Lava lamp random number generator made useful?

2008-09-19 Thread Jerry Leichter
The Lava Lamp Random Number generator (at http://www.lavarnd.org/) generates true random numbers from the images of a couple of lava lamps. Of course, as a source of randomness for cryptographic purposes, it's useless because it's visible to everyone (though I suppose it might be used for

Attacking a secure smartcard

2008-12-07 Thread Jerry Leichter
I've previously mentioned Flylogic as a company that does cool attacks on chip-level hardware protection. In http://www.flylogic.net/blog/?p=18 , they talk about attacking the ST16601 Smartcard - described by the vendor as offering Very high security features including EEPROM flash erase

Re: AES HDD encryption was XOR

2008-12-07 Thread Jerry Leichter
On Dec 7, 2008, at 4:10 AM, Alexander Klimov wrote: http://www.heise-online.co.uk/security/Encrypting-hard-disk-housing-cracked--/news/112141 : With its Digittrade Security hard disk, the German vendor Digittrade has launched another hard disk housing based on the unsafe IM7206 controller by

Re: CPRNGs are still an issue.

2008-12-16 Thread Jerry Leichter
On Dec 15, 2008, at 2:09 PM, Perry E. Metzger wrote: Bill Frantz fra...@pwpconsult.com writes: I find myself in this situation with a design I'm working on. I have an ARM chip, where each chip has two unique numbers burned into the chip for a total of 160 bits. I don't think I can really depend

Re: CPRNGs are still an issue.

2008-12-17 Thread Jerry Leichter
On Dec 16, 2008, at 12:10 PM, Simon Josefsson wrote: ...I agree with your recommendation to write an AES key to devices at manufacturing time. However it always comes with costs, including: 1) The cost of improving the manufacture process sufficiently well to make it unlikely that compromised

Re: CPRNGs are still an issue.

2008-12-17 Thread Jerry Leichter
On Dec 16, 2008, at 4:22 PM, Charles Jackson wrote: I probably should not be commenting, not being a real device guy. But, variations in temperature and time could be expected to change SSD timing. Temperature changes will probably change the power supply voltages and shift some of the

Re: CPRNGs are still an issue.

2008-12-17 Thread Jerry Leichter
On Dec 15, 2008, at 2:28 PM, Joachim Strömbergson wrote: ...One could probably do a similar comparison to the increasingly popular idea of building virtual LANs to connect your virtualized server running on the same physical host. Ethernet frame reception time variance as well as other real

Re: CPRNGs and assurance...

2008-12-18 Thread Jerry Leichter
On Dec 17, 2008, at 3:18 PM, Perry E. Metzger wrote: I'd like to expand on a point I made a little while ago about the just throw everything at it, and hope the good sources drown out the bad ones entropy collection strategy. The biggest problem in security systems isn't whether you're using

Re: Security by asking the drunk whether he's drunk

2008-12-25 Thread Jerry Leichter
Just one minor observation: On Dec 22, 2008, at 5:18 AM, Peter Gutmann wrote: This leads to a scary rule of thumb for defenders: 1. The attackers have more CPU power than any legitimate user will ever have, and it costs them nothing to apply it. Any defence based on resource

Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Jerry Leichter
On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote: d...@geer.org writes: I'm hoping this is just a single instance but it makes you remember that the browser pre-trusted certificate authorities really needs to be cleaned up. Given the more or less complete failure of commercial PKI for

Re: Security by asking the drunk whether he's drunk

2008-12-28 Thread Jerry Leichter
On Dec 27, 2008, at 10:02 AM, Ben Laurie wrote: On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Adding support for a service like Perspectives (discussed here a month or two back) would be a good start since it provides some of the assurance that a commercial

Re: very high speed hardware RNG

2008-12-30 Thread Jerry Leichter
On Dec 28, 2008, at 8:12 PM, Perry E. Metzger wrote: Semiconductor laser based RNG with rates in the gigabits per second. http://www.physorg.com/news148660964.html My take: neat, but not as important as simply including a decent hardware RNG (even a slow one) in all PC chipsets would be.

Re: Security by asking the drunk whether he's drunk

2009-01-01 Thread Jerry Leichter
On Dec 30, 2008, at 4:21 PM, Sidney Markowitz wrote: Sidney Markowitz wrote, On 31/12/08 10:08 AM: or that CA root certs that use MD5 for their hash are still in use and have now been cracked? I should remember -- morning coffee first, then post. The CA root certs themselves have not been

Re: On the topic of Asking the drunk...

2009-01-10 Thread Jerry Leichter
On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote: https://visa.com/ I get no response. None at https://www.visa.com either. On the other hand, the US-specific site, https://usa.visa.com, responds just fine - but it redirects you to http://usa.visa.com/index.html . Try that same address

What risk is being defended against here?

2009-01-11 Thread Jerry Leichter
Not cryptography, but the members of this list think in these terms, so... Just recently, my 8th-grade daughter took a school placement test. This test (the ISEE) is administered internationally. When we arrived, we learned that she would not be allowed into the test room without *one*

What EV certs are good for

2009-01-25 Thread Jerry Leichter
I just received a phishing email, allegedly from HSBC: Dear HSBC Member, Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website. The use of EV SSL certification works with high

Re: Obama's secure PDA

2009-01-26 Thread Jerry Leichter
On Jan 26, 2009, at 2:49 AM, Ivan Krstić wrote: [A]ny idea why the Sectéra is certified up to Top Secret for voice but only up to Secret for e-mail? (That is, what are the differing requirements?) I have no information, but a guess: Phone conversation encryption, at all levels, has been

Re: Obama's secure PDA

2009-01-27 Thread Jerry Leichter
I know next to nothing about the state of the art of secure cell devices; do list members have any (public) knowledge or informed speculation about the mechanism behind the unclassified/classified switches? Are we talking two entire separate CPUs with a mutex-shared screen/keyboard? Or

Re: Proof of Work - atmospheric carbon

2009-01-28 Thread Jerry Leichter
On Jan 27, 2009, at 2:35 PM, Hal Finney wrote: John Gilmore writes: The last thing we need is to deploy a system designed to burn all available cycles, consuming electricity and generating carbon dioxide, all over the Internet, in order to produce small amounts of bitbux to get emails or

Re: Obama's secure PDA

2009-01-28 Thread Jerry Leichter
On Jan 28, 2009, at 2:03 PM, Perry E. Metzger wrote: There's a Classified USB Cable for file transfer with Classified PC I wonder what a classified USB cable is. Perhaps it's an unclassified USB cable with the little three-prong USB logo blacked out by the censors. I would imagine it

Re: Attack of the Wireless Worms

2009-01-30 Thread Jerry Leichter
On Jan 29, 2009, at 10:07 AM, Donald Eastlake wrote: Recent research has shown that a new and disturbing form of computer infection is readily spread: the epidemic copying of malicious code among wireless routers without the participation of intervening computers. Such an epidemic could easily

Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread Jerry Leichter
On Jan 30, 2009, at 4:47 PM, Ray Dillinger wrote: I have a disgustingly simple proposal. [Basically, always include a cryptographic token when you send mail; always require it when you receive mail.] There is little effective difference between this and whitelists. If I only accept mail

Re: full-disk subversion standards released

2009-02-12 Thread Jerry Leichter
On Feb 2, 2009, at 2:29 AM, Peter Gutmann wrote: Mark Ryan presented a plausible use case that is not DRM: http://www.cs.bham.ac.uk/~mdr/research/projects/08-tpmFunc/. This use is like the joke about the dancing bear, the amazing thing isn't the quality of the dancing but the fact that the

Nato's cyber defence warriors

2009-02-12 Thread Jerry Leichter
Interesting article from the BBC on the state of play in cyber attack and defense. Not much depth - I'm sure you weren't expecting it, given the source - but worth looking at. http://news.bbc.co.uk/2/hi/europe/7851292.stm -- Jerry

Re: The password-reset paradox

2009-02-20 Thread Jerry Leichter
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote: There are a variety of password cost-estimation surveys floating around that put the cost of password resets at $100-200 per user per year, depending on which survey you use (Gartner says so, it must be true). You can get OTP tokens as

Re: Shamir secret sharing and information theoretic security

2009-02-23 Thread Jerry Leichter
On Feb 17, 2009, at 6:03 PM, R.A. Hettinga wrote: Begin forwarded message: From: Sarad AV jtrjtrjtr2...@yahoo.com Date: February 17, 2009 9:51:09 AM EST To: cypherpu...@al-qaeda.net Subject: Shamir secret sharing and information theoretic security hi, I was going through the wikipedia

Sweden's air force 'can't send secret messages'

2009-02-23 Thread Jerry Leichter
Summary: Sweden developed its own secure encryption system for communicating with fighter jets. A new jet, which is scheduled to replace all existing fighters by 2011, uses a NATO-standard encryption system - only. There is no plan in place to upgrade the ground systems to the NATO

Re: Activation protocol for tracking devices

2009-03-02 Thread Jerry Leichter
On Feb 27, 2009, at 2:13 PM, Santiago Aguiar wrote: * Is there any standard cryptographic hash function with an output of about 64 bits? It's OK for our scenario if finding a preimage for a particular signature takes 5 days. Not if it takes 5 minutes. Not specifically, but you can simply take

Re: Activation protocol for tracking devices

2009-03-02 Thread Jerry Leichter
On Mar 2, 2009, at 12:56 PM, Santiago Aguiar wrote: Hi, Jerry Leichter wrote: Not specifically, but you can simply take the first 64 bits from a larger cryptographically secure hash function. OK, I didn't know if it was right to do just that. We were thinking to use that hash in an HMAC so
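As an added illustration (editor's example in Go, not code from this thread or from Santiago Aguiar's design): a 64-bit tag made by truncating HMAC-SHA256, together with the two server-side checks that a tag this short makes mandatory. The message layout (a 32-bit device ID and a 64-bit activation counter), the lockout threshold and the key are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TagLen is the truncated tag size in bytes: the 64 bits asked about in the thread.
const TagLen = 8

// ActivationTag is HMAC-SHA256 over (deviceID, counter), keeping only the first
// 64 bits. Truncating a PRF output is the standard way to get a short tag (RFC 2104
// section 5 allows it); what changes is the forgery bound: without the key an
// attacker can only guess, each guess succeeds with probability 2^-64, so the
// realistic attacks are online guessing against the verifier, and replay.
func ActivationTag(key []byte, deviceID uint32, counter uint64) []byte {
	msg := make([]byte, 12) // assumed layout: 4-byte device ID, 8-byte counter
	binary.BigEndian.PutUint32(msg[0:4], deviceID)
	binary.BigEndian.PutUint64(msg[4:12], counter)
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)[:TagLen]
}

// VerifyActivation recomputes the tag and compares it in constant time.
func VerifyActivation(key []byte, deviceID uint32, counter uint64, tag []byte) bool {
	if len(tag) != TagLen {
		return false
	}
	return hmac.Equal(ActivationTag(key, deviceID, counter), tag)
}

// Verifier is the server side. It caps failed attempts per device and refuses
// counters that do not move forward, which closes the two attacks a short
// tag leaves open: online guessing and replay.
type Verifier struct {
	key       []byte
	maxFails  int
	fails     map[uint32]int
	lastCount map[uint32]uint64
}

func NewVerifier(key []byte, maxFails int) *Verifier {
	return &Verifier{key: key, maxFails: maxFails,
		fails: map[uint32]int{}, lastCount: map[uint32]uint64{}}
}

// Accept reports whether an activation request should be honoured.
func (v *Verifier) Accept(deviceID uint32, counter uint64, tag []byte) bool {
	if v.fails[deviceID] >= v.maxFails {
		return false // locked out after too many bad tags
	}
	if last, seen := v.lastCount[deviceID]; seen && counter <= last {
		return false // replayed or stale counter
	}
	if !VerifyActivation(v.key, deviceID, counter, tag) {
		v.fails[deviceID]++
		return false
	}
	v.lastCount[deviceID] = counter
	return true
}

func main() {
	key := make([]byte, 32) // per-deployment secret, generated here for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v := NewVerifier(key, 10)
	tag := ActivationTag(key, 42, 1)
	fmt.Printf("tag=%x accepted=%v\n", tag, v.Accept(42, 1, tag))
	fmt.Printf("replay accepted=%v\n", v.Accept(42, 1, tag))
	tag[0] ^= 1
	fmt.Printf("tampered accepted=%v\n", v.Accept(42, 2, tag))
}
```

The design point is that truncation does not weaken the key (still 256 bits) but does make the verifier an oracle worth 2^-64 per query, so the lockout and the monotonic counter are part of the scheme, not optional hardening.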

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Jerry Leichter
On May 5, 2009, at 1:17 PM, Paul Hoffman wrote: ...This leads to the question: if a CA in a trust anchor pile does something wrong (terribly wrong, in this case) and fixes it, should they be punished? If you say yes, you should be ready to answer who will benefit from the punishment and in

Re: Solving password problems one at a time, Re: The password-reset paradox

2009-05-09 Thread Jerry Leichter
On May 8, 2009, at 3:39 PM, Ian G wrote: The difficulty with client certs is that I need them to also work on my laptop. And my other laptop. And my phone. So, how do I get hold of them when I'm on the road? Good point. The difficulty with my passwords is that I have so many that are so

Warning! New cryptographic modes!

2009-05-11 Thread Jerry Leichter
I recently stumbled across two attempts to solve a cryptographic problem - which has lead to what look like rather unfortunate solutions. The problem has to do with using rsync to maintain backups of directories. rsync tries to transfer a minimum of data by sending only the differences

Re: Warning! New cryptographic modes!

2009-05-21 Thread Jerry Leichter
To handle smaller inserts or deletes, you need to ensure that the underlying blocks get back into sync. The gzip technique I mentioned earlier works. Keep a running cryptographically secure checksum over the last blocksize bytes. When some condition on the checksum is met - equals 0 mod

Re: Warning! New cryptographic modes!

2009-05-21 Thread Jerry Leichter
On May 11, 2009, at 7:06 PM, silky wrote: How about this. When you modify a file, the backup system attempts to see if it can summarise your modifications into a file that is, say, less then 50% of the file size. So if you modify a 10kb text file and change only the first word, it will

Re: Warning! New cryptographic modes!

2009-05-21 Thread Jerry Leichter
On May 11, 2009, at 7:08 PM, Matt Ball wrote: Practically, to make this work, you'd want to look at the solutions that support 'data deduplication' (see http://en.wikipedia.org/wiki/Data_deduplication). These techniques typically break the data into variable length 'chunks', and de-duplicate by
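The gzip-style resynchronisation described in the earlier reply (a running checksum over the last block-size bytes, cut when it meets a condition) and the variable-length chunking mentioned here are the same idea. As an added example (editor's Go code, not from the thread or any product), here is content-defined chunking with a rolling hash over the last 16 bytes, a cut when the low 8 bits are zero, SHA-256 as the chunk identity, and a demonstration that a 100-byte insert changes only a few chunks. Window, cut mask, size bounds and the multiplier are assumed parameters; the sample data is generated filler, not a real file.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Chunking parameters (assumed values, not from the thread). A cut happens when the
// low 8 bits of the rolling hash are zero, so chunks average about 256 bytes.
const (
	window   = 16         // bytes covered by the rolling hash
	boundary = 0xFF       // h&boundary == 0 marks a cut
	minChunk = 64         // must exceed window
	maxChunk = 1024       // forced cut
	mult     = 2654435761 // odd multiplier keeps the low hash bits uniform
)

// Chunk is one content-defined piece; Digest is what a deduplicating store keys on.
type Chunk struct {
	Offset int
	Data   []byte
	Digest [32]byte
}

// Chunks cuts data where the content itself says so. The hash covers only the last
// `window` bytes, so a cut depends on local content, not on position: after an insert
// or delete the bytes shift, but the same cuts reappear once the window passes the edit.
func Chunks(data []byte) []Chunk {
	var out []Chunk
	var h, pow uint64 = 0, 1
	for i := 0; i < window; i++ {
		pow *= mult // mult^window, to remove the byte leaving the window
	}
	start := 0
	for i, b := range data {
		h = h*mult + uint64(b)
		if i >= window {
			h -= uint64(data[i-window]) * pow
		}
		size := i + 1 - start
		if size >= minChunk && (h&boundary == 0 || size >= maxChunk) {
			out = append(out, newChunk(start, data[start:i+1]))
			start = i + 1
		}
	}
	if start < len(data) {
		out = append(out, newChunk(start, data[start:]))
	}
	return out
}

func newChunk(off int, d []byte) Chunk {
	return Chunk{Offset: off, Data: d, Digest: sha256.Sum256(d)}
}

// SharedChunks counts chunks of b already present in a: the part of b that a
// deduplicating backup would not transfer or store again.
func SharedChunks(a, b []Chunk) int {
	seen := make(map[[32]byte]bool, len(a))
	for _, c := range a {
		seen[c.Digest] = true
	}
	n := 0
	for _, c := range b {
		if seen[c.Digest] {
			n++
		}
	}
	return n
}

// SampleData is constructed filler (splitmix64 output), not real file content.
func SampleData(n int, seed uint64) []byte {
	out := make([]byte, n)
	s := seed
	for i := range out {
		s += 0x9E3779B97F4A7C15
		z := s
		z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9
		z = (z ^ (z >> 27)) * 0x94D049BB133111EB
		out[i] = byte(z ^ (z >> 31))
	}
	return out
}

// Insert returns a copy of data with extra spliced in at off.
func Insert(data, extra []byte, off int) []byte {
	out := make([]byte, 0, len(data)+len(extra))
	out = append(out, data[:off]...)
	out = append(out, extra...)
	return append(out, data[off:]...)
}

func main() {
	a := SampleData(8192, 1)
	b := Insert(a, SampleData(100, 2), 4000)
	ca, cb := Chunks(a), Chunks(b)
	fmt.Printf("%d chunks; after a 100-byte insert: %d chunks, %d unchanged\n",
		len(ca), len(cb), SharedChunks(ca, cb))
	_ = bytes.Equal // kept for the test's reassembly check
}
```

Two practitioner caveats the code makes visible: the cut decision must not be reset at a boundary (it depends on content only), and the min/max bounds are what keep an adversary who controls file content from forcing either a flood of tiny chunks or one enormous one.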

Re: Warning! New cryptographic modes!

2009-05-21 Thread Jerry Leichter
On May 11, 2009, at 8:27 PM, silky wrote: The local version needs access to the last committed file (to compare the changes) and the server version only keeps the 'base' file and the 'changes' subsets. a) What's a committed file. b) As in my response to Victor's message, note that you can't

Re: consulting question.... (DRM)

2009-05-27 Thread Jerry Leichter
The introduction of the acronym DRM has drawn all the hysteria it always does. The description you've posted much more closely matches license (or sometimes entitlement) management software than DRM. There are many companies active in this field. Many are small, but Microsoft sells

Neat idea

2009-05-29 Thread Jerry Leichter
Using retransmissions for steganography. http://arxiv.org/pdf/0905.0363v3 -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to

Re: consulting question.... (DRM)

2009-05-30 Thread Jerry Leichter
On May 29, 2009, at 8:48 AM, Peter Gutmann wrote: Jerry Leichter leich...@lrw.com writes: For the most part, software like this aims to keep reasonably honest people honest. Yes, they can probably hire someone to hack around the licensing software. (There's generally not much motivation

Re: password safes for mac

2009-06-30 Thread Jerry Leichter
On Jun 28, 2009, at 4:05 PM, Ivan Krstić wrote: Does anyone have a recommended encrypted password storage program for the mac? System applications and non-broken 3rd party applications on OS X store credentials in Keychain, which is a system facility for keeping secrets. Your user keychain

Very high rate true random number generation

2009-07-09 Thread Jerry Leichter
Randomness from quantum effects at Megabits per second (and they claim they can get to Gb/s). I can't say I follow all the details of what they're doing. http://spie.org/x35516.xml -- Jerry

Re: Weakness in Social Security Numbers Is Found

2009-07-12 Thread Jerry Leichter
On Jul 8, 2009, at 8:46 PM, d...@geer.org wrote: I don't honestly think that this is new, but even if it is, a 9-digit random number has a 44% chance of being a valid SSN (442 million issued to date). Different attack. What they are saying is that given date and place of birth - not normally

Re: Zooko's semi-private keys

2009-07-22 Thread Jerry Leichter
On Jul 21, 2009, at 3:11 PM, Hal Finney wrote: The first is equivalent to: knowing g^(xy) is it impossible to deduce g^x, where y = H(g^x). Define Y = g^x, then y = H(Y) and g^(xy) = Y^H(Y). The question is then: Given Y^H(Y) can we deduce Y? To make a simple observation: H matters. If

Re: New Technology to Make Digital Data Disappear, on Purpose

2009-07-23 Thread Jerry Leichter
On Jul 21, 2009, at 10:48 PM, Perry E. Metzger wrote: d...@geer.org writes: The pieces of the key, small numbers, tend to “erode” over time as they gradually fall out of use. To make keys erode, or timeout, Vanish takes advantage of the structure of a peer-to-peer file system. Such

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-07-26 Thread Jerry Leichter
On Jul 26, 2009, at 12:11 AM, james hughes wrote: On Jul 24, 2009, at 9:33 PM, Zooko Wilcox-O'Hearn wrote: [cross-posted to tahoe-...@allmydata.org and cryptography@metzdowd.com ] Disclosure: Cleversafe is to some degree a competitor of my Tahoe-LAFS project. ... I am tempted to ignore

Re: The latest Flash vulnerability and monoculture

2009-07-26 Thread Jerry Leichter
On Jul 26, 2009, at 2:27 PM, Perry E. Metzger wrote: ...[T]here is an exploitable hole in Adobe's Flash right now, and there is no fix available yet This highlights an unfortunate instance of monoculture -- nearly everyone on the internet uses Flash for nearly all the video they watch, so

Re: The latest Flash vulnerability and monoculture

2009-07-27 Thread Jerry Leichter
On Jul 26, 2009, at 11:20 PM, Perry E. Metzger wrote: Jerry Leichter leich...@lrw.com writes: While I agree with the sentiment and the theory, I'm not sure that it really works that way. How many actual implementations of typical protocols are there? I'm aware of at least four TCP/IP

Manipulation and abuse of the consumer credit reporting agencies

2009-08-01 Thread Jerry Leichter
Found on the Telecom list (which I've subscribed to for years but almost never read any more). The paper is quite interesting. -- Jerry Date: Fri, 31 Jul 2009 22:07:03 -0400 From: Monty Solomon mo...@roscom.com To:

Re: The clouds are not random enough

2009-08-02 Thread Jerry Leichter
Why Cloud Computing Needs More Chaos: http://www.forbes.com/2009/07/30/cloud-computing-security-technology-cio-network-cloud-computing.html [Moderator's note: ... the article is about a growing problem -- the lack of good quality random numbers in VMs provided by services like EC2 and the

Vulnerable keyboards

2009-08-04 Thread Jerry Leichter
A couple of weeks ago, Apple distributed a firmware update for their keyboards - the standalone ones, not the ones built into laptops. I remarked at the time (perhaps on this list?) that given a way for Apple to update the firmware ... was there a way for others with malicious intent?

All your notebook belong to us

2009-08-09 Thread Jerry Leichter
Just about all notebooks shipped in the last 5 years or more contain a helpful bit of code in the BIOS that allows for remote tracing in case of theft. Unfortunately, it's got serious security holes, allowing it to be used for much more nefarious purposes - like rootkits that survive disk

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-09 Thread Jerry Leichter
3. Cleversafe should really tone down the Fear Uncertainty and Doubt about today's encryption being mincemeat for tomorrow's cryptanalysts. It might turn out to be true, but if so it will be due to cryptanalytic innovations more than due to Moore's Law. And it might not turn out like

Re: brute force physics Was: cleversafe...

2009-08-12 Thread Jerry Leichter
On Aug 10, 2009, at 4:42 AM, Alexander Klimov wrote: On Sun, 9 Aug 2009, Jerry Leichter wrote: Since people do keep bringing up Moore's Law in an attempt to justify larger keys our systems stronger than cryptography, it's worth keeping in mind that we are approaching fairly deep physical

Re: Ultimate limits to computation

2009-08-12 Thread Jerry Leichter
On Aug 11, 2009, at 2:47 PM, Hal Finney wrote: [Note subject line change] Jerry Leichter writes: Since people do keep bringing up Moore's Law in an attempt to justify larger keys our systems stronger than cryptography, it's worth keeping in mind that we are approaching fairly deep physical

Practical attack on WPA?

2009-08-31 Thread Jerry Leichter
http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf A Practical Message Falsification Attack on WPA Toshihiro Ohigashi and Masakatu Morii Abstract. In 2008, Beck and Tews have proposed a practical attack on WPA. Their attack (called the

Defending Against Sensor-Sniffing Attacks on Mobile Phones

2009-08-31 Thread Jerry Leichter
http://conferences.sigcomm.org/sigcomm/2009/workshops/mobiheld/papers/p31.pdf ABSTRACT Modern mobile phones possess three types of capabilities: computing, communication, and sensing. While these capabilities enable a variety of novel applications, they also raise serious privacy concerns. We

Source for Skype Trojan released

2009-08-31 Thread Jerry Leichter
It can “...intercept all audio data coming and going to the Skype process.” Proof of concept, but polished versions will surely follow. http://www.scmagazineus.com/Skype-snooping-trojan-detected/article/147537/ -- Jerry

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Jerry Leichter
On Sep 3, 2009, at 12:26 AM, Peter Gutmann wrote: This returns us to the previously-unsolved UI problem: how -- with today's users, and with something more or less like today's browsers since that's what today's users know -- can a spoof-proof password prompt be presented? Good enough to

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Jerry Leichter
On Sep 7, 2009, at 8:58 AM, Jerry Leichter wrote: ...standard Mac OS GUI element to prompt for passwords ... I should expand on that a bit: This GUI element is used for all kinds of things tied to a window, not just passwords. For example, if you try to close a window that contains stuff

Re: Fed's RFIDiocy pwnd at DefCon

2009-09-09 Thread Jerry Leichter
On Sep 4, 2009, at 4:24 PM, Matt Crawford wrote: . . . federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader. The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-17 Thread Jerry Leichter
On Sep 17, 2009, at 1:20 AM, Peter Gutmann wrote: Kevin W. Wall kevin.w.w...@gmail.com writes: (Obviously some of these padding schemes such as OAEP are not suitable with symmetric ciphers. Or at least I don't think they are.) You'd be surprised at what JCE developers will implement just

Unexpected side-effects

2009-09-29 Thread Jerry Leichter
Well, here I'll expect one. :-) As there is increasing pressure to keep records of Internet use, there will be a counter-move to use VPN's which promise to keep no records. Which will lead to legal orders that records be kept, with no notification to those being tracked. Enter secure

Re: Question about Shamir secret sharing scheme

2009-10-04 Thread Jerry Leichter
On Oct 3, 2009, at 2:42 AM, Kevin W. Wall wrote: Hi list...I have a question about Shamir's secret sharing. According to the _Handbook of Applied Cryptography_ Shamir’s secret sharing (t,n) threshold scheme works as follows: SUMMARY: a trusted party distributes shares of a secret S to n
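Shamir's (t,n) scheme as summarised above, and the information-theoretic point raised in the February thread on the same subject, as an added example (editor's Go code, not from the Handbook or from either thread). The field GF(2^127-1) and the share x-coordinates 1..n are the example's own choices.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// The field: integers mod 2^127-1 (a Mersenne prime). Secrets must be below it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

type Share struct{ X, Y *big.Int }

// Split is the dealer step: pick a random polynomial f of degree t-1 with
// f(0) = secret and hand out the points (i, f(i)) for i = 1..n.
func Split(secret *big.Int, t, n int) ([]Share, error) {
	if t < 1 || n < t || secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, errors.New("bad parameters")
	}
	coeffs := make([]*big.Int, t)
	coeffs[0] = new(big.Int).Set(secret)
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		shares[i] = Share{X: x, Y: evalPoly(coeffs, x)}
	}
	return shares, nil
}

// evalPoly computes f(x) mod p by Horner's rule.
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x).Add(y, coeffs[i]).Mod(y, prime)
	}
	return y
}

// Interpolate evaluates, at x, the unique polynomial of degree < len(pts) through
// the given points (Lagrange form, all arithmetic mod p; X values must be distinct).
func Interpolate(pts []Share, x *big.Int) *big.Int {
	sum := new(big.Int)
	for i, pi := range pts {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, pj := range pts {
			if i == j {
				continue
			}
			num.Mul(num, new(big.Int).Sub(x, pj.X)).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(pi.X, pj.X)).Mod(den, prime)
		}
		term := new(big.Int).Mul(pi.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		sum.Add(sum, term).Mod(sum, prime)
	}
	return sum
}

// Recover takes any t shares: the secret is f(0).
func Recover(shares []Share) *big.Int { return Interpolate(shares, big.NewInt(0)) }

// AnySecretFits is the information-theoretic argument in code: given only t-1
// shares, every candidate secret is consistent with them, because those shares
// plus the point (0, candidate) determine a degree-(t-1) polynomial through all
// of them. The shares alone therefore say nothing about which secret was dealt.
func AnySecretFits(partial []Share, candidate *big.Int) bool {
	pts := append([]Share{{X: big.NewInt(0), Y: candidate}}, partial...)
	for _, s := range partial {
		if Interpolate(pts, s.X).Cmp(s.Y) != 0 {
			return false
		}
	}
	return true
}

func main() {
	secret := big.NewInt(123456789) // constructed demo secret
	shares, err := Split(secret, 3, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("3 of 5 recover:", Recover(shares[1:4]))
	fmt.Println("2 of 5 yield:  ", Recover(shares[:2]), "(a random field element)")
	fmt.Println("2 shares fit the wrong secret 42 as well:", AnySecretFits(shares[:2], big.NewInt(42)))
}
```

Note what is not covered: the scheme assumes an honest dealer and honest shareholders; a holder who submits a corrupted share makes Recover return a wrong value with no indication, which is the property verifiable secret sharing adds.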

Re: Possibly questionable security decisions in DNS root management

2009-10-14 Thread Jerry Leichter
On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote: ...We should also recognize that in cryptography, a small integer safety margin isn't good enough. If one estimates that a powerful opponent could attack a 1024 bit RSA key in, say, two years, that's not even a factor of 10 over 90 days, and

Collection of code making and breaking machines

2009-10-19 Thread Jerry Leichter
A bit too far for a quick visit (at least for me): http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm -- Jerry

Re: Possibly questionable security decisions in DNS root management

2009-10-20 Thread Jerry Leichter
On Oct 17, 2009, at 5:23 AM, John Gilmore wrote: Even using keys that have a round number of bits is foolish, in my opinion. If you were going to use about 2**11th bits, why not 2240 bits, or 2320 bits, instead of 2048? Your software already handles 2240 bits if it can handle 2048, and it's

Security of Mac Keychain, File Vault

2009-10-25 Thread Jerry Leichter
The article at http://www.net-security.org/article.php?id=1322 claims that both are easily broken. I haven't been able to find any public analyses of Keychain, even though the software is open-source so it's relatively easy to check. I ran across an analysis of File Vault not long ago

re: Security of Mac Keychain, Filevault

2009-11-01 Thread Jerry Leichter
A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very disappointed with the responses. Almost everyone attacked the person quoted in the article. The attacks they

Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Jerry Leichter
On Nov 1, 2009, at 10:32 PM, Steven Bellovin wrote: On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote: A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very

Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Jerry Leichter
On Nov 2, 2009, at 5:36 PM, Jeffrey I. Schiller wrote: - Jerry Leichter leich...@lrw.com wrote: for iPhones and iPod Touches, which are regularly used to hold passwords (for mail, at the least). I would not (do not) trust the iPhone (or iPod Touch) to protect a high value password

Re: Effects of OpenID or similar standards

2009-11-09 Thread Jerry Leichter
On Nov 6, 2009, at 4:19 PM, Erwan Legrand wrote: On Tue, Nov 3, 2009 at 9:41 PM, David-Sarah Hopwood david-sa...@jacaranda.org wrote: Jerry is absolutely correct that the practical result will be that most users of OpenID will become more vulnerable to compromise of a single password. Do

Re: Crypto dongles to secure online transactions

2009-11-09 Thread Jerry Leichter
On Nov 8, 2009, at 2:07 AM, John Levine wrote: At a meeting a few weeks ago I was talking to a guy from BITS, the e-commerce part of the Financial Services Roundtable, about the way that malware infected PCs break all banks' fancy multi-password logins since no matter how complex the login

Re: hedging our bets -- in case SHA-256 turns out to be insecure

2009-11-09 Thread Jerry Leichter
On Nov 8, 2009, at 6:30 AM, Zooko Wilcox-O'Hearn wrote: I propose the following combined hash function C, built out of two hash functions H1 and H2: C(x) = H1(H1(x) || H2(x)) I'd worry about using this construction if H1's input block and output size were the same, since one might be able

Re: Crypto dongles to secure online transactions

2009-11-10 Thread Jerry Leichter
On Nov 8, 2009, at 7:45 PM, Thorsten Holz wrote: ...There are several approaches to stop (or at least make it more difficult) this attack vector. A prototype of a system that implements the techniques described in your blog posting was presented by IBM Zurich about a year ago, see

Re: Crypto dongles to secure online transactions

2009-11-16 Thread Jerry Leichter
On Nov 11, 2009, at 10:36 AM, Matt Crawford wrote: On Nov 10, 2009, at 8:44 AM, Jerry Leichter wrote: Whether or not it can, it demonstrates the hazards of freezing implementations of crypto protocols into ROM: Imagine a world in which there are a couple of hundred million ZTIC's

Re: Crypto dongles to secure online transactions

2009-11-17 Thread Jerry Leichter
On Nov 16, 2009, at 12:30 PM, Jeremy Stanley wrote: If one organization distributes the dongles, they could accept only updates signed by that organization. We have pretty good methods for keeping private keys secret at the enterprise level, so the risks should be manageable. But even then,

Re: Crypto dongles to secure online transactions

2009-11-25 Thread Jerry Leichter
On Nov 18, 2009, at 6:16 PM, Anne Lynn Wheeler wrote: ... we could move to a person-centric paradigm ... where a person could use the same token for potentially all their interactions ... we claimed we do something like two orders magnitude reduction in fully-loaded costs by going to no

Re: Crypto dongles to secure online transactions

2009-11-25 Thread Jerry Leichter
On Nov 21, 2009, at 6:12 PM, Bill Frantz wrote: leich...@lrw.com (Jerry Leichter) on Saturday, November 21, 2009 wrote: It's no big deal to read these cards, and from many times the inch or so that the standard readers require. So surely someone has built a portable reader

Re: New Research Suggests That Governments May Fake SSL Certificates

2010-03-26 Thread Jerry Leichter
On Mar 25, 2010, at 8:05 AM, Dave Kleiman wrote: March 24th, 2010 New Research Suggests That Governments May Fake SSL Certificates Technical Analysis by Seth Schoen http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl Today two computer security

Re: What's the state of the art in factorization?

2010-04-22 Thread Jerry Leichter
On Apr 21, 2010, at 7:29 PM, Samuel Neves wrote: EC definitely has practical merit. Unfortunately the patent issues around protocols using EC public keys are murky. Neither RSA nor EC come with complexity proofs. While EC (by that I assume you mean ECDSA) does not have a formal security

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Jerry Leichter
On Jul 9, 2010, at 1:55 PM, Jonathan Katz wrote: CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are fresh whereas security of CBC mode requires IVs to be random. In either case, a problem with a short IV (no matter what
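The distinction Jonathan Katz draws, fresh versus random IVs, as an added example (editor's Go code, not from the thread): a counter IV is fresh and is fine as a CTR nonce, but it lets a chosen-plaintext attacker confirm guesses about a CBC block; reusing a CTR nonce, on the other hand, hands over one plaintext given the other. The key and messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func newBlock(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// cbcEncrypt takes whole blocks only; padding is left out to keep the focus on the IV.
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(newBlock(key), iv).CryptBlocks(ct, pt)
	return ct
}

func ctrEncrypt(key, nonce, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(newBlock(key), nonce).XORKeyStream(ct, pt)
	return ct
}

// CounterIV is fresh but predictable: acceptable as a CTR nonce, unsafe as a CBC IV.
func CounterIV(n uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], n)
	return iv
}

// CBCGuessConfirmed is the chosen-plaintext attack that a fresh but predictable CBC
// IV permits. The attacker has seen c1 = E(p1 XOR ivUsed) and knows ivNext in
// advance, so submits guess XOR ivUsed XOR ivNext for encryption; the encryptor
// computes E(guess XOR ivUsed), which matches c1 exactly when the guess was p1.
// This is why CBC needs an IV that is unpredictable, not merely unrepeated.
func CBCGuessConfirmed(key, ivUsed, c1, ivNext, guess []byte) bool {
	probe := make([]byte, aes.BlockSize)
	for i := range probe {
		probe[i] = guess[i] ^ ivUsed[i] ^ ivNext[i]
	}
	return bytes.Equal(cbcEncrypt(key, ivNext, probe), c1[:aes.BlockSize])
}

// CTRXorRecover is the CTR failure mode. If nonce1 == nonce2 the keystreams are
// identical, c1 XOR c2 = p1 XOR p2, and knowing p1 gives p2 outright; with distinct
// nonces the same arithmetic yields noise. CTR needs a nonce that never repeats
// under the key, and a counter is enough for that. Requires len(p1) >= len(p2).
func CTRXorRecover(key, nonce1, nonce2, p1, p2 []byte) []byte {
	c1, c2 := ctrEncrypt(key, nonce1, p1), ctrEncrypt(key, nonce2, p2)
	out := make([]byte, len(p2))
	for i := range out {
		out[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return out
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	p1 := []byte("ATTACK AT DAWN!!")  // exactly one AES block
	p2 := []byte("RETREAT AT NOON!")
	c1 := cbcEncrypt(key, CounterIV(1), p1)
	fmt.Println("CBC, counter IV, guess DAWN confirmed:",
		CBCGuessConfirmed(key, CounterIV(1), c1, CounterIV(2), p1))
	fmt.Println("CBC, counter IV, guess DUSK confirmed:",
		CBCGuessConfirmed(key, CounterIV(1), c1, CounterIV(2), []byte("ATTACK AT DUSK!!")))
	fmt.Printf("CTR, nonce reused: %q\n", CTRXorRecover(key, CounterIV(7), CounterIV(7), p1, p2))
	fmt.Printf("CTR, fresh nonces: %q\n", CTRXorRecover(key, CounterIV(7), CounterIV(8), p1, p2))
}
```

A random 128-bit IV satisfies both modes at once, which is why it is the usual recommendation; the short-IV concern raised later in the same message is about the birthday bound on that randomness, not about either mode's mechanics.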

Re: Spy/Counterspy

2010-07-10 Thread Jerry Leichter
On Jul 9, 2010, at 1:00 PM, Pawel wrote: Hi, On Apr 27, 2010, at 5:38 AM, Peter Gutmann (alt) pgut001.reflec...@gmail.com wrote: GPS tracking units that you can fit to your car to track where your kids are taking it [T]he sorts of places that'll sell you card skimmers and RFID

Re: What is required for trust?

2010-07-10 Thread Jerry Leichter
On Jun 3, 2010, at 10:39 AM, Sandy Harris wrote: India recently forbade some Chinese companies from bidding on some cell phone infrastructure projects, citing national security concerns... The main devices to worry about are big infrastructure pieces -- telephone switches, big routers and

Re: A real case of malicious steganography in the wild?

2010-07-10 Thread Jerry Leichter
On Jun 29, 2010, at 3:33 AM, Steven Bellovin wrote: For years, there have been unverifiable statements in the press about assorted hostile parties using steganography. There may now be a real incident -- or at least, the FBI has stated in court documents that it happened. According to

Re: Spy/Counterspy

2010-07-11 Thread Jerry Leichter
On Jul 11, 2010, at 1:16 PM, Ben Laurie wrote: Beyond simple hacking - someone is quoted saying You can consider GPS a little like computers before the first virus - if I had stood here before then and cried about the risks, you would've asked 'why would anyone bother?'. - among the

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Jerry Leichter
On Jul 27, 2010, at 5:34 PM, Ben Laurie wrote: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to

Re: deliberately crashing ancient computers (was: Re: A mighty fortress is our PKI)

2010-07-29 Thread Jerry Leichter
On Jul 28, 2010, at 11:04 AM, Jonathan Thornburg wrote: http://www.crashie.com/ - if you're feeling malicious, just include the one line JavaScript that will make IE6 crash, maybe eventually the user will figure it out. (Or maybe not). Please stop and think about the consequences before

Re: init.d/urandom : saving random-seed

2010-08-01 Thread Jerry Leichter
On Aug 1, 2010, at 10:34 AM, Henrique de Moraes Holschuh wrote: (Please keep all CCs). On Sun, 01 Aug 2010, Jerry Leichter wrote: file might be reused: Stir in the date and time and anything else that might vary - even if it's readily guessable/detectable - along Well, yes, we have several

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Jerry Leichter
On Aug 1, 2010, at 7:10 AM, Peter Gutmann wrote: Thanks to all the folks who pointed out uses of m-of-n threshold schemes, however all of them have been for the protection of one-off, very high-value keys under highly controlled circumstances by trained personnel, does anyone know of any

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Jerry Leichter
On Aug 2, 2010, at 2:30 AM, Peter Gutmann wrote: Jerry Leichter leich...@lrw.com writes: One could certainly screw up the design of a recovery system, but one would have to try. There really ought not be that much of a difference between recovering from m pieces and recovering from one

Re: GSM eavesdropping

2010-08-03 Thread Jerry Leichter
On Aug 2, 2010, at 1:25 PM, Nicolas Williams wrote: On Mon, Aug 02, 2010 at 12:32:23PM -0400, Perry E. Metzger wrote: Looking forward, the there should be one mode, and it should be secure philosophy would claim that there should be no insecure mode for a protocol. Of course, virtually all

Re: GSM eavesdropping

2010-08-04 Thread Jerry Leichter
On Aug 2, 2010, at 4:19 PM, Paul Wouters wrote: ...Of course, TLS hasn't been successful in the sense that we care about most. TLS has had no impact on how users authenticate (we still send usernames and passwords) to servers, and the way TLS authenticates servers to users turns out to be

The long twilight of IE6

2010-08-05 Thread Jerry Leichter
We discussed the question of why IE6 is still out there. Well ... http://arstechnica.com/microsoft/news/2010/08/despite-petition-uk-government-to-keep-ie6.ars reports that the UK government has officially decided not to replace IE6, feeling the costs outweigh the benefits. Quoting from the

Cars hacked through wireless tire sensors

2010-08-10 Thread Jerry Leichter
Excerpted from http://arstechnica.com/security/news/2010/08/cars-hacked-through-wireless-tyre-sensors.ars -- Jerry The tire pressure monitors built into modern cars have been shown to be insecure by researchers from Rutgers University

Re: A mighty fortress is our PKI, Part II

2010-08-17 Thread Jerry Leichter
On Aug 17, 2010, at 4:20 AM, Peter Gutmann wrote: Your code-signing system should create a tamper-resistant audit trail [0] of every signature applied and what it's applied to. Peter. [0] By this I don't mean the usual cryptographic Rube-Goldbergery, just log the details to a separate

Collage

2010-08-18 Thread Jerry Leichter
Yesterday I asked about Haystack, an anti-censorship system that appears to exist mainly as newspaper articles. So today I ran across another system, which appears to be real: Collage (http://gigaom.com/2010/07/12/software-uses-twitter-flickr-to-let-dissidents-send-secret-messages/ ),

Re: questions about RNGs and FIPS 140

2010-08-26 Thread Jerry Leichter
On Aug 25, 2010, at 4:37 PM, travis+ml-cryptogra...@subspacefield.org wrote: I also wanted to double-check these answers before I included them: 1) Is Linux /dev/{u,}random FIPS 140 certified? No, because FIPS 140-2 does not allow TRNGs (what they call non-deterministic). I couldn't tell

Re: Randomness, Quantum Mechanics - and Cryptography

2010-09-08 Thread Jerry Leichter
On Sep 6, 2010, at 10:49 PM, John Denker wrote: If you think about the use of randomness in cryptography, what matters isn't really randomness - it's exactly unpredictability. Agreed. This is a very tough to pin down: What's unpredictable to me may be predictable to you, It's easy to

Re: ciphers with keys modifying control flow?

2010-09-29 Thread Jerry Leichter
On Sep 22, 2010, at 9:34 AM, Steven Bellovin wrote: Does anyone know of any ciphers where bits of keys modify the control path, rather than just data operations? Yes, I know that that's a slippery concept, since ultimately things like addition and multiplication can be implemented with

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-10-02 Thread Jerry Leichter
On Oct 1, 2010, at 11:34 PM, Richard Outerbridge wrote: Any implementation that returns distinguishable error conditions for invalid padding is vulnerable... Oh come on. This is really just a sophisticated variant of the old never say which was wrong - login ID or password - attack. In
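The condition quoted above, and the padding-versus-wrong-key question in the September ESAPI thread, as an added example (editor's Go code, not from either thread): a one-block CBC service that exposes padding validity, the byte-at-a-time recovery that permits, and the encrypt-then-MAC variant that gives an attacker the same answer whatever the padding. Keys, IV and message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const bs = aes.BlockSize

// pad and unpad implement PKCS#7: n trailing bytes of value n, 1 <= n <= 16.
func pad(p []byte) []byte {
	n := bs - len(p)%bs
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	n := 0
	if len(p) > 0 {
		n = int(p[len(p)-1])
	}
	if n == 0 || n > bs || n > len(p) || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-n], nil
}

func cbc(key, iv, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key) // keys in this demo are always 16 bytes
	mode := cipher.NewCBCDecrypter(blk, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// Service decrypts one CBC block. With RequireMAC it is encrypt-then-MAC and rejects
// unauthentic input before touching the padding; without it, padding validity is
// reported distinguishably, the condition quoted in the thread. Accept is the one
// bit an attacker observes per query.
type Service struct {
	Key, MACKey []byte
	RequireMAC  bool
}

func (s Service) Tag(iv, ct []byte) []byte {
	m := hmac.New(sha256.New, s.MACKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

func (s Service) Accept(iv, block, tag []byte) bool {
	if s.RequireMAC && !hmac.Equal(s.Tag(iv, block), tag) {
		return false
	}
	_, err := unpad(cbc(s.Key, iv, block, false))
	return err == nil
}

// RecoverBlock decrypts one block with a few hundred queries per byte (Vaudenay 2002).
// prev is the preceding ciphertext block, or the IV for the first block; it enters
// only the final XOR, never a query.
func RecoverBlock(s Service, prev, block []byte) []byte {
	inter := make([]byte, bs)  // raw block-cipher output for block, before CBC's XOR
	forged := make([]byte, bs) // the attacker-controlled "previous block"
	for pos := bs - 1; pos >= 0; pos-- {
		padByte := byte(bs - pos)
		for k := pos + 1; k < bs; k++ {
			forged[k] = inter[k] ^ padByte // known tail bytes now decrypt to padByte
		}
		for g := 0; g < 256; g++ {
			forged[pos] = byte(g)
			valid := s.Accept(forged, block, nil)
			if valid && pos == bs-1 { // 0x01 is valid alone; rule out an accidental 02 02, 03 03 03, ...
				forged[pos-1] ^= 0xFF
				valid = s.Accept(forged, block, nil)
				forged[pos-1] ^= 0xFF
			}
			if valid {
				inter[pos] = byte(g) ^ padByte
				break
			}
		}
	}
	pt := make([]byte, bs)
	for i := range pt {
		pt[i] = inter[i] ^ prev[i]
	}
	return pt
}

func main() {
	key, mac, iv := []byte("0123456789abcdef"), []byte("an independent MAC key"), []byte("fedcba9876543210")
	ct := cbc(key, iv, pad([]byte("attack at dawn, bring the key")), true) // constructed demo values
	weak, strong := Service{Key: key, MACKey: mac}, Service{Key: key, MACKey: mac, RequireMAC: true}
	fmt.Printf("last block via padding errors: %q\n", RecoverBlock(weak, ct[:bs], ct[bs:]))
	fmt.Printf("same attack with MAC required: %q\n", RecoverBlock(strong, ct[:bs], ct[bs:]))
}
```

The fix is not "return the same error string": timing and other side channels can distinguish a padding failure from a MAC failure just as well as a message can. Checking the MAC first and decrypting only authentic ciphertext is what removes the oracle.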

  1   2   3   >