Re: IBM press release - encryption and authentication

2000-12-14 Thread Nikita Borisov

In article <010801c064d0$b64193a0$6000a8c0@em>,
Enzo Michelangeli <[EMAIL PROTECTED]> wrote:
>Apart from the parallelization-friendliness, wouldn't the same result be
>achieved by encrypting the concatenation of the plaintext with a MAC
>implemented through a fast error detection code (say, a sufficiently long
>CRC)? Due to the presence of encryption, the security properties of the
>inner MAC don't appear to really matter (as they would in the "DES-CBC
>first, then HMAC-MD5" scenario mentioned in the draft for comparison).

I may be misunderstanding what you are suggesting, but the construction
that uses an encrypted CRC as a MAC is insecure.  E.g. Stubblebine &
Gligor[1] show attacks on protocols which encrypt the concatenation of a
packet and a CRC-32 using DES-CBC.  The properties of the MAC, encrypted
or not, do appear to matter.

I think, though, that the "parallelization-friendliness" of the result
is much more interesting than being able to encrypt and MAC at the same
time.

- Nikita

[1] "On Message Security in Cryptographic Protocols", IEEE Symposium on
Security & Privacy, Oakland 1992.
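
Added example, not part of the original post and not a reproduction of the attacks in [1]: it shows one structural property of CRC-32 (it is affine over GF(2)) that a keyed MAC lacks, which is why the choice of inner check matters. The sample message, delta and key are constructed, and HMAC-SHA256 is an arbitrary keyed MAC chosen for contrast.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not from the thread).
MESSAGE = b"PAY 0000100 TO ACCOUNT 12345678"
DELTA = bytes(4) + b"\x00\x00\x00\x00\x08" + bytes(len(MESSAGE) - 9)
KEY = b"constructed-demo-key"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predicted_crc(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (message XOR delta), derived from the old CRC alone.

    For equal-length inputs: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros).
    No key and no knowledge of the message are involved.
    """
    zeros = bytes(len(delta))
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def crc_is_predictable(message: bytes, delta: bytes) -> bool:
    """True if the checksum of the modified message follows the affine rule."""
    actual = zlib.crc32(xor_bytes(message, delta))
    return actual == predicted_crc(zlib.crc32(message), delta)


def hmac_is_predictable(key: bytes, message: bytes, delta: bytes) -> bool:
    """Apply the same affine rule to HMAC tags; it should not hold."""
    def tag(data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    zeros = bytes(len(delta))
    guess = xor_bytes(xor_bytes(tag(message), tag(delta)), tag(zeros))
    return hmac.compare_digest(guess, tag(xor_bytes(message, delta)))


if __name__ == "__main__":
    print("CRC-32 follows the affine rule:", crc_is_predictable(MESSAGE, DELTA))
    print("HMAC follows the affine rule:  ", hmac_is_predictable(KEY, MESSAGE, DELTA))
```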




Re: UK Sunday Times: "Steal the face right off your head"

2000-12-14 Thread Jaap-Henk Hoepman


On Mon, 11 Dec 2000 15:28:23 + Ben Laurie <[EMAIL PROTECTED]> writes:
> "R. A. Hettinga" wrote:
> > One of the main forms of security to combat such criminals will be
> > biometrics: voice recognition and the scanning of fingerprints, irises and
> > face shapes to secure property. Siemens is expected to launch a fingerprint
> > phone within months.
> > 
> > In South Africa, where fingerprint security has been introduced at some
> > experimental prisons, inmates recently tried to cut off the hands of their
> > guards to enter protected gates.
> 
> What did I tell ya?
> 
> > 
> > Chris Charrington, a biometrics analyst at Frost & Sullivan, a market
> > consultancy, said new technology would mean dead fingers would no longer be
> > able to activate the technology.
> 
> Yeah, right. I urge (again) everyone to boycott all biometrics if they
> value their extremities.

It's worth pointing out that there are biometrical experts who claim that
fingerprinting is insecure for the following reasons:

1. people leave their fingerprints all over the place, and

2. a skilled person with the right equipment (for example a dental technician
   who makes fake teeth) can make a fake copy of such a fingerprint that will be
   accepted with all current devices

According to these experts, any method for detecting gloves, dead fingers
etc. cannot be made very reliable because the variation of the physical
properties whose measurement these systems rely on is very large. Increasing
the reliability would also increase the false rejection ratio, making the
systems unusable.

There's a paper on this in CARDIS '2000 of last September.

Jaap-Henk


-- 
Jaap-Henk Hoepman | Come sail your ships around me
Dept. of Computer Science | And burn these bridges down
University of Twente  |   Nick Cave - "Ship Song"
Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF