Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-10 Thread ianG
On 5/06/12 23:46 PM, Thierry Moreau wrote: Hi Peter, Replying on the thinking process, not on the fundamentals at this time (we seem to agree on the characteristics of PKC vs else). Peter Gutmann wrote: Thierry Moreau writes: Unless automated SSH sessions are needed (which is a different pr

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-10 Thread Peter Gutmann
Thierry Moreau writes: >Would you extend the association to PGP usage? Magical thinking works independently of technology, so I'm sure there's a lot of it in the PGP world as well :-). >Would you extend the association to Lotus Notes as another PKC user community >(http://en.wikipedia.org/wiki

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-06 Thread Jim Fenton
On 6/2/12 6:15 AM, Joe St Sauver wrote: > ianG asked: > > #Would it be possible to describe in general words what LOA-1 thru 4 entails? > > I hesitate to try to do so. The definitive answer can be found in > http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf > The latest version,

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-05 Thread ianG
Thanks for that, that is all that is needed to get the idea. (I was hoping for some objective standard rather than a current-technology taxonomy.) iang On 2/06/12 23:15 PM, Joe St Sauver wrote: ianG asked: #Would it be possible to describe in general words what LOA-1 thru 4 entails? I hes

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-05 Thread Thierry Moreau
Hi Peter, Replying on the thinking process, not on the fundamentals at this time (we seem to agree on the characteristics of PKC vs else). Peter Gutmann wrote: Thierry Moreau writes: Unless automated SSH sessions are needed (which is a different problem space), the SSH session is directly

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-05 Thread Von Welch
> "passwords are insecure, PKCs are secure, therefore anything > that uses PKCs is magically made secure" Well as you said, you have to look at what happens in the real world. I would argue PKCs make things obscure, which buys you a fair amount of security until some undetermined point in time

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-05 Thread Peter Gutmann
Thierry Moreau writes: >Unless automated SSH sessions are needed (which is a different problem >space), the SSH session is directly controlled by a user. Then, the private >key is stored encrypted on long term storage (swap space vulnerability >remaining, admittedly) and in *plaintext*form*only*m

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-02 Thread Joe St Sauver
ianG asked: #Would it be possible to describe in general words what LOA-1 thru 4 entails? I hesitate to try to do so. The definitive answer can be found in http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf and includes many subtle and important points, but just to focus solely

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-01 Thread ianG
good post. I often think in terms of low-med-high security, where low is equivalent to mailing lists (spam threat), medium is online banking through web browsers, and high is payment systems using direct cash (digicash, bitcoin, e-gold, etc because they are instantly redeemable by thieves, no

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-30 Thread Joe St Sauver
Peter commented: #That users know passwords and they "work" is a large part of the problem #with passwords: the same low entropy security token is used for multiple #systems with varying levels of sensitivity. When using passwords, both the #user and the end systems must, in general, be trusted w

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-29 Thread Peter Maxwell
On 30 May 2012 05:01, ianG wrote: > On 29/05/12 11:03 AM, Peter Maxwell wrote: > >> >> >> On 29 May 2012 01:35, Peter Gutmann > > wrote: >> >>Peter Maxwell mailto:pe...@allicient.co.uk>> >> >>writes: >> >> >Why on earth would you need to spread your p

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-29 Thread ianG
On 29/05/12 11:03 AM, Peter Maxwell wrote: On 29 May 2012 01:35, Peter Gutmann mailto:pgut...@cs.auckland.ac.nz>> wrote: Peter Maxwell mailto:pe...@allicient.co.uk>> writes: >Why on earth would you need to spread your private-key across any number of >less secure machine

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-29 Thread Florian Weimer
* Eugen Leitl: > Unrelated, IIRC Microsoft changed the architecture of supernodes to allow > for lawful interception with Skype. Skype supports transparent call forwarding, so lawful intercept is possible as well. It's just a question of how much about the interception activity leaks to the part

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-29 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 05/28/2012 08:45 PM, Steven Bellovin wrote: > than relying "on the kindness of strangers". I haven't seen any > stories about making lawful intercept possible -- do you have a > source? https://www.pcworld.com/article/231359/microsoft_patents_spy

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-28 Thread Peter Maxwell
On 29 May 2012 01:35, Peter Gutmann wrote: > Peter Maxwell writes: > > >Why on earth would you need to spread your private-key across any number > of > >less secure machines? > > The technical details are long and tedious (a pile of machines that need to > talk via SSH because telnet and FTP wer

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-28 Thread Steven Bellovin
On May 26, 2012, at 8:15 34AM, Eugen Leitl wrote: > On Fri, May 25, 2012 at 11:19:33AM -0700, Jon Callas wrote: > >> My money would be on a combination of traffic analysis and targeted >> malware. We know that the Germans have been pioneering using targeted malware >> against Skype. Once you've

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-28 Thread Peter Gutmann
Peter Maxwell writes: >Why on earth would you need to spread your private-key across any number of >less secure machines? The technical details are long and tedious (a pile of machines that need to talk via SSH because telnet and FTP were turned off/firewalled years ago, I won't bore you with th

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-28 Thread Florian Weimer
* Marcus Brinkmann: > As far as decryption capabilities goes, the text is very clear: The > software used to analyse the communication stream can, in principle, > decrypt and/or analyze at least some of it. Note the qualifiers: In > principle, decrypt and/or analysis, depending on type and qualit

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-28 Thread Thierry Moreau
Peter Gutmann wrote: Werner Koch writes: Which is not a surprise given that many SSH users believe that ssh automagically make their root account save and continue to use their lame passwords instead of using PK based authentication. That has its own problems with magical thinking: Provided

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-27 Thread Ralph Holz
> But this sounds to me like a very general answer which was probably > prepared ahead of time to reveal the minimal amount of information. For > this reason I don't think it should be interpreted as referring to SSH > or PGP specifically. But the phrase "depending on the type and quality > of the

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-26 Thread Marcus Brinkmann
On 05/26/2012 08:01 AM, Peter Gutmann wrote: > Marsh Ray writes: > >> Perhaps someone who knows German can better interpret it. > > The government was asked "are encrypted communications creating any > difficulties for law enforcement in terms of pursuing criminals and > terrorists?". The gover

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-26 Thread Peter Maxwell
On 26 May 2012 06:57, Peter Gutmann wrote: > Werner Koch writes: > > >Which is not a surprise given that many SSH users believe that ssh > >automagically make their root account save and continue to use their lame > >passwords instead of using PK based authentication. > > That has its own proble

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-26 Thread Eugen Leitl
On Fri, May 25, 2012 at 11:19:33AM -0700, Jon Callas wrote: > My money would be on a combination of traffic analysis and targeted > malware. We know that the Germans have been pioneering using targeted malware > against Skype. Once you've done that, you can pick apart anything else. Just > a simpl

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Peter Gutmann
Marsh Ray writes: >Perhaps someone who knows German can better interpret it. The government was asked "are encrypted communications creating any difficulties for law enforcement in terms of pursuing criminals and terrorists?". The government replied "no, not really, so there's no need to restri

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Peter Gutmann
Werner Koch writes: >Which is not a surprise given that many SSH users believe that ssh >automagically make their root account save and continue to use their lame >passwords instead of using PK based authentication. That has its own problems with magical thinking: Provided you use PK auth, you'r

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Ondrej Mikle
On 05/25/2012 08:19 PM, Jon Callas wrote: > My money would be on a combination of traffic analysis and targeted malware. > We know that the Germans have been pioneering using targeted malware against > Skype. Once you've done that, you can pick apart anything else. Just a simple > matter of codi

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My money would be on a combination of traffic analysis and targeted malware. We know that the Germans have been pioneering using targeted malware against Skype. Once you've done that, you can pick apart anything else. Just a simple matter of coding.

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Werner Koch
On Fri, 25 May 2012 17:23, ma...@extendedsubset.com said: > Perhaps someone who knows German can better interpret it. What they likely mean is traffic analysis and that for example the Subject in mails is not encrypted. For SSH my guess is that they were able to break accounts by brute force pas

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Marsh Ray
On 05/25/2012 09:50 AM, Steven Bellovin wrote: Here's Google Translate link to the article (I can't read German). My money is on a protocol or implementation flaw, or possibly just hacks to the end system. http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eot

[cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Steven Bellovin
Here's Google Translate link to the article (I can't read German). My money is on a protocol or implementation flaw, or possibly just hacks to the end system. http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http://www.golem.de/news/bundesregierung-