Re: Crack in Computer Security Code Raises Red Flag

2005-03-20 Thread J.A. Terranson
On Tue, 15 Mar 2005, The Wall Street Journal Wrote: SHA-1 is a federal standard promulgated by the National Institute of Standards and Technology and used by the government and private sector for handling sensitive information. It is thought to be the most widely used hash function, and it

Re: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government

2005-03-20 Thread Ben Laurie
Ian G wrote: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government Certicom's ECC-based solutions enable government contractors to add security that meets NSA guidelines I should note that OpenSSL also supports ECC. --

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote: Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of Unfortunately, I already have a large network of people who use AIM, and they all each

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote: this is actually a very good solution for me. The only thing I don't like about it is that it stores the private key on your machine. I understand why that is, but it also means that if you switch machines with the same login

Re: Do You Need a Digital ID?

2005-03-20 Thread Anne Lynn Wheeler
R.A. Hettinga wrote: http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp i've been asked to flush out my merged security taxonomy and glossary http://www.garlic.com/~lynn/index.html#glosnote to highlight the distinction between identity theft and account theft. typically

Re: Encryption plugins for gaim

2005-03-20 Thread Peter Saint-Andre
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote: OTR works over Jabber today. Granted, it's not very Jabberish (as far as I understand the term; I don't know the Jabber protocol very well): it just replaces the text of the message with ciphertext. [gaim, at least, doesn't seem

Re: PK - OTP?

2005-03-20 Thread Amir Herzberg
Matt Crawford wrote: My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ... Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly sign), is it possible to implement a challenge/response

Re: Encryption plugins for gaim

2005-03-20 Thread Jim Cheesman
Ian G wrote: Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Just a quick note of clarification, there is a collision in the

Reuters -- British Firm Breaks Ground in Surveillance Science

2005-03-20 Thread David Chessler
http://www.reuters.com/newsArticle.jhtml?type=topNewsstoryID=7892255 http://www.reuters.com/printerFriendlyPopup.jhtml?type=topNewsstoryID=7892255 British Firm Breaks Ground in Surveillance Science Mon Mar 14, 2005 08:08 AM ET By Mark Trevelyan, Security Correspondent MALVERN, England (Reuters) -

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Ng Pheng Siong
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote: On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote: Certainly with UIXC it's not worth anything. What is UIXC? lemme guess: universal indiscriminate cross certification oh wait, peter did define it: implicit not

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Amir Herzberg
John, thanks for this fascinating report! Conclusion? `Not all CAs/certs are created equal`... therefore we should NOT automatically trust the contents of every certificate whose CA appears in the `root CA` list of the browser. Instead, browsers should allow users to select which CAs they trust

Re: Encryption plugins for gaim

2005-03-20 Thread Bill Stewart
At 10:19 PM 3/13/2005, Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. AOL says that the ToS bits are only for things like chatrooms; user-to-user AIM traffic doesn't even go through their servers.

Re: PK - OTP?

2005-03-20 Thread Matt Crawford
My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ... Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly sign), is it possible to implement a challenge/response function such that * Both

Re: Security is the bits you disable before you ship

2005-03-20 Thread Russell Nelson
Steven M. Bellovin writes: That's not new, either. I believe it was Tony Hoare who likened this to sailors doing shore drills with life preservers, but leaving them home when they went to sea. I think he said that in the 1970s; he said this in his Turing Award lecture: The

how to phase in new hash algorithms?

2005-03-20 Thread Steven M. Bellovin
We all understand the need to move to better hash algorithms than SHA1. At a minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is the right way to go. The problem is how to get there from here. OpenSSL 0.9.7 doesn't even include anything stronger than SHA1. As a

Westlaw agrees to restrict access to Social Security numbers

2005-03-20 Thread R.A. Hettinga
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/11162869.htm?template=contentModules/printstory.jsp The San Jose Mercury News Posted on Thu, Mar. 17, 2005 Westlaw agrees to restrict access to Social Security numbers WASHINGTON (AP) - A legal research company said Thursday it

Cyber cops foil £220m Sumitomo bank raid

2005-03-20 Thread R.A. Hettinga
http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/print.html The Register Biting the hand that feeds IT The Register » Security » Network Security » Original URL: http://www.theregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/ Cyber cops foil £220m Sumitomo bank raid

Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread Steven M. Bellovin
A few days ago, I posted this: WASHINGTON (AP) -- The National Security Agency warned President Bush in 2001 that monitoring U.S. adversaries would require a ``permanent presence'' on networks that also carry Americans' messages that are protected from government eavesdropping. ... ``Make no

Off-the-Record Messaging

2005-03-20 Thread R.A. Hettinga
http://www.cypherpunks.ca/otr/ Off-the-Record Messaging News - Downloads - Mailing Lists - Documentation - Frequently Asked Questions - Press Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing: Encryption No one else can read your

Non-repudiation

2005-03-20 Thread Jerrold Leichter
With all the discussion we've seen on this topic, I'm surprised no one has mentioned Non-Repudiation in Electronic Commerce, by Jianying Zhou. I haven't read this book, but Rob Slade gave it a good review in a year-old RISKS that I happened to stumble across. Any comments from list members?

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Shostack
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote: | Ian G wrote: | | Adam Fields wrote: | | Given what may or may not be recent ToS changes to the AIM service, | I've recently been looking into encryption plugins for gaim. | Specifically, I note gaim-otr, authored by Ian G, who's on

Re: NSA warned Bush it needed to monitor networks

2005-03-20 Thread James A. Donald
-- On 18 Mar 2005 at 22:52, Steven M. Bellovin wrote: That paragraph, believe it or not, was classified Secret. For what it's worth, the official definition of Secret, from Executive Order 12958 (http://www.dss.mil/seclib/eo12958.htm), is: Secret shall be applied to information, the

Re: how to phase in new hash algorithms?

2005-03-20 Thread Ian G
Steven M. Bellovin wrote: So -- what should we as a community be doing now? There's no emergency on SHA1, but we do need to start, and soon. The wider question is how to get moving on new hash algorithms. That's a bit tricky. Normally we'd look to see NIST or the NESSIE guys lead a competition.

Re: Encryption plugins for gaim

2005-03-20 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Peter Saint-Andre writes: On Tue, Mar 15, 2005 at 02:02:31PM -0500, Adam Fields wrote: On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote: Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account

Re: Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ralf Senderek w rites: And that is why I ask to give the Shamir Discrete Logarithm Hash Funktion a se cond thought. At leeast we have a proof of collision resistance under the assumptio n that factoring is infeasible for the modulus used. And that it more than we