Re: complexity classes and crypto algorithms

2006-06-21 Thread Leichter, Jerry
| First off you have a basic problem in definition: You have to specify | *one* hash with *one* output size, but NP-completeness has to do with | asymptotic behavior. For any hash producing a fixed-size output string, | there is a deterministic machine that runs in time O(1) that computes a

Re: Use of TPM chip for RNG?

2006-07-03 Thread Leichter, Jerry
| A few weeks ago I asked for information on using the increasingly | prevalent built-in TPM chips in computers (especially laptops) as a | random number source. I got some good advice and want to summarize the | information for the benefit of others. | | Thanks for the useful summary! For

Re: Crypto to defend chip IP: snake oil or good idea?

2006-07-26 Thread Leichter, Jerry
| EE Times is carrying [a] story ... about attempts to use cryptography | to protect chip designs from untrustworthy fabrication facilities, | including a technology from Certicom. | | Unlike ordinary DRM, which I think can largely work in so far as it | merely provides a (low) barrier to stop

Re: CRCs and passphrase hashing

2006-09-03 Thread Leichter, Jerry
Look up the paper Fingerprinting by random polynomials by Michael Rabin. -- Jerry On Fri, 25 Aug 2006, Travis H. wrote: | Date: Fri, 25 Aug 2006 20:12:30 -0500 | From: Travis H. [EMAIL PROTECTED] | To: Cryptography

Re: skype not so anonymous...

2006-09-03 Thread Leichter, Jerry
| Fugitive executive is tracked down by tracing his Skype calls... | | http://arstechnica.com/news.ars/post/20060824-7582.html ...maybe. This article gets many fundamental details wrong. For one thing, Alexander wasn't nabbed - the very article they linked that word to simply says he was found.

Re: Debunking the PGP backdoor myth for good. [was RE: Hypothesis: PGP backdoor (was: A security bug in PGP products?)]

2006-09-04 Thread Leichter, Jerry
| On 8/28/06, Ondrej Mikle [EMAIL PROTECTED] wrote: | Take as an example group of Z_p* with p prime (in another words: DLP). | The triplet (Z, p, generator g) is a compression of a string of p-1 | numbers, each number about log2(p) bits. | | Pardon my mathematical ignorance, but isn't Z just a

Re: Raw RSA

2006-09-08 Thread Leichter, Jerry
| Hi. | | If an attacker is given access to a raw RSA decryption oracle (the | oracle calculates c^d mod n for any c) is it possible to extract the | key (d)? If I hand you my public key, I have in effect handed you an oracle that will compute c^d mod n for any c. What you are asking is whether

Re: Raw RSA

2006-09-08 Thread Leichter, Jerry
| | If an attacker is given access to a raw RSA decryption oracle (the | | oracle calculates c^d mod n for any c) is it possible to extract the | | key (d)? | If I hand you my public key, I have in effect handed you an oracle that | will compute c^d mod n for any c. What you are asking is

Re: Raw RSA

2006-09-10 Thread Leichter, Jerry
| | It is known, that given such an oracle, the attacker can ask for | | decryption of all primes less than B, and then he will be able to | | sign PKCS-1 encoded messages if the representative number is B-smooth, | | but is there any way to actually recover d itself? | | RSA is
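The B-smooth forgery sketched in the quoted question, worked through as an added example (this is not code from the thread). The attacker queries the raw RSA oracle only on the primes below a bound B, caches the answers, and can then sign any message representative that factors completely over those primes, because (prod p^a)^d = prod (p^d)^a (mod n). The key below is a constructed toy (two primes near 10^4) and B = 20 is chosen for illustration; both are assumptions of the example.

```python
from math import isqrt

# Constructed toy key: two small primes, far too small for real use.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # modular inverse, Python 3.8+


def raw_rsa_oracle(c):
    """The thread's raw decryption oracle: returns c^d mod n for any c."""
    return pow(c, D, N)


def primes_below(bound):
    return [p for p in range(2, bound) if all(p % q for q in range(2, isqrt(p) + 1))]


def smooth_factorization(m, primes):
    """Exponent vector of m over `primes`, or None if m has a larger prime factor."""
    exps, r = {}, m
    for p in primes:
        while r % p == 0:
            r //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if r == 1 else None


def forge_signature(m, bound, oracle):
    """Sign representative m using only oracle answers for the primes below `bound`.
    Returns None when m is not smooth over those primes (the attack cannot sign it)."""
    primes = primes_below(bound)
    exps = smooth_factorization(m, primes)
    if exps is None:
        return None
    # One oracle query per prime; independent of m, so reusable for every later forgery.
    prime_sigs = {p: oracle(p) for p in primes}
    sig = 1
    for p, a in exps.items():
        sig = sig * pow(prime_sigs[p], a, N) % N
    return sig


def verify(m, sig):
    """Ordinary public-key check of a signature on representative m."""
    return pow(sig, E, N) == m


if __name__ == "__main__":
    m = 2 ** 3 * 3 * 5 * 7 ** 2          # 5880, smooth over the primes below 20
    sig = forge_signature(m, 20, raw_rsa_oracle)
    print("forged signature verifies:", verify(m, sig))
    print("1009 (a prime above the bound) forgeable:", forge_signature(1009, 20, raw_rsa_oracle) is not None)
```

Whether a given PKCS#1 block is B-smooth is a matter of luck for the attacker, so this signs some messages rather than recovering d; the example leaves the quoted question about recovering d itself unanswered.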

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-14 Thread Leichter, Jerry
| The problem is that _because there is an interface to poll the token for | a code across the USB bus_, malicious software can *repeatedly* steal new | token codes *any time it wants to*. This means that it can steal codes | when the user is not even attempting to authenticate I think this

Re: Did Hezbollah use SIGINT against Israel?

2006-09-21 Thread Leichter, Jerry
| http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story | | That isn't supposed to be possible these days... (I regard it as more | likely that they were doing traffic analysis and direction-finding than | actually cracking the ciphers.) Newspaper

RE: Exponent 3 damage spreads...

2006-09-22 Thread Leichter, Jerry
| |10.2.3 Data decoding | |The data D shall be BER-decoded to give an ASN.1 value of |type DigestInfo, which shall be separated into a message |digest MD and a message-digest algorithm identifier. The |message-digest algorithm identifier shall determine

RE: Exponent 3 damage spreads...

2006-09-23 Thread Leichter, Jerry
| | I don't think it's a problem, you just take the ASN.1 DigestInfo | | value, since the trailing garbage isn't part of the DigestInfo, you | | ignore it. Specifically, the ASN.1 object is entirely | | self-contained, so you can tell exactly where it ends and what it | | contains. Anything

Re: Exponent 3 damage spreads...

2006-09-23 Thread Leichter, Jerry
| Granted, one or more implementations got this wrong. (Has anyone | looked to see if all the incorrect code all descends from a common | root, way back when?) | | We have at least three independent widely used implementations that | got things wrong: OpenSSL, Mozilla NSS, and GnuTLS. | |

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Leichter, Jerry
| *That* is the Right Way To Do It. If there are variable parts (like | hash OID, perhaps), parse them out, then regenerate the signature data | and compare it byte-for-byte with the decrypted signature. | | You know, this sort of reminds me of a problem with signatures on | tar.gz files.
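The byte-for-byte comparison recommended above, shown as an added example (not code from the thread) next to the lenient decoding the exponent-3 threads are about. The forgery builds the block 00 01 FF..FF 00 DigestInfo with the rest of the block left free, takes an integer cube root, and passes any verifier that stops checking after the DigestInfo; no private key is involved. The modulus N below is a constructed odd 2048-bit number standing in for a real RSA modulus, since the forgery depends only on its length; the SHA-256 DigestInfo prefix is the standard DER encoding.

```python
import hashlib
import hmac

MOD_BYTES = 256   # 2048-bit modulus
E = 3

# Constructed stand-in for a 2048-bit modulus: top bit and low bit forced to 1.
# The forgery never needs the factors of n, only its size, so no key is generated.
N = int.from_bytes(b"".join(hashlib.sha256(b"e=3 demo %d" % i).digest()
                            for i in range(MOD_BYTES // 32)), "big")
N |= (1 << (8 * MOD_BYTES - 1)) | 1

# Standard DER prefix of DigestInfo for SHA-256 (PKCS#1, EMSA-PKCS1-v1_5 notes).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()


def ceil_cbrt(x):
    """Smallest integer s with s**3 >= x, by binary search on big integers."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge(msg):
    """Cube root of a block whose high bytes are the PKCS#1 v1.5 prefix and whose
    low bytes are free for the cube to spill into."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(prefix.ljust(MOD_BYTES, b"\x00"), "big")
    s = ceil_cbrt(target)
    # s**3 exceeds target by less than 3*s**2 + 3*s + 1, which only disturbs the
    # low two thirds of the block, so the prefix in the high bytes survives.
    assert (s ** 3).to_bytes(MOD_BYTES, "big").startswith(prefix)
    return s


def _encoded_block(s):
    return pow(s, E, N).to_bytes(MOD_BYTES, "big")


def verify_lenient(msg, s):
    """The flawed pattern: walk the block left to right, accept once the DigestInfo
    has been matched, never look at what follows it."""
    em = _encoded_block(s)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    di = digest_info(msg)
    return em[i:i + len(di)] == di          # trailing bytes are never examined


def verify_strict(msg, s):
    """The recommended pattern: regenerate the whole expected block and compare it
    in full, padding length included."""
    di = digest_info(msg)
    expected = b"\x00\x01" + b"\xff" * (MOD_BYTES - 3 - len(di)) + b"\x00" + di
    return hmac.compare_digest(_encoded_block(s), expected)


if __name__ == "__main__":
    s = forge(b"constructed message")
    print("lenient verifier accepts forgery:", verify_lenient(b"constructed message", s))
    print("strict verifier accepts forgery: ", verify_strict(b"constructed message", s))
```

A genuine signature under a real e=3 key decrypts to exactly the block verify_strict regenerates, so the strict check costs nothing in compatibility; what it removes is the unchecked trailing region that the forgery needs, which only fits because the prefix occupies less than a third of a 2048-bit block.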

Re: Circle Bank plays with two-factor authentication

2006-09-28 Thread Leichter, Jerry
| Circle Bank is using a coordinate matrix to let | users pick three letters according to a grid, to be | entered together with their username and password. | | The matrix is sent by email, with the user's account | sign on ID in plaintext. | | Worse, the matrix is pretty useless for the

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Leichter, Jerry
| Given how rare weak keys are in modern ciphers, I assert that code to cope | with them occurring by chance will never be adequately tested, and will be | more likely to have security bugs. In short, why bother? Beyond that: Are weak keys even detectable using a ciphertext-only attack (beyond

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Leichter, Jerry
| This suggests that, | rather than looking for weak keys as such, it might be worth it to | do continuous online testing: Compute the entropy of the generated | ciphertext, and its correlation with the plaintext, and sound an | alarm if what you're getting looks wrong. This might be a |

Re: Can you keep a secret? This encrypted drive can...

2006-11-06 Thread Leichter, Jerry
| ...Compusec is great for home / personal use. It is cheap i.e. $0.00 | (Free), and does not slow down the computer as much as the other | products. But that is because it only support 128 bit AES, which is a | major drawback as most enterprise settings require at least 256 bit | AES Just

Re: Can you keep a secret? This encrypted drive can...

2006-11-07 Thread Leichter, Jerry
| | ...Compusec is great for home / personal use. It is cheap i.e. $0.00 | | (Free), and does not slow down the computer as much as the other | | products. But that is because it only support 128 bit AES, which is a | | major drawback as most enterprise settings require at least 256 bit | |

Re: Can you keep a secret? This encrypted drive can...

2006-11-08 Thread Leichter, Jerry
| | Just wondering about this little piece. How did we get to 256-bit | | AES as a requirement? Just what threat out there justifies it? ... | | I can see it as useful if some bits of the key got leaked somehow. | For example, if you're using a HWRNG to generate keys, and it's | bits are

Re: Can you keep a secret? This encrypted drive can...

2006-11-08 Thread Leichter, Jerry
| On Wed, Nov 08, 2006 at 05:58:41PM -0500, Leichter, Jerry wrote: | Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits, | you might as well assume it leaks 256. When it comes to leaks of | this sort, the only interesting numbers are 0 and all. | | Nonsense. I can cite numerous

Re: How important is FIPS 140-2 Level 1 cert?

2006-12-24 Thread Leichter, Jerry
| From: [Name Withheld] | To: cryptography@metzdowd.com | Subject: Re: How important is FIPS 140-2 Level 1 cert? | | Paul Hoffman [EMAIL PROTECTED] wrote: | | At 11:25 AM -0500 12/21/06, Saqib Ali wrote: | If two products have exactly same feature set, but one is FIPS 140-2 | Level 1

Re: Startup to launch new random number generator from space

2006-12-25 Thread Leichter, Jerry
| http://news.zdnet.com/2100-1009_22-6142935.html | | British start-up Yuzoz has announced that it will be launching its | beta service in the next two weeks--an online random-number generator | driven by astronomical events. | | Heh heh. Pretty amusing. I guess the founders haven't really

Re: Security Implications of Using the Data Encryption Standard (DES)

2006-12-25 Thread Leichter, Jerry
| note that there have been (at least) two countermeasures to DES brute-force | attacks ... one is 3DES ... and the other ... mandated for some ATM networks, | has been DUKPT. while DUKPT doesn't change the difficulty of brute-force | attack on single key ... it creates a derived unique key per

Re: Private Key Generation from Passwords/phrases

2007-01-22 Thread Leichter, Jerry
| ...One sometimes sees claims that increasing the salt size is important. | That's very far from clear to me. A collision in the salt between | two entries in the password file lets you try each guess against two | users' entries. Since calculating the guess is the hard part, | that's a savings

Re: Intuitive cryptography that's also practical and secure.

2007-02-03 Thread Leichter, Jerry
| ...I agree with you about intuitive cryptography. What you're | complaining about is, in effect, Why Johnny Can't Hash. There was | another instance of that in today's NY Times. In one of the court | cases stemming from the warrantless wiretapping, the Justice | Department is, in the holy

Re: Intuitive cryptography that's also practical and secure.

2007-02-03 Thread Leichter, Jerry
| | | | ...There's an obvious cryptographic solution, of course: publish the | | hash of any such documents. Practically speaking, it's useless. | | Apart from having to explain hash functions to lawyers, judges, | | members of Congress, editorial page writers, bloggers, and talk | | show

Re: data under one key, was Re: analysis and implementation of LRW

2007-02-05 Thread Leichter, Jerry
| Currently I'm dealing | with very large - though not as large as 4 gig - x-ray, MRI, and | similar files that have to be protected for the lifespan of the | person, which could be 70+ years after the medical record is | created. Think of the MRI of a kid to scan for some condition |

Re: deriving multiple keys from one passphrase

2007-02-05 Thread Leichter, Jerry
| Hey, quick question. | | If one wants to have multiple keys, but for ease-of-use considerations | want to only have the user enter one, is there a preferred way to | derive multiple keys that, while not independent, are computationally | independent? | | I was thinking of hashing the

Re: man in the middle, SSL

2007-02-07 Thread Leichter, Jerry
| somewhat related | Study Finds Bank of America SiteKey is Flawed | http://it.slashdot.org/it/07/02/05/1323243.shtml Recall how SiteKey works: When you register, you pick an image (from a large collection) and a phrase. Whenever you connect, the bank will play back the image and phrase. You

Re: Failure of PKI in messaging

2007-02-15 Thread Leichter, Jerry
On Tue, 13 Feb 2007, Anne Lynn Wheeler wrote: | ...part of the problem was that the PKI financial model is out of | kilter with standard business practices. nominally a relying party has | some sort of relationship with the certification authority (i.e. what | they are relying on) and there is

Re: Failure of PKI in messaging

2007-02-15 Thread Leichter, Jerry
| Banks [use] a web interface, after the user logs in to their account. | | So, what's missing in the email PKI model is two-sidedness. | Fairness. | | Not really. What's missing is, if you'll pardon the phrase, a central | point of failure. | | If you can persuade everyone to use a single

Re: New Credit Cards May Leak Personal Information

2007-02-16 Thread Leichter, Jerry
| New Credit Cards May Leak Personal Information | http://news.yahoo.com/s/pcworld/20070216/tc_pcworld/129096;_ylt=A0WTUeOD9tVFrwkA7SwjtBAF | | from above: | | You may be carrying a new type of credit card that can transmit your personal | information to anyone who gets close to you with a

Re: More info in my AES128-CBC question

2007-04-24 Thread Leichter, Jerry
Some of the messages in this stream have demonstrated why it can be difficult to get non-crypto people to listen to advice from crypto experts: Cryptography research is, by its nature, a pretty absolute thing. We find attacks, we try to eliminate them. There's a strong tendency to view *any*

RE: More info in my AES128-CBC question

2007-04-25 Thread Leichter, Jerry
| Suppose we use AES128-CBC with a fixed IV. It's clear that the only | vulnerability of concern occurs when a key is reused. OK, where do | | No, remember that if the IV is in the clear, an attacker can | make some controlled bit changes in the first plaintext block. | (There has been no

Re: More info in my AES128-CBC question

2007-04-27 Thread Leichter, Jerry
| What problem does this (chaining IV from message to message) introduce | in our case? | | See RFC4251: | | |Additionally, another CBC mode attack may be mitigated through the |insertion of packets containing SSH_MSG_IGNORE. Without this |technique, a specific attack may be

Re: More info in my AES128-CBC question

2007-04-27 Thread Leichter, Jerry
| What the RFC seems to be suggesting is that the first block of every | message be SSH_MSG_IGNORE. Since the first block in any message is now | fixed, there's no way for the attacker to choose it. Since the attacker | | SSH_MSG_IGNORE messages carry [random] data. | | Effectively what the
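The chained-IV attack this thread discusses, as an added example that is not code from the thread or from any SSH implementation. A sender that reuses the last ciphertext block of one message as the IV of the next lets an attacker who can inject the first block of the next message test a guess at any earlier plaintext block; the same attacker learns nothing from a sender that draws a fresh random IV per message, which is the explicit-IV fix (RFC 4251's SSH_MSG_IGNORE mitigation denies the attacker control of the first block instead). The 16-byte block cipher below is a constructed Feistel network with an HMAC round function standing in for AES; the attack does not depend on the cipher, only on how CBC consumes the IV.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Constructed 16-byte block cipher: 4-round Feistel with an HMAC-SHA256 round
    function. Stands in for AES in this example."""
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return l + r


def cbc_encrypt(key, iv, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIVSender:
    """Each message is encrypted with IV = last ciphertext block of the previous
    message. send() returns (iv_used, ciphertext); the IV is never transmitted."""

    def __init__(self, key, first_iv):
        self.key, self.iv = key, first_iv

    def send(self, plaintext):
        iv = self.iv
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.iv = ct[-BLOCK:]
        return iv, ct


class RandomIVSender:
    """Each message gets a fresh random IV. send() returns (iv, ciphertext); on the
    wire the IV would be sent in front of the ciphertext."""

    def __init__(self, key):
        self.key = key

    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


def confirm_guess(sender, predicted_iv, c_prev, c_i, guess):
    """Attacker who can make `sender` encrypt a chosen first block. With
    P' = IV xor C_{i-1} xor guess, the sender emits E(P' xor IV) = E(C_{i-1} xor guess),
    which equals C_i exactly when guess == P_i. Only works if the attacker predicted
    the IV the sender will actually use."""
    chosen = _xor(_xor(predicted_iv, c_prev), guess)
    _, ct = sender.send(chosen)
    return ct[:BLOCK] == c_i


if __name__ == "__main__":
    key = b"constructed key!"                       # constructed 16-byte key
    msg = b"login: alice    " + b"pw: hunter2     "  # two constructed 16-byte blocks
    chained = ChainedIVSender(key, bytes(BLOCK))
    _, ct = chained.send(msg)
    print("chained IV, correct guess:", confirm_guess(chained, chained.iv, ct[:16], ct[16:], b"pw: hunter2     "))
    random_iv = RandomIVSender(key)
    _, ct2 = random_iv.send(msg)
    print("random IV, correct guess: ", confirm_guess(random_iv, ct2[-16:], ct2[:16], ct2[16:], b"pw: hunter2     "))
```

The attacker needs three things: the ciphertext of the earlier message, a prediction of the next IV, and control of the first plaintext block of the next message. Chained IVs hand over the second for free; how plausible the third is for SSH versus SSL is what the rest of this thread argues about.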

Re: 128 bit number T-shirt?

2007-05-01 Thread Leichter, Jerry
| It would be amusing if the HD-DVD encryption key that has been the | subject of the recent pseudo-takedown notices were to show up in a | T-shirt for sale. | | Now that services like Cafe Press exist, someone could start selling | such shirts almost as fast as they could put together a nice

Re: More info in my AES128-CBC question

2007-05-09 Thread Leichter, Jerry
| Frankly, for SSH this isn't a very plausible attack, since it's not | clear how you could force chosen plaintext into an SSH session between | messages. A later paper suggested that SSL is more vulnerable: | A browser plugin can insert data into an SSL protected session, so | might be

Re: More info in my AES128-CBC question

2007-05-09 Thread Leichter, Jerry
| Frankly, for SSH this isn't a very plausible attack, since it's not | clear how you could force chosen plaintext into an SSH session between | messages. A later paper suggested that SSL is more vulnerable: | A browser plugin can insert data into an SSL protected session, so | might be able

Re: More info in my AES128-CBC question

2007-05-12 Thread Leichter, Jerry
| | Frankly, for SSH this isn't a very plausible attack, since | | it's not clear how you could force chosen plaintext into an | | SSH session between messages. A later paper suggested that | | SSL is more vulnerable: A browser plugin can insert data into | | an SSL protected

Re: More info in my AES128-CBC question

2007-05-14 Thread Leichter, Jerry
| Just being able to generate traffic over the link isn't enough to | carry out this attack. | | Well, it depends on if you key per-flow or just once for the link. If | the latter, and you have the ability to create traffic over the link, | and there's a 1-for-1 correspondence between

Re: Why self describing data formats:

2007-06-21 Thread Leichter, Jerry
| Many protocols use some form of self describing data format, for | example ASN.1, XML, S expressions, and bencoding. | | Why? | | Presumably both ends of the conversation have negotiated what protocol | version they are using (and if they have not, you have big problems) | and when they

Inadvertent Disclosure

2007-06-21 Thread Leichter, Jerry
Interesting-looking article on how users of P2P networks end up sharing much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf -- Jerry

Re: Inadvertent Disclosure

2007-06-21 Thread Leichter, Jerry
| Interesting-looking article on how users of P2P networks end up sharing | much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf Earlier analysis by the USPTO: http://www.uspto.gov/web/offices/dcom/olia/copyright/oir_report_on_inadvertent_sharing_v1012.pdf

Re: Quantum Cryptography

2007-06-22 Thread Leichter, Jerry
| - Quantum Cryptography is fiction (strictly claims that it solves |an applied problem are fiction, indisputably interesting Physics). | | Well that is a broad (and maybe unfair) statement. | | Quantum Key Distribution (QKD) solves an applied problem of secure key |

RE: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Leichter, Jerry
| ...Apple is one vendor who I gather does include a TPM chip on their | systems, I gather, but that wasn't useful for me. Apple included TPM chips on their first round of Intel-based Macs. Back in 2005, there were all sorts of stories floating around the net about how Apple would use TPM to

TPM, part 2

2007-06-27 Thread Leichter, Jerry
All your data belong to us. From Computerworld. -- Jerry Trusted Computing Group turns attention to storage Chris Mellor June 24, 2007 (TechWorld.com) The Trusted Computing Group has announced a draft specification aimed at helping

The bank fraud blame game

2007-06-27 Thread Leichter, Jerry
As always, banks look for ways to shift the risk of fraud to someone - anyone - else. The New Zealand banks have come up with some interesting wrinkles on this process. From Computerworld. -- Jerry NZ banks demand a peek at customer PCs

Re: anti-RF window film

2007-06-27 Thread Leichter, Jerry
| http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F | | A company is selling a window film that blocks most RF signals. The | obvious application is TEMPEST-shielding. I'm skeptical that it will | be very popular -- most sites won't want to give up Blackberry and |

Re: The bank fraud blame game

2007-06-27 Thread Leichter, Jerry
| Leichter, Jerry writes: | -+--- | | As always, banks look for ways to shift the risk of | | fraud to someone - anyone - else. The New Zealand | | banks have come up with some interesting wrinkles on | | this process. | | | | This is *not* a power play by banks

Re: The bank fraud blame game

2007-07-02 Thread Leichter, Jerry
| | Given that all you need for this is a glorified pocket | | calculator, you could (in large enough quantities) probably get | | it made for $10, provided you shot anyone who tried to | | introduce product-deployment DoS mechanisms like smart cards and | | EMV into the picture. Now

What Banks Tell Online Customers About Their Security

2007-07-06 Thread Leichter, Jerry
From CIO magazine. For the record, I, like the author, am a Bank of America customer, but unlike her I've started using their on-line services. What got me to do it was descriptions of the increasing vulnerability of traditional paper-based mechanisms: If I pay a credit card by mail, I leave

Re: How the Greek cellphone network was tapped.

2007-07-16 Thread Leichter, Jerry
| Crypto has been an IP minefield for some years. With the expiry of | certain patents, and the availability of other unencumbered crypto | primitives (eg. AES), we may see this change. But John's other | points are well made, and still valid. Downloadable MP3 ring tones | are a selling

Historical one-way hash functions

2007-07-16 Thread Leichter, Jerry
So, you want to be able to prove in the future that you have some piece of information today - without revealing that piece of information. We all know how to do that: Widely publish today the one-way hash of the information. Well ... it turns out this idea is old. Very old. In the 17th

Re: How the Greek cellphone network was tapped.

2007-07-19 Thread Leichter, Jerry
| Between encrypted VOIP over WIFI and eventually over broadband cell - | keeping people from running voice over their broadband connections is | a battle the telco's can't win in the long run - and just plain | encrypted cell phone calls, I think in a couple of years anyone who | wants secure

Re: Another Snake Oil Candidate

2007-09-11 Thread Leichter, Jerry
| The world's most secure USB Flash Drive: https://www.ironkey.com/demo. What makes you call it snake oil? At least the URL you point to says very reasonable things: It uses AES, not some home-brew encryption; the keys are stored internally; the case is physically protected, and has some kind of

OK, shall we savage another security solution?

2007-09-18 Thread Leichter, Jerry
Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims to do much more than the Ironkey, though the language is a bit less marketing-speak. On the other hand, once I got through the marketing stuff to the technical discussions at Ironkey, I ended up with much more in the way of

Re: OK, shall we savage another security solution?

2007-09-19 Thread Leichter, Jerry
| Anyone know anything about the Yoggie Pico (www.yoggie.com)? It | claims to do much more than the Ironkey, though the language is a bit | less marketing-speak. On the other hand, once I got through the | marketing stuff to the technical discussions at Ironkey, I ended up | with much more in

Re: OK, shall we savage another security solution?

2007-09-20 Thread Leichter, Jerry
| If you think about this in general terms, we're at the point where we | can avoid having to trust the CPU, memory, disks, programs, OS, etc., | in the borrowed box, except to the degree that they give us access to | the screen and keyboard. (The problem of securing connections that | go

Goodbye analogue hole, hello digital hole

2007-09-24 Thread Leichter, Jerry
The movie studios live in fear of people stealing their product as it all goes digital. There's, of course, always the analogue hole, the point where the data goes to the display. The industry defined an all-digital, all-licensed-hardware path through HDMI which blocks this path. As we know,

Re: Linus: Security is people wanking around with their opinions

2007-10-03 Thread Leichter, Jerry
| I often say, Rub a pair of cryptographers together, and you'll | get three opinions. Ask three, you'll get six opinions. :-) | | However, he's talking about security, which often isn't quantifiable! From what I see in the arguments, it's more complicated than that. On one side, we have

Retailers try to push data responsibilities back to banks

2007-10-05 Thread Leichter, Jerry
Retail group takes a swipe at PCI, puts card companies 'on notice' Jaikumar Vijayan October 04, 2007 (Computerworld) Simmering discontent within the retail industry over the payment card industry (PCI) data security standards erupted into the open this week with the National Retail Federation

RE: Trillian Secure IM

2007-10-08 Thread Leichter, Jerry
| But, opportunistic cryptography is even more fun. It is | very encouraging to see projects implement cryptography in | limited forms. A system that uses a primitive form of | encryption is many orders of magnitude more secure than a | system that implements none. | | Primitive form -

Re: Full Disk Encryption solutions selected for US Government use

2007-10-10 Thread Leichter, Jerry
| A slightly off-topic question: if we accept that current processes | (FIPS-140, CC, etc) are inadequate indicators of quality for OSS | products, is there something that can be done about it? Is there a | reasonable criteria / process that can be built that is more suitable? Well, if you

Quantum Cryptography to be used for Swiss elections

2007-10-12 Thread Leichter, Jerry
No comment from me on the appropriateness. From Computerworld. -- Jerry Quantum cryptography to secure ballots in Swiss election Ellen Messmer October 11, 2007 (Network World) Swiss officials are using quantum cryptography technology

Re: Quantum Cryptography to be used for Swiss elections

2007-10-18 Thread Leichter, Jerry
| Date: Sat, 13 Oct 2007 03:20:48 -0400 | From: Victor Duchovni [EMAIL PROTECTED] | To: cryptography@metzdowd.com | Subject: Re: Quantum Cryptography to be used for Swiss elections | | On Fri, Oct 12, 2007 at 11:04:15AM -0400, Leichter, Jerry wrote: | | No comment from me on the appropriateness

Re: Password hashing

2007-10-18 Thread Leichter, Jerry
| ... What's wrong with starting | with input SALT || PASSWORD and iterating N times, | | Shouldn't it be USERID || SALT || PASSWORD to guarantee that if | two users choose the same password they get different hashes? | It looks to me like this would make dictionary attacks harder too. As

Re: Intelligent Redaction

2007-10-22 Thread Leichter, Jerry
| Xerox Unveils Technology That Blocks Access to Sensitive Data in | Documents to Prevent Security Leaks | http://www.parc.com/about/pressroom/news/2007-10-15-redaction.html | | The Innovation: The technology includes a detection software tool that | uses content analysis and an intelligent user

People side-effects of increased security for on-line banking

2007-11-13 Thread Leichter, Jerry
Sometimes the side-effects are as significant as the direct effects -- Jerry Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7091206.stm Fears over online banking checks By Mark Ward Technology Correspondent,

Government Smart Card Initiative

2007-11-15 Thread Leichter, Jerry
Little progress on government-wide smart card initiative, and little surprise November 14, 2007 (Computerworld) More than three years after a presidential directive requiring federal government agencies to issue new smart-card identity credentials to all employees and contractors, progress on

State of the art in hardware reverse-engineering

2007-11-21 Thread Leichter, Jerry
Flylogic Engineering does some very interesting tampering with tamper-resistant parts. Most of those secure USB sticks you see around won't last more than a couple of minutes with these guys. See http://www.flylogic.net/blog -- Jerry

Re: Intercepting Microsoft wireless keyboard communications

2007-12-11 Thread Leichter, Jerry
| Exactly what makes this problem so difficult eludes me, although one | suspects that the savage profit margins on consumables like | keyboards and mice might have something to do with it. | | It's moderately complex if you're trying to conserve bandwidth (which | translates to power) and

Re: More on in-memory zeroisation

2007-12-11 Thread Leichter, Jerry
| There was a discussion on this list a year or two back about | problems in using memset() to zeroise in-memory data, specifically | the fact that optimising compilers would remove a memset() on | (apparently) dead data in the belief that it wasn't serving any | purpose. | | Then,

Re: Flaws in OpenSSL FIPS Object Module

2007-12-11 Thread Leichter, Jerry
| What does it say about the integrity of the FIPS program, and its CMTL | evaluation process, when it is left to competitors to point out | non-compliance of evaluated products -- proprietary or open source -- | to basic architectural requirements of the standard? I was going to ask the same

Re: PlayStation 3 predicts next US president

2007-12-13 Thread Leichter, Jerry
| The whole point of a notary is to bind a document to a person. That | the person submitted two or more different documents at different | times is readily observable. After all, the notary has the | document(s)! | | No, the notary does not have the documents *after* they are notarized, |

Re: Flaws in OpenSSL FIPS Object Module

2007-12-13 Thread Leichter, Jerry
| It is, of course, the height of irony that the bug was introduced in | the very process, and for the very purpose, of attaining FIPS | compliance! | | But also to be expected, because the feature in question is | unnatural: the software needs a testable PRNG to pass the compliance | tests,

RE: More on in-memory zeroisation

2007-12-13 Thread Leichter, Jerry
| Then the compiler can look at the implementation and prove that a | memset() to a dead variable can be elided | | One alternative is to create zero-ing functions that wrap memset() | calls with extra instructions that examine some of the memory, log a | message and exit the application if

Re: More on in-memory zeroisation

2007-12-13 Thread Leichter, Jerry
| However, that doesn't say anything about whether f is actually | invoked at run time. That comes under the acts as if rule: If | the compiler can prove that the state of the C (notional) virtual | machine is the same whether f is actually invoked or not, it can | elide the call. Nothing

Re: More on in-memory zeroisation

2007-12-13 Thread Leichter, Jerry
| If the function is defined as I suggested - as a static or inline - | you can, indeed, take its address. (In the case of an inline, this | forces the compiler to materialize a copy somewhere that it might | not otherwise have produced, but not to actually *use* that copy, | except when

Re: More on in-memory zeroisation

2007-12-13 Thread Leichter, Jerry
On Wed, 12 Dec 2007, Thierry Moreau wrote: | Date: Wed, 12 Dec 2007 16:24:43 -0500 | From: Thierry Moreau [EMAIL PROTECTED] | To: Leichter, Jerry [EMAIL PROTECTED] | Cc: Peter Gutmann [EMAIL PROTECTED], cryptography@metzdowd.com | Subject: Re: More on in-memory zeroisation

RE: More on in-memory zeroisation

2007-12-14 Thread Leichter, Jerry
| I've been through the code. As far as I can see, there's nothing in | expand_builtin_memset_args that treats any value differently, so there | can't be anything special about memset(x, 0, y). Also as far as I can | tell, gcc doesn't optimise out calls to memset, not even thoroughly | dead

Re: crypto class design

2007-12-19 Thread Leichter, Jerry
| So... supposing I was going to design a crypto library for use within | a financial organization, which mostly deals with credit card numbers | and bank accounts, and wanted to create an API for use by developers, | does anyone have any advice on it? | | It doesn't have to be terribly complete,

Re: Death of antivirus software imminent

2008-01-02 Thread Leichter, Jerry
Virtualization has become the magic pixie dust of the decade. When IBM originally developed VMM technology, security was not a primary goal. People expected the OS to provide security, and at the time it was believed that OS's would be able to solve the security problems. As far as I know, the

RE: Death of antivirus software imminent

2008-01-02 Thread Leichter, Jerry
| One virtualization approach that I have not see mentioned on this | thread is to run the virtual machine on a more secure OS than is used | by the applications of interest. | | For example, one could run VMware on SELinux and use VMware to host | Windows/Vista. Thus, even if a virus subverts

Re: DRM for batteries

2008-01-04 Thread Leichter, Jerry
| Date: Fri, 04 Jan 2008 16:38:07 +1300 | From: Peter Gutmann [EMAIL PROTECTED] | To: cryptography@metzdowd.com | Subject: DRM for batteries | | http://www.intersil.com/cda/deviceinfo/0,1477,ISL6296,0.html | | At $1.40 each (at least in sub-1K quantities) you wonder whether it's | costing them

Re: patent of the day

2008-01-23 Thread Leichter, Jerry
| http://www.google.com/patents?vid=USPAT6993661 | | Gee, the inventor is Simson Garfinkel, who's written a bunch of books | including Database Nation, published in 2000 by O'Reilly, about all | the way the public and private actors are spying on us. | | I wonder whether this was research to see

VaultID

2008-01-24 Thread Leichter, Jerry
Anyone know anything about these guys? (www.vaultid.com). They are trying to implement one-time credit card numbers on devices you take with you - initially cell phones and PDA's, eventually in a credit card form factor. The general idea seems good, but their heavy reliance on fingerprint

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Leichter, Jerry
Commenting on just one portion: | 2. VoIP over DTLS | As Perry indicated in another message, you can certainly run VoIP | over DTLS, which removes the buffering and retransmit issues | James is alluding to. Similarly, you could run VoIP over IPsec | (AH/ESP). However, for performance reasons,

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| - Truncate the MAC to, say, 4 bytes. Yes, a simple brute | force attack lets one forge so short a MAC - but | is such an attack practically mountable in real | time by attackers who concern you? | | In fact, 32-bit authentication tags are a feature

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| So, this issue has been addressed in the broadcast signature context | where you do a two-stage hash-and-sign reduction (cf. [PG01]), but | when this only really works because hashes are a lot more efficient | than signatures. I don't see why it helps with MACs. Thanks for the reference. |

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| All of this ignores a significant issue: Are keying and encryption | (and authentication) mechanisms really independent of each other? I'm | not aware of much work in this direction. | | Is there much work to be done here? If you view the keyex mechanism | as a producer of an authenticated

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-10 Thread Leichter, Jerry
| By the way, it seems like one thing that might help with client certs | is if they were treated a bit like cookies. Today, a website can set | a cookie in your browser, and that cookie will be returned every time | you later visit that website. This all happens automatically. Imagine | if a

Dilbert on security

2008-02-13 Thread Leichter, Jerry
Today's Dilbert - http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert23667240080211.gif is right on point -- Jerry - The Cryptography Mailing List

RE: Toshiba shows 2Mbps hardware RNG

2008-02-14 Thread Leichter, Jerry
|SAN FRANCISCO -- Toshiba Corp. has claimed a major breakthrough in |the field of security technology: It has devised the world's |highest-performance physical random-number generator (RNG) |circuit. | |The device generates random numbers at a data rate of 2.0 megabits |a

Re: cold boot attacks on disk encryption

2008-02-22 Thread Leichter, Jerry
| ...I imagine this will eventually have a big impact on the way organizations | respond to stolen mobile device incidents. With the current technology, if a | laptop or mobile device is on when it's stolen, companies will need to assume | that the data is gone, regardless of whether or not

Re: cold boot attacks on disk encryption

2008-02-22 Thread Leichter, Jerry
| Their key recovery technique gets a lot of mileage from using the | computed key schedule for each round of AES or DES to provide | redundant copies of the bits of the key. If the computer cleared | the key schedule storage, while keeping the key itself when the | system is in sleep mode, or

Re: RNG for Padding

2008-03-15 Thread Leichter, Jerry
| Hi, | | This may be out of the remit of the list, if so a pointer to a more | appropriate forum would be welcome. | | In Applied Crypto, the use of padding for CBC encryption is suggested | to be met by ending the data block with a 1 and then all 0s to the end | of the block size. | | Is this
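The padding rule the question refers to, implemented as an added example (not the poster's code): a 1 bit followed by 0 bits up to the block boundary, which at byte granularity is a 0x80 byte followed by 0x00 bytes. The edge case worth seeing is data that already ends on a block boundary: it gets a whole padding block, so the marker is always present and stripping is unambiguous. The block size of 16 bytes is the example's choice.

```python
BLOCK = 16


def pad_10(data, block=BLOCK):
    """Append 0x80 then 0x00s up to the next block boundary. Always adds at least
    one byte, so data already on a boundary grows by a full block."""
    n = block - (len(data) % block)
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad_10(padded, block=BLOCK):
    """Strip 10* padding. Rejects input that is not whole blocks or whose final
    block carries no 0x80 marker, rather than silently returning something."""
    if not padded or len(padded) % block:
        raise ValueError("not a whole number of blocks")
    i = len(padded) - 1
    while padded[i] == 0x00:
        i -= 1
        if i < len(padded) - block:
            raise ValueError("no padding marker in final block")
    if padded[i] != 0x80:
        raise ValueError("bad padding byte")
    return padded[:i]


if __name__ == "__main__":
    for sample in (b"", b"abc", b"sixteen bytes!!!", b"ends in marker\x80"):
        p = pad_10(sample)
        assert len(p) % BLOCK == 0 and unpad_10(p) == sample
        print(len(sample), "->", len(p))
```

Padding says nothing about integrity: in CBC the decrypt-then-unpad step must sit behind a MAC check, and the different ValueErrors above must not be visible to a remote peer, or the distinction becomes a padding oracle.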

Re: delegating SSL certificates

2008-03-17 Thread Leichter, Jerry
| So at the company I work for, most of the internal systems have | expired SSL certs, or self-signed certs. Obviously this is bad. | | You only think this is bad because you believe CAs add some value. | | Presumably the value they add is that they keep browsers from popping | up scary
