAND, expected):

$ isainfo -v
64-bit amd64 applications
        ssse3 ahf cx16 sse3 sse2 sse fxsr mmx cmov amd_sysc cx8 tsc fpu
32-bit i386 applications
        ssse3 ahf cx16 sse3 sse2 sse fxsr mmx cmov sep cx8 tsc fpu

VM on top of Core i5-3200 (+AES, +RDRAND, -RDSEED):

64-bit amd64 applications
        sse4.2 sse4.1 ssse3 tscp ahf sse3 sse2 sse fxsr mmx cmov amd_sysc cx8 tsc fpu
32-bit i386 applications
        sse4.2 sse4.1 ssse3 tscp ahf sse3 sse2 sse fxsr mmx cmov sep cx8 tsc fpu

Same Core i5-3200 host with a Linux guest shows aes, rdrand, xsave, pcclmulqdq, etc.

I have a Core i7-5000 (+AES, +RDRAND, +RDSEED) on a headless server with Libvirt. I have to perform the net install, but it's been giving me trouble.
I hope to have it stood up over the next couple of days.

Jeff

- The following may be helpful. Some familiar preprocessor macros are missing. In this respect, it's kind of like Microsoft where you base feature availability on compiler version. In this case, Sun Studio 12.3 is __SUNPRO_CC 0x5130, and that means AES is available if -xarch=aes is on the command line.

$ /opt/solarisstudio12.4/bin/CC -native -m64 -xarch=aes -E -xdumpmacros /dev/null 2>&1 | sort
#1 "/dev/null"
#define __alignof__ __alignof
#define __amd64 1
#define __amd64__ 1
#define __ARRAYNEW 1
#define __asm asm
#define __asm__ asm
#define __attribute __attribute__
#define __builtin_constant_p __oracle_builtin_constant_p
#define __builtin_fpclassify __oracle_builtin_fpclassify
#define __builtin_huge_val __oracle_builtin_huge_val
#define __builtin_huge_valf __oracle_builtin_huge_valf
#define __builtin_huge_vall __oracle_builtin_huge_vall
#define __builtin_infinity __oracle_builtin_infinity
#define __builtin_isfinite __oracle_builtin_isfinite
#define __builtin_isgreater __oracle_builtin_isgreater
#define __builtin_isgreaterequal __oracle_builtin_isgreaterequal
#define __builtin_isinf __oracle_builtin_isinf
#define __builtin_isless __oracle_builtin_isless
#define __builtin_islessequal __oracle_builtin_islessequal
#define __builtin_islessgreater __oracle_builtin_islessgreater
#define __builtin_isnan __oracle_builtin_isnan
#define __builtin_isnormal __oracle_builtin_isnormal
#define __builtin_isunordered __oracle_builtin_isunordered
#define __builtin_nan __oracle_builtin_nan
#define __builtin_signbit __oracle_builtin_signbit
#define __BUILTIN_VA_STRUCT 1
#define __cplusplus 199711L
#define __DATE__ "Jun 13 2016"
#define __FILE__
#define __has_attribute(x) __oracle_has_attribute(x)
#define __has_nothrow_assign(x) __oracle_has_nothrow_assign(x)
#define __has_nothrow_constructor(x) __oracle_has_nothrow_constructor(x)
#define __has_nothrow_copy(x) __oracle_has_nothrow_copy(x)
#define __has_trivial_assign(x) __oracle_has_trivial_assign(x)
#define __has_trivial_constructor(x) __oracle_has_trivial_constructor(x)
#define __has_trivial_copy(x) __oracle_has_trivial_copy(x)
#define __has_trivial_destructor(x) __oracle_has_trivial_destructor(x)
#define __has_virtual_destructor(x) __oracle_has_virtual_destructor(x)
#define __is_abstract(x) __oracle_is_abstract(x)
#define __is_base_of(x,y) __oracle_is_base_of(x,y)
#define __is_class(x) __oracle_is_class(x)
#define __is_empty(x) __oracle_is_empty(x)
#define __is_enum(x) __oracle_is_enum(x)
#define __is_final(x) __oracle_is_final(x)
#define __is_literal_type(x) __oracle_is_literal_type(x)
#define __is_pod(x) __oracle_is_pod(x)
#define __is_polymorphic(x) __oracle_is_polymorphic(x)
#define __is_standard_layout(x) __oracle_is_standard_layout(x)
#define __is_trivial(x) __oracle_is_trivial(x)
#define __is_union(x) __oracle_is_union(x)
#define __LINE__
#define __LP64__ 1
#define __PRAGMA_REDEFINE_EXTNAME 1
#define
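The failure mode in this thread is a hardware generator whose output stops varying while the calling code never checks it. An added example, not from the thread or from any of the compilers it mentions: the repetition count test (RCT) that NIST SP 800-90B (section 4.4.1 of the published recommendation) specifies as a continuous health test for entropy sources, applied here to 32-bit words as they come out of a generator. The cutoff C = 1 + ceil(-log2(alpha)/H) with alpha = 2^-20 is the recommendation's formula; H is the min-entropy per sample the source is credited with and must be supplied by the caller. The class and function names and the two sample streams are this example's own constructions.

```python
"""Repetition count test (RCT) from NIST SP 800-90B, applied to 32-bit samples.

Added example; names and sample streams are constructed for illustration.
"""
import math

ALPHA_LOG2 = 20  # alpha = 2^-20, the false-positive rate SP 800-90B recommends


def rct_cutoff(min_entropy_per_sample: float, alpha_log2: int = ALPHA_LOG2) -> int:
    """C = 1 + ceil(-log2(alpha) / H).

    A source with H bits of min-entropy per sample repeats the same value C
    times in a row with probability at most alpha, so a run of that length is
    treated as a generator failure rather than bad luck.
    """
    if min_entropy_per_sample <= 0:
        raise ValueError("min-entropy per sample must be positive")
    return 1 + math.ceil(alpha_log2 / min_entropy_per_sample)


class RepetitionCountTest:
    """Stateful continuous test: fails, and stays failed, once `cutoff`
    consecutive samples are identical (a wedged DRNG returning a constant)."""

    def __init__(self, min_entropy_per_sample: float):
        self.cutoff = rct_cutoff(min_entropy_per_sample)
        self._last = None
        self._run = 0
        self.failed = False

    def feed(self, sample: int) -> bool:
        """Consume one sample; return False once the test has failed."""
        if sample == self._last:
            self._run += 1
        else:
            self._last, self._run = sample, 1
        if self._run >= self.cutoff:
            self.failed = True
        return not self.failed


def first_failure_index(samples, min_entropy_per_sample: float):
    """Index at which the RCT first fails over `samples`, or None if it never does."""
    rct = RepetitionCountTest(min_entropy_per_sample)
    for i, s in enumerate(samples):
        if not rct.feed(s):
            return i
    return None


# Constructed sample streams (not real RDRAND output).
HEALTHY = [0x1F2E3D4C, 0x9A8B7C6D, 0x00000001, 0xDEADBEEF, 0x13579BDF, 0x2468ACE0]
STUCK = [0x1F2E3D4C, 0x9A8B7C6D] + [0xFFFFFFFF] * 8  # generator wedged at all-ones


if __name__ == "__main__":
    for label, stream in (("healthy", HEALTHY), ("stuck", STUCK)):
        for h in (32, 8):
            print(f"{label:8s} H={h:2d} cutoff={rct_cutoff(h)} "
                  f"first failure at index {first_failure_index(stream, h)}")
```

Crediting the source with the full 32 bits per word (H = 32) gives a cutoff of 2, so any two consecutive identical words trip the test; a genuine full-entropy source does that with probability 2^-32 per draw, well under alpha. Crediting it with less (H = 8) raises the cutoff to 4 and tolerates short coincidences. The RCT only catches a stuck or near-stuck generator; it says nothing about subtler bias, which is what the adaptive proportion test and the offline estimators in the same recommendation are for.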
Re: [cryptography] RDRAND not really random with Oracle Studio 12.3 + patches
On Fri, Jun 10, 2016 at 7:50 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Ouch... just came across this...
> https://community.oracle.com/thread/2565486?start=0=0
>
> I did not think it was possible to foul the hardware generated random
> numbers (sans an occasional underflow).

Yuck, and this: "_rdrand32_step still broken (Solaris Studio 12.4 Beta)", http://community.oracle.com/thread/3539230?start=0=0.
[cryptography] RDRAND not really random with Oracle Studio 12.3 + patches
Ouch... just came across this... https://community.oracle.com/thread/2565486?start=0=0

I did not think it was possible to foul the hardware generated random numbers (sans an occasional underflow).

Jeff
Re: [cryptography] You can be too secure
On Thu, May 5, 2016 at 2:45 PM, Ron Garret wrote:
>
> On May 5, 2016, at 11:13 AM, Kevin wrote:
>
>> One can never be too secure!
>
> Actually, I learned the hard way last week that this is not true.
>
> Four years ago I bought a 2010 MacBook air from a private party (i.e. I’ve
> owned it for four years, and it was two years old when I bought it). I did a
> clean install of OS X, and used the machine with no problems for the next
> four years.
>
> Last week, someone apparently put an iCloud lock on the machine. It turns
> out that wiping the hard drive does not remove the machine’s iCloud binding.
> If the machine has been associated with an iCloud account at any time in its
> history, only the owner of the associated account (or Apple) can remove that
> binding. And Apple will only do it if you can produce a proof-of-purchase,
> which for them is a receipt from an authorized reseller. The iCloud lock is
> implemented in EFI firmware, so not even replacing the internal drive will
> remove it.
>
> It gets worse: Apple refuses to contact the owner of the iCloud account that
> placed the lock. The lock message provides no information (it simply says,
> “Machine locked pending investigation.”) So even if the machine I bought was
> stolen (I have a lot of evidence that it wasn’t, but no proof) I can’t return
> it to its rightful owner because I have no idea who it is. Apple knows, but
> they won’t tell me (which is understandable) nor will they contact that
> person on my behalf (which is not). They also don’t provide any way of
> checking whether a Mac has an existing iCloud binding. (They provide this
> service for mobile devices, but not for Macs.) The only way to tell is to
> take the machine into an Apple store and have them check it.
>

Drag them into court... Let them spend $25,000 attempting to defend their position. It will cost you about $50.00 to file it. Money is the only thing corporations care about. Hit back where it hurts.

Jeff
Re: [cryptography] USG-Apple - 3/22/16 Hearing Procedures, Add 3 USGs
It sounds like it's turning into a circus sideshow:

    ... in addition to Courtroom 4, there will be additional overflow rooms in which the hearing will be shown on video screens. All of these rooms together can accommodate up to a total of 324 spectators. Admission tickets for these seats will be distributed outside the courthouse starting at 7:00 a.m. on March 22, 2016.

I hope it gets good media coverage, like the OJ Simpson trial. If the government sides with the government (what a surprise that would be) I hope the US citizens riot orders of magnitude larger than Rodney King.

On Fri, Mar 18, 2016 at 8:52 AM, John Young wrote:
> USG-Apple - 3/22/16 Hearing Procedures, Add 3 USGs
>
> https://cryptome.org/2016/03/usg-apple-181-184.pdf
[cryptography] NIST SP 800-90 B, Random Bit Generators Recommendation for the Entropy Sources Used for Random Bit Generation
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-B
Re: [cryptography] Hi all, would like your feedback on something
On Mon, Dec 21, 2015 at 10:39 AM, Brian Hankey wrote:
>
>> From: Givon Zirkind
>>
>> On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
>>> The problem you address is certainly real. And a lot of people have
>>> looked at various approaches over the decades. None, so far, is fully
>>> satisfactory. (I obviously believe that a well designed password
>>> manager is the best solution for most people available today, but I do
>>> not see them as the long term solution.) One common mistake
>> IMHO, the basic problem [on a meta level] is, that if you put all your
>> passwords [eggs] into one basket, all you have to do is steal the
>> basket. crack the master password to the password file and you have all
>> the passwords.
>>
>> old school, manually, ppl used to keep a rolodex of which files to look
>> in for the passwords to certain items. and, passwords would be hidden
>> in those files. ostensibly, the CIA does this with files that need to
>> "disappear". e.g. keeping a record in the Atomic Energy Commission's
>> files of some covert op. with a cross reference that tells someone
>> where to find it. who's going to look through a warehouse of files to
>> find a record? it's like a needle in a haystack. if you could
>> implement that electronically, that would probably be the best way to
>> go. imho.
>
> This particular needle got lost in the haystack of my inbox… very interesting
> idea. Do you have any preliminary ideas on how to implement that
> electronically? I am not sure where to begin.
>

Yeah, it's a good idea for many users under a number of threat models and use cases. It's also the reason that, say, Gmail recovery codes that are printed and sit in a desk drawer are usually OK. The primary threat is the network attacker, and he/she does not have access to your desk drawer.

As Gutmann wrote in his book (p. 528):

    This 1960s perspective of computing is the type of threat model that some of the password-security guidelines that are in use today were designed to counter! What’s worse is that even today, decades after these archaic threat models were employed as the basis for password-usage guidelines, we’re still fairly consistently giving users the wrong advice about password security such as “Passwords are like underwear, change them often” (solving no identifiable problem but creating several new ones, see “Password Lifetimes” on page 537) and “Firewalls are useless if passwords are stuck to the monitor with a Post-it” [9] (phishers are pretty creative but the one thing they haven’t managed to do yet is reach out of the monitor to read your Post-it notes, see “Passwords on the Client” on page 577). As Bob Blakley puts it, “despite the fact that both attacks and losses have approximately doubled every year since 1992, we continue to rely on old models that are demonstrably ill-suited to the current reality and don’t inhibit the ongoing march of failure” [10].

Jeff
Re: [cryptography] Hi all, would like your feedback on something
> The question we are trying to answer here is how could we all have ultra
> strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and
> every website, email, social media, etc. service that we use but without
> having to trust any third parties to store them for us protected by single
> password (perhaps with 2 factor authentication, hardware key, etc.,
> admittedly), or to use some kind of local password manager that needs to be
> installed on every device you want to use it on with a local encrypted
> password file. Lastly, it should be extremely resistant to rainbow tables
> if and when one of your passwords is leaked.

Peter Gutmann's Security Engineering (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) has a good treatment of Passwords in general. See Chapter 7 on page 563.

John Stevens of OWASP performed threat modelling of passwords in storage on the server. See Secure Password Storage (https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g).
Re: [cryptography] "There is something Google can do. So they should do it."
On Fri, Nov 27, 2015 at 5:47 PM, Greg wrote:
> Thought this list would be interested in reading about the role that Google
> played in compromising 100k+ users (in addition to Dell):
>
> https://www.reddit.com/r/crypto/comments/3u92aw/dells_tumble_googles_fumble_and_how_government/cxejl5y

They seem to be missing the issue (if I am parsing it correctly):

REDDIT > So you are saying that Chrome should roll out its own
REDDIT > cert store because relying on Windows 10's cert store is
REDDIT > insecure?
REDDIT >
REDDIT > Sorry your argument seems very weak and odd to me.
REDDIT > It also detracts away from the severity of what Dell has done.

That's not Chrome or Windows per se. Rather, it is a feature of the Web/Browser security model. In the security model, proxying and interception is a valid use case. You can thank the browser (in)security engineers for that.

It's not just limited to W3C participants. The IETF just jumped on the "proxying and interception is a valid use case" bandwagon with RFC 7469, "Public Key Pinning with Overrides" (https://tools.ietf.org/html/rfc7469). Check out section 4, and then try to find what the override is supposed to do, or additional information or guidance on using it.

Finally, don't look to the IETF to help distinguish the "good" bad guys from the "bad" bad guys when a conforming user agent does override (or tries to decide if it should override). I've been trying to discover that myself. See "How do we differentiate authentic servers from proxies performing TLS interception", https://www.ietf.org/mail-archive/web/pkix/current/msg33425.html.

And finally (and either humorously or sadly, depending on your state of mind), the PKIX's position is there's no difference between authentic server authentication and an imposter pretending to be an authentic server. They are happy to allow a CA to issue certificates for either usage, even though they appear to be as diametrically opposed as you can get.

The NSA and GCHQ do not need to limit cryptography or algorithms. They just need more browser (in)security engineers in more working groups.

Jeff
Re: [cryptography] This is bad. THis is really bad. (Isn't it?)
On Wed, Nov 25, 2015 at 9:16 AM, Dave Howe wrote:
> On 25/11/2015 12:59, Florian Schütz wrote:
>> This is true for Chrome and, I think, for Firefox as well. Some
>> enterprises insist on MITMing TLS connections at a proxy, and at least
>> Chrome will not break this. They argue if they were to strictly
>> enforce Pins, people would just switch to a more permissive browser. I
>> agree with their line of thought.
> Yup. Firefox of course isn't aware of this Dell key, as it is in the
> windows keystore, so will fail to validate such a certificate

Chrome will fall victim because they use the OS store (http://www.chromium.org/Home/chromium-security/root-ca-policy)... Chrome will even break a known good pinset.

Priorities of Constituencies and all the other web/security model goodness (http://www.w3.org/TR/html-design-principles/#priority-of-constituencies)...

Jeff
Re: [cryptography] Varoufakis claims had approval to plan parallel banking system for Greece
On Sun, Jul 26, 2015 at 6:38 PM, John Young j...@pipeline.com wrote:
> Varoufakis claims had approval to plan parallel banking system for Greece
> http://www.ekathimerini.com/199945/article/ekathimerini/news/varoufakis-claims-had-approval-to-plan-parallel-banking-system
>
> Allegedly aided by Columbia University IT professor to design a hack of existing taxation systems.
>
> Columbia Computer Science Faculty
> http://www.cs.columbia.edu/people/faculty

Forgive my ignorance... Is this one of Greenspan's disciples? Maybe one of Summers' friends. (US Academia seems to publish whatever the US Financial sector wants them to publish, regardless of how wrong it is. There are still economists who swear by the experiment in Iceland, and how well derivatives temper the US markets...).

I thought one of the cruelest jokes on the Soviet Union's collapse was the US sending economists to help the new Federation with their economies back in the 1980s... That was around the time of the SL bailouts (and we were told that would never happen again...). And Greenspan audited Keating's holdings, and extolled how healthy his banks were.

Jeff
Re: [cryptography] RSA signatures without padding
Suppose I have a message M for which I generate an RSA-2048 digital signature as follows:

    H = SHA-256(M)
    S = H^d mod N

Assume N = p*q is properly generated and d is the RSA private key.

And I verify the signature as follows:

    S^e mod N == H'

where H' is the SHA-256 of the message to be authenticated. Assume e is the RSA public key.

I *think* the signature could be malleable. That is, you could get both S to verify, and N - S to verify. Whether it's a problem (or not) depends on your expectations.

Since I've not used any padding, are there any flaws with the above approach? What if e = 3? What if e = 2^16+1?

Bernstein provides a really good history in RSA signatures and Rabin–Williams signatures: the state of the art, http://cr.yp.to/sigs/rwsota-20080131.pdf. He discusses why various steps are performed, like hashing the message rather than using the message directly.

You should be OK with 3 or even 2, though it complicates signing. Taking from Bernstein:

    State-of-the-art systems use exponent 2 rather than exponent 3. This speeds up verification, and improves the signature-compression and signature-expansion features discussed in subsequent sections. The signer’s secret primes p and q are chosen from 3 + 4 Z to simplify signing.

Jeff
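An added example, not part of the post or of Bernstein's paper: the Python below implements exactly the unpadded scheme above (S = H^d mod N with H = SHA-256(M), verified as S^e mod N == H') at toy key sizes, then checks the N - S question for each exponent the post asks about by computing what the verifier sees for N - S. The key generation (a small Miller-Rabin test, 512-bit N so the 256-bit digest never needs reduction), the seeded RNG and all function names are this example's own assumptions. Rabin-Williams signing with e = 2 (square roots modulo p, q in 3 + 4Z) is not implemented; for e = 2 only the verification identity is checked, which holds for any S.

```python
"""Unpadded RSA signature of a SHA-256 digest, plus the N - S malleability check.

Added example; key generation, RNG seed and names are assumptions of this code.
"""
import hashlib
import random
from math import gcd

_rng = random.Random(20150715)  # fixed seed: the example is reproducible


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes (assumed helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a nontrivial square root of 1 exists: composite
    return True


def modinv(a: int, m: int) -> int:
    """Modular inverse by extended Euclid (pow(a, -1, m) on Python >= 3.8)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def random_prime(bits: int, e: int) -> int:
    """Prime of exactly `bits` bits with gcd(p - 1, e) == 1, so e is invertible
    mod phi(N). Matters for e = 3: it divides p - 1 for half of all odd primes."""
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(p - 1, e) == 1 and is_probable_prime(p):
            return p


def keygen(bits: int, e: int):
    """Return (N, e, d). Toy sizes here; the post assumes RSA-2048."""
    p = random_prime(bits // 2, e)
    q = random_prime(bits // 2, e)
    while q == p:
        q = random_prime(bits // 2, e)
    return p * q, e, modinv(e, (p - 1) * (q - 1))


def digest_int(message: bytes) -> int:
    """H = SHA-256(M) read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, N: int, d: int) -> int:
    """S = H^d mod N, the unpadded scheme from the post."""
    return pow(digest_int(message), d, N)


def verify(message: bytes, S: int, N: int, e: int) -> bool:
    """S^e mod N == H' (the % N only matters for keys smaller than 256 bits)."""
    return pow(S, e, N) == digest_int(message) % N


def flipped_residue(S: int, N: int, e: int) -> int:
    """What the verifier computes for the other candidate signature, N - S."""
    return pow(N - S, e, N)


def sign_flip_survives(e: int, N: int, S: int) -> bool:
    """True when (N - S)^e == S^e (mod N), i.e. N - S verifies whenever S does.
    (-S)^e is -S^e for odd e and +S^e for even e, so the answer depends on e only."""
    return flipped_residue(S, N, e) == pow(S, e, N)


if __name__ == "__main__":
    msg = b"constructed message"  # sample input for the demo
    for e in (3, 65537):
        N, _, d = keygen(512, e)
        S = sign(msg, N, d)
        print(f"e={e}: S verifies={verify(msg, S, N, e)}, "
              f"N-S verifies={verify(msg, N - S, N, e)}, "
              f"(N-S)^e == N-H: {flipped_residue(S, N, e) == N - digest_int(msg)}")
    N, _, _ = keygen(512, 65537)
    print(f"e=2: (N-S)^2 == S^2 mod N for any S: {sign_flip_survives(2, N, 12345)}")
```

For odd e the verifier computes (N - S)^e ≡ (-S)^e ≡ -H (mod N), so N - S verifies only if 2H ≡ 0 (mod N), which cannot happen for an odd N and a nonzero H below N; for e = 2 the sign disappears and N - S always verifies alongside S. Which of those you care about is, as the post says, a matter of expectations; the example says nothing about the other consequences of leaving out padding that Bernstein's paper covers.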
Re: [cryptography] Caspar Bowden has died
On Thu, Jul 9, 2015 at 10:12 AM, John Young j...@pipeline.com wrote:
> Privacy activist Caspar Bowden has died
> https://translate.google.com/translate?sl=autotl=enjs=yprev=_thl=enie=UTF-8u=https%3A%2F%2Fnetzpolitik.org%2F2015%2Fdatenschutz-aktivist-caspar-bowden-ist-gestorben%2Fedit-text=

Oh wow. We had dinner in Washington, DC last year. He was not old by any measures, and he surely did not appear unhealthy.

Jeff
Re: [cryptography] chromium: unconditionally downloads binary blob
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909

> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts downloading
> Chrome Hotword Shared Module extension, which contains a binary without
> source code. There seems no opt-out config.
>
> that extension:
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me...

I think that's more browser security model goodness. All you need is a certificate because authentication = authorization. It's entrenched in powerful features and privileged contexts, which are discussed at Requirements for Powerful Features (http://www.w3.org/TR/powerful-features/). It includes things like Credential Management, Bluetooth, Location Services, and Service Workers (see section 3 for a more complete listing).

You may not even need an authentic certificate. Try intercepting it and see if it still ships off your data to whoever answers.

The Java applet sandbox was ruined with authentication = authorization thinking. It's to the point that authentic code should *not* be signed so the applet cannot escape the sandbox. See http://threatpost.com/javas-losing-security-legacy.

Jeff
Re: [cryptography] LastPass have been hacked, so it seems.
On Tue, Jun 16, 2015 at 9:24 AM, Givon Zirkind givo...@gmx.com wrote:
> keeping something safe in the cloud inherently requires trusting a third
> party. yeah, that says it all.

Right. And third parties cannot protect against the threat posed by officers of the court/legal jurisdiction. (Are National Security Letters considered in this threat, or are they a new threat due to operating outside the law in the US?).

> cloud computing is good for non critical stuff and stuff you want ppl to
> see anyway. like your web page. even then, javascript injection jacking
> your page, blah, blah. if the cloud is not good for HIPAA, banks, financial
> institutions, that should be a clue.

Studies are showing medical data is less safe in the cloud. See, for example, Study: Healthcare Industry Contains Most Cloud Data Breaches, http://talkincloud.com/cloud-computing-security/06152015/study-healthcare-industry-contains-most-cloud-data-breaches.

And remember, Apple moved user Keychains to its iCloud and they were subsequently breached. Apparently, Apple does not feel it's important enough to ensure it meets its own secure coding standards or properly QA it. Confer, CVE-2015-1065.

Jeff

> Sent: Monday, June 15, 2015 at 6:46 PM
> From: Moti m...@cyberia.org.il
> To: cryptography@randombit.net
> Subject: [cryptography] LastPass have been hacked, so it seems.
>
> I always had my doubts about keeping my passwords in the cloud. Let's hope
> for LastPass users that their data is as secure as LastPass claims it is.
> No reason to think otherwise of course, but still. If i read correctly
> between the lines, some people's (sensitive) data maybe on the wrong hands.
> I mean, what if Chinese hackers got it? (Yeah, it feels like i sound a bit
> Paranoid, but in this day and age, Chinese hackers are actually a thing:)
> are we sure that the Chinese government don't have enough computing power
> to unhash whatever was taken? just saying...
>
> https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
Re: [cryptography] OpenPGP in Python: Security evaluations?
> The main problem we were interested in solving here was to be able to keep key management tasks within a single memory address space, to avoid the problems relating to securely sending passphrases to other processes, and to be able to use the keys without the additional disk IO involved in needing to import the key into an on-disk keyring before being able to use it for anything.

I think the trend appears to be the opposite - you have a consumer in one process and a producer in another process. If the consumer gets compromised (like a web server), then the secrets don't get compromised as easily because the producer is out of process. I'm pretty sure GnuPG switched to that model. Libassuan is the dependency that's part of that mechanism. And I believe Microsoft's CryptoNG uses it too (but I may be wrong).

> We did an internal security audit of PGPy 0.3.0 shortly before releasing it, but I would definitely be grateful for additional eyes on the code, maybe when 0.4.0 comes out (which I am working toward). If anyone is interested, wants to share concerns, etc, I would welcome the discussion.

There are a few ways to approach it. The first thing I would do is pick the low hanging fruit. It's like folks like Bellovin and Gutmann say: why go through the crypto when you can go around it?

Get static and dynamic analyzers on the library. Compilers and their warning system are a good first line defense. Clang and its sanitizers are a good tool (https://docs.python.org/devguide/clang.html). And don't forget about Coverity's free scanning service for FOSS software (https://scan.coverity.com/). Once the low hanging fruit is picked, then move onto the specialized audits, like secure coding for the platform, platform security integration, and cryptography.

Jeff

On Fri, Jun 12, 2015 at 12:05 AM, Michael Greene mgre...@securityinnovation.com wrote:
> Hello there, I am the author of PGPy - I figured I’d chime in here, even though I have clearly noticed this discussion a little bit late.
>
> When I decided that taking up the project of building a pure-Python OpenPGP implementation would be worthwhile, I did so after evaluating all of the existing Python libraries I could manage to find. The main reason I started the project was because very nearly all of the Python libraries for working with PGP were either wrappers around the gpg binary, or GPGME bindings (which itself is a wrapper around the gpg binary, but written in C).
>
> To be honest, I’m not sure if calling PGPy “pure-Python” is necessarily 100% correct. Although PGPy itself is 100% implemented in Python, I did not implement any of the actual crypto myself - that is handled by the Cryptography library, which uses cffi to invoke methods from existing libraries (the default currently being OpenSSL, but the possibility to plug into alternate backends exists as well).
>
> So basically, practically the only way to be able to use PGP in Python was, one way or another, to call out to the GPG binary (and as it turns out, platform portability in that context is a difficult proposition - the largest category of related StackOverflow questions I happened across while searching for as many of these libraries as I could were questions from people who were having difficulty getting them to work on different platforms - often Windows, but probably not all of them. That particular issue was not something we were necessarily gunning for, but it might be nice for a handful of people, at least.)
>
> The main problem we were interested in solving here was to be able to keep key management tasks within a single memory address space, to avoid the problems relating to securely sending passphrases to other processes, and to be able to use the keys without the additional disk IO involved in needing to import the key into an on-disk keyring before being able to use it for anything. As a bonus, it turns out that doing the parsing natively in Python and not having to incur the additional overhead of spinning up an external process and communicating with it over pipes is actually tangibly faster, especially when repeating relatively quick operations (like signing a number of separate things in a row).
>
> We did an internal security audit of PGPy 0.3.0 shortly before releasing it, but I would definitely be grateful for additional eyes on the code, maybe when 0.4.0 comes out (which I am working toward). If anyone is interested, wants to share concerns, etc, I would welcome the discussion.
Re: [cryptography] Designing a key stretching crypto that maximize use of WebCrypto?
On Mon, May 4, 2015 at 2:10 AM, Fabio Pietrosanti (naif) - lists li...@infosecurity.ch wrote:
> Hi all, testing the lovely slowness of a pure scrypt implementation in javascript running in the browser, I was wondering whether anyone ever tried to think/design a cryptosystem for key stretching purposes that leverages only the existing WebCrypto API (https://www.chromium.org/blink/webcrypto) with the goal of using, let's say, 80% of CPU time on native-crypto-code rather than JS code? In the browser, native crypto code through the WebCrypto API obviously works much faster than JS crypto code (how much?)!

Just bike shedding, but I don't think that's fair to WebCrypto. WebCrypto provides a standard set of primitives, like hashes. But the selected hashes are designed to be fast, and not slow or memory hard. So comparing a WebCrypto PBKDF based on SHA-X is akin to comparing apples and oranges. Also see https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0706.html.

Jeff
Re: [cryptography] AES Implementation
On Tue, May 12, 2015 at 5:47 AM, Givon Zirkind givo...@gmx.com wrote:
> Hi, Can anyone recommend an open source AES library in some flavor of C?

It depends on your goals and threat models. If any old library will do, then check out https://wiki.openssl.org/index.php/Related_Links and http://www.cryptopp.com/wiki/Related_Links. They are fairly comprehensive and up-to-date lists of security libraries. Pick the one whose documentation best suits your taste.

If you are interested in correctness, speed, and hardening against not-so-common attacks like side channel attacks, then you should see if Bernstein has anything. Libraries like Crypto++ and OpenSSL use table driven implementations, and they are susceptible to side channel attacks. Bernstein makes great effort to avoid them.

Jeff
[cryptography] Chinese CA banned in Chrome
Chinese CA banned in Chrome: http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/

Apple is not following suit with this: https://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086
Re: [cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root
On Sun, Apr 5, 2015 at 6:25 PM, ITechGeek i...@itechgeek.com wrote:
> So does this mean Iran and the like can stop hacking CAs and buy their own GeoTrust cert to MITM their population?

Yeah, it's been around for a while. What's surprising (or maybe not) is that the CA is still not constraining the organizations even though a technical control is available to do so. Do away with the independent third party that assesses the signing request, don't bother with the security controls to limit the impact of a bad actor, and then allow the organization to operate on best behavior. Sigh...
[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root
http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html

It appears Google's Internet Authority G2 (https://pki.google.com) could be part of this program since the subordinate CA is certified by GeoTrust Global CA. If you look at the certificate, it is *not* name constrained so Google can mint certificates for any domain (and not just its web properties). I'm not too worried about Google. But I can't say the same for any old organization that joins this program.

Both the IETF and CA/B Forums have name constraints that could be used to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name Constraints and Baseline Requirements, 9.7 Technical Constraints in Subordinate CA Certificates via Name Constraints.

I'm not sure if the program targeting organizations as a subordinate CA is a bad idea or if GeoTrust is doing a bad job by not using name constraints. But as it stands, I don't like the smell of things.
Re: [cryptography] SRP 6a + storage of password's related material strength?
On Fri, Mar 13, 2015 at 5:06 PM, Fabio Pietrosanti (naif) - lists li...@infosecurity.ch wrote:
> On 3/13/15 3:11 PM, Solar Designer wrote:
>>> Because SRP protocol is cool, but I'm really wondering if the default methods are strong enough against bruteforcing.
>>
>> They are not.
>
> That was my concern. Has anyone ever tried to make SRP authentication protocol extensions/specs to work with server-side storage of hashes based on scrypt?

I believe the SRP verifiers are the equivalent to a salted, digested password in traditional password-based systems. (Some hand waving - for example, the verifiers are taken modulo n). If Scrypt provides the same security properties as provided by SHA and Whirlpool, then Scrypt should be a compatible replacement. It should not matter that Scrypt provides more security properties (namely, the memory hardness).

Jeff
[cryptography] OT: THE GREAT SIM HEIST
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

> AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.
>
> The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania. In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”
>
> With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
>
> As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries. Gemalto was totally oblivious to the penetration of its systems — and the spying on its employees. “I’m disturbed, quite concerned that this has happened,” Paul Beverly, a Gemalto executive vice president, told The Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.” He added that “the most important thing for us now is to understand the degree” of the breach.
>
> Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”
>
> ...
Re: [cryptography] Just how bad is OpenSSL ?
> The source code is mostly written to the OpenSSL coding standards, which are seriously different from any other coding standard I've seen (it's not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle). Nonconformance with the coding standards in later patches is very common, so it's a mishmash of indentation standards on top of that ...

Sorry to dig up an old thread. This seems news worthy for anyone who has spent time staring at the sources. [openssl-users] OpenSSL source reformat, http://openssl.6102.n7.nabble.com/openssl-users-OpenSSL-source-reformat-td55691.html.

On Fri, Oct 26, 2012 at 3:38 PM, Andy Isaacson a...@hexapodia.org wrote:
> On Fri, Oct 26, 2012 at 06:29:47PM +, John Case wrote:
>> So, given what is in the stanford report and then reading this rant about openssl, I am wondering just how bad openssl is ? I've never had to implement it or code with it, so I really have no idea. How long has it been understood that it's a mess (if it is indeed a mess) ? How dangerous is it ? It looks like the rant was published in 2009
>
> Bad is such a subjective measurement.
>
> OpenSSL is very very hard for a non-expert to code against. It's hard to figure out what interfaces you should use, what interfaces are well tested, what interfaces are known to be unsafe, and what interfaces are buggy but can be used safely with careful coding. It's fairly easy to accidentally disable security critical codepaths in the process of iterative "hmm that doesn't quite work, the docs are unclear, maybe this is a bug in my code or maybe a bug in OpenSSL?" that is a normal part of software development. If you need to implement anything even slightly different from what was expected by the authors.
>
> The source code is mostly written to the OpenSSL coding standards, which are seriously different from any other coding standard I've seen (it's not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle). Nonconformance with the coding standards in later patches is very common, so it's a mishmash of indentation standards on top of that. Naming conventions sometimes indicate that functions are strictly internal and should not be used by applications, but sometimes you have to use an internal API to get a necessary result and other times there are clearly internal APIs in the public namespace. I could go on.
>
> Overall, I would say that yes, OpenSSL is a huge mess for application developers. In that sense, it's very bad. On the other hand, it's the most thoroughly reviewed open source crypto implementation, and hasn't had very many security bugs found in the library per se. Its performance is fairly good. In that sense it's still the best option for some use cases.
Re: [cryptography] John Gilmore: Cryptography list is censoring my emails
On Thu, Jan 1, 2015 at 1:48 PM, Sadiq Saif li...@sadiqs.com wrote:
> On 1/1/2015 13:40, Adam Back wrote:
>> nah what am I thinking probably! 1988 if not earlier, 27 years :) The point is block lists suck, they're always blocking false things, and vigilante abusive takes 3x longer to take you off than for you to complain or unresponsive etc.
>
> DNSBLs do occasionally get false positives, this is true. In this case, it is not really a false positive if spammers are relaying spam through your insecure server is it?

Some of them willfully misclassify. In the past, one of the blacklist services used to escalate the range of the blacklist surrounding an IP if a provider/ISP did not stop a spammer. The blacklist range was made ever broader to apply pressure to the provider/ISP. I'm not sure if it's a current practice.

It got so bad with AT&T in the past that I could not send emails from a US federal agency to my home account because the home account was using one of those blacklist services. So my home account would reject the email from the federal agency because the list was expanded to a Class B or C (IIRC) to apply pressure to AT&T.

Jeff
[cryptography] Misuses/abuses of Sony's compromised root certificate?
Has anyone come across any reports of abuse due to Sony's compromised root? I believe it's named Sony Corp. CA 2 Root? I did not find it in the Windows 8.1 certificate store. Are any of the browsers carrying it around?
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sun, Aug 17, 2014 at 12:09 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:
> On 2014-08-16, at 4:51 PM, David I. Emery d...@dieconsulting.com wrote:
>> On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote:
>>> The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple.
>>
>> You may be right or may not, but I certainly have to think that if there is a backdoor password to Filevault2 it is quite likely that Apple would not choose to disclose that fact to just some random user who had lost files due to forgotten passwords.
>
> Right. We don’t know whether Apple escrows the key in the absence of people asking them to, but we do know that they do offer to store a “recovery” key when someone sets up FileVault2.

Did you know OS X ships the Keychain off to the iCloud in 10.9? http://www.apple.com/osx/whats-new/#icloud-keychain.

> So an instance of Apple being able to help someone recover their FileVault2 data proves absolutely nothing.

Did you know Apple did not revoke the defective FileVault2 binary? Who needs an angry maid when you can downgrade to a defective binary that spews the user password into a log? http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963

Jeff
Re: [cryptography] Question About Best Practices for Personal File Encryption
On Sat, Aug 16, 2014 at 5:21 PM, Christopher Nielsen m4dh4t...@gmail.com wrote:
> On Aug 15, 2014 11:06 PM, Mark Thomas mark00tho...@gmail.com wrote:
>> I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt individual files and folders or even entire drives like a USB? I am thinking that: 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to.
>
> The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple.

You can't trust Apple as far as you can pick them up and throw them. There's nothing special about Apple, and others are just as bad.

Also, less than one month old: Apple Confirms 'Backdoors'; Downplays Their Severity, http://www.zdziarski.com/blog/?p=3466.

And remember, according to Apple, they were not tracking users either. Apple faces class action suit for tracking users without consent, http://nakedsecurity.sophos.com/2014/08/04/apple-faces-class-action-suit-for-tracking-users-without-consent/.

And let's not forget this: Apple deluged by police demands to decrypt iPhones, http://www.cnet.com/news/apple-deluged-by-police-demands-to-decrypt-iphones/.

They've been caught lying so much they have no credibility.

Sorry to hear about your friend. Apple's unwillingness to help provides them with cover. They can't have documented cases of circumventing their security controls. That's bad for business.
Re: [cryptography] A post-spy world
On Mon, Aug 11, 2014 at 4:52 PM, John Young j...@pipeline.com wrote:
> We are moving toward a post-spy world, according to the guy that runs the CIA’s venture capital arm.
>
> http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver

The video of the keynote is available at http://www.lawfareblog.com/2014/08/dan-geer-cybersecurity-keynote-at-black-hat/.
Re: [cryptography] Implementing constant-time string comparison
On Wed, Jun 18, 2014 at 5:18 PM, D. J. Bernstein d...@cr.yp.to wrote:
>> ... would be unable to shortcut the loop if the arguments were merely declared as pointers to volatile storage
>
> The compiler would be required to access the storage but would still be allowed to skip the intermediate calculations. For example, it could convert
>
>     int result = 0;
>     int iszero;
>     for (i = 0;i < n;++i) result |= (x[i] ^ y[i]);
>     iszero = (result == 0);
>     return iszero - 1;
>
> into
>
>     int iszero = 1;
>     for (i = 0;i < n;++i) if (x[i] ^ y[i]) iszero = 0;
>     return iszero - 1;
>
> or into
>
>     int iszero = 1;
>     for (i = 0;i < n;++i) if (x[i] != y[i]) iszero = 0;
>     return iszero - 1;
>
> or into
>
>     for (i = 0;i < n;++i) if (x[i] != y[i]) goto shortcut;
>     return 0;
>     shortcut:
>     while (++i < n) { x[i]; y[i]; }
>     return -1;
>
> without violating the C language specification. You're deluding yourself if you think that the guarantees made by the C specification are adequate for writing constant-time code.
>
> What's the chance of a compiler screwing things up in this way? This isn't a question of language lawyering; it's a question of what the compiler writer is thinking. Has the compiler writer seen examples where it might seem useful to replace
>
>     result = 0; result |= ...; result |= ...; result == 0
>
> with
>
>     iszero = 1; if (...) iszero = 0; if (...) iszero = 0; iszero
>
> which would then hook nicely into early exits? Sure, the early exits should check for volatile memory accesses in the skipped calculations, but this doesn't mean that the replacement has to check for volatile.

The GCC folks interpret the standard to mean volatile applies to memory mapped from hardware. Using it in software to tame the optimizer is an abuse. [1] Microsoft compilers, on the other hand, interpret volatile in a way that's amicable to software (for example, a second thread changing the value at a memory location). [2]

Jeff

[1] https://gcc.gnu.org/onlinedocs/gcc/Qualifiers-implementation.html
[2] http://msdn.microsoft.com/en-us/library/12a04hfd%28v=vs.100%29.aspx
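An added example, not code from the thread or from any of its posters, of the accumulate-OR comparison in the shape quoted above, with a compiler barrier placed so the optimizer cannot rewrite the loop into the early-exit forms Bernstein lists; the barrier is GCC/Clang extended asm, which is an assumption about the compiler rather than a guarantee from the C standard, and the early-exit function is included only to show the leaking shape side by side.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constant-time equality check. Returns 0 when the two n-byte buffers are
 * equal and -1 otherwise (the same convention as the quoted snippets).
 * Every byte is visited and no branch depends on the data. */
int ct_compare(const unsigned char *x, const unsigned char *y, size_t n)
{
    unsigned int result = 0;
    unsigned int iszero;
    size_t i;

    for (i = 0; i < n; ++i)
        result |= (unsigned int)(x[i] ^ y[i]);

    /* Optimisation barrier (GCC/Clang extended asm, an assumption about
     * the toolchain). It tells the compiler that `result` is consumed by
     * something it cannot see, so the loop above cannot be collapsed into
     * an early-exit loop. MSVC would need its own barrier. */
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(result) : : "memory");
#endif

    /* result is in [0, 255]. (result - 1) wraps around only when
     * result == 0, so its top bit is 1 exactly when all bytes matched.
     * This collapses the accumulator to 0/1 without `result == 0`,
     * which a compiler may lower to a conditional. */
    iszero = (result - 1U) >> (sizeof(unsigned int) * CHAR_BIT - 1);
    return (int)iszero - 1;
}

/* For contrast: the early-exit comparison a compiler might produce from
 * the loop above. Its running time depends on the index of the first
 * differing byte, which is exactly the leak ct_compare avoids. */
int early_exit_compare(const unsigned char *x, const unsigned char *y, size_t n)
{
    size_t i;
    for (i = 0; i < n; ++i)
        if (x[i] != y[i])
            return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample tags (16 bytes each): a reference, an identical
     * copy, and a copy that differs only in its last byte. */
    static const unsigned char ref[]  = "0123456789abcdef";
    static const unsigned char same[] = "0123456789abcdef";
    static const unsigned char last[] = "0123456789abcdeX";

    printf("ct_compare(ref, same) = %d\n", ct_compare(ref, same, 16));
    printf("ct_compare(ref, last) = %d\n", ct_compare(ref, last, 16));
    return 0;
}
```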
Re: [cryptography] new OpenSSL exploitable bug?
On Thu, Jun 5, 2014 at 8:17 AM, ianG i...@iang.org wrote:
> Another in the rash of weaknesses. This might mean that the fabled many eyeballs have opened up?
>
> https://www.openssl.org/news/secadv_20140605.txt
>
> An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

For others interested in how this affects key bits, Rich Salz pointed to Adam Langley's write up at https://www.imperialviolet.org/2014/06/05/earlyccs.html. It's the best write up I have seen.

Jeff
Re: [cryptography] TrueCrypt
Does anyone know if Greenwald or Poitras are holding relevant documents?

Dr. Schneier does not have much to add: "I have no idea what's going on with TrueCrypt."

On Wed, May 28, 2014 at 4:35 PM, Sadiq Saif li...@sadiqs.com wrote:
> http://truecrypt.sourceforge.net/
> https://gist.github.com/anonymous/e5791d5703325b9cf6d1
> https://twitter.com/matthew_d_green
>
> So WTF happened?
[cryptography] OT: Snowden Interview
The interview is airing tonight. http://www.nbcnews.com/storyline/nsa-snooping/exclusive-edward-snowden-gives-wide-ranging-interview-brian-williams-n110351
Re: [cryptography] Best practices for paranoid secret buffers
On Tue, May 6, 2014 at 11:56 PM, Tony Arcieri basc...@gmail.com wrote:
> Can anyone point me at some best practices for implementing buffer types for storing secrets? There are the general coding rules at cryptocoding.net for example, that say you should use unsigned bytes and zero memory when you're done, but I'm more curious about specific strategies, like:
>
> - malloc/free + separate process for crypto

I think this is a good idea. I seem to recall the new FIPS 140 will have some language for it. I also seem to recall something about Microsoft's CryptNG, but I don't recall the details.

> - malloc/free + mlock/munlock + secure zeroing

On Microsoft platforms, you have `SecureZeroMemory` (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366877(v=vs.85).aspx). It is guaranteed *not* to be removed by the optimizer. On Linux, you have `bzero`, but I'm not sure about any guarantees. On OpenSSL, you have OpenSSL_cleanse. OpenSSL_cleanse is the most acrobatic of the three.

> - mmap/munmap (+ mlock/munlock)

Keeping secrets out of the page file or swap file can be tricky. VMs can be trickier.

> Should finalizers be explicit or implicit? (or should an implicit finalizer try to make sure buffers are finalized if you don't do it yourself?)

Not all languages have finalizers. Java has finalizers but tells you to put secrets in a char[] or byte[] so you can overwrite them manually: See, for example, http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#PBEEx (I think that link may be dead now). For those languages that do provide finalizers, it's sometimes impossible to ask them to wipe. See, for example, EditText and Sensitive Information (Wipe/Zeroize), https://code.google.com/p/android/issues/detail?id=36233.

> Are paranoid buffers worth the effort? Are the threats they'd potentially mitigate realistic? Are there too many other things that can go wrong (e.g. rewindable VMs) for this to matter?

I think they are worth the effort. Target's data breach was the result of (among others): memory scraping malware. At minimum, they cost next to nothing.

You also have wrapping. That is, a buffer gets a quick dose of XOR to mask the secrets while in memory but not in use. .Net's SecureString uses wrapping (http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.80).aspx), and NIST has a key wrap for symmetric encryption keys (http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf). Maybe the latter would have helped with Heartbleed, too... who knows.

Jeff
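An added illustration, not code from the thread or from any of the libraries it names, of two of the strategies discussed above: a wipe the optimizer cannot drop as a dead store (the intent of SecureZeroMemory and OPENSSL_cleanse, written independently here) and XOR wrapping of a secret while it sits idle in memory. The barrier assumes a GCC/Clang-compatible compiler; the 16-byte key and mask are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wipe that survives dead-store elimination: each byte is written through
 * a volatile pointer, so the stores are side effects the optimizer must
 * keep, and the barrier afterwards stops the compiler from treating the
 * buffer as dead because nothing reads it before free(). The barrier is
 * GCC/Clang extended asm (toolchain assumption); a plain memset() before
 * free() may legally be removed, which is the problem being avoided. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Returns 1 if all len bytes of buf are zero, 0 otherwise (wipe check). */
int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; ++i)
        acc |= buf[i];
    return acc == 0;
}

/* Wrapping as described above: XOR the secret with a mask while it is
 * resident but unused, so a memory scrape that finds only the buffer sees
 * masked bytes; the same call unmasks it. The mask has to live apart from
 * the secret, and a scraper that captures both still wins, so this raises
 * the attacker's effort rather than giving a hard guarantee. */
void xor_mask(unsigned char *buf, const unsigned char *mask, size_t len)
{
    size_t i;
    for (i = 0; i < len; ++i)
        buf[i] ^= mask[i];
}

/* Round trip on a constructed 16-byte key held in a malloc'd buffer:
 * mask it, confirm it no longer matches, unmask it, confirm it matches,
 * wipe it, confirm it is all zero, then free. Returns 1 when every step
 * behaves as described, 0 otherwise. */
int demo_roundtrip(void)
{
    static const unsigned char key[16] = {
        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
    static const unsigned char mask[16] = {
        0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a,
        0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a };
    unsigned char *buf = malloc(sizeof key);
    int ok = 1;

    if (buf == NULL)
        return 0;
    memcpy(buf, key, sizeof key);

    xor_mask(buf, mask, sizeof key);                 /* masked while idle */
    ok = ok && memcmp(buf, key, sizeof key) != 0;
    xor_mask(buf, mask, sizeof key);                 /* unmasked for use */
    ok = ok && memcmp(buf, key, sizeof key) == 0;

    secure_zero(buf, sizeof key);                    /* explicit finalizer */
    ok = ok && all_zero(buf, sizeof key);

    free(buf);
    return ok;
}

int main(void)
{
    printf("secret buffer round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```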
Re: [cryptography] Request - PKI/CA History Lesson
> For me the sentence, “I had little choice but to trust X” is perfectly coherent. Is it possible that you are letting your righteous anger at what browser vendors have done interfere with how you are defining “trust”?

That's the question with the elusive answer: how do you define trust. One of the better answers I have seen: X trusts Y to do Z. Plug in PKI: Users trust CAs to abide by their CP and CPS. (Now policy (CP) and procedures (CPS) need to be accepted).

Nonsensical counter example: Trustwave did not follow their CP, but they are still trusted. Does not compute...

Jeff

On Fri, May 2, 2014 at 1:41 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:
> On 2014-05-01, at 8:49 PM, ianG i...@iang.org wrote:
> On 1/05/2014 02:54 am, Jeffrey Goldberg wrote:
> On 2014-04-30, at 6:36 AM, ianG i...@iang.org wrote:
>
> OK. So let me back pedal on “Ann trusts her browser to maintain a list of trustworthy CAs” and replace that with “Ann trusts her browser to do the right thing”.
>
> Right, with that caveat about choice.
>
> I think that we are in fierce agreement. At first I didn’t understand the significance of your insistence on *choice*, but I see it now. More below.
>
> In this context, we would claim that users b-trust because they know they can switch. With browsers they cannot switch.
>
> Their choice is to transmit private information using their browsers. Their choice is to not participate in e-commerce.
>
> Right, there is always in economics some form of substitute. But actually we've probably moved beyond that as a society. I would say that e-commerce is utility grade now, so it isn't a choice you can really call a choice in competition terms.
>
> I agree that the behavior in b-trust must be about “choice behavior” in that Ann behaves one way instead of another. But I don’t think that we should have some minimal threshold of choice before we can call the behavior b-trust. As long as there is some non-zero amount of choice the behavior (in these cases) will exhibit a non-zero amount of trust. For me the sentence, “I had little choice but to trust X” is perfectly coherent. Is it possible that you are letting your righteous anger at what browser vendors have done interfere with how you are defining “trust”?
>
> All I’m asking is that we consider the people we are asking to “b-trust” the system. Can we build a system that is b-trustworthy for the mass of individuals who are not going to make c-trust judgements.
>
> Right, this is the question, how do we do that? That is what Certificate Transparency and Perspectives seek to do, as well as other thoughts. First they make the c-trust available by setting up alternate groups and paths. Then the c-trusters develop their followings of b-trusters.
>
> I agree with that last bit. In a sense, if people see that experts trust the system they will too. But how will this play out with Certificate Transparency for most users? What do they actually need to know and do to follow some c-trusters? There likely needs to be a group of c-trusters in the middle that mediate the trust of the b-trusters. And how will that work without putting unrealistic expectations on the vast majority of users. How do they pick which c-trusters to trust?
>
> I think that we have a higher chance of success if we use a language that can talk about agents who do not have a deep or accurate understanding of why a system is supposed to work. And so, I think that, with some refinement, my notion of b-trust is worthwhile.
>
> Yes it could be. It might not be applicable to web-PKI because the vendors confuse “X do the right thing by users” with “X' maintain a good CA list.”
>
> I’m confused. (Perhaps by the vendors?)
Re: [cryptography] Request - PKI/CA History Lesson
On Wed, Apr 30, 2014 at 10:07 AM, Marcus Brinkmann marcus.brinkm...@ruhr-uni-bochum.de wrote:
> On 04/30/2014 02:59 PM, d...@geer.org wrote:
>> As is so often found, there are multiple nuanced definitions of a word, trust being the word in the current case. Simply as a personal definition, trust is that state wherein I accept assertions at face value and do so because I have effective recourse should having let my guard down later prove to have been unwise. Restated as logic, "If I can trust, then I have effective recourse." and in contrapositive "If I have no effective recourse, then I cannot trust." ...
>
> If you have effective recourse, then by that definition trust is not required.

Exactly. Trust is what is used when you don't have a security control to place. Or won't place...

Jeff
Re: [cryptography] Request - PKI/CA History Lesson
On Mon, Apr 28, 2014 at 8:20 PM, Ryan Carboni rya...@gmail.com wrote:
> One can always start with the difficult first step of uninstalling certificate authorities you do not trust.

"Opera will autorepair damage to the certificate repository, a missing Certificate Authority is considered damage. Opera ships with a list of frequently used certificates, and if any of these are missing they will be added the next time the repository is read from disk. Other certificates will be added from the online repository as needed." - http://my.opera.com/community/forums/topic.dml?id=1580452

It's not just Opera. Others are using similar innovative methods to reduce the support load and costs.

Jeff

> On Mon, Apr 28, 2014 at 4:42 PM, ianG i...@iang.org wrote:
> On 29/04/2014 00:12 am, Ryan Carboni wrote:
>
> trust is outsourced all the time in the non-cryptographic world
>
> trust is built up all the time, risks are taken all the time, choice is taken all the time.
>
> unless you do not have a bank account
>
> That's not outsourced, that's direct, person to bank, the person has a choice, chooses to place her trust in that bank. Also, it is limited to defined things that are required, can't be done by the person, and bolstered by real backing such as FDIC.
>
> When you suggest "it's probably best we trust authorities" that is CA-playbook crapola meaning "you must trust the authorities that have been picked for you." The vector has been reversed, people are told what has to happen, so there is no trust. Trust derives from choice. Where is the choice?
>
> On Mon, Apr 28, 2014 at 3:00 PM, James A. Donald jam...@echeque.com wrote:
> On 2014-04-29 05:58, Ryan Carboni wrote:
>
> We happen to live on a planet where most users are ordinary users. given the extent of phishing, it's probably best we outsource trust to centralized authorities. Although it should be easier establishing your own certificate authority.
>
> Cannot outsource trust. Ann usually knows more about Bob than a distant authority does. A certificate authority does not certify that Bob is trustworthy, but that his name is Bob. In practice, however, we find that diverse entities have very similar names, and a single entity may have many names.
[cryptography] OT: Speeding up and strengthening HTTPS connections for Chrome on Android
Somewhat off-topic, but Google took ChaCha20/Poly1305 live.

http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html

Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don’t have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers. This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data. To make this happen, Adam Langley, Wan-Teh Chang, Ben Laurie and I began implementing new algorithms -- ChaCha 20 for symmetric encryption and Poly1305 for authentication -- in OpenSSL and NSS in March 2013. It was a complex effort that required implementing a new abstraction layer in OpenSSL in order to support the Authenticated Encryption with Associated Data (AEAD) encryption mode properly. AEAD enables encryption and authentication to happen concurrently, making it easier to use and optimize than older, commonly-used modes such as CBC. Moreover, recent attacks against RC4 and CBC also prompted us to make this change.

...
[cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

...
[cryptography] Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday's public disclosure of the vulnerability. It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure. In response to the story, EFF called for further evidence of Heartbleed attacks in the wild prior to Monday. The first thing we learned was that the SeaCat report was a possible false positive; the pattern in their logs looks like it could be caused by ErrataSec's masscan software, and indeed one of the source IPs was ErrataSec. The second log seems much more troubling. We have spoken to Ars Technica's second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit.

...
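A detector for the "contradictory length fields" pattern the EFF post describes, as an added example that is not part of the post: it parses the TLS record header and the heartbeat message inside it and flags a payload_length that cannot fit in the record. The probe bytes are the eight quoted above; the benign heartbeat record is constructed for comparison.

```python
"""Flag TLS Heartbeat records whose payload_length contradicts the record length.

Added example, not part of the EFF post above. HEARTBLEED_PROBE holds the
eight bytes quoted in the post; BENIGN_HEARTBEAT is a constructed well-formed
heartbeat for comparison. The rule applied is the bounds check the OpenSSL fix
added: 1 + 2 + payload_length + 16 must not exceed the record length.
"""
import struct

TLS_HEARTBEAT = 0x18      # record content type for Heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding


def parse_tls_record(data: bytes) -> tuple:
    """Return (content_type, version, record_length, body) for the first record."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return content_type, version, length, data[5:5 + length]


def classify_heartbeat(data: bytes) -> dict:
    """Classify one TLS record; 'suspicious' is set for the Heartbleed pattern."""
    content_type, version, rec_len, body = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "content_type": content_type}
    if rec_len < 3 or len(body) < 3:
        # No room for the 1-byte heartbeat type and 2-byte payload_length.
        return {"heartbeat": True, "suspicious": True, "reason": "record too short"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    # Bytes the record actually leaves for payload once the 3-byte heartbeat
    # header and the mandatory minimum padding are accounted for.
    available = rec_len - 3 - MIN_PADDING
    suspicious = declared > available
    return {
        "heartbeat": True,
        "version": version,
        "hb_type": hb_type,
        "record_length": rec_len,
        "declared_payload": declared,
        "suspicious": suspicious,
        "reason": "payload_length exceeds record length" if suspicious else "",
    }


# Bytes quoted in the post: Heartbeat record, TLS 1.1, record length 3,
# request type, payload_length 0x4000 = 16384 (far more than the record holds).
HEARTBLEED_PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")

# Constructed well-formed heartbeat: 1 + 2 + 4-byte payload + 16 padding = 23.
BENIGN_HEARTBEAT = (
    bytes.fromhex("18 03 02 00 17")
    + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4)
    + b"ping" + bytes(MIN_PADDING)
)

if __name__ == "__main__":
    for label, pkt in (("probe", HEARTBLEED_PROBE), ("benign", BENIGN_HEARTBEAT)):
        print(label, classify_heartbeat(pkt))
```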
Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
On Tue, Apr 8, 2014 at 6:46 AM, ianG i...@iang.org wrote:
On 7/04/2014 22:53 pm, Edwin Chu wrote:
...
E.g., if we cannot show any damages from this breach, it isn't worth spending a penny on it to fix!

Yes, that's outrageous and will be widely ignored ... but it is economically and scientifically sound, at some level.

This system works great for the firms involved. The first data breach I was part of, it cost me over $10,000 to fix. I did not find out until I had judgements against me, and the collection agencies came after me. The latest breach I got sucked into only involved a compromised credit card, so it only cost me $75 to have a new one shipped to me while I was out of town (I only have one credit card). Saving those pennies has worked out great for me. I'm glad the executives got their bonuses and the stock holders got their dividends.

Jeff
Re: [cryptography] Client certificates, Tor-exit nodes and renegotiation
On Thu, Apr 3, 2014 at 4:41 AM, Guido Witmond gu...@witmond.nl wrote:
On 04/03/14 01:31, Ryan Carboni wrote:
hackers will always take the path of least resistance as rational human beings you will see more trojans in the wild as a result of this

Agreed, when passive spying is impossible, spies go for active attacks. Current operating systems (Windows, Linux, MacOS) are not designed to protect against trojan horses. Android does slightly better with its permission model. However, it forces people to think like programmers to decide whether a certain permission is needed for an app or not.

Adding to the problem you mention. Android is all-or-nothing perms/caps at install time. You can't selectively turn off, for example, access to the network and address book for the flashlight app. Gutmann pokes fun at the model in his Engineering Security book. Selective enable/disable of perms/caps was recently added to Android via App Ops in 4.3. App Ops continued for a while in Android 4.4, but was removed in Android 4.4.2. See Google Removes Vital Privacy Feature From Android, Claiming Its Release Was Accidental, https://www.eff.org/deeplinks/2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them. Apple and Microsoft allow selective perms/caps at runtime.

Jeff
Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets
On Thu, Mar 13, 2014 at 1:57 AM, coderman coder...@gmail.com wrote:
https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf

TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means.

And Schneier's Guardian article on the Quantum and FoxAcid systems: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.
Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets
On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone jason.iann...@gmail.com wrote:
Are there details regarding Hammerstein? Are they actually breaking routers?

Cisco makes regular appearances on Bugtraq and Full Disclosure. Pound for pound, there's probably more exploits for Cisco gear than Linux and Windows combined.

Jeff

On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Mar 13, 2014 at 1:57 AM, coderman coder...@gmail.com wrote:
https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf

TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means.

And Schneier's Guardian article on the Quantum and FoxAcid systems: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.
Re: [cryptography] Comsec as Public Utility Beyond Illusory Privacy
Freedom of comsec, say, as a new entry in the US Bill of Rights could lead the way for it to be a fundamental element of Human Rights.

The Right to Privacy by Warren and Brandeis (1890) FTW!

NSA's ubiquitous spying on everybody at home and elsewhere with technology beyond accountability does raise the chances of getting agreement of all targets -- gov, com, edu, org -- to say enough is enough, national security has become a catchall for inexcusable invasion of the public realm.

Privacy is a human right in some parts of the world. See, for example, European Convention on Human Rights, Article 8. I wonder if anyone will be prosecuted for their human rights violations... I say hunt them all down like Nazi war criminals. Once a few politicians and top administration officials are executed, the rest will fall into place (one thing we *can* count on is a politician is out for himself/herself).

Jeff

On Thu, Mar 13, 2014 at 9:59 AM, John Young j...@pipeline.com wrote:
Snowden may have raised the prospect of comsec as a public utility like power, water, gas, sewage, air quality, environmental protection and telecommunications. Privacy protection has been shown to be illusory at best, deceptive at worst, due to the uncontrollable technology applied erroneously for national security. Each of the other public utilities began as private offerings before becoming commercialized and then institutionalized as necessities, many eventually near or wholly monopolies. Each also evolved into military targets for control, contamination, destruction, and in some cases excluded as too essential for civilian livelihood to target. Comsec as a right for human discourse rather than a commercial service could enforce privacy beyond easy violation for official and commercial purposes. Freedom of comsec, say, as a new entry in the US Bill of Rights could lead the way for it to be a fundamental element of Human Rights.

The problem will be as ever the commercial and governmental exploiters aiming to protect their interests against that of the public. FCC and NIST, indeed, the three branches, are hardly reliable to pursue this, so beholden to the spy agencies they cannot be trusted. NSA's ubiquitous spying on everybody at home and elsewhere with technology beyond accountability does raise the chances of getting agreement of all targets -- gov, com, edu, org -- to say enough is enough, national security has become a catchall for inexcusable invasion of the public realm.
[cryptography] OT: Possible Backdoor in SSL/TLS Implementation
Related to the earlier threads Design Strategies for Defending against Backdoors and Backdoors in software.

https://www.imperialviolet.org/2014/02/22/applebug.html
Re: [cryptography] Snowden Drop to Poitras and Greenwald Described
On Sat, Feb 8, 2014 at 6:28 PM, John Young j...@pipeline.com wrote:
http://cryptome.org/2014/02/snowden-drop.pdf (7.6MB)

That should be titled, How Greenwald nearly missed the scoop of the millennium. It appears the man did nearly everything in his power to undermine the contacts and the meetings.
Re: [cryptography] NSA, FBI creep rule of law, democracy itself (Re: To Protect and Infect Slides)
(Sorry to top post - I want to cherry pick one point).

What is a game changer is the relationship between the NSA and the other USA civilian agencies. The breach of the civil/military line is the one thing that has sent the fear level rocketing sky high,

Information sharing among agencies such as the FBI and CIA was written into the original NSA charter back in the 1950s. In fact, some would argue the failure to abide by the charter with respect to information sharing contributed to 9/11.

From the charter (http://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter):

b. The Board shall be composed of the following members:
(1) The Director of Central Intelligence, who shall be the Chairman of the Board.
(2) A representative of the Secretary of State.
(3) A representative of the Secretary of Defense
(4) A representative of the Director of the Federal Bureau of Investigation.
(5) The Director of the National Security Agency.
(6) A representative of the Department of the Army.
(7) A representative of the Department of the Navy.
(8) A representative of the Department of the Air Force.
(9) A representative of the Central Intelligence Agency.

Jeff

On Tue, Jan 7, 2014 at 10:24 AM, Adam Back a...@cypherspace.org wrote:
This is indeed an interesting and scary question:

On Sun, Jan 05, 2014 at 08:31:42PM +0300, ianG wrote:
What is a game changer is the relationship between the NSA and the other USA civilian agencies. The breach of the civil/military line is the one thing that has sent the fear level rocketing sky high, as there is a widespread suspicion that the civil agencies cannot be trusted to keep their fingers out of the pie. AKA systemic corruption. If allied to national sigint capabilities, we're in a world of pain. Question: Is there anything that can put some meatmetrics on how developed and advanced this relationship is, how far the poison has spread? How afraid should people in America be?

maybe the most interesting and portentous shift in power towards Orwellianism and totalitarianism in a century, as it affects the effectiveness of rule of law, and already weak separation of politics from law enforcement and justice system in the (current though slipping) super-power with unfortunate aspirations of extra-territorialism and international bullying. We're still a few decades from the cross over of financial dominance to Asia and BRICs, and most of those places are probably worse than the US by aspiration if that's possible, though less internet spying budget and capability. Unless something shapes up towards democracy in the super-power competitors we're in for a dismal century seemingly.

That the NSA, and now seemingly FBI, see this I think maybe this FBI mission creep suggests the national security / law enforcement separation is slipping badly: http://news.slashdot.org/story/14/01/07/0015255/fbi-edits-mission-statement-removes-law-enforcement-as-primary-purpose

| Following the 9/11 attacks, the FBI picked up scores of new
| responsibilities related to terrorism and counterintelligence while
| maintaining a finite amount of resources. What's not in question is that
| government agencies tend to benefit in numerous ways when considered
| critical to national security as opposed to law enforcement. 'If you tie
| yourself to national security, you get funding and you get exemptions on
| disclosure cases,' said McClanahan. 'You get all the wonderful arguments
| about how if you don't get your way, buildings will blow up and the
| country will be less safe.'

so if even the FBI are getting their nose into the tent of unfettered access to historical data on everyone, plus informal channels and tip-offs on dirt on politically unpopular people - eg say effective security researchers like Appelbaum, or effective journalists like Greenwald.

(No foreigners don't feel very comforted, and the explicit acknowledgment of tip-offs, and information channels to US domestic and international law enforcement, basically puts the entire planet at risk of politically motivated interference.)

With retroactive search of your entire life's electronic foot print including every encrypted IM, skype voip channel, contacts, emails, attorney client privileged and not, with no warrant or evidence presented to a judge for subpoena, the Orwell 2.0 system can probably fabricate or concoct trouble for 99% of the adult population of the planet. George Orwell 30 years late.

We're pretty close to fucked as a civilization unless something pretty radical shifts in the political thinking and authorizations. And realistically it's not even clear the NSA can politically be controlled anymore by the political system. It's very hard to influence something with that much skull-duggery built into its DNA, that many 10s of billions in outsourced defense contractor lobbying power, that much inertia and
Re: [cryptography] pie in sky suites - long lived public key pairs for persistent identity
On Sat, Jan 4, 2014 at 4:26 AM, ianG i...@iang.org wrote:
On 3/01/14 22:42 PM, coderman wrote:
use case is long term (decade+) identity rather than privacy or session authorization.
...
Which in today's world is pointing to the phone. If we're talking the identity on the phone, we're now talking about 2 or more things, horizontally: an app by itself, or an app that integrates vertically with the telco (SIM card). We can also bifurcate vertically with Apple v. Android, and also-rans.

That may be moving to a single Yubikey. See Google U2F (Gnubby): Overview for Partners, https://docs.google.com/presentation/d/16mB3Nptab1i4-IlFbn6vfkWYk-ozN6j3-fr7JL8XVyA/ (thanks AR).

Jeff
Re: [cryptography] To Protect and Infect Slides
On Wed, Jan 1, 2014 at 7:22 AM, coderman coder...@gmail.com wrote:
On Wed, Jan 1, 2014 at 3:56 AM, Ralph Holz h...@net.in.tum.de wrote:
Hi Jake, Ian Grigg just made a point on metzdowd that I think is true: if you want to change the NSA, you need to address the [...] [... money] Because the chain goes like this: corporate money - election campaigns - representatives - NSA

it should be noted that corporate money influence is currently aimed at privacy eroding efforts in myriad manner.

In the US, I believe Step 1 is to recognize citizens' Right to Privacy. Step 2 applies to the US and abroad, and it's to recognize a Right to be Forgotten. The US is well behind the curve for the first step considering privacy is a right in many places like Europe. That's what makes the US activities so egregious: these are human rights violations, and not merely minor transgressions.

Jeff
Re: [cryptography] New Hand Cipher - The Drunken Bishop
On Thu, Dec 26, 2013 at 2:44 PM, Aaron Toponce aaron.topo...@gmail.com wrote:
...
I've thought of incorporating Blum Blum Shub into the algorithm, but then the cipher is getting decidedly difficult to execute by hand.

BBS is not practical in practice due to the size of the moduli required. You could probably go outside, take an atmospheric reading, and then run it through sha1 quicker. See, for example, http://crypto.stackexchange.com/questions/3454/blum-blum-shub-vs-aes-ctr-or-other-csprngs.

Jeff
Re: [cryptography] Can we move to a forum, please?
On Thu, Dec 26, 2013 at 12:59 AM, Eric Mill e...@konklone.com wrote:
...
I've been distantly watching http://www.discourse.org and I like their vision. I believe they allow, or want to allow, email-only interaction. I don't know if it does, and I don't know if Discourse is easy to set up, or appropriate for the task.

From their page: Log in with … anything. I suppose that means one must share all their selected account details with the folks providing the service. Some of the more egregious require access to contacts to send personalized spam. (I don't believe I've found one yet that's happy with just being a relying party and only using the email address provider assertion).

Jeff
[cryptography] Practical malleability attack against CBC-Encrypted LUKS partitions
[Originally sent to Full Disclosure]

http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

I. Abstract

The most popular full disk encryption solution for Linux is LUKS (Linux Unified Key Setup), which provides an easy to use encryption layer for block devices. By default, newly generated LUKS devices are set up with 256-bit AES in CBC mode. Since there is no integrity protection/checksum, it is obviously possible to destroy parts of plaintext files by changing the corresponding ciphertext blocks. Nevertheless many users expect the encryption to make sure that an attacker can only change the plaintext to an unpredictable random value. The CBC mode used by default in LUKS however allows some more targeted manipulation of the plaintext file given that the attacker knows the original plaintext. This article demonstrates how this can be used to inject a full remote code execution backdoor into an encrypted installation of Ubuntu 12.04 created by the alternate installer (the default installer of Ubuntu 12.04 doesn’t allow setting up full disk encryption).

...
[cryptography] Exclusive: Secret contract tied NSA and security industry pioneer
(Thanks to PF on another list) http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 (Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned. Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a back door in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products. Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show. The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products. RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness. 
RSA and EMC declined to answer questions for this story, but RSA said in a statement: RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own. The NSA declined to comment. The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using commercial relationships to advance that goal, but did not name any security companies as collaborators. The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that encryption is an essential basis for trust on the Internet, and called for a halt to any NSA efforts to undermine it. Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred. But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance. They did not show their true hand, one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption. STORIED HISTORY Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people. At the core of RSA's products was a technology known as public key cryptography. 
Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it. From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned. The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant. RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words Sink Clipper! A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake
[cryptography] Diffie-Hellman Params Best Practice on Web Server?
Hi All,

Is there a best practice for Diffie-Hellman parameters (p, g, and q) used on a web server? The server is using ephemeral keys, but should the parameters be rotated on a regular basis? Is it OK for the server to keep them fixed for years (in the source code)? Or should they be generated uniquely for each site?

This server does not appear to be under NIST and FIPS, so I don't believe they need to be fixed for compliance.

Jeff
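Whatever the rotation policy, a server can at least verify that the (p, g, q) it ships with is a sound group. The checks below are an added example, not code from any project or from the thread: check_dh_params, check_public_value and generate_safe_prime are names chosen here, and the 64-bit group is generated only to exercise the checks, not as a recommendation.

```python
"""Validation checks for Diffie-Hellman parameters (p, g, q) on a server.

Added example for the question above, not code from any project. It checks
that p and q are (probably) prime, that q divides p - 1, that g generates
the order-q subgroup, and that a peer's public value lies in that subgroup.
generate_safe_prime() is for illustration only; a real server would use a
well-known 2048-bit or larger group rather than rolling its own.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; False is certain, True is wrong with prob <= 4^-rounds."""
    if n < 2:
        return False
    for small in SMALL_PRIMES:
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int, q: int = None, min_bits: int = 2048) -> list:
    """Return the list of problems found; an empty list means the group passes.

    With q omitted the safe-prime convention q = (p - 1) // 2 is assumed.
    """
    if q is None:
        q = (p - 1) // 2
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p is shorter than %d bits" % min_bits)
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p - 1")
    if not 2 <= g <= p - 2:
        problems.append("g is outside [2, p-2]")
    elif pow(g, q, p) != 1:
        # g must have order exactly q, otherwise g^x leaks bits of x.
        problems.append("g does not generate the order-q subgroup")
    return problems


def check_public_value(y: int, p: int, q: int) -> bool:
    """Reject degenerate peer values: require 1 < y < p-1 and y^q mod p == 1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def generate_safe_prime(bits: int) -> tuple:
    """Return (p, q) with p = 2q + 1, both prime. Illustration only."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q


if __name__ == "__main__":
    p, q = generate_safe_prime(64)
    # 4 = 2^2 is a quadratic residue, so it lies in the order-q subgroup.
    print("toy 64-bit group, g=4:", check_dh_params(p, 4, q, min_bits=64) or "ok")
    print("p=23, g=2:", check_dh_params(23, 2, min_bits=0) or "ok")
    print("p=23, g=5:", check_dh_params(23, 5, min_bits=0))
```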
Re: [cryptography] [Cryptography] Email is unsecurable
On Wed, Nov 27, 2013 at 3:34 PM, Nico Williams n...@cryptonector.com wrote:
On Wed, Nov 27, 2013 at 08:01:19PM +, Stephen Farrell wrote:
On 11/27/2013 06:58 PM, Nico Williams wrote:
[...]
The problem with DANE is the lack of DNSSEC. If we had both [...]

When I refer to DANE, I also mean that DNSSEC must be there. We're getting there.

Isn't the key distribution problem being pushed into DNS? The underlying problem still exists. Perhaps we could have higher confidence in DNS if it was not controlled by the US. A diversification strategy won't work when 10 or so of the 13 servers are required to give bad answers. That is, cross checking A (Verisign) with, for example, E, F, G, and H (ISC, GOV and DoD) won't validate anything. And getting an authentic answer from a non-US controlled server is another problem altogether.

Jeff
[cryptography] Lavabit-DOJ dispute zeroes in on encryption key ownership
http://www.computerworld.com/s/article/9244057/Lavabit_DOJ_dispute_zeroes_in_on_encryption_key_ownership The government's insistence, in its dispute with Lavabit, that cloud service providers hand over their encryption keys when asked, has refocused attention of key ownership and management in the cloud. Security experts agree that the best way for companies to ensure that their data is safe from snooping eyes in the cloud is to encrypt all their data and to maintain total ownership of the encryption keys. However, pulling off that feat is not always easy, practical or cheap. Lavabit, a provider of secure hosted email services, shut down operations in August citing concerns that the FBI was coercing it into divulging personal information on its customers. Founder Ladar Levison claimed at the time that he would rather shut down the company than be part of what he described as crimes against the American people. His actions were prompted by government demands for his company's private Secure Sockets Layer (SSL) keys for decrypting email communications believed to belong to former NSA contract worker-turned document leaker Edward Snowden. Levison maintained that the keys would allow the government to unlock all encrypted communications belonging to Lavabit's users. He claimed the government's request was similar to someone asking for the master key to open all the rooms in a hotel, when all that was needed was access to a single room. After initially digging in his heels and getting slapped with a $10,000 fine by a federal court, Levison finally hand-delivered a disk containing the keys to the FBI in August. The U.S. Department of Justice accused Levison of compromising its investigation by shutting down the company and going public with his complaints. In a motion filed in the U.S. 
Court of Appeals for the Fourth Circuit this week, the DOJ maintained that Levison did not have the right to thwart the government's legitimate surveillance activities by shutting down the service altogether. The DOJ angrily dismissed Levison's parade of hypotheticals regarding the actions the government could take with the encryption keys and likened his actions to that of a business locking its front gate to thwart execution of a search warrant. The situation shows why companies that want to protect their data in the cloud need to encrypt everything and maintain full control of the encryption keys. This disclosure issue at Lavabit is one very good example of an organization's inability to maintain ownership and control of data in traditional cloud computing environments, said Elad Yoran, CEO of Vaultive, a vendor of cloud encryption technologies. If a third party can turn our data over without our knowledge or authorization, do we really own or control our data in the cloud? he said. If a company maintains its own encryption keys, the government will need to make a legal request for the keys with the company and not the cloud provider, he said. Otherwise, all they would get from the cloud provider would be encrypted useless gibberish, he said. This puts the power of ownership back into the hands of businesses.

...
[cryptography] Password Blacklist that includes Adobe's Motherload?
Hi All,

Is anyone aware of a blacklist that includes those 150 million records from Adobe's latest breach? I tried finding a list and was not successful.

Bonus points if implemented as a bloom filter (I'm interested in seeing how small that list can be in practice, and I'd like to use it for its small footprint).

Jeff
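On the "how small can it be" question: the footprint of a Bloom filter follows from the entry count and the false-positive rate you accept, and the arithmetic plus a minimal filter are shown below as an added example (not tied to any published list). bloom_size, footprint_mib and BloomFilter are names chosen here; the sample passwords are constructed.

```python
"""Bloom-filter password blacklist plus the sizing arithmetic behind it.

Added example for the question above; it is not tied to any published list.
bloom_size() answers "how small can the list be": for n entries and a target
false-positive rate p, m = -n ln(p) / (ln 2)^2 bits and k = (m/n) ln 2 hashes.
The sample passwords below are constructed.
"""
import hashlib
import math


def bloom_size(n_items: int, false_positive_rate: float) -> tuple:
    """Return (m_bits, k_hashes) for n_items at the target false-positive rate."""
    m = math.ceil(-n_items * math.log(false_positive_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def footprint_mib(n_items: int, false_positive_rate: float) -> float:
    """Size in MiB of a filter holding n_items at the given false-positive rate."""
    m, _ = bloom_size(n_items, false_positive_rate)
    return m / 8 / (1024 * 1024)


class BloomFilter:
    """Minimal Bloom filter keyed by SHA-256 with double hashing."""

    def __init__(self, n_items: int, false_positive_rate: float):
        self.m, self.k = bloom_size(n_items, false_positive_rate)
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, item: str):
        # Kirsch-Mitzenmacher double hashing: derive k probe positions from
        # two 64-bit halves of a single SHA-256 digest (h1 + i*h2 mod m).
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1   # odd step avoids short cycles
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item: str) -> bool:
        # A Bloom filter never gives a false negative: any unset probe bit
        # proves the item was not added. All bits set means "probably added".
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(item))

    def size_bytes(self) -> int:
        return len(self.bits)


# Constructed sample blacklist; a real one would be loaded from a file.
SAMPLE_BLACKLIST = ["password", "123456", "qwerty", "letmein"]


def build_sample_filter(false_positive_rate: float = 1e-6) -> BloomFilter:
    bf = BloomFilter(len(SAMPLE_BLACKLIST), false_positive_rate)
    for pw in SAMPLE_BLACKLIST:
        bf.add(pw)
    return bf


if __name__ == "__main__":
    print("150M entries at 1%% FPR: %.1f MiB" % footprint_mib(150_000_000, 0.01))
    bf = build_sample_filter()
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "blacklisted" if pw in bf else "not blacklisted")
```

At 150 million entries and a 1% false-positive rate the filter is roughly 171 MiB with 7 hash probes per lookup; the rate, not the entry size, is what drives the footprint.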
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell b...@scannell.org wrote: This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence: Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator. Snowden persuaded other NSA workers to give up passwords, http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] the spell is broken
On Sat, Oct 5, 2013 at 3:13 PM, Erwann Abalea eaba...@gmail.com wrote: 2013/10/4 Paul Wouters p...@cypherpunks.ca [...] People forget the NSA has two faces. One side is good. NIST and FIPS and NSA are all related. One lesson here might be, only use FIPS when the USG requires it. That said, a lot of FIPS still makes sense. I'm surely not going to stick with md5 or sha1. We're still using HMAC-SHA1 for most TLS ciphersuites, RSA(MD5||SHA1) for TLS signatures (until TLS1.2), and RSA(SHA1) to sign (EC)DHE parameters. SHA1 is still there. There are alternatives, it doesn't hurt to get them in place. Yes, like the IETF brainpool drafts. RFC5639 standardized the curves, RFC7027 allows them to be used for TLS. They're no longer drafts. Do you know if there's a standard name and OID assigned to Dr. Bernstein's gear? IETF only makes one mention of 25519 in the RFC search, and it's related to TLS and marked TBD. Lack of a mailing list for NaCl is crippling. (Sorry to wander a bit). Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Curve25519 OID (was: Re: the spell is broken)
On Sat, Oct 5, 2013 at 7:35 PM, Patrick Pelletier c...@funwithsoftware.org wrote: On 10/5/13 2:47 PM, Jeffrey Walton wrote: Do you know if there's a standard name and OID assigned to Dr. Bernstein's gear? IETF only makes one mention of 25519 in the RFC search, and it's related to TLS and marked TBD. Not yet. See this thread: http://www.ietf.org/mail-archive/web/tls/current/msg10074.html (In short, the argument was that an OID for Curve25519 is only useful if it's going to be used for signatures, and Curve25519 shouldn't directly be used for signatures; Ed25519 should be used instead.) Thanks Patrick. I tend to agree with Simon when he remarked [OID assignment for ed25519] doesn't belong in the TLS WG though. For completeness, Crypto++ has a factory-like method that serves curves. The curves are sorted by OID in the function, so Crypto++ would need an OID for ed25519. See around lines 120 and 250 at http://www.cryptopp.com/docs/ref/eccrypto_8cpp_source.html. I doubt Wei Dai will accept a patch which breaks from his design. In the meantime, folks are hacking in something (from other conversations I've had with some folks). That makes it hard to use ed25519 correctly, and possibly easy to use incorrectly. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] the spell is broken
On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald jam...@echeque.com wrote: On 2013-10-04 11:41, Jeffrey Walton wrote: We could not get rid of Trustwave in the public sector (so much for economics). What is wrong with trustwave? The company operates in an industry where trust is a commodity. The company violated the trust, which essentially means they have no product. Rewarding bad behavior was the last thing that should have happened. There's no way we can get rid of the US agency responsible for crypto standards If no one pays attention to their standards, we have gotten rid of them. Well, that's going to be a tough sell for US Federal, US DoD, and a number of private sector organizations, such as some in US Financial. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] the spell is broken
On Thu, Oct 3, 2013 at 9:26 PM, Jeffrey Goldberg jeff...@goldmark.org wrote: ... I would put it more strongly than that. I think that NIST needs to be punished. Even if Dual_EC_DRBG were their only lapse, any entity that has allowed themselves to be used that way should be forced to exit the business of being involved in making recommendations on cryptography. I don’t have to think that they are bad people or even that they could have prevented what happened. But I think there needs to be an unambiguous signal to every other (potential) standards body about what happens if you even think of allowing for the sabotage of crypto. We could not get rid of Trustwave in the public sector (so much for economics). There's no way we can get rid of the US agency responsible for crypto standards (government is not held responsible for the act or accountable after the act). Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] What is Intel(R) Core™ vPro™ Technology Animation
On Sun, Sep 22, 2013 at 7:56 PM, d.nix d@comcast.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/22/2013 2:23 PM, Jerry Leichter wrote: On Sep 21, 2013, at 10:05 PM, d.nix wrote: Hah hah hah. Uh, reading between the lines, color me *skeptical* that this is really what it claims to be, given the current understanding of things... http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html The question isn't whether it's what it claims to be. It is that. But is it *more* than it claims to be. Yes, in my haste I neglected the only disclaimer bit; it is indeed a means by which the *rightful owner/administrator* might perform very useful tasks. The obvious crux of the biscuit is *who else* has access, and what can they do surreptitiously? Painting with a broad brush, part of the solution is a remote administration board that can't be removed. Cf. Fujitsu LOM (Lights Out Management), HP ILO (Integrated Lights Out), HP RILO (Remote Integrated Lights Out), Compaq RIB (Remote Insight Board), and Dell DRAC (Dell Remote Access Card). As for who has access, that depends on the quality of the implementations. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Using same key for ECDSA and ECIES
On Fri, Sep 20, 2013 at 2:35 PM, Dominik Schürmann domi...@dominikschuermann.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ... After reading related literature, I came to the conclusion to use ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the random curves ;), Bernstein's curve25519 would be too difficult to integrate, as I didn't find a library, which is present in current linux distros and handles both EC sign and encryption schemes. Crypto++ has the schemes and Dr. Bernstein's curve. The library is available on all major Linux and BSD platforms. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] It's time for a Whistleblowing / Leaking Initiative for Cryptographer ?
On Mon, Sep 16, 2013 at 5:17 PM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote: http://threatpost.com/uk-cryptographers-call-for-outing-of-deliberately-weakened-protocols-products/102301 Right now, whistle blowers are vilified in the US. Just ask Jesselyn Radack, Thomas Drake, William Binney, Bradley Manning, et al. The irony is the US recognized the usefulness of whistle blowing hundreds of years ago during colonial times: https://en.wikipedia.org/wiki/Qui_tam. (Thanks CB). I'm all for monetization of whistle blowing to encourage the behavior. But that would take a proverbial 'paradigm shift', because the sneaky assholes who need to be uncovered are the same assholes who hold the power and control popular thinking. From the article: ... that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services. I think MQV and Dual_EC_DRBG events are kind of rare, and I'm not sure about this. Does an intelligence agency need to backdoor code when: (1) architectural and design defects are incumbent; and (2) shitty code is regularly checked-in? I think the agency's best course of action is to do nothing and wait for the defects to become widely available through normal channels. Given the above, an agency probably benefitted by doing nothing with, for example, MQV and Dual_EC_DRBG. In this case, would the panel of scientists be asking to investigate lack of agency action? I think that's going to be pretty tenuous. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] motivation, research ethics organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)
On Sat, Sep 14, 2013 at 7:08 PM, Jeffrey Goldberg jeff...@goldmark.org wrote: On 2013-09-13, at 9:28 AM, David D da...@7tele.com wrote: ... Obviously, we should insist on due process for the NSA stooges. If they confess their activities and name their co-conspirators, we may allow them some limited role, but those who don’t cooperate will need to be dealt with more firmly, for the good of their souls and for our community. Ship them off to Guantanamo Bay. They are more dangerous to the democracy, the country and its citizens than Bin Laden and friends. Or, put a bullet in their heads like they did Bin Laden. It makes no difference to me as long as we are rid of them. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] What is Security World architecture?
I was reading up on an HSM, and the marketing literature stated, ... because it utilizes the Security World architecture, XXX provides an ideal combination of high assurance and operational ease. What is Security World architecture? What are the criteria used for high assurance and operational ease? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What is Security World architecture?
On Wed, Sep 11, 2013 at 12:41 AM, Ben Laurie b...@links.org wrote: On 11 September 2013 01:17, Jeffrey Walton noloa...@gmail.com wrote: I was reading on a HSM, and the marketing literature stated, ... because it utilizes the Security World architecture, XXX provides an ideal combination of high assurance and operational ease. What is Security World architecture? http://lmgtfy.com/?q=security+world+architecturel=1 Thanks Ben. I got that one hit also. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Random number generation influenced, HW RNG
On Sat, Sep 7, 2013 at 1:48 PM, David Johnston d...@deadhat.com wrote: On 9/6/2013 2:03 PM, grarpamp wrote: ... However, I claim that the fear is well founded and should be taken into account by all threat models. It is interesting to consider the possibilities of corruption and deception that may exist in product design. It's a lot more alarming when it's your own design that is being accused of having been backdoored. Claiming the NSA colluded with intel to backdoor RdRand is also to accuse me personally of having colluded with the NSA in producing a subverted design. I did not. I don't think it was a personal attack. A quick googling revealed many such instances of statements to this effect, strewn across the internet, based on inferences from the Snowden leaks and resulting Guardian and NYT articles. It's our job to be paranoid. As long as our adversaries enjoy secrecy (and no responsibility or accountability), we have to speculate on capabilities. I personally know it not to be true and from my perspective, the effort we went to improve computer security by making secure random numbers available and ubiquitous in a low attack-surface model is now being undermined by speculation that would lead people to use less available, less secure RNGs. This I expect would serve the needs of the NSA well. Well, because you did not know or participate does not mean it did not occur. In [1], Caspar Bowden, who was the former Chief Privacy Officer at Microsoft, speculated a handful of top Microsoft managers were involved with the backdooring of Microsoft products. Even Bowden was not privileged to the full depth and breadth of corporate cooperation. If you asked David LeBlanc, Michael Howard, and a number of other senior security guys, they likely had no knowledge either. Jeff [1] https://www.youtube.com/watch?v=-Cx_vumGbXM. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 8:53 PM, Natanael natanae...@gmail.com wrote: http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html Apparently it's called cascade encryption or cascade encipherment, and the implementations are apparently called robust combiners. And by the way, Truecrypt already lets you pick your chosen combo of AES and two other ciphers. Ah, right. I knew that was called cascading. I'm not sure why I called it compositing (it sucks getting old). I did not know Truecrypt provided it. I think you should worry about your PRNG and its seed before you focus on AES. Your key should both have enough entropy and be secret. Is your PRNG backdoored already? And I'm guessing the cipher mode probably matters a bit more than the exact choice of algorithm. I believe the PRNG is good. The PRNG fetches from the OS, fetches from device sensors (accelerometers, gyroscopes, magnetometers), and practices hedging. I'm more worried about key exchange or agreement. Jeff On Sat, Sep 7, 2013 at 2:27 AM, Jeffrey Walton noloa...@gmail.com wrote: Hi All, With all the talk of the NSA poisoning NIST, would it be wise to composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq). I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}). I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP at the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries. I'm also aware of the NSA's lightweight block ciphers (http://eprint.iacr.org/2013/404). I may have been born at night, but it was not last night. Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher? 
___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Android SecureRandom poor entropy
On Sun, Aug 25, 2013 at 4:45 PM, Marco Pozzato mpodr...@gmail.com wrote: ... Recently, android SecureRandom PRNG proved to be seriously flawed (http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html) because, by default, it is not properly initialized with good entropy. The weakness is very critical, because initial state is practically affected only by process ID: when an application starts with the same PID, it generates the very same sequence of pseudo-random numbers. I think its even worse than that - even the system entropy pool needs help. Take a look at addDeviceSpecificEntropy() in EntropyService.java. For the most part, AOSP repeatably adds the same data from the device. The only differentiating data is System.currentTimeMillis() and System.nanoTime(). There's even some developer humor in there: out = new PrintWriter(new FileOutputStream(randomDevice)); out.println(Copyright (C) 2009 The Android Open Source Project); out.println(All Your Randomness Are Belong To Us); See https://code.google.com/p/android-source-browsing/source/browse/services/java/com/android/server/EntropyService.java?repo=platform--frameworks--basename=b8cba95fr=6907891b1f2d706fa2bd6c40b986f73e5666e00e. In the past, Hedging was suggested to improve the pool state, but I'm not aware of any interest in the improvements. See https://groups.google.com/d/msg/android-security-discuss/BM4t_DhbCeQ/70SsSouaqZ4J. Many bitcoin applications suffered this issue and some bucks have been lost. Are you aware of some lists of flawed applications, not only related to bitcoin, but also in other cryptography and security domain? Not quite the answer you are looking for, but it may help with determining the breadth of the issue. Symantec performed an analysis, and over 360,000 applications were using SecureRandom. Of those, 320,000 could be affected. Unfortunately, the categories were Productivity, Fun and Games, and similar; and not Cryptography or Security. 
http://www.symantec.com/connect/blogs/android-cryptographic-issue-may-affect-hundreds-thousands-apps. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Reflection Attacks in Challenge/Response Protocols
Hi All, When a symmetric key based challenge response is used, an attacker can perform a reflection attack by starting a second instance of a protocol and having the server answer its own questions. To guard against the attack, is it sufficient to ensure all challenges sent from server to client are equal to 1 mod 2; and all client to server challenges are equal to 0 mod 2? Is it enough to break the symmetry? Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
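The attack in the question, worked as an added example that is not part of Jeff's message: a mutual challenge-response in which one shared key serves both directions, so the server both issues challenges and answers them. Mallory, holding no key, opens a second session and feeds the server its own challenge, then replays the answer in the first session. The countermeasure demonstrated is to bind the answerer's role into the MAC input, so an answer computed in the server role never verifies as a client's answer. The parity split from the question is not what this code implements; the role binding is one standard alternative for breaking the same symmetry. The session handling, key and roles are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

KEY = os.urandom(32)  # one symmetric key shared by client and server (the setup in question)


def tag(key: bytes, role: bytes, challenge: bytes, bind_role: bool) -> bytes:
    """Answer to a challenge. With bind_role the answerer's role is MACed along with
    the challenge, so the same challenge answered as "server" differs from the
    answer expected from a "client"."""
    data = role + b"|" + challenge if bind_role else challenge
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    """Mutual challenge-response: the server challenges the client and, because the
    protocol is mutual, also answers challenges sent to it under the same key."""

    def __init__(self, key: bytes, bind_role: bool):
        self.key = key
        self.bind_role = bind_role
        self.sessions: Dict[int, bytes] = {}
        self._next = 0

    def open_session(self) -> Tuple[int, bytes]:
        sid, self._next = self._next, self._next + 1
        self.sessions[sid] = os.urandom(16)  # fresh challenge for this session
        return sid, self.sessions[sid]

    def answer(self, client_challenge: bytes) -> bytes:
        # Server proves itself to whoever opened the session: answers in the server role.
        return tag(self.key, b"server", client_challenge, self.bind_role)

    def check_client(self, sid: int, response: bytes) -> bool:
        expected = tag(self.key, b"client", self.sessions.pop(sid), self.bind_role)
        return hmac.compare_digest(expected, response)


def honest_client(server: Server) -> bool:
    """A client that knows KEY answers its own challenge in the client role."""
    sid, challenge = server.open_session()
    return server.check_client(sid, tag(KEY, b"client", challenge, server.bind_role))


def reflection_attack(server: Server) -> bool:
    """Mallory has no key. Session 1 gives her challenge c. In session 2 she sends c
    back as *her* challenge; the server answers it. She replays that answer in session 1."""
    sid1, c = server.open_session()
    server.open_session()          # session 2; the server's own challenge there is ignored
    reflected = server.answer(c)   # the server computes the MAC over c for Mallory
    return server.check_client(sid1, reflected)


def demo(bind_role: bool) -> Tuple[bool, bool]:
    """Return (honest client accepted, attacker accepted) for one protocol variant."""
    srv = Server(KEY, bind_role)
    return honest_client(srv), reflection_attack(srv)


if __name__ == "__main__":
    print("unbound MAC (honest, attacker):", demo(bind_role=False))
    print("role-bound MAC (honest, attacker):", demo(bind_role=True))
```

Whatever asymmetry is chosen, the check that matters is that the verifier rejects anything the same key would produce in the other role: here that is enforced by the verifier recomputing the tag with the role it expects rather than trusting any role the sender claims.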
Re: [cryptography] urandom vs random
On Mon, Aug 19, 2013 at 9:20 AM, Aaron Toponce aaron.topo...@gmail.com wrote: ... It's a shame http://entropykey.co.uk is no longer in business. I was able to procure 5 entropy keys just before they folded, and they're awesome. Yeah, I really liked EntropyKey. I tried to place an order last year (or early this year). It was never fulfilled and no one responded. I knew they were having some troubles, but I could not determine the cause. Why did they fold? Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] urandom vs random
Hi Aaron, Here is the last I saw of them (besides the website being up): http://lists.simtec.co.uk/pipermail/entropykey-users/2013-July/thread.html. They claim to still be around (from the last in the thread): We've gone through a major crisis, but are still here... just. To say any more in public at this stage might be unwise from a legal standpoint. We currently have no manufacturing capability for ekeys but are working towards getting things up and running again. There's no timescale on that yet, I'm afraid. Jeff On Mon, Aug 19, 2013 at 11:21 AM, Aaron Toponce aaron.topo...@gmail.com wrote: On Mon, Aug 19, 2013 at 09:41:20AM -0400, Jeffrey Walton wrote: Yeah, I really liked EntropyKey. I tried to place an order last year (or early this year). It was never fulfilled and no one responded. I knew they were having some troubles, but I could not determine the cause. Why did they fold? I don't know why they folded. I'm guessing lack of demand didn't justify their costs. Possibly understaffed as well. When I placed my order, it took them 8 weeks to ship it, and I was emailing anyone and everyone I could to get a status update or anything. It's too bad. They had the best product. -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] urandom vs random
On Sat, Aug 17, 2013 at 7:46 AM, Ben Laurie b...@links.org wrote: ... Also, if there are other sources, why are they not being fed in to the system PRNG? Linux 3.x kernels decided to stop using IRQ interrupts (removal of the IRQF_SAMPLE_RANDOM flag, without an alternative to gather entropy). [PATCH 17/17] random: final removal of IRQF_SAMPLE_RANDOM, http://lkml.indiana.edu/hypermail/linux/kernel/1207.2/01043.html. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Reply to Zooko (in Markdown)
On Sat, Aug 17, 2013 at 3:49 AM, Bryan Bishop kanz...@gmail.com wrote: On Sat, Aug 17, 2013 at 1:04 AM, Jon Callas j...@callas.org wrote: It's very hard, even with controlled releases, to get an exact byte-for-byte recompile of an app. Some compilers make this impossible because they randomize the branch prediction and other parts of code generation. Even when the compiler isn't making it literally impossible, without an exact copy of the exact tool chain with the same linkers, libraries, and system, the code won't be byte-for-byte the same. Worst of all, smart development shops use the *oldest* possible tool chain, not the newest one because tool sets are designed for forwards-compatibility (apps built with old tools run on the newest OS) rather than backwards-compatibility (apps built with the new tools run on older OSes). Code reliability almost requires using tool chains that are trailing-edge. Would providing (signed) build vm images solve the problem of distributing your toolchain? You might try Fully Countering Trusting Trust through Diverse Double-Compiling, http://www.dwheeler.com/trusting-trust/ ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Expired/Revoked certificates + private keys
On Fri, Aug 16, 2013 at 11:03 AM, Dominik Schürmann domi...@dominikschuermann.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 For a research project on OCSP, we are searching for expired and revoked X.509 certificates with their corresponding private keys. Any help or pointers to find leaked keys are much appreciated. littleblackbox (http://code.google.com/p/littleblackbox/) is a database of well known private keys from a number of devices and appliances. As far as I know, most have never been revoked (or the device/appliance updated) even though they are well known. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Paypal phish using EV certificate
On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: I recently got another of the standard phishing emails for Paypal, directing me to https://email-edg.paypal.com, which redirects to https://view.paypal-communication.com, which has a PayPal EV certificate from Verisign. According to this post http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a phishing attack (no-one's really sure), and this post http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site will be shut down by Paypal... back in May 2011. Can anyone explain this? It's either a really clever phish (or the CAs are following their historically lax levels of checking), or Paypal has joined the ranks of US banks in training their users to become phishing victims. If that's true, I think the more interesting fact is: it appears email-edg.paypal.com is controlled by the attacker. Why else would Paypal redirect from a host in their domain to a host not in their domain controlled by the adversary? (It's a bit different than standard phishing training where both hosts/domains are controlled by Paypal). Has Paypal fess'ed up to any break-ins or breaches? Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] NSA Today on Missions, Authorities, Oversight, Partnerships
On Fri, Aug 9, 2013 at 4:14 PM, John Young j...@pipeline.com wrote: NSA statement today on Missions, Authorities, Oversight, Partnerships: http://cryptome.org/2013/08/nsa-13-0809.pdf This was probably one of the more amusing statements. Perhaps William Binney would have a different opinion: In addition to the NSA's compliance safeguards, NSA personnel are obligated to report when they believe NSA is not, or may not be, acting consistently with law, policy, or procedure. This self-reporting is part of the culture and fabric of NSA. If NSA is not acting in accordance with law, policy, or procedure, NSA will report through its internal and external intelligence oversight channels, conduct reviews to understand the root cause, and make appropriate adjustments to constantly improve. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Updated Certificate Transparency site
On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote: On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote: ... If everyone does their part CT causes the risk of dishonest CA behavior discovery to become too great for CAs to engage in such behavior. Sorry to drift a bit, but how so? The best I can tell, there is little to no risk because browsers (and others in similar positions) often refuse to take action. As Trustwave and Mozilla, Microsoft, et al recently demonstrated, it's just a dog and pony show. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Must have seemed like a good idea at the time
On Tue, Jul 23, 2013 at 4:54 AM, ianG i...@iang.org wrote: ... Banks will say that international wires are irreversible, but it isn't true. If the banks cooperate they can do a return of funds. It all depends... This was kind of interesting: According to Li, the larger problem [of Chinese car theft fraud] is the Chinese financial system, which requires every bank-to-bank transaction to be routed through the central government’s banking authority. As a result, anti-fraud measures are usually slower than criminals. Stopping a payment could take as long as three days, by which time the money is usually unrecoverable. http://www.theverge.com/2013/7/24/4549124/how-google-uncovered-a-chinese-ring-of-car-thieves. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell b...@scannell.org wrote: This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence: Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator. General Keith Alexander admitted just last week that the NSA is using MS SharePoint to share security information with other state agencies. These tools are favored because they tend to support the ad-hoc ebb and flow of natural human collaboration across blurry corporate boundaries http://www.wired.com/insights/2013/07/snowdens-impact-on-the-enterprise-how-mobile-security-is-evolving-post-nsa-leak/. I really question who is fabricating what. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [liberationtech] Random number generator, failure in Rasperri Pis?
On Sat, Jul 20, 2013 at 2:57 AM, Peter Bowen pzbo...@gmail.com wrote: On Fri, Jul 19, 2013 at 10:35 PM, Yaron Sheffer yar...@porticor.com wrote: A few months ago I posted a query to the Amazon Web Services (the largest public cloud, running on Xen) forum on whether they're using libvirt for this purpose, and it was never answered. Does anybody around here have a clue? Amazon EC2 does not support virtio-rng today. Finding good sources of entropy in a virtual machine is always hard, so solutions like virtio-rng and Intel's RDRAND instruction can be very useful. Also see: When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography, http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments, https://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger
On Tue, Jul 16, 2013 at 5:04 AM, coderman coder...@gmail.com wrote: ... in short: rather than considering just one or another type of attack, these agencies should be assumed to be using all of them with the exploit method tailored to the particular access needs and target difficulty of every tasking. From In his own words: Confessions of a cyber warrior (http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-66), page 3: QUOTES Grimes [Interviewer]: How many exploits does your unit have access to? Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems. Grimes [Interviewer]: Is most of it zero-days? Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface. /QUOTE ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On Thu, May 16, 2013 at 3:52 PM, Adam Back a...@cypherspace.org wrote: So when I saw this article http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html I was disappointed the rumoured skype backdoor is claimed to be real, and that they have evidence. The method by which they confirmed is kind of odd - not only is skype eavesdropping but its doing head requests on SSL sites that have urls pasted in the skype chat! Sorry to dig up an old thread According to [1], Skype provided the backdoor before Microsoft purchased the service (but interception increased after M$'s purchase): The NSA also praised the collaboration with the FBI in the case of messaging and VoIP service Skype. According to the documents, Skype joined PRISM in early 2011, before it was acquired by Microsoft. That takeover is alleged to have resulted in a redoubling of efforts to enable PRISM to access Skype communications. According to the NSA, in July 2012, the volume of intercepted Skype data tripled following the introduction of new surveillance capability. There have been repeated rumours of backdoors in Skype intended to enable encrypted communications to be intercepted by the security services. Skype has always denied these reports. [1] http://www.h-online.com/security/news/item/Microsoft-gave-NSA-s-PRISM-access-to-Skype-Outlook-com-and-SkyDrive-1916730.html ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger
On Mon, Jul 15, 2013 at 7:27 AM, Eugen Leitl eu...@leitl.org wrote:

On Fri, Jul 12, 2013 at 10:29:49PM +0300, ianG wrote:

Not to mention, Intel have been in bed with the NSA for the longest time. Secret areas on the chip, pop instructions, microcode and all that ...

A more interesting question is whether the non-USA competitors are also similarly friendly. It seems there's a good niche for open hardware, either run in FPGAs (which are backdoorable, of course), or designs which can be verified optically, preferably using relatively large, obsolete structures.

An Open Source Cryptographic Coprocessor, http://www.cypherpunks.to/~peter/usenix00.pdf (obfuscated version at https://www.usenix.org/conference/9th-usenix-security-symposium/open-source-cryptographic-coprocessor).
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 6:47 PM, Nico Williams n...@cryptonector.com wrote:

On Mon, Jul 1, 2013 at 4:57 PM, grarpamp grarp...@gmail.com wrote:

And when LEA get caught doing this nothing terribly bad happens to LEA (no officers go to prison, for example).

It is often in the interest/whim of the executive to decline to prosecute its own, even if only to save embarrassment, so many of these cases will never see a jury. That's why you need citizen prosecutors who can bring cases before both grand and final jury. For example, how many times have you seen a LE vehicle failing to signal, speeding/reckless, with broken running lights, etc... now try to criminally (not administratively) prosecute that just as you might be prosecuted for same.

I'd love to see proposals for how criminal prosecutions by the public would work.

Sparta, one of the first democracies, would put the public officials on trial at the end of their term. It was part of the process. I imagine their Spartan was sufficiently different so that folks like Ted Kennedy (liar, cheat, murderer) would not have been able to serve the class.

Sorry for the OT chatter.

Jeff
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On Mon, Jul 1, 2013 at 8:33 PM, mtm marctmil...@gmail.com wrote:

as a spartan of sorts, and one that's shared Laphroaig with both a plank member of the nsa and the creator of fbi's hrt, i'd like to say these fellas are decent men and not petty.

Then they would have nothing to fear if put on trial for potential crimes they've committed. (At least, that's what they tell us - if you don't do anything wrong, then you don't have anything to worry about.)
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:47 PM, Mark Seiden m...@seiden.com wrote:

maybe he just used other people's ssh keys that were protected by a weak (or no) passphrase? fabricate is a pretty strong word, but under the least untruthful standard that James Clapper says he's applied to congressional testimony, there are numerous interpretive possibilities.

What's more likely is there were little/no/improper access controls (Bradley Manning FTW!), and the government is fabricating the claim.

Jeff

On Jun 25, 2013, at 2:32 PM, Natanael natanae...@gmail.com wrote:

That depends on the system. Consider how HDCP encryption was broken; https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection It used a scheme where access to enough keys allowed you to calculate the master key, breaking the entire scheme.

2013/6/25 Bill Scannell b...@scannell.org

This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence: Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator. How would one fabricate a digital key?
Re: [cryptography] skype backdoor confirmation
On Wed, May 22, 2013 at 10:07 AM, Mark Seiden m...@seiden.com wrote:

On May 22, 2013, at 5:59 AM, Jacob Appelbaum ja...@appelbaum.net wrote:

James A. Donald: http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/ That governments attempt to spy on people is not evidence that they are any good at it.

Of course. They are quite good at it. Their successes are well documented:

https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/

also the very colorful http://epic.org/crypto/scarfo.html

(this is all from memory, but… a keylogger was installed in a black bag job with a magistrate warrant (on nicky scarfo jr, the son of an imprisoned mobster nicky scarfo sr) accused of loan sharking and racketeering (as i recall). in a previous search they had found a pgp encrypted spreadsheet and wanted the passphrase. the keylogger supposedly satisfied the minimization requirements (suppressing logging when he used aol on a dialup…) (i really want to know how that worked…)

http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf:

The Pen/Trap statute authorizes a government attorney to apply to a court for an order authorizing the installation of a pen register and/or trap and trace device if “the information likely to be obtained is relevant to an ongoing criminal investigation.”

and

The government must also use “technology reasonably available to it” to avoid recording or decoding the contents of any wire or electronic communications. 18 U.S.C. § 3121(c). When there is no way to avoid the inadvertent collection of content through the use of reasonably available technology, DOJ policy requires that the government may not use any inadvertently collected content in its investigation. However, a few courts have gone beyond the statute’s requirement that the government use technology reasonably available to it to avoid collecting content. Citing the exclusion of contents from the definitions of pen register and trap and trace device, these courts have stated or implied that the government cannot use pen/trap devices that might collect any content at all.

...

they didn't get the passphrase during the first term of the first warrant (couple months, as i recall.) not much of a loanshark, doesn't update his books in a couple months, hm… then they renewed the warrant… and finally got him typing the passphrase…. which was his father's federal prison number. duh.

http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf:

A pen/trap order may authorize the installation and use of a pen/trap device for up to sixty days and may be extended for additional sixty-day periods. See 18 U.S.C. § 3123(c).

and

At least one court has adopted the severe position that suppression is appropriate when the government fails to comply with court-imposed limits on the time period for reviewing seized computers. In United States v. Brunette, 76 F. Supp. 2d 30 (D. Me. 1999), a magistrate judge permitted agents to seize the computers of a child pornography suspect on the condition that the agents searched through the computers for evidence “within 30 days.” The agents executed the search five days later and seized several computers. A few days before the thirty-day period elapsed, the government applied for and obtained a thirty-day extension of the time for review. The agents then reviewed all but one of the seized computers within the thirty-day extension period, and found hundreds of images of child pornography. However, the agents did not begin reviewing the last of the computers until two days after the extension period had elapsed. The defendant moved for suppression of the child pornography images found in the last computer, on the ground that the search outside of the sixty-day period violated the terms of the warrant and subsequent extension order. The court agreed, stating that “because the Government failed to adhere to the requirements of the search warrant and subsequent order, any evidence gathered from the . . . computer is suppressed.” Id. at 42.
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 3:15 PM, Adam Back a...@cypherspace.org wrote:

Actually I think that was the point, as far as anyone knew and from the last published semi-independent review (some years ago on the crypto list as I recall) it indeed was end2end secure. Many IM systems are not end2end so for skype to benefit from the impression that they still are end2end secure while actually not being is the focus of this thread.

The original Skype homepage (circa 2003/2004) claims the service is secure: Skype calls have excellent sound quality and are highly secure with end-to-end encryption. (http://web.archive.org/web/20040701004241/http://skype.com/).

The new web page does not even use the word (web.archive.org/web/20130426221613/http://www.skype.com/).

(Sorry to rewind so far back in the thread).

Jeff
Re: [cryptography] skype backdoor confirmation
On Mon, May 20, 2013 at 1:30 PM, Nico Williams n...@cryptonector.com wrote:

On Mon, May 20, 2013 at 12:22 PM, Jeffrey Walton noloa...@gmail.com wrote:

The original Skype homepage (circa 2003/2004) claims the service is secure: Skype calls have excellent sound quality and are highly secure with end-to-end encryption. (http://web.archive.org/web/20040701004241/http://skype.com/).

Secure in what way though? Probably: relative to passive eavesdroppers. As for LEA, forget it. (Nothing is secure w.r.t. LEA that have jurisdiction, as ultimately there's the rubber hose.)

Well, I take 'secure' to mean confidentiality and authenticity, including an authenticated key agreement. If we don't know who we are talking to, or someone else can listen in, or someone else can tamper, then it's surely not secure by any reasonable definition.

For a typical user, they would probably take 'secure' to mean that only both users (the endpoints) can read the message, hear the conversation, see the video, etc. I'm not sure how they would react to 'highly secure', other than it's 'secure' plus some other good stuff they can't even imagine.

The new web page does not even use the word (web.archive.org/web/20130426221613/http://www.skype.com/).

So their advertising/terms changed.

It appears so. In the US, I believe that's a Material Adverse Change and usually requires explicit notification (credit card issuers were especially bad about changing terms). Do any Skype users recall being informed the terms changed dramatically? There was a time the FTC would do something about it. In the end, does it matter since it appears there are only carrots and no sticks?

Jeff
Re: [cryptography] skype backdoor confirmation
On Mon, May 20, 2013 at 8:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

James A. Donald: ...

Zombie computers are seldom of high value. Some malware is designed to keep people communicating, under heavy watch; it is not always designed to abuse a system the traditional manner befitting script kiddie botnets.

In Skype's case, it appears there is no need for the malware to coerce communications since the service is always on (http://www.sec.gov/Archives/edgar/data/1498209/000119312510182561/ds1.htm):

The number of connected users is subject to uncertainties and in some ways may overstate the number of users actively using our products during a given period. For example, for a number of our users, once a user has downloaded our software onto their device, the software will automatically be logged in to when the device is turned on, even if the customer takes no steps to affirmatively engage our software client after initial registration.

Jeff
[cryptography] Question on Handling of Authenticated Plaintext Data
Hi All,

I'm having trouble finding a reference to the way additional data is authenticated. In the past, I simply used the following (under an independent key):

tag = HMAC(AAD, Ciphertext)

Recently, I came across a post by Dr. Bernstein [1] that states:

I find it quite strange to see a call for minimalism from people who keep writing definitions that treat associated data separately from plaintext. It's clearly more minimal for the cryptographer to allow just plaintext, and to tell the user to put a hash of the associated data into the plaintext.

I think what that means is:

tag = HMAC(HASH(AAD), Ciphertext)

That raises a few questions for me: what problem does HASH(AAD) solve? How does the handling change if I want to use a digital signature rather than an HMAC/CMAC? In both cases (HMAC/CMAC or digital signature), is leaking timing information during the hash comparison a concern? (I feel like it should be because the adversary might not know the hash in advance under some use cases.) Or is the concern over leaking timing information limited to the secret data, such as the HMAC/CMAC key or the private exponent?

Jeff

[1] https://groups.google.com/forum/#!msg/crypto-competitions/n5ECGwYr6Vk/St1FEZoQ-E8J
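As an added example (not from the thread or any of its participants), the Python script below contrasts three ways of binding associated data to a ciphertext under an independent MAC key: a naive HMAC over the plain concatenation AAD || Ciphertext, which cannot tell where the AAD ends and so gives the same tag to two different (AAD, Ciphertext) pairs; a length-prefixed encoding that keeps the AAD as its own field; and the post's reading of Bernstein's suggestion, HMAC over HASH(AAD) || Ciphertext, where the fixed-size digest makes the boundary implicit. The tag check uses hmac.compare_digest so that comparison time does not depend on how many leading tag bytes a submitted value gets right. The function names, the sample key and the sample (AAD, Ciphertext) pairs are all constructed for this example.

```python
"""Added example: binding AAD to a ciphertext under an independent MAC key.

Three encodings of the authenticated input are compared, plus a constant-time
tag check. Nothing here is code from the mailing-list thread.
"""
import hashlib
import hmac
import os
import struct


def tag_naive(mac_key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """HMAC over the plain concatenation AAD || Ciphertext.

    The MAC never learns where the AAD ends, so any two (AAD, Ciphertext)
    splits of the same byte string produce the same tag (see collision_demo).
    """
    return hmac.new(mac_key, aad + ciphertext, hashlib.sha256).digest()


def tag_length_prefixed(mac_key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """HMAC over len(AAD) || AAD || len(Ciphertext) || Ciphertext.

    The 8-byte big-endian length fields make the encoding unambiguous while
    still treating the AAD as a separate field.
    """
    encoded = (struct.pack(">Q", len(aad)) + aad
               + struct.pack(">Q", len(ciphertext)) + ciphertext)
    return hmac.new(mac_key, encoded, hashlib.sha256).digest()


def tag_hashed_aad(mac_key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """HMAC over HASH(AAD) || Ciphertext, the reading of Bernstein's remark in the post.

    SHA-256 output is always 32 bytes, so the boundary between the AAD part
    and the ciphertext part is implicit: no length prefix is needed, and the
    MAC itself only ever sees a single input stream.
    """
    aad_digest = hashlib.sha256(aad).digest()
    return hmac.new(mac_key, aad_digest + ciphertext, hashlib.sha256).digest()


def verify_tag(expected: bytes, received: bytes) -> bool:
    """Constant-time tag comparison.

    A plain `==` on bytes may return as soon as the first differing byte is
    found; hmac.compare_digest runs in time independent of the content.
    """
    return hmac.compare_digest(expected, received)


def collision_demo(mac_key: bytes) -> bool:
    """True when the naive scheme merges two distinct (AAD, Ciphertext) pairs
    while both unambiguous encodings keep them apart."""
    pair_a = (b"ab", b"c")   # constructed: AAD "ab", ciphertext "c"
    pair_b = (b"a", b"bc")   # constructed: AAD "a",  ciphertext "bc"
    naive_collides = tag_naive(mac_key, *pair_a) == tag_naive(mac_key, *pair_b)
    prefixed_differs = (tag_length_prefixed(mac_key, *pair_a)
                        != tag_length_prefixed(mac_key, *pair_b))
    hashed_differs = (tag_hashed_aad(mac_key, *pair_a)
                      != tag_hashed_aad(mac_key, *pair_b))
    return naive_collides and prefixed_differs and hashed_differs


def tamper_demo(mac_key: bytes) -> bool:
    """True when the hashed-AAD scheme accepts the genuine AAD and rejects a
    modified one for the same ciphertext."""
    aad, ciphertext = b"header:v1", b"\x00\x11\x22\x33"   # constructed sample
    tag = tag_hashed_aad(mac_key, aad, ciphertext)
    accepted = verify_tag(tag, tag_hashed_aad(mac_key, aad, ciphertext))
    rejected = not verify_tag(tag, tag_hashed_aad(mac_key, b"header:v2", ciphertext))
    return accepted and rejected


if __name__ == "__main__":
    key = os.urandom(32)   # constructed: an independent MAC key, as in the post
    print("naive encoding collides, prefixed and hashed do not:", collision_demo(key))
    print("modified AAD rejected under hashed-AAD scheme:", tamper_demo(key))
```

With a digital signature in place of the HMAC, the same unambiguous encoding is what gets signed; only the verification primitive changes, and the constant-time comparison still applies to whatever digest or tag bytes are compared at the receiver.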
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 9:49 AM, Adam Back a...@cypherspace.org wrote:

On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote:

On 05/17/2013 04:19 AM, Eugen Leitl wrote:

It is unreasonable for a closed source product by a commercial vendor to go any other way [putting backdoors in security products]

Makes perfect sense. as it's sometimes required by law, other times required to keep the users safe or companies away from legal harm.

Well that seems like a bold and controversial claim to me, maybe with its own liability and legal implications! Would you expect microsoft IIS web server to contain an SSL backdoor? Or microsoft VPN client? Or cisco? A lot of businesses and individuals are relying on these things to do what is advertised. Not doing what is advertised can itself get companies in trouble, in many jurisdictions. Skype has/had as a differentiator that it was end2end encrypted, it is my impression that a number of people used it for that purpose.

Correct. It does not match a user's mental model; nor does it meet a user's expectations (to borrow from Dr. Gutmann). Cisco is kind of an odd case since it advertises its backdoors. http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html.

Jeff