Re: The future of security

2004-07-30 Thread Ed Gerck
Email end-to-end: PGP, PGP/MIME, S/MIME. Not tunnel SSL or SSL
at the end points.
Lars Eilebrecht wrote:
According to Ed Gerck:

But encryption and authentication are a hassle today, with less
than 2% of all email encrypted (sorry, can't cite the source I know).

Are these 2% 'only' S/MIME and PGP-encrypted email messages or
is SSL-encrypted email communication included?
ciao...
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-07-28 Thread Lars Eilebrecht
According to Ed Gerck:

 But encryption and authentication are a hassle today, with less
 than 2% of all email encrypted (sorry, can't cite the source I know).

Are these 2% 'only' S/MIME and PGP-encrypted email messages or
is SSL-encrypted email communication included?

ciao...
-- 
Lars Eilebrecht
[EMAIL PROTECTED]



Re: The future of security

2004-06-02 Thread Ben Laurie
Peter Gutmann wrote:
No they won't.  All the ones I've seen are some variant on the build a big
wall around the Internet and only let the good guys in, which will never work
because the Internet doesn't contain any definable inside and outside, only
800 million Manchurian candidates waiting to activate.  For example
MessageLabs recently reported that *two thirds* of all the spam it blocks is
from infected PCs, with much of it coming from ADSL/cable modem IP pools.
Given that these spammers are legitimate users, no amount of crypto will
solve the problem.  I did a talk on this recently where I claimed that various
protocols designed to enforce this (Designated Mailers Protocol, Reverse Mail
Exchanger, Sender Permitted From, etc etc) will buy at most 6-12 months, and
the only dissent was from an anti-virus researcher who said it'd buy weeks and
not months.
SPF will buy me one thing forever: I won't get email telling me I sent 
people spam and viruses.

The alternative proof-of-resource-consumption is little better,
since it's not the spammers' resources that are being consumed.
Nevertheless these resources are limited, and better security would make 
them more limited.

There is one technological solution which would help things a bit, which is
Microsoft implementing virus throttling in the Windows TCP stack.  Like a
firebreak, you can never prevent fires, but you can at least limit the damage
when they do occur.  Unfortunately I don't see this happening too soon, both
because MS aren't exactly at the forefront of implementing security features
(it took them how many years to add the most basic popup-blocking?), and
because of liability issues - adding virus throttling would be an admission
that Windows is a petri dish.
Duh. So viruses would fix the stack.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff


Re: The future of security

2004-06-02 Thread Bill Stewart
At 05:15 AM 6/2/2004, Ben Laurie wrote:
SPF will buy me one thing forever: I won't get email telling me I sent 
people spam and viruses.
Unfortunately, that won't work for me.
My email address is at pobox.com, the mail forwarding service
where the main proponent of SPF works,
but my SMTP service is whichever ISP I'm currently connected through
(DSL, dial, work, whatever) - which isn't under pobox's control.
So my incoming mail can recognize SPFs and block forgeries,
but my outgoing mail can't use them,
unless pobox changes their business model to provide outgoing SMTP relay
for their customers, doubling their bandwidth needs.
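To make Bill's forwarding problem concrete, here is a small SPF evaluator. It is added to this archive as an illustration and is not code from any of the posters or from the SPF project. The records, domain names and address ranges are constructed: a made-up record stands in for pobox.com listing only the forwarding service's own relays, `isp.example` stands in for the ISP whose relay Bill actually sends through, and the prefixes are the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32. A real receiver fetches the record from DNS; this version evaluates only the ip4, ip6 and all mechanisms and reports include, a, mx and the rest as unsupported.

```python
import ipaddress

# Constructed SPF records keyed by sender domain.  A real receiver fetches
# these as DNS TXT records; the ranges are documentation prefixes only.
SPF_RECORDS = {
    # stands in for a forwarding service that lists only its own relays
    "pobox.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # stands in for an ISP whose own range passes and everything else softfails
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting SMTP client's address.

    Only the ip4, ip6 and all mechanisms are implemented; include, a, mx,
    ptr and exists need DNS lookups, which this illustration avoids.
    Returns the result string of the first mechanism that matches.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                     # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]    # "all" always matches
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"          # unparsable address in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                        # no match, try the next term
        return "permerror"                  # unknown or unsupported mechanism
    return "neutral"                        # nothing matched and no "all"


def check_sender(records, mail_from, client_ip):
    """Look up the envelope sender's domain and evaluate its record."""
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "none"                       # domain publishes no SPF record
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    # Bill's case: a pobox.com sender whose message left through the ISP's relay.
    print(check_sender(SPF_RECORDS, "bill@pobox.com", "198.51.100.7"))  # fail
    # Same sender, relayed through one of the forwarding service's own hosts.
    print(check_sender(SPF_RECORDS, "bill@pobox.com", "192.0.2.25"))    # pass
```

The first call is exactly the situation Bill describes: the receiver applies the sender domain's policy to the connecting IP, and since the ISP's relay is not in the forwarding service's record the result is "fail". The only way to turn that into "pass" under the record as published is for the message to leave through an address the domain lists, which is the outgoing-relay change to the business model he mentions.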


Re: The future of security

2004-06-01 Thread Eugen Leitl
On Mon, May 31, 2004 at 08:27:49PM -0700, bear wrote:

 The point of an automated web of trust is that the machine is doing the
 accounting for you.
 
 Does it?  If there were meaningful reputation accounting

You got fooled by the present tense. If there was such an architecture, I
wouldn't have written that message. The distributed tamper-proof
cryptographic p2p store should have been a dead giveaway.

 happening, we'd be getting feedback and value judgements
 from the system on the people we were corresponding with.
 Have you ever seen any?

No, of course. See above.
 
 Has there been *ANY* instance of negative consequences
 accruing to someone who signed the key of an entity which
 later defected?  Machine-moderated or not, the web of
 trust fails.

The web of trust sure fails, dunno about machine-moderated. 
There's no such animal yet.
 
 Have you seen any web-of-trust implementation that even
 *considers* the trustworthiness of the key servers?  Have
 you seen any web-of-trust implementation that works to
 cut out defectors, but couldn't be autospammed to cut
 out anyone you didn't like?

If you don't have their key, you can't pretend to sign the spambots'. If you
sign the spambots', you burn whatever little prestige you have happened to
start out with, and drain the mana of whatever hapless warm body signed
your keys.
 
 Sorry; but the fact is no web-of-trust implementation to
 date works, or even comes close to working.

Web of trust is useless, if Johnny User is supposed to do 
the checking.

-- 
Eugen* Leitl leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Re: The future of security

2004-05-31 Thread Eugen Leitl
On Sun, May 30, 2004 at 12:36:53PM -0700, bear wrote:

   If I'm a node in a web of trust (FOAF is a human), prestige will
   percolate through it completely. That way I can color a whole
   domain with a nonboolean trust hue, while a domain of fakers will
   have only very few connections (through compromises, or human
   mistakes), which will rapidly be sealed, once actually used to do
   something to lower their prestige (I signed the key of a spammer,
   please kill me now).
 
 The trouble is that it requires human action, which is expensive and
 becoming more expensive.

Sending mail originating with a person always requires human action.
If one cannot be bothered to mark friends in his addressbook as humans (in
fact, the very act of adding someone to an addressbook is sufficient, that
information just needs to be processed).

Do spammers have many friends? They certainly network.
 
 The bigger problem is that webs of trust don't work.
 They're a fine idea, but the fact is that nobody keeps
 track of the individual trust relationships or who signed

The point of an automated web of trust is that the machine is doing the
accounting for you.

 a key;  few people even bother to find out whether there's
 a path of signers that leads from them to another person,
 or whether the path has some reasonably small distance.

Human network connectivity has such properties. The entire graph is
connected, and each person is reachable via a few hops. Given that there are
only a few billion people on this planet, such a database should be quite
easy to store and to query in a P2P fashion. It only becomes nontrivial when
it has to be distributed, and immune to content forgery and DoS.
 
 I have not yet seen an example of reputation favoring
 one person over another in a web of trust model; it looks
 like people can't be bothered to keep track of the trust
 relationships or reputations within the web.

The real issue is whether people can volunteer information stored in their
addressbook. Not everybody is an Orkut/Friendster/FOAF exhibitionist.

-- 
Eugen* Leitl leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Re: The future of security

2004-05-30 Thread bear


On Sat, 29 May 2004, Russell Nelson wrote:

Eugen Leitl writes:
  If I'm a node in a web of trust (FOAF is a human), prestige will
  percolate through it completely. That way I can color a whole
  domain with a nonboolean trust hue, while a domain of fakers will
  have only very few connections (through compromises, or human
  mistakes), which will rapidly be sealed, once actually used to do
  something to lower their prestige (I signed the key of a spammer,
  please kill me now).

http://www.web-o-trust.org/

The trouble is that it requires human action, which is expensive and
becoming more expensive.

The bigger problem is that webs of trust don't work.
They're a fine idea, but the fact is that nobody keeps
track of the individual trust relationships or who signed
a key;  few people even bother to find out whether there's
a path of signers that leads from them to another person,
or whether the path has some reasonably small distance.

I have not yet seen an example of reputation favoring
one person over another in a web of trust model; it looks
like people can't be bothered to keep track of the trust
relationships or reputations within the web.

Bear

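Eugen's reply above argues that the machine should do the accounting, and bear's post says nobody checks whether a path of signers exists or how long it is. The following is an added illustration of what that accounting would look like over a key-signature graph; it is not code from either poster or from any web-of-trust implementation, and the graph itself (names like `alice`, `dave` and `spamco`, and the signatures between them) is constructed. It finds the shortest chain of signatures within a hop limit (5 hops, the same default limit GnuPG applies through --max-cert-depth), percolates a non-boolean prestige score that halves per hop, and models the consequence bear asked about: a signer whose certified key later turns out to belong to a spammer loses most of their own score, and keys reachable only through the bad key drop out entirely.

```python
from collections import deque

# Constructed key-signature graph (no real keys): SIGNATURES[signer] is the
# set of key holders whose keys that signer has certified.
SIGNATURES = {
    "me":       {"alice", "bob"},
    "alice":    {"carol"},
    "bob":      {"carol", "dave"},
    "carol":    {"erin"},
    "dave":     {"spamco"},        # dave certified a key that turns out to be a spammer's
    "erin":     set(),
    "spamco":   {"spamco-2", "spamco-3"},
    "spamco-2": set(),
    "spamco-3": set(),
}

MAX_CERT_DEPTH = 5   # hop limit, as GnuPG's default --max-cert-depth


def signer_path(signatures, src, dst, max_depth=MAX_CERT_DEPTH):
    """Shortest chain of signatures src -> ... -> dst, or None if there is
    no chain within max_depth hops.  Breadth-first search over signatures."""
    if src == dst:
        return [src]
    parents = {src: None}
    queue = deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue                      # do not certify beyond the hop limit
        for nxt in sorted(signatures.get(node, ())):
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == dst:
                path = [dst]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append((nxt, depth + 1))
    return None


def trust_scores(signatures, root, decay=0.5, max_depth=MAX_CERT_DEPTH):
    """Non-boolean prestige: 1.0 at the root, multiplied by `decay` for every
    signature hop, taken along the shortest chain (BFS order guarantees it)."""
    scores = {root: 1.0}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in sorted(signatures.get(node, ())):
            if nxt not in scores:
                scores[nxt] = scores[node] * decay
                queue.append((nxt, depth + 1))
    return scores


def penalise_signers(signatures, root, bad_key, factor=0.25, **kwargs):
    """Accounting for a key that later defected: the bad key's own certifications
    stop counting, its score becomes 0, and everyone who certified it keeps
    only `factor` of their score.  Keys reachable only through it vanish."""
    pruned = {k: (set() if k == bad_key else set(v)) for k, v in signatures.items()}
    scores = trust_scores(pruned, root, **kwargs)
    if bad_key in scores:
        scores[bad_key] = 0.0
    for signer, signed in signatures.items():
        if bad_key in signed and signer in scores:
            scores[signer] *= factor
    return scores


if __name__ == "__main__":
    print(signer_path(SIGNATURES, "me", "erin"))          # ['me', 'alice', 'carol', 'erin']
    print(trust_scores(SIGNATURES, "me"))
    print(penalise_signers(SIGNATURES, "me", "spamco"))  # dave drops to 0.0625, spamco to 0.0
```

Two properties worth noticing: the hop limit makes "is there a path" a cheap, bounded query rather than a whole-graph walk, and the penalty lands on the certifier (`dave`), which is the incentive Eugen describes with "I signed the key of a spammer, please kill me now". Whether real users would supply the signatures and the defection reports is the social question both posts raise, and nothing in the code answers it.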


Re: The future of security

2004-05-28 Thread Peter Gutmann
Anton Stiglic [EMAIL PROTECTED] writes:

I think cryptography techniques can provide a partial solution to spam.

No they won't.  All the ones I've seen are some variant on the build a big
wall around the Internet and only let the good guys in, which will never work
because the Internet doesn't contain any definable inside and outside, only
800 million Manchurian candidates waiting to activate.  For example
MessageLabs recently reported that *two thirds* of all the spam it blocks is
from infected PCs, with much of it coming from ADSL/cable modem IP pools.
Given that these spammers are legitimate users, no amount of crypto will
solve the problem.  I did a talk on this recently where I claimed that various
protocols designed to enforce this (Designated Mailers Protocol, Reverse Mail
Exchanger, Sender Permitted From, etc etc) will buy at most 6-12 months, and
the only dissent was from an anti-virus researcher who said it'd buy weeks and
not months.  The alternative proof-of-resource-consumption is little better,
since it's not the spammers' resources that are being consumed.

There is one technological solution which would help things a bit, which is
Microsoft implementing virus throttling in the Windows TCP stack.  Like a
firebreak, you can never prevent fires, but you can at least limit the damage
when they do occur.  Unfortunately I don't see this happening too soon, both
because MS aren't exactly at the forefront of implementing security features
(it took them how many years to add the most basic popup-blocking?), and
because of liability issues - adding virus throttling would be an admission
that Windows is a petri dish.

The problem we're facing is social, not technological, so no there's no
technological fix.  The problem is that neither users nor vendors have any
natural incentive to fix things.  In the long run, only legislation will help:
penalise vendors for selling spam-enabling software (MS Outlook, via
viruses/worms), and penalise users for running software in a spam-enabling
manner (open relays).  This is equivalent to standard corporate-governance
legislation that sets auditing/environmental/due diligence/etc requirements.
Unfortunately this is unlikely to pass in the US (where it matters most) due
to software industry lobbying, it'd require an Enron-style debacle to pass
over there, perhaps a virus-induced reactor meltdown or something similar.

(Much of the above was lifted from "Why isn't the Internet secure yet,
 dammit?", http://www.cs.auckland.ac.nz/~pgut001/pubs/dammit.pdf, with the
 section on spam starting at page 5.  Apologies for the PDF link, but there
 are some diagrams in there that don't translate well to text).

Peter.



Re: The future of security

2004-05-28 Thread Anne Lynn Wheeler
At 09:27 AM 5/28/2004, Peter Gutmann wrote:
No they won't.  All the ones I've seen are some variant on the build a big
wall around the Internet and only let the good guys in, which will never work
because the Internet doesn't contain any definable inside and outside, only
800 million Manchurian candidates waiting to activate.  For example
MessageLabs recently reported that *two thirds* of all the spam it blocks is
from infected PCs, with much of it coming from ADSL/cable modem IP pools.
Given that these spammers are legitimate users, no amount of crypto will
solve the problem.  I did a talk on this recently where I claimed that various
protocols designed to enforce this (Designated Mailers Protocol, Reverse Mail
Exchanger, Sender Permitted From, etc etc) will buy at most 6-12 months, and
the only dissent was from an anti-virus researcher who said it'd buy weeks and
not months.  The alternative proof-of-resource-consumption is little better,
since it's not the spammers' resources that are being consumed.
the caveat to that is many of the infected machines were originally 
infected by spam with spoofed origin ... somehow convincing users to click 
on something. authentication would help somewhat with that ... and, in 
fact, some of the spam being sent out by the infected machines, in turn 
uses spoofed origin. authentication might also help address the 
identity-theft oriented spam ... claiming to be your bank and needing 
personal information.

it doesn't help with ... click on this to get the latest, greatest game ... 
where there isn't any attention at all paid to the origin ... just looking 
for instant gratification.

the 60s/70s time-sharing systems nominally had some assurance applied to 
the introduction of executables into the environment. this is my comment 
about the desktop systems having diametrically opposing requirements ... 
the original design point of totally unconnected, stand alone environment 
where an introduced executable could take over the whole machine ... and at 
the same time fully wired to an increasingly hostile environment needing 
significant safeguards and processes associated with assurance of introduced 
executables. the intermediate step was that some of these stand-alone 
machines acquired interconnect capability for a local, safe, isolated 
departmental/office network. This had hardly any restricted execution and 
access capability ... again not worrying about protection against a hostile 
and unsafe operation.

the shared environment analogy is highway traffic and rules about operating 
an unsafe vehicle could result in both having your license revoked and the 
vehicle confiscated (it doesn't require the driver to be a highly trained 
car mechanic ... it just holds the driver responsible).

connecting systems that were designed for fundamentally safe and isolated 
environment to wide-open anarchy hostile operation exposes all sorts of 
problems. somewhat analogous to not actually needing a helmet for riding a 
motorcycle ... or seat belts and airbags to drive a car.

--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/



Re: The future of security

2004-05-28 Thread Eugen Leitl
On Fri, May 28, 2004 at 09:46:03AM -0700, bear wrote:

 Spam won't stop until spam costs the spammers money.

If I'm a node in a web of trust (FOAF is a human), prestige will 
percolate through it completely. That way I can color a whole domain with a
nonboolean trust hue, while a domain of fakers will have only very few
connections (through compromises, or human mistakes), which will rapidly be sealed,
once actually used to do something to lower their prestige (I signed the key
of a spammer, please kill me now). 

Of course, tracking prestige globally, robustly in a p2p fashion is
difficult, and will require agoric load levelling elements (to prevent bad
nodes from DoSing the global store) which also requires prestige tracking.

-- 
Eugen* Leitl leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Re: The future of security

2004-05-28 Thread bear


On Fri, 28 May 2004, Anne & Lynn Wheeler wrote:

connecting systems that were designed for fundamentally safe and isolated
environment to wide-open anarchy hostile operation exposes all sorts of
problems. somewhat analogous to not actually needing a helmet for riding a
motorcycle ... or seat belts and airbags to drive a car.

Perspective on things...

Where I grew up, safety equipment inside your car (or on your head on
a motorcycle) was limited to that which prevented you from becoming
more of a hazard to *OTHER* drivers.  Motorcyclists didn't need
helmets, because helmets don't prevent crashes or change the
consequences of crashes for anyone who's not wearing them.  But they
did need eye protection, because eye protection reduced the
probability of crashes that could be dangerous to others.

I thought this was actually a well-considered system.  The law
required us to take whatever reasonable precautions we needed to
protect others from our actions, but it was entirely up to us whether
we attempted to protect ourselves from our own actions.

Now, in most states, law doesn't work this way any more -- protecting
people from each other has gotten fuzzed into the idea of protecting
the people (monolithic unit) from themselves (monolithic unit).

But I think there is some wisdom here that may apply to the spam
situation. Have partial solutions been getting rejected because we're
seeing that we can't protect users against their *own* stupidity?
What we actually need is systems to protect *other* users from their
stupidity.

Bear



Re: The future of security

2004-05-27 Thread Ed Gerck

Ian Grigg wrote:
...  fundamentally, as Steve suggests,
we expect email from anyone, and it's free.
We have to change one of those basic features
to stop spam.  Either make it non-free, or
make it non-authorised.  Hashcash doesn't
achieve either of those, although a similar
system such as a payment based system might
achieve it.
Mind you, I would claim that if we change either
of the two fundamental characteristics of email,
then it is no longer email.  For this reason,
I predict that email will die out (ever so
slowly and painfully) to be replaced by better
and more appropriate forms of chat/IM.
Indeed, email is not so good anymore. When lack of message
security in email becomes clearer to the users, as clear as
spam is today, the value of email will approach zero.
Practically anyone can read the email you send and receive,
your ISP included. What's the fuss with google's gmail? Gmail's
differential is that they do not hide they will search through
your mailbox. Users are realizing that an email is like a postcard,
open for anyone to read and write on it. But encryption and
authentication are a hassle today, with less than 2% of all email
encrypted (sorry, can't cite the source I know).
The problem with current schemes has been that they only work
when both sender AND recipient already use the feature, which
probability is zero in the beginning of adoption. It's a chicken-
and-egg proposition. It is also a change to email. Even though the
existing ideas are sound in principle (e.g., PGP/MIME, S/MIME,
email gateways, etc.) they are all a replacement product with
many barriers for adoption.
Instead of a replacement, I believe that what we need is a
complement to solve the lack of message security in email
(including sender spoofing). Email is just the transport.  The
solution should be able to start from a single end user, should
require no change to records/software that end users do not
control, and should require no cooperation from email providers
and ISPs.
Comments?
Cheers--/Ed Gerck


Re: The future of security

2004-05-26 Thread Anne Lynn Wheeler
At 09:36 AM 5/11/2004, Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Ian Grigg writes:
 Security architects
will continue to do most of their work with
little or no crypto.
And rightly so, since most security problems have nothing to do with
the absence of crypto.

j.  a cryptographic solution for spam and
viruses won't be found.
This ties into the same thing:  spam is *unwanted* email, but it's not
*unauthorized*.  Crypto can help with the latter, but only if you can
define who is in the authorized set of senders.  That's not feasible
for most people.
one of the issues has been that many crypto security solutions have been 
oriented towards hiding information. that may work with outsiders ... but 
traditionally, 90 percent of fraud has been insiders ... and recent news 
last friday about study to be published was that interviewing something 
like 1000 people involved in identity theft cases ... it was determined 
that at least 70 percent had some sort of employee involvement.

in that sense ... the internet and introduction of the possibility of 
outsider related fraud ... has distracted/obfuscating focus from the real, 
long standing issues.

my repeated observation that current generation of desktop systems were 
originally introduced to operate in a standalone environment where 
applications could be introduced that freely took over the whole machine. 
attempting to continue to satisfy the standalone ... total take-over 
requirements at the same time using the same platform for generalized 
interconnect to an increasingly hostile environment creates some 
diametrically opposing objectives.

there have been some number of time-sharing systems from the 60s & 70s that 
were designed from the ground up to handle multiple, concurrent users that 
potentially had conflicting, competitive, and/or opposing objectives (say 
multiple users from competing corporations and industrial secrets might be 
involved). these systems with designed in security from the ground-up have 
shown to be immune to many of the current day vulnerabilities and exploits. 
to some extent, there could be valid claims about attempts to use 
cryptography as bandaids to address fundamentally flawed infrastructures 
(or at least infrastructures that were specifically designed to not handle 
many of the existing situations that they have been used for) ... aka lets 
use bandaids to treat strep infections.


--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/



Re: The future of security

2004-05-26 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Anton Stiglic writes:

- Original Message - 
From: Steven M. Bellovin [EMAIL PROTECTED]

 
 j.  a cryptographic solution for spam and
 viruses won't be found.
 
 This ties into the same thing:  spam is *unwanted* email, but it's not 
 *unauthorized*.  Crypto can help with the latter, but only if you can 
 define who is in the authorized set of senders.  That's not feasible 
 for most people.


Something like hashcash / client puzzles / Penny Black define a set
of authorized email (emails that come with a proof-of-work), and then
provide a cryptographic solution.   This is not a fool-proof solution (as
described in the paper "Proof-of-Work Proves Not to Work"), 
but a good partial solution that is probably best used in combination
with other techniques such as white-lists, Bayesian spam filters, etc.

I think cryptography techniques can provide a partial solution to spam.

The spammers are playing with other people's money, cycles, etc.  They 
don't care.

--Steve Bellovin, http://www.research.att.com/~smb




Re: The future of security

2004-05-26 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ben Laurie writes:
Steven M. Bellovin wrote:
 In message [EMAIL PROTECTED], Anton Stiglic writes:
 
- Original Message - 
From: Steven M. Bellovin [EMAIL PROTECTED]

j.  a cryptographic solution for spam and
viruses won't be found.

This ties into the same thing:  spam is *unwanted* email, but it's not 
*unauthorized*.  Crypto can help with the latter, but only if you can 
define who is in the authorized set of senders.  That's not feasible 
for most people.


Something like hashcash / client puzzles / Penny Black define a set
of authorized email (emails that come with a proof-of-work), and then
provide a cryptographic solution.   This is not a fool-proof solution (as
described in the paper "Proof-of-Work Proves Not to Work"), 
but a good partial solution that is probably best used in combination
with other techniques such as white-lists, Bayesian spam filters, etc.

I think cryptography techniques can provide a partial solution to spam.

 
 The spammers are playing with other people's money, cycles, etc.  They 
 don't care.

We took that into account in the paper. Perhaps you should read it?

http://www.dtc.umn.edu/weis2004/clayton.pdf


We're saying something different.  If I understood your paper 
correctly, it says, more or less, that setting the cost high enough to 
reduce spam will make the cost too high for legitimate users.  My point 
is that even if you do raise the cost high enough, they'll become more 
aggressive at 0wning machines so that they can throw more (stolen) 
cycles or (stolen) zorkmids at the problem.  The economic question, 
then, is what is the cost of compromising enough new machines.  Given 
the code base and the user behavior that we see in the field, my answer 
is pretty low.  The consequence, in your metric, would be an increase 
in C, which would further inconvenience legitimate users, thus creating 
a feedback loop.

--Steve Bellovin, http://www.research.att.com/~smb


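Anton's quoted suggestion (a proof-of-work stamp defines the authorised set of messages) and Steve's reply (the work is done on stolen cycles, so raising the cost C mostly hurts legitimate senders) can both be seen in a few lines of code. What follows is an added illustration, not code from the hashcash project, the Penny Black work or the cited paper; it follows the hashcash v1 stamp layout (`ver:bits:date:resource:ext:rand:counter` hashed with SHA-1) but the resource names, dates and the botnet figures fed to the last function are constructed. The receiver side checks four things a real filter checks: the stamp is addressed to this mailbox, it claims at least the required number of bits, the hash actually has them, and the stamp has not been presented before.

```python
import hashlib
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint(resource, bits, date=None, rand=None):
    """Sender side: search for a counter such that SHA-1 of the stamp starts
    with `bits` zero bits.  Expected cost is 2**bits hash evaluations; that
    cost is paid by whoever owns the CPU doing the search."""
    date = date or time.strftime("%y%m%d")       # hashcash uses YYMMDD
    rand = rand or secrets.token_urlsafe(12)     # keeps stamps unique per sender
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits, seen):
    """Receiver side.  `seen` is the double-spend database: a stamp that has
    already bought one delivery must not buy another.  Returns a reason
    string so the caller can log why a stamp was rejected."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return "malformed"
    claimed_bits = int(fields[1])
    if fields[3] != resource:
        return "wrong-resource"                  # minted for someone else
    if claimed_bits < min_bits:
        return "too-cheap"                       # below our price
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return "bad-work"                        # claimed bits not actually present
    if stamp in seen:
        return "double-spend"
    seen.add(stamp)
    return "ok"


def botnet_stamps_per_day(bits, hashes_per_second, hosts):
    """Steve's objection in numbers: how many valid stamps a spammer obtains
    per day from `hosts` compromised machines each doing `hashes_per_second`
    SHA-1 evaluations.  The inputs are whatever the reader assumes; the
    point is that the spammer's own cost does not appear in the formula."""
    return hosts * hashes_per_second * 86400 / 2 ** bits


if __name__ == "__main__":
    seen = set()
    stamp = mint("alice@example.org", 12, date="040526", rand="constructed")
    print(stamp)
    print(verify(stamp, "alice@example.org", 12, seen))   # ok
    print(verify(stamp, "alice@example.org", 12, seen))   # double-spend
    print(botnet_stamps_per_day(20, 1_000_000, 1000))     # 82397460.9375
```

Twelve bits is used above only so the search finishes instantly; the feedback loop Steve describes is the receiver raising `min_bits` (his C) in response to that last number, which pushes the minting time for a legitimate sender's single message up by the same factor while a compromised pool simply spends more stolen hours.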


Re: The future of security

2004-05-26 Thread Ian Grigg
Ben Laurie wrote:
Steven M. Bellovin wrote:

The spammers are playing with other people's money, cycles, etc.  They 
don't care.

We took that into account in the paper. Perhaps you should read it?
http://www.dtc.umn.edu/weis2004/clayton.pdf

(Most of the people on this list are far too
professional and busy to fall for that.  If
the argument has merit, please summarise it.
If it really has merit, the summary might
tease people into reading the full paper.)
I for one don't see it.  I like hashcash as
an idea, but fundamentally, as Steve suggests,
we expect email from anyone, and it's free.
We have to change one of those basic features
to stop spam.  Either make it non-free, or
make it non-authorised.  Hashcash doesn't
achieve either of those, although a similar
system such as a payment based system might
achieve it.
Mind you, I would claim that if we change either
of the two fundamental characteristics of email,
then it is no longer email.  For this reason,
I predict that email will die out (ever so
slowly and painfully) to be replaced by better
and more appropriate forms of chat/IM.
iang


Re: The future of security (bulk reply, long)

2004-05-25 Thread Joseph Ashwood
I've moved this to the top because I feel it is the most important statement
that can be made.
Hadmut said:
 Security doesn't
 necessarily mean cryptography.

- Original Message - 
From: Hadmut Danisch [EMAIL PROTECTED]
Subject: Re: The future of security


 On Mon, Apr 26, 2004 at 08:21:43PM +0100, Graeme Burnett wrote:
 
  Would anyone there have any good predictions on how
  cryptography is going to unfold in the next few years
  or so?  I have my own ideas, but I would love
  to see what others see in the crystal ball.

 - I don't expect that there will be much progress in
   maths and theory of cryptography. Very few inventions
   will make it out of the ivory tower, if any at all.

I actually expect quite the opposite, we seem to be reaching an age in
cryptanalysis where we are developing techniques faster than they can be
functionally applied, and the speed of development is only increasing here.
We've now gone from a time when we were seeing a new functional attack about
every five years (differential to linear), to now just during the AES
selection process we had a number of potential new avenues opened up. I
expect this trend to continue for a while, and the news that this generates
should bring greater light, and more active people to studying cryptography.
I expect this trend to continue for approximately 1 human generation (about
20 years), but that human nature being what it is, that the second human
generation in this timeframe will have substantially fewer cryptanalytic
advances.

   Key lengths will increase. We'll play RSA with
   4096 or 8192 bit.

Actually I'm seeing an increasing trend in moving away from RSA and DH
because the keys are becoming too big. The required key length to match the
strength of AES-256 is simply too large to offer functional speed, instead
we're going to have to switch over to the asymptotically superior
encryption/decryption/signing/verifying algorithm, because of this we should
see a major increase in the research moneys applied towards public key
techniques, this compounded with my expected increase in the number of
cryptanalysts should result in some very interesting times.

 They will find that Quantum Computers
   may be fast, but still bound to computation complexity.

I agree.

 - SSL/TLS will become even more of a de facto standard in
   open source software and (new?) protocols. It will make
   it's way into the standard libraries of programming languages
   (e.g. as it did for Ruby).

Again I have to disagree with you, we're already seeing some backlash
against SSL/TLS, where many people are beginning to see the value in
protecting the data not the link. This methodology fairly well eliminates
the usability of SSL/TLS, the added complexity of the new PK algorithms will
almost certainly spell doom for the current protocols in use.

 - I don't expect that we'll ever have a common PKI for
   common people with a significant distribution. It's like
   with today's HTTPS: The big ones have commercial certificates,
   plain people use passwords and simple authentication mechanisms
   (like receiving a URL with a random number by e-mail).

Again I have to disagree, I can only speak for what Trust Laboratories is
doing, but we are at this moment working on projects that will lower the
necessary threshold for PKI implementations (through client proliferation).
This combined with the already solidly known presence of NGSCB in the
majority of future PCs should have the added effect that, while
Verisign-like PKI may remain unusual, the availability of what can be
treated as a smartcard in every computer will certainly increase the
availability of PKI to the common man.

 - I guess the most important crypto applications will be:

 - HTTPS of course

For the short term yes, but longer term I actually think that HTTPS will
diminish, in fact some measurements are already showing a trend where per
capita web usage is already decreasing, so HTTP may soon be decreasing, leading
to an obvious decrease in the usage of HTTPS. This combined with the
"protect the data not the link" movement should have substantial further
impact.

 - portable storage equipped with symmetric ciphers
   such as USB-Sticks and portable hard disks.

Agreed, but I also think we'll start seeing distributed file systems; I know
we are working on them, and have already had some interest from companies.
These distributed file systems will make use of smart cards (although the
form factor WILL be different). With the proliferation of high speed data
connections (US cell phones are already available at 150 Kbps, and 3G can
bring speeds of up to 1Mbps, in the next few years WiMax, and great future
cell potential e.g. Flarion) I suspect that removable storage will actually
decrease, that leaves moving those USB/removable drives over to distributed
file systems or even in some cases p2p networks (more on this from Trust
Laboratories in the future) which will massively reduce cost. I'm

Re: The future of security

2004-05-25 Thread Arnold G. Reinhold
At 8:21 PM +0100 4/26/04, Graeme Burnett wrote:
Hello folks,
I am doing a presentation on the future of security,
which of course includes a component on cryptography.
That will be given at this conference on payments
systems and security: http://www.enhyper.com/paysec/
Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.
Here are my thoughts on the future of cryptography:
A major use of crypto will be in efforts to restrict the 
dissemination of information to the public (corporate security, 
digital rights management, state censorship)

Human factors will be regarded as equal in importance with algorithms 
and protocols.

Servers and workstations will incorporate video and other sensors to 
provide self protection against physical intrusions.

As cellphones and PDAs merge there will be a new generation of 
privacy applications for text messaging and/or voice that use lightweight 
protocols and, perhaps, symmetric keys.

Cellphone cameras will be used for steganographic communication.
Cellphones and PDAs will be used as security tokens for 
desktop/laptop access, perhaps using Bluetooth.

Self-booting, open source CDs will become available that turn any PC 
into a secure messaging system with private keys and messages stored 
on an encrypted disk image on a memory stick.

4096-bit RSA keys will become the standard (RSA is already 
recommending 1024-bit keys be phased out by 2010.)

Key stretching techniques will be enhanced and standardized to allow 
password-based security to remain viable.

Password entry will be done using mouse and display screen, rather 
than keyboards because of all the risks keyboards represent (software 
and hardware loggers, video cameras, acoustic analysis, etc.)

Desktop systems with no hard drive and no I/O ports will become 
required for processing confidential information.

One or more secure networks will emerge that parallel the existing 
Internet. They will use IPv6 and have mandatory encryption and 
authentication.

Cameras and audio recorders will be equipped with GPS, digital 
signing and secure time stamping technologies to restore confidence 
in recorded evidence.

Stored value smart-cards will finally become popular in the U.S. 
through use in public transportation systems.

Hashcash will be used to bring spam under control and to protect 
networks against zombie attacks.

Anti-spam white listing will be the killer app that finally creates a 
universal public key infrastructure.

Patent concerns will be a major barrier to progress.
Arnold Reinhold
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The future of security

2004-05-25 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian Grigg writes:
 Security architects
will continue to do most of their work with
little or no crypto.

And rightly so, since most security problems have nothing to do with 
the absence of crypto.

j.  a cryptographic solution for spam and
viruses won't be found.

This ties into the same thing:  spam is *unwanted* email, but it's not 
*unauthorized*.  Crypto can help with the latter, but only if you can 
define who is in the authorized set of senders.  That's not feasible 
for most people.

--Steve Bellovin, http://www.research.att.com/~smb




Re: The future of security

2004-05-25 Thread l . crypto
[EMAIL PROTECTED] wrote:
 Would anyone there have any good predictions on how
 cryptography is going to unfold in the next few years
 or so?  I have my own ideas, but I would love
 to see what others see in the crystal ball.
 
I'd like to think we would see a new flowering of cryptography
delivering new functionality to end users rather than be used
only to secure existing boring stuff.

For example, suppose SDSI or Dan's idea of delegation certificates
were carried through - you could talk about handing someone the
keys to your house to look after, and the USB fob would hold
delegation certs that let your friend control your thermostats or your
replayTV.  

-Larry
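Larry's sketch of delegation certificates on a USB fob (a friend gets the right to control your thermostat without getting your key) can be made concrete. The Go program below is an added example, not code from the post and not SDSI or SPKI itself: it uses a simplified JSON certificate format with Ed25519 signatures, and every name in it (DelegationCert, Delegate, Authorize, the "thermostat:set" permission string, the one-week lifetime) is constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// DelegationCert (hypothetical format) lets Issuer grant Permission to
// Subject until NotAfter. MayDelegate says whether Subject may pass the
// permission on. Every field except Signature is covered by the signature.
type DelegationCert struct {
	Issuer      ed25519.PublicKey `json:"issuer"`
	Subject     ed25519.PublicKey `json:"subject"`
	Permission  string            `json:"permission"`
	MayDelegate bool              `json:"may_delegate"`
	NotAfter    time.Time         `json:"not_after"`
	Signature   []byte            `json:"signature,omitempty"`
}

// toBeSigned is the canonical byte string the issuer signs (value receiver,
// so clearing Signature does not touch the caller's copy).
func (c DelegationCert) toBeSigned() []byte {
	c.Signature = nil
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Delegate creates and signs a certificate with the issuer's private key.
func Delegate(issuer ed25519.PrivateKey, subject ed25519.PublicKey, perm string, mayDelegate bool, notAfter time.Time) DelegationCert {
	c := DelegationCert{
		Issuer:      issuer.Public().(ed25519.PublicKey),
		Subject:     subject,
		Permission:  perm,
		MayDelegate: mayDelegate,
		NotAfter:    notAfter.UTC(),
	}
	c.Signature = ed25519.Sign(issuer, c.toBeSigned())
	return c
}

// Authorize walks the chain from the device's one trusted key (the owner's)
// and returns the key that ends up holding perm at time now, or why not.
func Authorize(root ed25519.PublicKey, chain []DelegationCert, perm string, now time.Time) (ed25519.PublicKey, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	current := root
	for i, c := range chain {
		switch {
		case !bytes.Equal(c.Issuer, current):
			return nil, fmt.Errorf("cert %d not issued by the expected key", i)
		case i > 0 && !chain[i-1].MayDelegate:
			return nil, fmt.Errorf("cert %d: previous holder may not delegate", i)
		case c.Permission != perm:
			return nil, fmt.Errorf("cert %d grants %q, not %q", i, c.Permission, perm)
		case now.After(c.NotAfter):
			return nil, fmt.Errorf("cert %d expired", i)
		case !ed25519.Verify(c.Issuer, c.toBeSigned(), c.Signature):
			return nil, fmt.Errorf("cert %d: bad signature", i)
		}
		current = c.Subject
	}
	return current, nil
}

// Outcome records which requests the thermostat accepted in the scenario.
type Outcome struct {
	FriendAccepted, OnwardRejected, ExpiredRejected, WrongPermissionRejected, TamperRejected bool
}

// Scenario: the owner's key is the root the thermostat trusts; a one-week
// cert (the thing the fob would carry) lets a friend send a signed command.
func Scenario(now time.Time) Outcome {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	friendPub, friendPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, _, _ := ed25519.GenerateKey(rand.Reader)

	toFriend := Delegate(ownerPriv, friendPub, "thermostat:set", false, now.Add(7*24*time.Hour))
	onward := Delegate(friendPriv, strangerPub, "thermostat:set", false, now.Add(24*time.Hour))
	tampered := toFriend
	tampered.Permission = "door:unlock" // edited after signing

	// The device checks the chain, then that the command itself is signed
	// by the key the chain ends at.
	cmd := []byte("thermostat:set 19C")
	cmdSig := ed25519.Sign(friendPriv, cmd)
	leaf, err := Authorize(ownerPub, []DelegationCert{toFriend}, "thermostat:set", now)
	friendOK := err == nil && ed25519.Verify(leaf, cmd, cmdSig)

	rejected := func(chain []DelegationCert, perm string, at time.Time) bool {
		_, err := Authorize(ownerPub, chain, perm, at)
		return err != nil
	}
	return Outcome{
		FriendAccepted:          friendOK,
		OnwardRejected:          rejected([]DelegationCert{toFriend, onward}, "thermostat:set", now),
		ExpiredRejected:         rejected([]DelegationCert{toFriend}, "thermostat:set", now.Add(8*24*time.Hour)),
		WrongPermissionRejected: rejected([]DelegationCert{toFriend}, "door:unlock", now),
		TamperRejected:          rejected([]DelegationCert{tampered}, "door:unlock", now),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario(time.Now()))
}
```

The device's only long-term trust anchor is the owner's public key; nothing in a certificate names a person, only keys, permissions and an expiry. The friend's cert has MayDelegate false, so the chain that tries to pass the permission on to a third key is refused, as are an expired cert, a cert presented for a permission it does not name, and a cert whose permission field was edited after signing.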




Re: The future of security

2004-05-08 Thread Hadmut Danisch
On Mon, Apr 26, 2004 at 08:21:43PM +0100, Graeme Burnett wrote:
 
 Would anyone there have any good predictions on how
 cryptography is going to unfold in the next few years
 or so?  I have my own ideas, but I would love
 to see what others see in the crystal ball.



My guess is that it is unpredictable. 
As so many other things, it depends on so many coincidences, 
marketing, politics.

But what I do expect:

- I don't expect that there will be much progress in 
  maths and theory of cryptography. Very few inventions
  will make it out of the ivory tower, if any at all.

  Key lengths will increase. We'll play RSA with 
  4096 or 8192 bit. They will find that Quantum Computers
  may be fast, but still bound to computation complexity.


- SSL/TLS will become even more of a de facto standard in 
  open source software and (new?) protocols. It will make 
  its way into the standard libraries of programming languages
  (e.g. as it did for Ruby).

- I don't expect that we'll ever have a common PKI for 
  common people with a significant distribution. It's like 
  with today's HTTPS: The big ones have commercial certificates, 
  plain people use passwords and simple authentication mechanisms
  (like receiving a URL with a random number by e-mail).


- I guess the most important crypto applications will be:

  - HTTPS of course

  - portable storage equipped with symmetric ciphers 
    such as USB-Sticks and portable hard disks. 

  - VPN routers

  - Voice over IP

  - DRM

  - maybe in digital passports and credit cards

- simple auth tokens like RSA SecurID, Aladdin eToken
  will become more commonly used.  



- As a consequence, I guess that politicians will reopen the
  1997's discussion of prohibiting strong encryption. They already
  do. 


- Maybe we'll have less crypto security in future than we have
  today. 

  5-10 years ago I knew many more people using PGP than today. 

  Most modern mail user agents are capable of S/MIME, but it's hard
  to find someone making use of it. I'm a consultant for many
  companies, but not a single one of them uses it. Most modern 
  MTAs support TLS, but to my knowledge less than 3% of messages 
  are actually TLS encrypted in SMTP.

  It's strange, but law will become more important than cryptography. 




As a summary, I don't expect any innovations. Not more than within
the last 10 years.

But I'm pretty sure that security will be more and more important
and that's where I expect innovations and progress. Security doesn't
necessarily mean cryptography.


regards
Hadmut





Re: The future of security

2004-05-08 Thread geer

Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.


prediction: 

just as in the 1990s the commercial world caught up to
the mil world in uses of crypto, so, too, will it catch
up this decade in traffic analysis

--dan



Re: The future of security

2004-05-08 Thread Graeme Burnett
Many thanks to the list members who have contributed ideas to the above -
I'll share the results by previewing the paper in the next few weeks if I
may.

Having been a devotee of the financial crypto community for many years, a
thought has just occurred to me about the possible use of Systemics
Ricardian Contract idea as a practical implementation of a distributed
access control mechanism.

I came across Akenti http://www-itg.lbl.gov/Akenti/ - augmented x509 certs
used as access control tokens in a distributed environment. It seems that
this problem space is similar to the fincrypto domain.

Proprietary non-human readable binary/ascii formats have arguably lost
ground to human readable name/value pair formats (i.e. XML and before that
IATA), so it would seem a logical progression to extend Herr Grigg's
Ricardian ontology to include a DAC contract?

Cheers

G



Re: The future of security

2004-05-08 Thread Ian Grigg
Graeme Burnett wrote:
Hello folks,
I am doing a presentation on the future of security,
which of course includes a component on cryptography.
That will be given at this conference on payments
systems and security: http://www.enhyper.com/paysec/
Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.

I would see these things, in no particular
order, and no huge thought process applied.
a.  a hype cycle in QC that will peak in a year
or two, then disappear as purchasers realise that
the boxes aren't any different to ones that are
half the price.
b.  much more use of opportunistic cryptography,
whereby crypto systems align their costs against
the risks being faced.  E.g., self-signed certs
and cert caching in SSL systems, caching and
application integration in other systems.
c.  much less emphasis on deductive no-risk
systems (PKIs like x.509 with SSL) due to the
poor security and market results of the CA
model.
d.  more systems being built with basic, simple
home-grown techniques, including ones that are
only mildly secure.  These would be built by
programmers, not cryptoplumbers.  They would
require refits of proper crypto as/if they migrate
into successful user bases.  In project terms,
this is the same as b. above - more use of
opportunistic tactics to secure stuff basically
and quickly.
e.  greater and more costs to browser users
from phishing [1] will eventually result in
mods to security model to protect users.  In
the meantime, lots of snakeoil security solutions
will be sold to banks.  The day Microsoft decides
to fix the browser security model, phishing will
reduce to just another risk.
f.  arisal of mass crypto in the chat field,
and slow painful demise of email.  This is
because the chat protocols can be updated
within the power of small teams, including
adding simple crypto.  Email will continue to
defy the mass employment of crypto, although
if someone were to add a "create self-signed
cert now" button, things might improve.
g.  much interest in simple crypto in the p2p
field, especially file sharing, as the need
for protection and privacy increases due to
IP attacks.  All of the techniques will flow
across to other applications that need it less.
h.  almost all press will be in areas where
crypto is sure to make a difference.  Voting,
QC, startups with sexy crypto algorithms, etc.
i.  Cryptographers will continue to be pressed
into service as security architects, because it
sounds like the same thing.  Security architects
will continue to do most of their work with
little or no crypto.
j.  a cryptographic solution for spam and
viruses won't be found.  Nor for DRM.
iang
[1] one phisher took $75,000 from 400 victims:
http://www.financialcryptography.com/mt/archives/000129.html


Re: The future of security

2004-05-08 Thread Graeme Burnett
Ian Grigg wrote:
Graeme Burnett wrote:
Hello folks,
I am doing a presentation on the future of security,
which of course includes a component on cryptography.
That will be given at this conference on payments
systems and security: http://www.enhyper.com/paysec/
Would anyone there have any good predictions on how
cryptography is going to unfold in the next few years
or so?  I have my own ideas, but I would love
to see what others see in the crystal ball.


i.  Cryptographers will continue to be pressed
into service as security architects, because it
sounds like the same thing.  Security architects
will continue to do most of their work with
little or no crypto.
Hmmm.
I'm afraid I concur - my personal experience of being a security
architect for a major merchant bank was one of meeting regulatory
requirements by post-development due diligence, or, as my wife calls it,
"nagging", making the role effectively that of "grumpy rubber stampers".

G


Re: The future of security

2004-05-08 Thread Anne Lynn Wheeler
On Thu, 2004-05-06 at 17:52, Ian Grigg wrote:
 c.  much less emphasis on deductive no-risk
 systems (PKIs like x.509 with SSL) due to the
 poor security and market results of the CA
 model.
 

at the nist pki r&d workshop (mentioned elsewhere in some other post
in this mailing list) there was discussion of 

1) using private key signing for things like signature (like in human
signature) agreement/authorization as opposed to straight
authentication. one of the issues is that if you ever use a private key
to digitally sign some random challenge/response data in an authentication
paradigm ... you might be at risk ever using the same private key for
signature purposes ... since it might be possible that some of the
random data you may have signed might not have been truly random after
all

2) naked public keys ... aka w/o certificates at all

3) and in some of the breaks the certificate use in payment
transactions. sort of two issues in payment transactions were/are a)
privacy and b) size bloat. in the mid-90s, the traditional x.509
identity certificate from the early 90s was drastically cut back to
relying-party-only, account number certificate because of privacy
issues with identity information. The work on certificate-based
financial transaction started with taking a 60-80 byte payment
transaction, instead of ISO8583, using ASN.1 encoding to blow it up to
200-300 bytes; added a 128-byte RSA signature (then adding in the ASN.1
encoding) and a relying-party-only certificate that typically ran 4k-12k
bytes; having started from a 60byte normal transaction, the
certificate-based stuff would blow it up by factor of one hundred times
to 6k to 12k bytes. The certificate was totally redundant and
superfluous since the financial institution was the relying party and
already had all the information. In the X9.59 work it was observed that
it was possible to encode an ECDSA signature in an ISO8583 transaction
in 42 bytes ... so absolute minimum for authenticated payment
transaction would go from 60 bytes to a little over 100 bytes ... w/o
throwing in a bunch of extraneous, duplicated and/or superfluous data
that provided absolutely no added value (the payment transaction still
contained the same data, digital signature authentication was added ...
and all the payload carried in a certificate was totally redundant and
superfluous since the relying-party had a superset). It isn't exactly
that payment security requirements have to be proportional to the cost
of certificate security ... it was that certificate security increased
the payload costs by a factor of one hundred times and provided NO added
value.

some of my further observations about mixing authentication signing and
signature signing ... as well as nature of naked public keys ...
recently posted to thread in sci.crypt:
http://www.garlic.com/~lynn/2004e.html#20 Soft signatures

and the future of security ... somewhat orthogonal to cryptography ...
there was recently a letter from NSF to some former multician that was
posted to the alt.os.multics n.g. that started a thread on (not
necessarily crypto) system security (and multics never having been
broken). a couple posts in the thread
http://www.garlic.com/~lynn/2004e.html#27 NSF interest in Multics
security
http://www.garlic.com/~lynn/2004e.html#36 NSF interest in Multics
security


-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
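Two points in the post above lend themselves to one worked example: the X9.59 observation that the relying party already holds the account's public key, so the transaction needs a signature but no certificate, and point (1), that a key used to answer challenge/response authentication should not also produce signatures that could be read as agreement. The Go program below is an added example, not code from the post, from X9.59 or from ISO 8583 (it does not implement that format): the 60-byte transaction, the account registry, the domain tags DomainAuth/DomainPayment and every function name are constructed for illustration. It uses P-256 ECDSA, whose raw r||s signature is 64 bytes; the post's 42-byte figure was for a shorter signature, but the comparison with a certificate-carrying message is the same in kind.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Domain tags (hypothetical) are hashed in front of every message, so a
// signature produced to answer an authentication challenge can never be
// presented as a signature over a payment order, even with the same key.
const (
	DomainAuth    = "auth-challenge:"
	DomainPayment = "payment-order:"
)

// Registry stands in for the relying party (the account-holding bank): it
// keeps the public key registered for each account, so the transaction
// itself carries no certificate at all (a "naked" public key scheme).
type Registry map[string]*ecdsa.PublicKey

// ConstructedTxn returns a made-up 60-byte compact payment message. It only
// mimics the size of a minimal ISO8583-style transaction.
func ConstructedTxn() []byte {
	txn := make([]byte, 60)
	copy(txn, "MTI0200PAN4111111111111111AMT000001250CUR840STAN123456TRM001")
	return txn
}

// signWithDomain signs SHA-256(domain || msg) with P-256 ECDSA and returns
// the signature as a fixed 64-byte r||s pair (no ASN.1 framing at all).
func signWithDomain(priv *ecdsa.PrivateKey, domain string, msg []byte) []byte {
	h := sha256.Sum256(append([]byte(domain), msg...))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig
}

// verifyWithDomain checks a 64-byte r||s signature over SHA-256(domain || msg).
func verifyWithDomain(pub *ecdsa.PublicKey, domain string, msg, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	h := sha256.Sum256(append([]byte(domain), msg...))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, h[:], r, s)
}

// AuthenticatedTxn builds the wire unit: transaction || 64-byte signature.
func AuthenticatedTxn(priv *ecdsa.PrivateKey, txn []byte) []byte {
	return append(append([]byte{}, txn...), signWithDomain(priv, DomainPayment, txn)...)
}

// Accept is the relying party's check: look up the key registered for the
// account and verify the payment-domain signature. Nothing in the message is
// trusted to identify the signer; only the registry is.
func (reg Registry) Accept(account string, wire []byte) bool {
	pub, ok := reg[account]
	if !ok || len(wire) <= 64 {
		return false
	}
	n := len(wire) - 64
	return verifyWithDomain(pub, DomainPayment, wire[:n], wire[n:])
}

// Result records the wire size and which submissions the bank accepted.
type Result struct {
	WireBytes          int  // 60-byte transaction + 64-byte signature
	Accepted           bool // genuine payment
	AuthReplayAccepted bool // auth-challenge signature reused as a payment
	UnknownKeyAccepted bool // payment signed by a key the bank never registered
}

// RunScenario registers one account key, then submits a genuine payment, a
// replayed authentication signature over the same bytes, and a payment
// signed by an unregistered key.
func RunScenario() Result {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const account = "4111111111111111"
	reg := Registry{account: &priv.PublicKey}
	txn := ConstructedTxn()
	wire := AuthenticatedTxn(priv, txn)
	// The same key once answered a challenge whose bytes happened to equal
	// the transaction; the domain tag keeps that answer from being a payment.
	authSig := signWithDomain(priv, DomainAuth, txn)
	return Result{
		WireBytes:          len(wire),
		Accepted:           reg.Accept(account, wire),
		AuthReplayAccepted: reg.Accept(account, append(append([]byte{}, txn...), authSig...)),
		UnknownKeyAccepted: reg.Accept(account, AuthenticatedTxn(other, txn)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The authenticated message is 124 bytes, the transaction plus a raw signature; the relying party never needs a certificate because the registry is its binding from account to key, which is the "superset" the post describes. The domain tag is the defensive answer to the post's first point: the key can serve both authentication and agreement only if the two uses can never produce interchangeable signatures.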
