Re: Stefan Brands' secret-key certificates

1999-10-29 Thread Anonymous

Anonymous writes:

> A secret key certificate appears to be conceptually similar to a blind
> signature (aka blind certificate).  It seems possible that the distinction
> is motivated by patent issues as much as by technological ones.

This is not quite right, although the concepts are related.

A secret key certificate is a cryptographic signature on a public key
which can only be verified by the use of the corresponding secret key
(it also requires the use of the signer's public key, of course).

Alice certifies Bob's public key using a secret key certificate.  The
resulting CERT value can only be verified with Bob's cooperation.
Bob has to use his secret key, and then a third party can verify that
CERT was in fact issued by Alice.

This is unlike public key certificates, where a third party can verify
the certification using only the public key value.

By themselves, secret key certificates offer only modest benefits over
public key certificates, the main one being that they are existentially
forgeable, that is, that given a public key anyone can construct a CERT
which is indistinguishable from a valid one.  Hence knowing a list of
public keys and corresponding CERT values gives no advantages in trying
to break the underlying cryptosystem.

Where they really shine is when you deal with blind issuing of secret key
certificates.  Brands develops efficient cash and credential systems using
restrictive blinding of secret key certificates.  The signer does not know
the secret or public keys that he is signing, but he can be assured that
certain predicates are true relating to them.

The patent issue comes into play because a secret-key certificate,
whether issued blindly or not, is arguably not a digital signature.
The reason is that there is no verification relation that can be run
by a third party.  Only if the signature holder cooperates can the CERT
be verified.  This is unlike regular digital signatures, and hence secret
key certificates can be distinguished from digital signatures.

If secret key certs are not digital signatures, then a blind issuing
algorithm is not a blind signature algorithm.  Hence systems built on
this technology do not use blind signatures as defined in Chaum's patent
#4947430 on the subject.
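The point above (the public relation is checkable by anyone yet worthless on its own, because anyone can manufacture a passing triple for a fresh public key; what a relying party needs in addition is the holder proving knowledge of the matching secret key, and only the certifier can arrange both) is easiest to see with numbers. What follows is an added toy example, not code from the post or from Brands; it uses a Schnorr-style relation c = H(h, g^r (h0 h)^c) chosen to exhibit exactly the properties described, with deliberately tiny group parameters (p = 2039, q = 1019, g = 4) and a plain SHA-256 hash, all of which are assumptions for illustration rather than Brands' published parameters. Alice plays the certifying party, Bob the key holder.

```python
import hashlib
import secrets

# Toy group: p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
# ASSUMPTION: sizes chosen for readability only; real parameters need a large p.
P = 2039
Q = 1019
G = 4


def H(*parts: int) -> int:
    """Hash integers to a 256-bit challenge; stands in for the scheme's hash.
    A value that is 0 mod q would vanish in the exponent, so nudge it (toy only)."""
    data = b"|".join(str(x).encode() for x in parts)
    e = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return e + 1 if e % Q == 0 else e


def rand_exp() -> int:
    """Uniform nonzero exponent in Z_q."""
    return secrets.randbelow(Q - 1) + 1


def ca_keygen():
    """Alice (the certifying party): secret x0, public h0 = g^x0."""
    x0 = rand_exp()
    return x0, pow(G, x0, P)


def issue_certified_key(x0, h0):
    """Alice generates Bob's key pair (x, h = g^x) and certifies h.
    The certificate (c, r) is a Schnorr-type signature on h made with the
    combined exponent x0 + x, whose public counterpart is h0 * h."""
    x = rand_exp()
    h = pow(G, x, P)
    w = rand_exp()
    c = H(h, pow(G, w, P))
    r = (w - (x0 + x) * c) % Q
    return x, h, (c, r)


def relation_holds(h0, h, cert):
    """The public relation c == H(h, g^r * (h0*h)^c). Anyone can check it,
    but by itself it proves nothing (see forge below)."""
    c, r = cert
    a = pow(G, r, P) * pow(h0 * h % P, c, P) % P
    return c == H(h, a)


def forge(h0):
    """Existential forgery without Alice: pick w, set h = g^w / h0 so that
    h0*h = g^w, then sign with w. The forger cannot compute log_g h = w - x0,
    so this 'certified' public key comes with no usable secret key."""
    w = rand_exp()
    h = pow(G, w, P) * pow(h0, Q - 1, P) % P   # h0^(q-1) = h0^-1 in the order-q subgroup
    s = rand_exp()
    c = H(h, pow(G, s, P))
    r = (s - w * c) % Q
    return w, h, (c, r)


def schnorr_sign(x, h, msg):
    """Bob's part of 'verifying' the CERT: demonstrate knowledge of x for h."""
    k = rand_exp()
    e = H(h, msg, pow(G, k, P))
    return e, (k - x * e) % Q


def schnorr_verify(h, msg, sig):
    e, s = sig
    return e == H(h, msg, pow(G, s, P) * pow(h, e, P) % P)


def verify_certificate(h0, h, cert, msg, sig):
    """What a third party actually relies on: the relation plus evidence that
    the presenter knows log_g h. Producing both requires Alice's x0."""
    return relation_holds(h0, h, cert) and schnorr_verify(h, msg, sig)


def demo():
    """Run the honest and forged paths; returns intermediate values for inspection."""
    x0, h0 = ca_keygen()
    x, h, cert = issue_certified_key(x0, h0)
    challenge = rand_exp()                      # a verifier-supplied nonce
    w, fh, fcert = forge(h0)
    return {
        "x0": x0, "h0": h0, "w": w, "forged_h": fh,
        "honest_relation": relation_holds(h0, h, cert),
        "honest_full": verify_certificate(h0, h, cert, challenge, schnorr_sign(x, h, challenge)),
        "forged_relation": relation_holds(h0, fh, fcert),
        # the forger's only known exponent is w; the true key is w - x0, so this fails
        "forged_full": verify_certificate(h0, fh, fcert, challenge, schnorr_sign(w, fh, challenge)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and both `honest_relation` and `forged_relation` come back true: a list of (public key, CERT) pairs really is something anyone could have written down, which is the "existential forgeability" the post mentions. Only `honest_full` is true, because the forged key's secret exponent is w - x0 and the forger has no x0. That is the sense in which the CERT "can only be verified with Bob's cooperation": the checkable relation is public, but it only means something once the holder shows he knows the secret key.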



Re: 56 Bits?????

1999-10-29 Thread Robert Hettinga


--- begin forwarded text


Subject: Re: 56 Bits?
Date: Thu, 28 Oct 1999 21:13:31 -0700
From: Mark Talbot <[EMAIL PROTECTED]>
To: "Thomas Weyer" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>

[EMAIL PROTECTED] wrote:

>At 4:47 PM -0700 10/28/99, Mark Talbot wrote:
>>
>>My problem with this statement is that it's misleading and this seems to
>>be Apple's official policy as well. On the Apple website they have some
>>pages extolling the virtues of their wondrous new OS. The page describing
>>the new encryption feature 
>>contains the sentence "So even if someone manages to slip into your
>>office physically (when you're on a coffee break, say) and steals
>>sensitive files that you've encrypted, they can't read what's in them."
>>This is essentially bullshit. If someone gains physical access to "your
>>mother's iMac" with the purpose of stealing sensitive files they're going
>>to ignore the "industrial-strength" encrypted file and simply use
>>Norton's UnErase to recover the unencrypted original which is not
>>securely deleted.
>
>Actually I have ALWAYS said if you don't have physical security then
>you really have no security.  If I can get to your machine I can
>replace your PGP libs with ones of my own that I compiled that leak
>key data.  I can also install a hack to do key recording, the list
>continues.  I did not write the Marketing piece however we ALL know a
>marketing piece when we see one, and that's what that is.  I agree
>that it could provide a false sense of security to a very naive user
>and should have been worded better, however I feel the statement
>should be physical security is where security STARTS.   Then we
>add all what we have done this to it...

I agree that if physical access can be gained to a machine by an
adversary there is a bunch of things that can be done to compromise it.
It seems to me though that when Apple adds an encryption feature to the
OS it should take more than a twelve-year-old with a copy of Norton's
Utilities to recover and read the original file.

I know that this was a marketing piece & never thought you had anything
to do with it.

I bet if you took a poll of iMac users you'd find that the great majority
of them think that once they've encrypted a file with
"industrial-strength" encryption from the File menu it's encrypted and
only the password (or NSA supercomputers) will restore it. This should
hardly be considered unreasonable (or even particularly naive) on their
part.

Apple could have avoided this problem by securely deleting the original
file (it should at least be an option & turned on by default). That this
wasn't done is a severe design flaw in my opinion.

>>As to users having a path to eventually get to strong crypto "if allowed
>>by law": I live in the US and can use crypto of whatever strength I wish.
>>A company may provide to me crypto of whatever strength they wish. It
>>would seem to follow that if Apple is only providing weak crypto in the
>>products it is offering to sell me (AirPort, OS9) then this is a choice
>>that *Apple* has made. It would seem to be a relatively simple matter for
>>Apple to offer strong crypto domestically & weak crypto everywhere else;
>>Netscape and Microsoft already do this with their browsers.
>>
>
>I just 2 days ago asked to have the status of the strong crypto
>version looked into.  We had been building 2 versions of every build
>(one exportable the other domestic) however we never seem to have
>built a domestic GM.  The first step is to get a final copy/GM
>built, then worry about how to distribute where allowed by law.
>Apple has in numerous forms (Myself, Mike, Peter Lowe, etc),
>committed to shipping this where allowed, just realize that it takes
>a big company longer to churn this out of its process than it would
>a small company.  I expect as we have a concrete plan this list will
>be one of the first groups to know.

AirPort - weak crypto. Mac OS 9 - weak crypto. I know it's early but this
is starting to look distressingly like a corporate policy.

MST

--- end forwarded text


-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: DEA says drug smugglers used crypto & Net but cops got around it

1999-10-29 Thread Bjørn Remseth

In-Reply-To: John Gilmore, Fri, 29 Oct 1999
Organization: Yes Interactive AS

> Years of work in standards committees and years of technical work can
> all go for naught, when those responsible for operating the service are
> untrustworthy.  End-to-end encryption is your friend; it needs to get
> designed into some cellphones.

The Norwegian defense forces have designed a GSM phone with end-to-end
encryption.  It uses the proprietary NSK chip and the secret NSK algorithm,
and will not be available for the general public, only for the generals and
their friends :)  

The design looks sound enough though, and the phone also looks nice (the
producer is the Swedish company "Sectra": http://www.sectra.se/).

(Rmz)



Re: 56 Bits?????

1999-10-29 Thread mgraffam

On Fri, 29 Oct 1999, Dan Geer wrote:

> Me, I'll use/buy the bloody best I
> can, but I will rest vastly easier when even middling
> encryption is a pervasive reality, i.e., when everybody's
> mother is using 56 bits my 128 bit super-encryption will
> be just as secure but much less likely to garner unwanted
> attention from people I can never outspend.

If, by the time everybody's mother is using crypto, we are
still hitting a 56-bit barrier then not only will the "dark
side" have won, they'll be in the process of making us
look damn stupid. 

Our goal: 256-bit crypto, worldwide, NOW!
Their goal: 256-bit PK crypto, worldwide, yesterday!

Unfortunately, grandma is going to have a hard time telling
which of these actually help her. Of course, she doesn't
have to worry: her Uncle Sammy has taken care of her
SO WELL thus far. 

Michael J. Graffam ([EMAIL PROTECTED])
Be a munitions trafficker: http://www.dcs.ex.ac.uk/~aba/rsa/rsa-keygen.html

#!/bin/perl -sp0777i


Re: DEA says drug smugglers used crypto & Net but cops got around it

1999-10-29 Thread John Gilmore

> In the US, the different cellphone standards support different crypto,
> and some cell companies or cell sites don't use it.

So far I have *never* found a US TDMA cellphone site that supports
encryption.  I have it enabled in my Nokia phone, and every time I make a
call, it beeps at me to tell me "voice privacy not available".

I use an AT&T Digital One phone.  Matt Blaze spent a year finding the
right guy inside AT&T who's responsible for this utter abomination.
He was unable to get him to change it, and eventually gave up.  I
think we c'punks should try.

Note well the danger of having "optional" encryption in a major
protocol.  I don't just mean protocols that let the user turn it on or
off.  I mean protocols where there's a maintenance mode that turns it
off "briefly, for the duration".  Telcos are so used to being under
NSA's and FCC's thumb that they will turn off customer privacy
permanently, without even being told to.

Years of work in standards committees and years of technical work can
all go for naught, when those responsible for operating the service are
untrustworthy.  End-to-end encryption is your friend; it needs to get
designed into some cellphones.

John



Re: 56 Bits?????

1999-10-29 Thread Dan Geer


[a] >A 56-bit key of any algorithm, on any modern production machine
>is, as far as I can tell, absolutely unconscionable.

[b] >.. It would seem to be a relatively simple
>matter for Apple to offer strong crypto domestically & weak
>crypto everywhere else; Netscape and Microsoft already do this
>with their browsers.

Well, folks, on any other day the more hypergraphic
cross-posters to/on/at these lists would be vigorously
damning the regulatory necessity of American versions
different from non-American versions as proof of the dark
side's impending triumph.  It is so ironic to contemplate
damning a vendor for making you a citizen of the world.

As much as I am myself a devout believer in crypto privacy
verging on crypto anarchy, I suggest that "we" are
seriously in danger of making the best the enemy of the
good when we delude ourselves that first rate crypto can
trivially appear in any mass market consumer gizmo
commoditized to a faretheewell.  Speaking with all the
wisdom I can distill from my own security career in the
real world of competing demands and distracted management
chains, keeping honest people honest is a palpably high
goal, perhaps the highest goal for which you can build a
mass market product.  Me, I'll use/buy the bloody best I
can, but I will rest vastly easier when even middling
encryption is a pervasive reality, i.e., when everybody's
mother is using 56 bits my 128 bit super-encryption will
be just as secure but much less likely to garner unwanted
attention from people I can never outspend.

In the meantime, buy-side companies driven by "prudent
man" risk management are not now nor will they ever be as
paranoid as we here are, and per the iron whim of the
market it is their dollars that rule.

--dan

-
Learn to be invisible




Re: 56 Bits?????

1999-10-29 Thread Robert Hettinga


--- begin forwarded text


Subject: Re: 56 Bits?
Date: Thu, 28 Oct 1999 16:47:13 -0700
From: Mark Talbot <[EMAIL PROTECTED]>
To: "Thomas Weyer" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>

[EMAIL PROTECTED] wrote:

[SNIP]

>Now a statement on Apple Data Security.  I take my Apple badge off
>for a moment.  Personal opinions follow.  Feel free to attack
>PERSONALLY if you need but what follows is only MY opinion, NOT a
>statement from Apple.
>
>When one tries to do EVERYTHING one tends to accomplish little.
>While the current implementation of Apple Data Security does not
>deliver EVERYTHING that EVERYONE wants, it as I have told MANY people
>accomplishes my primary goal. It makes your mother's iMac more secure.
>It is NOT intended to REPLACE PGP.  I don't think it's what many of
>the "propeller-heads" on this list will use, however WE ARE a
>minority.  What it focuses on is making things more secure without
>adding much in the way of complexity for 80% of our users, MOST of
>which used NOTHING before.  If it moves the bar up for them, provides
>a way to add additional functionality, and can easily move to strong
>crypto if allowed by law how could anyone call it less than a success.

[SNIP]

My problem with this statement is that it's misleading and this seems to
be Apple's official policy as well. On the Apple website they have some
pages extolling the virtues of their wondrous new OS. The page describing
the new encryption feature 
contains the sentence "So even if someone manages to slip into your
office physically (when you're on a coffee break, say) and steals
sensitive files that you've encrypted, they can't read what's in them."
This is essentially bullshit. If someone gains physical access to "your
mother's iMac" with the purpose of stealing sensitive files they're going
to ignore the "industrial-strength" encrypted file and simply use
Norton's UnErase to recover the unencrypted original which is not
securely deleted. Apple has created a feature whose implementation is
is worse than merely clueless. It's actually *dangerous* in that a lot of
people who don't know any better are going to use this to encrypt
sensitive information and never realize (unless they find out the hard
way) that the data is still there on the drive.

As to users having a path to eventually get to strong crypto "if allowed
by law": I live in the US and can use crypto of whatever strength I wish.
A company may provide to me crypto of whatever strength they wish. It
would seem to follow that if Apple is only providing weak crypto in the
products it is offering to sell me (AirPort, OS9) then this is a choice
that *Apple* has made. It would seem to be a relatively simple matter for
Apple to offer strong crypto domestically & weak crypto everywhere else;
Netscape and Microsoft already do this with their browsers.

MST

--- end forwarded text

