Re: Uncrackable beams of light
At toorcon this year there will be a talk on quantum cryptography along with a demonstration of some experimental quantum crypto hardware on loan from a company in Switzerland. Also, there's going to be a really good keynote talk by Bruce Schneier of Counterpane and quite a few others that look pretty promising (Robert X. Cringely, Cory Doctorow, Seth Hardy, etc.). Check out http://www.toorcon.org for more details ;-).

-h1kari

On Tuesday, Sep 9, 2003, at 19:09 US/Pacific, R. A. Hettinga wrote:

http://www.economist.com/science/tq/PrinterFriendly.cfm?Story_ID=2020013

The Economist
MONITOR
Uncrackable beams of light
Sep 4th 2003
From The Economist print edition

Quantum cryptography, hailed by theoreticians as the ultimate of uncrackable codes, is finally going commercial.

IN THE 1992 film "Sneakers", the ostensible research topic of one of the main characters was something called "setec astronomy". This was an anagram of the words "too many secrets". The research was supposed to be about developing a method for decoding all existing encryption codes. Well, if that were ever the case, it certainly isn't any more, thanks to a start-up in Somerville, Massachusetts, called MagiQ. MagiQ is in the final stages of testing a system for quantum cryptography, which it plans to release commercially within the next few months. Encryption engineers have long waxed lyrical about quantum cryptography, but this is among the very first commercial implementations. The advantage of quantum cryptography schemes is that the codes they generate are simply not, even in theory, breakable.

The scheme devised by MagiQ, called Navajo, does not use quantum effects to transmit the secret data. Instead, it is the keys used to encrypt the data that rely on quantum theory. If these keys are changed frequently (up to 1,000 times a second in Navajo's case), the risk that an eavesdropper without the key would be able to decrypt the data can be proved mathematically to be zero.
Of course, given the key, the task would become a trivial one. Navajo transmits the changing key sequence over a secure fibre-optic link as a stream of polarised photons (indivisible particles of light). Because the polarisation reflects the amount of electro-magnetic radiation allowed to radiate at an angle to a light beam's direction, it can be considered to be a measure of the angular dependence of the light. Should an eavesdropper tap into the secure fibre-optic line, he would disrupt this stream of polarised photons by the very act of observing them, and the tampering could be instantly detected. By changing the key frequently, Navajo could turn an off-the-shelf encryption scheme such as AES (Advanced Encryption System) into something that was essentially uncrackable.

As in all good encryption schemes, Navajo employs an element of redundancy. The sender has two random-number generators. The first is used to generate a random stream of zeros and ones, part of which will form the key. The second random-number generator chooses which "polarisation basis" the sender will use to transmit a given bit of the key. The sender uses two different polarisation bases, which are at right-angles to one another. Only by measuring in the correct polarisation basis can a receiver see which bit was sent; otherwise the result is meaningless. For each bit, the receiver arbitrarily chooses which polarisation basis to use. The sender and receiver then talk over an open channel and find out which bits they measured using the same basis. These bits (about half of the total) then constitute the key. If someone has been eavesdropping, some of these bits will have been disrupted. In that case the receiver will be unable to decode the message, and will thus conclude that someone is listening in.

This much is standard quantum cryptography. What is harder is building the hardware that can do it quickly and cheaply enough to be commercially viable.
MagiQ is in a race with a Swiss company called ID Quantique to be the first to do so, and currently appears to be in the lead. Of course, if the quantum signal could be transmitted wirelessly, it would liberate users from the cost and constraints of a fibre-optic line. Bob Gelfond, MagiQ's founder and chief executive, is coy about the possibility. He admits that his firm is working on the idea, but is not saying anything at the moment.

For the time being, Navajo requires a dedicated fibre-optic link, which only large corporations or governments are likely to have. And it currently works only at distances of up to 50 kilometres. Any longer than that and random interference degrades the stream of photons and makes them unusable. But within these constraints, Navajo is fairly cheap. MagiQ plans to sell it for $50,000 a set. Given the glut of unused optical fibre buried beneath the streets of the world, MagiQ is optimistic about Navajo's prospects.

Andrew
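A simulation of the basis-sifting and eavesdropper-detection steps the article describes, added here as an illustration and not code from the article or from MagiQ. The photon model, the intercept-resend eavesdropper, the two-basis naming and the seeded RNG are constructed assumptions of this demo.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate polarisation bases (assumed names)

def send_photon(bit, basis):
    """Sender encodes one key bit as a photon polarised in the chosen basis."""
    return (basis, bit)

def measure_photon(photon, basis, rng):
    """Measuring in the matching basis returns the encoded bit; a mismatched
    basis collapses the state and yields a random, meaningless bit."""
    sent_basis, bit = photon
    if sent_basis == basis:
        return bit
    return rng.randint(0, 1)

def run_bb84(n_photons, eavesdrop, seed=0):
    """Return (sender_key, receiver_key) after public sifting.
    With eavesdrop=True an intercept-resend tap measures every photon in a
    random basis and re-emits what it saw, disturbing about a quarter of
    the sifted bits, which is what the receiver's error check detects."""
    rng = random.Random(seed)
    sender_bits = [rng.randint(0, 1) for _ in range(n_photons)]   # first RNG
    sender_bases = [rng.randint(0, 1) for _ in range(n_photons)]  # second RNG
    receiver_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    sender_key, receiver_key = [], []
    for bit, s_basis, r_basis in zip(sender_bits, sender_bases, receiver_bases):
        photon = send_photon(bit, s_basis)
        if eavesdrop:
            e_basis = rng.randint(0, 1)
            photon = send_photon(measure_photon(photon, e_basis, rng), e_basis)
        received = measure_photon(photon, r_basis, rng)
        # Sifting over the open channel: keep only positions where bases agreed.
        if s_basis == r_basis:
            sender_key.append(bit)
            receiver_key.append(received)
    return sender_key, receiver_key

def error_rate(sender_key, receiver_key):
    """Fraction of sifted bits that disagree (compared over the open channel)."""
    mismatches = sum(a != b for a, b in zip(sender_key, receiver_key))
    return mismatches / len(sender_key)
```

Roughly half the photons survive sifting, the two keys agree exactly without a tap, and a tap pushes the error rate to about 25%.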
Re: Code breakers crack GSM cellphone encryption/GNU Radio
Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the Radio Shack (tm) GSM scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers.

Not if they can type GNURadio into Google.

Eric Blossom of GNU Radio visited Europe one month ago. Some radio enthusiasts in the Netherlands were interested in the GNU Radio project. So I asked Eric if it was OK to make a video for them. The resulting two video clips are online (in MPG / VCD quality):

GNU-radio_intro.mpg and GNU-radio_Q_and_A.mpg

A zip containing these two video files can be found at: http://diorella.boppelans.net/gnu-radio.zip (108 Mb)

Enjoy, and feel free to mirror / distribute them ...

With regards,
Barry Wels.

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: fyi: bear/enforcer open-source TCPA project
You propose to put a key into a physical device and give it to the public, and expect that they will never recover the key from it? Seems unwise.

You think the public can crack FIPS devices? This is mass-market, not govt-level attackers. Second, if the key's in hardware you *know* it's been stolen. You don't know that for software.

/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Re: fyi: bear/enforcer open-source TCPA project
Rich Salz [EMAIL PROTECTED] writes:

Second, if the key's in hardware you *know* it's been stolen. You don't know that for software.

Only for some definitions of stolen. A key held in a smart card that does absolutely everything the untrusted PC it's connected to tells it to is only marginally more secure than a key held in software on said PC, even though you can only steal one of the two without physical access. To put it another way, a lot of the time you don't need to actually steal a key to cause damage - it doesn't matter whether a fraudulent withdrawal is signed on my PC with a stolen key or on your PC with a smart card controlled by a trojan horse, all that matters is that the transaction is signed somewhere.

Peter.
RE: fyi: bear/enforcer open-source TCPA project
There are roughly 1B GSM/3GPP/3GPP2 SIMs in daily use and the number of keys extracted from them is diminishingly small.

-----Original Message-----
From: bear [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 11, 2003 3:43 AM
To: Sean Smith
Cc: [EMAIL PROTECTED]
Subject: Re: fyi: bear/enforcer open-source TCPA project

On Wed, 10 Sep 2003, Sean Smith wrote:

So this doesn't work unless you put a speed limit on CPU's, and that's ridiculous.

Go read about the 4758. CPU speed won't help unless you can crack 2048-bit RSA, or figure out a way around the physical security, or find a flaw in the application.

You propose to put a key into a physical device and give it to the public, and expect that they will never recover the key from it? Seems unwise.

Bear
Re: fyi: bear/enforcer open-source TCPA project
Thus spake Rich Salz ([EMAIL PROTECTED]) [11/09/03 08:51]:

You propose to put a key into a physical device and give it to the public, and expect that they will never recover the key from it? Seems unwise.

You think the public can crack FIPS devices? This is mass-market, not govt-level attackers.

And 'the public' doesn't include people like government level attackers? People like cryptography experts? People who like to play with things like this? 'The public' only includes the sheeple, and nobody else?
is secure hardware worth it? (Was: Re: fyi: bear/enforcer open-source TCPA project)
Just to clarify... I'm NOT saying that any particular piece of secure hardware can never be broken. Steve Weingart (the hw security guy for the 4758) used to insist that there was no such thing as tamper-proof. On the HW level, all you can do is talk about what defenses you tried, what attacks you anticipated, and what tests you tried.

What I am saying is that using secure coprocessors---defined loosely, to encompass this entire family of tokens---can be a useful tool. Whether one should use this tool in any given context depends on the context. Are there better alternatives that don't require the assumption of physical security? How much flexibility and efficiency do you sacrifice if you go with one of these alternatives? How dedicated is the adversary? What happens if a few boxes get opened? How much money do you want to pay for a device?

Some cases in point: it's not too hard to find folks who've chosen a fairly weak point on the physical security/cost tradeoff, but still somehow manage to make a profit.

Of course this all still leaves unaddressed the fun research questions of how to build effective coprocessors, and how to design and build applications that successfully exploit this security foundation. (Which is some of what I've been looking into the last few years.)

--Sean
--
Sean W. Smith, Ph.D. [EMAIL PROTECTED]
http://www.cs.dartmouth.edu/~sws/ (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA
A precis of the new attacks against GSM encryption
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009856.html

[Full-Disclosure] A precis of the new attacks against GSM encryption (fwd)
Lukasz Luzar [EMAIL PROTECTED]
Thu, 11 Sep 2003 10:21:33 +0200 (CEST)

An interesting summary about recent attacks against GSM.

--
Lukasz Luzar
http://Developers.of.PL/
Crede quod habes, et habes [[ http://galeria.luzar.pl/ ]]
/* paran01a 1s a v1rtu3 */

-- Forwarded message --
Date: Thu, 11 Sep 2003 09:13:02 +1000
From: Greg Rose [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: A precis of the new attacks against GSM encryption

I wrote up a longer version of this for Qualcomm's internal use, but thought this summary might be helpful to others.

regards,
Greg.

A precis of the new attacks on GSM encryption
Greg Rose, QUALCOMM Australia, 2003-09-10.

There's very little information in the various press releases about these attacks, but at the same time probably too much information in the actual paper. So I'm writing this to attempt a readable explanation of the attacks.

First, the paper itself: by Elad Barkan, Eli Biham and Nathan Keller of Technion in Haifa, Israel, "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications" appeared at Crypto 2003 in Santa Barbara about three weeks ago. It was another week or two before the press noticed it. The paper finally became available on the Web yesterday (2003-09-09) at http://cryptome.org/gsm-crack-bbk.pdf . Barkan is the principal author.

Background about GSM encryption

The GSM voice calls are encrypted using a family of algorithms collectively called A5. A5/0 is no encryption. A5/1 is the standard encryption algorithm, while A5/2 is the export (weakened) algorithm. A5/3 is a new algorithm based on the UMTS/WCDMA algorithm Kasumi.
While one of the attacks below manages to walk around A5/3, there is no attack against it directly. GPRS encryption is done with a different family of algorithms: GEA0 (none), GEA1 (export), GEA2 (normal strength) and GEA3 (new, and effectively the same as A5/3). Note that the GEA1 and GEA2 algorithms do not have any relationship to the A5/1 and A5/2 algorithms, and they are not publicly known. There are no problems with any of these in the open literature.

All of these algorithms use a 64-bit key derived from a common mechanism: the mobile receives a random challenge, then the SIM card (a smartcard used to keep the subscriber's master key secret) calculates an authentication signature and an encryption key. The key calculated does *not* depend on what algorithm it is destined to be used with.

The encryption is done using a stream cipher, that is, the encryption algorithm takes the secret key and a frame number, and generates a pseudo-random stream of bits (keystream) that are XORed with the input to encrypt it, or are XORed with the received bits to decrypt them. Thus, the bits are effectively encrypted independently of one another.

The encryption is done *after* coding for error correction. The coding introduces known linear relationships between the bits to be encrypted; so even though the attacker might not know the values of particular input bits, they know that certain groups of them XOR to 0. So, taking the same groups of encrypted bits and XORing them reveals the corresponding XOR of the keystream bits. This is the fundamental problem that allows the attacks to work without any knowledge at all of what is being encrypted, which is what they mean by "ciphertext only". This is a very new result.

The attacks:

There are effectively three different attacks discussed in the paper. The fundamental attack is against A5/2.
By doing a one-time precomputation and storing the results on a decent-sized disk, you can now intercept 4 frames of A5/2 encrypted voice, which yields enough known linear relationships in the keystream to look up the key. The attack is almost instantaneous, and requires only milliseconds of encrypted voice. This is a passive attack, requiring only eavesdropping, and no-one can tell that it has been done. Once the key has been recovered, it can be used to decrypt the actual frames in both directions.

The second attack uses the fact that the first attack is so fast to interfere with the GSM protocol. This is an active attack, meaning the attacker has to be able to interfere with the communication. (More detail about the active attacks below.) In practice, this means they would need something pretending to be a base station, but such attacks have happened in the past. Commercially available test equipment can do it, and really it's not much more than two cellphones back-to-back. Basically, even though the
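The coding-before-encryption problem Greg describes, worked through as an added example that is not from the paper or from his write-up. A toy even-parity code stands in for GSM's error-correcting code and a SHA-256 counter generator stands in for A5; both are assumptions of the demo, as are the two sample frames. The block also shows the ordering that does not leak keystream parities, encrypting before coding.

```python
import hashlib

# Two constructed 56-bit "voice frames" (7 data bits per code block).
MSG_A = [i % 2 for i in range(56)]
MSG_B = [(i // 3) % 2 for i in range(56)]

def keystream(key, frame, nbits):
    """Stand-in stream cipher keyed by (key, frame number). SHA-256 in counter
    mode is an assumption of this demo: it is not A5/1 or A5/2, it only
    mimics their interface of key + frame number -> pseudo-random bits."""
    bits, ctr = [], 0
    while len(bits) < nbits:
        blk = hashlib.sha256(key + frame.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        bits.extend((b >> i) & 1 for b in blk for i in range(8))
        ctr += 1
    return bits[:nbits]

def parity_encode(bits, k=7):
    """Toy linear code: append an even-parity bit to every k data bits, so
    every 8-bit code block XORs to 0 (the 'known linear relationship')."""
    coded = []
    for i in range(0, len(bits), k):
        block = bits[i:i + k]
        coded.extend(block + [sum(block) % 2])
    return coded

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def code_then_encrypt(msg, key, frame):
    """GSM ordering: error-correction coding first, then keystream XOR."""
    coded = parity_encode(msg)
    return xor(coded, keystream(key, frame, len(coded)))

def encrypt_then_code(msg, key, frame):
    """Alternative ordering: keystream XOR first, then coding."""
    return parity_encode(xor(msg, keystream(key, frame, len(msg))))

def block_parities(bits, n=8):
    """XOR of each n-bit block; computable from the ciphertext alone."""
    return [sum(bits[i:i + n]) % 2 for i in range(0, len(bits), n)]

def leak_demo(key=b"constructed-demo-key", frame=42):
    """Compare what ciphertext parities reveal under each ordering."""
    ks_parities = block_parities(keystream(key, frame, 64))
    leaked = [block_parities(code_then_encrypt(m, key, frame)) for m in (MSG_A, MSG_B)]
    hidden = [block_parities(encrypt_then_code(m, key, frame)) for m in (MSG_A, MSG_B)]
    return {"keystream_parities": ks_parities,
            "code_then_encrypt_leaks_keystream": all(p == ks_parities for p in leaked),
            "encrypt_then_code_reveals_nothing": all(all(b == 0 for b in p) for p in hidden)}
```

With coding first, the parity of every ciphertext block equals the parity of the keystream block whatever the frame contained; with encryption first, every block parity is 0 and says nothing about the keystream.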
[Lucrative-L] ponderance of the day
--- begin forwarded text

Status: U
From: Patrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Lucrative-L] ponderance of the day
Date: Thu, 11 Sep 2003 20:22:17 -0600
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Question: What kind of filter do you use in your Java pot?
Answer: A Bloom filter.

Lucrative is in SourceForge, awaiting use by anyone clever enough to seize it. In the meantime, I am putting a lot of effort into finding permanent employment, so updates are coming quite slowly. Anyone who wants quicker action on Lucrative--the source is out there.

Lucratively,
Patrick

The Lucrative Project: http://lucrative.thirdhost.com

To subscribe or unsubscribe from this discussion list, write to [EMAIL PROTECTED] with just the word unsubscribe in the message body (or, of course, subscribe)

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'