Re: copy protection

2000-12-24 Thread Eugene . Leitl

Lenny Foner wrote:
 
 But the world is -different- now.
 
 The DMCA exists, and its anticircumvention language will be used as
 a bludgeon to sue and perhaps even lock up people who do anything to
 bypass the crypto in the disk.  Thus, a purely technical solution

This assumes I own the disk. Why should I be so stupid as to pay
for my own bondage tools, not even being kinky? As long as there are 
alternatives? Don't tell me I can't find a crypto-free mass storage 
vendor. Especially, since they have to pay *royalties* for putting it 
in. IBM does make fine drives, I'll be sad to buy Maxtor's. My heart
is bleeding, honestly. Can't say anything about Intel, never bought 
their silicon. Toshiba, either. The fourth one in the quartumvirate 
I forgot, so it can't be all that important. Dust in the wind.

 can't be deployed in any way that really helps a large number of
 people---it can't be put into Linux, for example, if the CSS cases

Why? Anything The Man can do about Freenet, or MojoNation? Especially,
if the successors of it are indistinguishable from an SSL browser
session? No one can pull the plug on the Net now, and we're faster
than the countermeasures.

 are won by the DVDCCA, and no commercial vendor will risk it, either.

The worse for the commercial vendors. I can get my Debian off the
net just fine, thanks.

 Remember also that in the case of DeCSS, the original creator wasn't
 even in a region that is subject to US law!  At least, in theory...

Right, in theory. Unenforcible laws are not worth the dead tree they're 
printed on. In fact, any unenforcible laws make immature me violate 
them as frequently as possible, just because I can, and not supposed to, 
and no one can do anything about it. Kinda makes one look stupid for
concocting the law in the first place.
 
 So -if-, by some happenstance, commercial vendors somehow manage to
 convince themselves and their customers that this is somehow a better
 world, and their customers fail to vote with their feet (perhaps

Don't kid yourself. No one is that kind of stupid. If they indeed 
are, then it's not worth fighting for, anyway. Looks clearly win/win 
to me.

 because they are given no choice? there aren't -that- many hard disk
 vendors these days), technical workarounds will be litigation targets.

The more pressing the need for open hardware, and putting the means
of production on people's desks. Less than a decade to wait, I'm 
betting.

-- 
__
 icbmto:N 48 10'07'' E 011 33'53''http://www.lrz.de/~ui22204 
ED 90 04 33 EB 74 E4 A9 53 7F CF F5 86 E7 62 9B 57 F9 CF D3




Re: /. Yahoo delivers encrypted email

2000-12-05 Thread Eugene . Leitl

Bram Cohen writes:

  To be fair, Yahoo handles so much mail that the CPU power necessary to
  start SSL sessions for all of them gets pretty expensive. They'll probably
  start doing end-to-end encryption when the prices of that drop lower,
  Moore's law and all that.

Of course, this assumes that secure mail will be a major hit amongst
Yahoo users. Somehow, I doubt it.




Lots of random numbers

2000-11-16 Thread Eugene . Leitl

Rich Salz writes:
  I'm putting together a system that might need to generate thousands of RSA
  keypairs per day, using OpenSSL on a "handful" of Linux machines.  What do
  folks think of the following: take one machine and dedicate it as an entropy
  source. After 'n' seconds turn the network card into promiscuous mode, scoop

Why don't you stick a sound card (the noisier, the better) into each
node, and dump /dev/dsp (LSB) input at max amplification into the
randomness pool?




And so it begins

2000-08-10 Thread Eugene Leitl


Only laptops, eh? Encrypted media are not mentioned, obviously. And
clearly every modern OS (IPsec, ssh, even Winders' weak encryption)
has "encryption capability".

Spytool Netscape, who would have thought.

Matt Crawford writes:
  This came third-hand, Sandia - DOE - me
  
"Per the Office of Diplomatic Security, Department of State,
Egypt, France and Russia have instituted the following:  Laptop computers
with encryption capability are considered "SPY TOOLS" and will be seized
or denied entry into the country."
   
 We understand that Kazakhstan has a similar position.
  
  "With encryption capability" sounds a little vague, but that's par
  for the course.
  
  There's also an old note on this subject wrt. Russia at
  http://travel.state.gov/gps.html.




Re: A proposal for secure videoconferencing and video messaging over the Internet

2000-07-26 Thread Eugene Leitl

James A. Donald writes:

  In real life situations where one wishes a conversation to be secure, are 
  people most commonly authenticated by true name, or by face.
 
We're mixing several unrelated items in one pot here. One thing is
authentication, the other is securety. Authentication is when Alice
can prove with a very high probability that the current transaction is
being conducted with Bob, while in the past Alice or a party Alice
trusts has already had dealings with Bob. This creates a machinery for
maintaining a private (but publicable) list of identities which can
build trust, which is clearly useful to distinguish defectors from the
good guys. To best of my knowledge, authentication can be currently
only conducted with one-time pads (too inconvenient for large groups
of people) or public key cryptography (where in principle you could
put meddling black boxes downstream of public key servers, and perform
transparent key substitutions on the fly, or just spoof the IP address
of the keyserver(s), or just hack the key server, or remotely
compromise the local machine you're using).

Above does not say anything about whether this transaction is in
cypher or clear.

Of course you would typically want to conduct the session via a block
cypher channel, exchanging session keys either via one time pad or a
public key protocol. 

Clearly, you can maintain a secure connection to an anonymous
party. Authentication and securety only touch shoulders when you're
trusting the public key server (and the local machine, and the network
in between) to give you the right public keys which match advertised
identity. It would be obviously a good idea to generate a small set of
public/private key pair for every key server (putting them in the
keyring of well known privacy packages as default), and authenticate
each session with the key server. Another good idea is to conduct
random consistency checks against a pair of keyservers each residing
in different countries by yourself (of course this would make both the
privacy packages and the packets travelling between you and the world
more opaque), or someone who is widely trusted.
 
Anyone knows whether this is being done?

  Think of every secure conversation you have had.  Did the participants know 
  your true name?




airport searches

2000-07-24 Thread Eugene Leitl

SteveC writes:
  At the risk of going against the tide, I would rather be in a country
  where they did search some percentage of the incoming passport holders
  belongings than one where they didn't.
 
They can search for things which can harm other people on the
flight. This involves plastique, weapons, hot isotopes, nerve agents
et al. I can hardly blow a hole in the hull with a DAT tape, can I?
 
  A combination of intelligence and criminalality does not happen that
  often, so criminals encrypting all their secret stuff is not of import to

Great, then why screening the file systems at entry, then? Moreover,
what precludes me from putting the encrypted stuff online on
http://www.netdrive.com/  Co., crossing the boundary empty-handed,
and then accessing the warez by ssh or SSL session, Echelon being none
the wiser? So why this hard drive searching farce, then? 

  me. What I do worry about is paying my taxes so people can walk in the
  country and claim benefit.
 
I was unaware that U.S. (judging from the traceroute on your domain)
grants financial support to steenkin furriners illegally entering
their borders. I was under the impression that even (and perhaps
especially) illegal immigrants had to work hard to keep their and
their families' bellies full.

As late FM2030 has so succintly put it, there are no illegal
immigrants, only irrelevant boundaries.

  Not that I am in favour of the RiP bill, it is terrible but in order to
  have some kind of democracy you have to protect it from other forms of
  government, terrorism and criminals. The best thing for us to do is

I have yet to see terrorists and criminals in an industrialized
country threatening to overthrow its democratic structure. If
anything, the resident goverments are the ones chipping away at it
(see U.K., Echelon and Carnivore for a few recent examples).

  promote tools like pgp or hushmail, so those who really do need free
  speech can get it.

PGP and hushmail do not grant free speech if you can track and filter
all Internet traffic at IP level. 

(Moreover, as a good German, you should have nothing to hide,
anyway. The thought police has been notified).




Re: UK searching traveler's disk drives for pornography (fwd)

2000-07-22 Thread Eugene Leitl

David Honig writes:

  Again, if they have the 'right' (as border agents) then the technical
  difficulty translates into a battle of wills.  A non-citizen would
  lose.  A citizen *might* have a case but might also spend a few 
  weeks in a Customs' hotel...

Essentially, this means a storage medium not immediately readable by
the customs (naked hard drives would certainly qualify) can be legally
confiscated, at least in theory (somehow, I think they'll have to be
pretty selective about it, as the screening alone will take too much
time).

I, also, would like to know how frequently this is being enforced in
practice.




RE: NSA back doors in encryption products

2000-05-25 Thread Eugene Leitl


From: "Minow, Martin" [EMAIL PROTECTED]

Jim Choate writes:

  Bull, the hardware companies aren't any more trustworthy.

I've been recommending the Dallas Semiconductor "iButton"
http://www.ibutton.com for secure storage. The Java version
also lets you implement your own on-chip algorithms so you
can implement time- and usage-limited encryption. The chip
has an on-board 1024 bit RSA engine and other useful features.

Also, the Dallas folk put a lot of effort into making the
iButton secure against a variety of physical attacks, including
power analysis, probing, and physical dissassembly (all code
is on battery backed-up SRAM). The iButton is FIPS-140 certified.

On the other hand, there is no way for a customer without
access to "national resources" to determine whether there is an
undocumented way around their protection mechanisms (such as
a hard-wired master password).  About all you can say is that,
if a back-door was discovered, the company would lose all
credibilty.

Is this good enough for all but the most paranoid?

Martin Minow
[EMAIL PROTECTED]




Re: GPS and cell phones

2000-05-11 Thread Eugene Leitl

Bill Stewart writes:
  That doesn't mean that the author isn't mixing up two concepts -
  GPS vs cell phone location by the phone system's signalling.
  GPS burns too much power to be used in typical cellphones -

I'd like to point out an emerging technology (based on digital pulse
radio, implementable in SiGe processes) which could create a very
low-power high-accuracy (cm range) realtime (multiple fixes/s) global
or local positioning system, using the cellphone handsets themselves,
and the base stations.

http://www.aetherwire.com/Aether_Wire/aether.html





Re: GPS integrity

2000-05-08 Thread Eugene Leitl


I presume the paper in question is 
http://www.cs.georgetown.edu/~denning/infosec/Grounding.txt

Ian BROWN writes:
  Dorothy Denning wrote an interesting paper on authenticating location using 
  GPS signals... I think it's reachable from her home page as well as the 
  following citation:
  
  D. E. Denning and P. F. MacDoran, "Location-Based Authentication: Grounding 
  Cyberspace for Better Security," Computer Fraud and Security, Feb. 1996
  
  Ian :)
  




Re: New York teen-ager win $100,000 with encryptionresearch(3/14/2000)

2000-03-16 Thread Eugene Leitl

Arnold G. Reinhold writes:

  I am not sure I understand the difference between "random" and 
  "pseudorandom" as you are using it here. In any case, I expect more 

There is no difference from an attacker's point of view. He can't tell
random from pseudorandom without extra knowledge. But he sure can tell
a high-entropy sequence from a segment encoding, say, a vanilla
transmembrane protein. Check out the genome of a real critter, a
standard model nematode C. elegans
http://elegans.swmed.edu/genome.shtml

Doesn't look exactly random, does it?

It would be interesting to analyse the genome from a cryptoanalyst's
point of view. Any takers?

  sensitive cryptoanalytic tools for DNA can be developed if the need 
  (and funding) arise.  For example,  has anyone done an n-tuple 
  frequency analysis on natural DNA? Probes targeting n-tuples that are 
  significantly less likely to occur in nature could be used to find 
  human generated DNA strings without total sequencing.  It might even 

Indeed. There are short subsequences which never or almost never occur
in biology. This is the reason why you need to camouflage/steganograph
as a biological sequence. Which, of course, dramatically reduces your
payload, if you want to stay below individual/species variability
threshold.

  The problem seems to be error rates. Here is what one DNA synthesis 
  company has to say:  http://www.alphadna.com/special.html#long 

Error-correction/redundant encoding.

  A mer (as in polymer) is a DNA base pair.  There are four 
  possibilities, so a mer encodes two bits. A 200-mer chain holds 400 
  bits. That's long enough to start thinking about packet technology. 
  You could use ECC to deal with the base errors, or just assume you 
  will have enough copies of each packet to do majority voting.
  
  Anyway, I expect Moore's law will apply here as it does in 
  electronics. Price per base might be a good number to chart over 

Sure, designer enzymes and palmtop sequencers will be the vogue. 

  time. I don't think that Moore's time constant is due to the peculiar 
  nature of semiconductors, but rather it is results from the 
  so-far-unlimited richness of the technology. DNA technology is just 
  as rich in possibilities as semiconductors. I think Moore's 18 months 

DNA is just a particular instance of molecular nanotechnology. There
is a very rich set of opportunities there, whether
solvated/biologically inspired or dry/machine phase. Even a partial
closure would make pretty useful things.

  is the limit as resources go to infinity of the time needed for 
  humans to understand the limitations of the last innovation and come 
  up with an approach to overcome them.

One of the bottlenecks of molecular manufacturing is a decent fully
interactive realtime molecular dynamics simulator, and another which
has enought quantum clue do reliably predict chemistry. We do have the 
hardware power for that already (at least in form of clusters), it is
really the question of writing the codes.
 
  You are right, of course, about density, but I'd be reluctant to rely 
  on DNA's destructibility. On the contrary, I am told that PCR can 
  reliably detect ten molecules and has a good chance of detecting a 
  single molecule. If you are synthesizing 160 nmole, that is 10**20 
  molecules. You must completely destroy every one with high certainty.

The whole point about DNA is that you can have few 100-1000 molecules,
and yet still reliably amplify from these microscopic amounts. A drop
of such DNA solution dropped into 98% HClO4 has a half life time of
seconds at best.



New York teen-ager win $100,000 with encryption research (3/14/2000)

2000-03-15 Thread Eugene Leitl


Of course it ain't actual encryption, only (high-payload)
steganography at best. Now, if you sneak a message into a living
critter (a pet ("the message is the medium"), or creating the ultimate
self-propagating chainletter, a pathogen), that would be an
interesting twist.

Interesting is that you can tag the message with a longish
pseudorandom base sequence, which allows you to fish for the fragment
(from digests) via a complementary sequence. Anyone not in posession
of that sequence would have to do a total sequencing.

Of course, using real steganography (camouflaging messages in DNA
(say, "(c) by God, Inc.") as genes or ballast as highly repetitive
sequences) is also an option.

David G. Koontz writes:
  http://www.sjmercury.com/svtech/news/breaking/merc/docs/013955.htm



Re: New York teen-ager win $100,000 with encryption research(3/14/2000)

2000-03-15 Thread Eugene Leitl

Arnold G. Reinhold writes:

  If you know the DNA sequences of alphabet letters, you can PCR probe 
  for common words or word fragments like "the" or "ing" and avoid 
  total sequencing.
 
That's true. Luckily, there is no such test for random base sequences,
though a pseudorandom sequence would certainly be very visible, but
only if the genome has been totally sequenced (currently, an expensive
and slow enterprise, despite Celera making large headways into
it). Hence the need for steganography, which is further worsened by
significant evolutionary conservation throughout the biological
kingdom. The payload will be not be very high.
  
  A recent Genetic Engineering News says the price for synthetic DNA is 
  dropping from $1 per base to about $0.50 per base. That works out to 
  $0.25 per bit. That's about 8 orders of magnitude more expensive than 
  PC disk storage.

This only applies to short sequences. If you have to (PCR-) ligate
your sequences from shorter segments as output by the synthesizer
robot, the price will skyrocket. Hey, nobody said it's going to be
cheap, nor fast ;)

The good part is extremely dense storage (i dot can contain far more
than microfilm), and potential for destruction on demand: via
packaging in a container bisected with a breakable membrane, one part
containing the DNA (precipitated, or as solution) and the other a
strongly fragmenting chemical (DNAses probably too slow, something
strongly oxidizing like concentrated perchloric acid should do).



Re: [FYI] ECHELON for combat of european national culture of bribery?

2000-03-13 Thread Eugene Leitl


Of course U.S. companies are entirely innocent of that practise. 

Right.

Sounds just like another lame excuse to me. Pedophiles, terrorists,
hackers, now it's Evil Euros, snatching up contracts using
bribes. Yawn. I'm surprised Janet Reno has this time nothing to say
about this.

Bill Stewart writes:
  Well, of course they do.  Knowing who to bribe, what they're selling,
  and how much they're charging can be really valuable for
  "national security" interests - not only lets you bargain down your
  bribery payments, but occasionally lets you use blackmail to get
  stuff for free :-)



/. Mozilla Crypto Released for Windows, Linux

2000-03-09 Thread Eugene Leitl


http://www.mozillazine.org/

Thursday March 9th, 2000 

Mozilla Crypto Released for Windows, Linux!

The first crypto-enabled builds of Mozilla have come online. Currently
there are Windows and Linux builds available - a Mac version will be
available soon. Enabled in these initial builds are SSL, the Security
Advisor, and IMAPS. Signed mail and encrypted mail are not yet
implemented.

To try out the PSM (Personal Security Manager), first you need to grab
a special version of M14. There are Talkback and no-Talkback versions
available for Windows, and Talkback and no-Talkback versions available
for Linux. After you have installed this build, run Mozilla and browse
to the PSM page at iPlanet. You can get details on the release, as
well as any special instructions you may need (and instructions for
Linux if you are building the M14 build from scratch). Scroll down the
page, and you will see buttons to install the PSM version for your
system. Clicking the button will start up the XPI installation
routine, and the PSM will be downloaded and installed. After
installation, close Mozilla and reopen to use the PSM. You should be
able to visit secure websites now, and view the Security Advisor
(available from the Tasks menu).

The source code for the PSM has not yet been released.  We will let
you know when it is.



please help FreeNet by becoming a node

2000-03-01 Thread Eugene Leitl


(((I urge you to donate some of your computational/networking 
   resources to the Freenet project, even if it's a single xDSL
   box. Details how to help see Latest News below.)))

http://freenet.sourceforge.net/

"I worry about my child and the Internet all the time, even though
she's too young to have logged on yet. Here's what I worry about. I
worry that 10 or 15 years from now, she will come to me and say
'Daddy, where were you when they took freedom of the press away from
the Internet?'" -Mike Godwin


 FreeNet

 Latest News 

18th Feb 2000 - Now is your chance to help Freenet is now in its
testing phase, to facilitate this we need people who can run a Freenet
node on their computers. To participate you will need a computer
capable of running java 1.1 which has a permanent connection to the
Internet, a fixed IP address, and is not behind a firewall. If you
have access to such a beast and would like to help the Freenet project
please click here for instructions on how to install a Freenet server.

 What is Freenet? 

The Freenet project aims to create an information publication system
similar to the World Wide Web (but with several major advantages over
it - see next section), where information can be inserted into the
system and associated with a "key" (the key is normally some form of
description of the data such as "freenet source code V1.0"). Later
anyone else can retrieve the data using the appropriate key. In this
respect it is a little like the World Wide Web which requires a "URL"
to retrieve a particular document.  To participate in this system
users will simply need to run a piece of Java software on their
computer, and optionally use a client to insert and remove information
from the system.  Anyone can write a client (or indeed a server)
however the reference implementations will be written in Java.  If you
are interested in why someone might want to create a system like
Freenet please take a look at the philosophy page.

 Why is Freenet interesting? 

Click on any of the following reasons for more information about each:

 Freenet does not have any form of centralised control or
 administration 
 It will be virtually impossible to forcibly remove a piece
 of information from Freenet 
 Both authors and readers of information stored on this
 system may remain anonymous if they wish 
 Information will be distributed throughout the Freenet
 network in such a way that it is difficult to determine
 where information is being stored 
 Anyone can publish information, they don't need to buy
 a domain name, or even a permanent Internet
 connection 
 Availability of information will increase in proportion to
 the demand for that information 
 Information will move from parts of the Internet where
 it is in low-demand to areas where demand is greater 

 What is Freenet's current status? 

Much of the server is complete, and a command line client (which is
developed in parallel and shares some code with the server) is also
nearing completion. As of 8th Feb 2000 the following remains to be
done:

 Some minor changes to message behaviour 
 Fix hashing on Liberator (a contributed Perl
 implementation of a Freenet client) 
 Implement tunneling (a mechanism which will
 dramatically improve Freenet response times) 
 Speed up handshaking mechanism (which will also
 improve response times) 
 Conduct a wide-scale multi-node beta-test (at present
 most tests have been conducted by running several nodes
 on the same computer). 

You should subscribe to the announcement mailing list to be informed
of major releases (this is a low traffic mailing list).

 Can I help?

Yes, definitely. If you have Java programming experience, or are
familiar with cryptography then you will be particularly useful, but
everyone is welcome. If you just want to find out more make sure you
have read everything on this site - and then join the General mailing
list. If you are keen to contribute, first take a look at the code in
CVS, then you should join the Development mailing list and let us know
what you think you can do.

 Why implement the first Freenet server in
 Java? 

Because: 

 Java is the most cross-platform language currently
 available 
 There are free Java implementations available such as
 Kaffe, we will ensure that Freenet is always compatible
 with these versions even if Sun attempt to make it more
 difficult for free Java implementations to keep up. 
 Java has excellent network support 
 Java is easier to debug than other languages such as C++,
 and this lets us get on with the business of implementing
 Freenet quickly and reliably! 



Re: Napster - the quiet revolution

2000-02-28 Thread Eugene Leitl


I haven't had the opportunity to try Napster yet (upgrade to glibc is
way overdue). Everybody is raving about it, though, so it is probably
very good.

It seems however, that Napster suffers from a few design flaws:
centralism (there is a central database, right?); it seems to produce
cleartext traffic in certain patterns on a certain port (otherwise the
protocol wouldn't have been reverse engineered so quickly and it would
not be so easily detectable/blockable, as recently happening in
certain university networks striving to conserve bandwidth). Is this
correct?

It would have been nice to to be able to run the global title index
via a distributed database (no single point of failure, e.g. due to
unfriendly legal action), which establishes connects through
addresspace searches of nearby (in terms of number of hops and/or
bandwidth) nodes, and sending something very much resembling a SSL
connection as created by a vanilla secure browser session, both in in
regards to used protocol and traffic pattern. Scanning for/blocking
Napster traffic would so become much more difficult. An obvious
problem is how to avoid collision with vanilla https (other than
intercepting/redirecting https://aaa.bbb.ccc.ddd/napster/
traffic. Perhaps just using https on a different port would be a
smarter idea, though usage of a nonstandard port is bound to draw
closer scrutiny).

A moderate connectivity (say, ~10), with each node acting as a relay,
would allow each node to reach any other node within just a few hops
over the virtual network. Caching the index of titles stored directly
on these nodes could probably reduce the traffic quite a bit. A
top-100 list and related-list (users who downloaded this title also
downloaded the following titles, ranked by total downloads) would seem
to greatly increase program functionality.

It would seem to be necessary to limit the scope of visibility to
direct neighbours only, to prevent malicious users from obtaining
extensive lists of other Napster users' addresses. To increase
obfuscation, introducing some traffic mixing should be contemplated,
injecting pseudorandom garbage traffic between direct neighbours to
foil statistical traffic attacks./paranoia

The program should be capable of serving arbitrary types of digital
content.

The rationale is to sneak code into a widely used utility which would
create an infrastructure for secure anonymous peer to peer
communication, content sharing and digital payments (let's call it
CryptNet) on top of insecure, increasingly monitored/filtered public
networks.

Comments?

-- Eugene



Copy protection proposed for digital displays

2000-02-21 Thread Eugene Leitl


http://www.eetimes.com/story/OEG2217S0039

Copy protection proposed for digital displays

By David Lammers
EE Times
(02/17/00, 7:02 p.m. EST) 

PALM SPRINGS, Calif.-At the Intel Developer Forum here, Intel
Corp. unveiled a copy protection scheme that will add a layer of
encryption between the system and the digital display.

The High-bandwidth Digital Copy Protection (HDCP) approach encrypts
each pixel as it moves from a personal computer or set-top box to
digital displays, such as digital flat panels and high-definition
televisions.

HDCP is an Intel-developed specification that will complement the work
developed with the Digital Display Working Group (DDWG), said Mark
Waring, an Intel technology initiatives manager who is the DDWG
secretary.

While the Digital Transmission Content Protection approach provides
encryption for digital content as it moves over a 1394 interface, the
HDCP is complementary.

"HDCP encrypts the final link, from the device to the display, that
has been the missing link" in the various copy protection schemes
developed thus far, said Waring, who earlier worked as a display
engineer at Sharp Corp.

Intel will release a draft version of the license agreement by Monday,
Feb. 21, at the Digital Content Protection web site. Also, individuals
can go to the site to request a copy of the specification.

At IDF's product demo pavilion, Silicon Image, Inc. (Sunnyvale,
Calif.)  demonstrated what it said was the first implementation of
HDCP on its digital video interface (DVI) silicon. Transmitter and
receiver silicon performed the HDCP authentication, encryption, and
decryption functions, while supporting the DVI digital transmission
rate of 5 G-bits/sec between the host and display.

HDCP uses a 56-bit key, with individual keys distributed to the
various vendors. A violated key could be tracked down and revoked over
a satellite broadcast network, for example. Waring said he expects the
major silicon vendors to have HDCP-compliant silicon ready by the
July-August time frame.



Re: Blue Spike and Digital Watermarking with Giovanni

2000-01-16 Thread Eugene Leitl


Well, the deformations must be smooth, so this just describes an
attack against a certain type of watermarks.

As I said, it is difficult to resiliently watermark a single image.

Paul Crowley writes:
  As far as I know, all fielded watermarking schemes can be defeated
  with simple, invisible distortions of the image - see
  
  http://www.cl.cam.ac.uk/~fapp2/steganography/
  
  for work done by Fabien Petitcolas and Ross Anderson.  You don't even
  have to have more than one copy of the picture or know very much about
  the scheme in use.



Re: Debit card fraud in Canada

1999-12-14 Thread Eugene Leitl

Arrianto Mukti Wibowo writes:

  About Mondex, probably you are right. No information is available about the
  internals of Mondex, and is kept secret, unlike CAFE which the specification

The fact that Mondex keeps its VM specs secret does not forebode well
for its security. Apparently, the VM designer also doesn't know squat
about good VM design for C programs.

Make from it whatever you will.

  was made open (it was a research project anyway). We can assume that Mondex
  does rely heavily on the tamper resistant device.



Re: Semantic Forests, from CWD (fwd)

1999-12-03 Thread Eugene Leitl

Steven M. Bellovin writes:
 
  The problem, from the perspective of an intelligence agency, is figuring out 
  what to listen to.  Let's do some arithmetic.
  
  The product you cite requires at least a 133 Mhz Pentium; 200 Mhz preferred.  
  How many such chips are needed?  Well, according to a map on a wall near my 

Ahem. DSPs are very cheap (like $10) in large quantities, and are
roughly comparable or better than a P200, especially for numerical
purposes and if properly optimized. From a certain scale onward (I'm
sure that Echelon exceeds the threshold easily) you can use ASICs, at
least for the most computationally intensive algorithm stages, which
makes it even cheaper (also in terms of footprint and
power/airconditioning, which can be surprisingly expensive). Then of
course you can hard-disk record a temporal window of every current
conversation (which can be as deep as a whole call: compressed voice
is low-bandwidth and hard drives are cheap), while sifting for certain
keywords (with recent neuronal hardware techniques looking for
keywords from a limited vocabulary or looking for specific speakers
should be a piece of cake). If no hits occur, you discard the
call. (Or process random calls if there is too much slack in the
pool). If if the hits are over threshold, you keep the hitherto
recorded call window plus intercept the whole call, then submit the
job for (computationally expensive) high-fidelity crunching (which is
probably not better than the best commercially available), which may
give you -- how much? -- maybe 90-95% of recognition rate. If the AI
(which can be something trained on a large real-world case knowledge
base) deems the conversation to be hot, it passes on the transcript to
a human. If you swamp their (limited, expensive, slow to expand)
processing capabilities, you tweak the threshold until they just can
cope.

Of course there are conversations from certain people (crypto
activists, politicians, criminals, C.E.Os etc.), which get filed
automatically. I don't think the fact that most of Echelon is about
industrial espionage is a big secret.

Even if above isn't true (yet), it is imo sound practice to assume a
worst case.

  office (see http://www.telegeography.com/Publications/cmap99.html), there are 
  currently about 150 Gbps worth of fiber across the Atlantic.  That's about 2.7 
  potential million phone channels.  A lot of that is data, of course -- shall 
  we say 75%?  That still leaves us with ~675K simultaneous calls.  That's an 
  awful lot of CPU power, even by NSA's standards.

Afaik the current telephone system can't work if more than (order of
magnitude) ~10% of customers attempt to speak simultaneously. The
world population might be 5-6 billion, but most of them don't have
phones. The amount of international calls must be but a tiny fraction
of total calls.

  And it gets worse -- within a year, the FLAG and TAT-14 cables will come 
  online, adding at least 800 Gbps of capacity...
 
As far as I know the transatlantic fibers are mostly idling. There
aren't that many humans around who want to make international
calls. I'd surmise the growth saturates sooner or later. The fraction
of voice vs. data will be increasingly skewed towards data. 
Of course currently voice is typically much more important than data...

  Tentative conclusion:  they need to listen to the signaling channels, so that 
  they can focus their efforts.  *Then* they can do the voice recognition and 
  pattern-matching tricks.
 
Afaik focusing has been intelligence's basic tenet since time immemorable.

   --Steve Bellovin
  
  



Re: 56 Bits?????

1999-11-03 Thread Eugene Leitl


I presume if he fails to deliver the goods on time you'll henceforth
consider 56 bit secure, in all eternity (=5-10 years)?

Strange kind of reasoning.

Marshall Clow writes: 
  OK, Bob.
  You have claimed to be from Missouri.
  Show me.
  
  Here's an encrypted file, encrypted with a 56 bit key. 
  Return to me the plaintext contents and I will pay you $175
  plus $25 so you can claim a profit.
  
  Since you say it will take about 3 days, I'll give you 10.
  This offer expires on at 11:59 PST November 7, 1999.
  
  Well?



Re: grabbed video as a source of entropy

1999-09-29 Thread Eugene Leitl

David Honig writes:

  Even if I had the same hardware, perhaps the tolerances on my ADCs are
  different from yours.  
  
  And illumination levels will affect certain kinds of noise.

Sure, but the entropy generation rate will be in any case higher than
stuff coming from /dev/dsp
 
  The point: Measure it.
  
  Use Shannon's entropy formula, for instance.  
 
I'm not very well versed in such matters, and pressed for time in my
day/night job.

  I wouldn't mind any pointers to sources extracting, say, LSB from
  grabbed frames.
  
  Distill (irreversibly compress, e.g., by xor'ing several words together)
  your data.  Measure again; distill again until 1 bit/baud.  Hash before use.
 
I was looking for sources performing such steps. And I wouldn't want
to crypto-hash lest the raw entropy gets debased by hidden algorithmic 
order.

  Any OTP tool should facilitate or automate these steps.



grabbed video as a source of entropy

1999-09-25 Thread Eugene Leitl


I've recently aquired a video camera (bttv-based 3Com Bigpicture, can
do 30 fps true color 640x480). I've noticed that under certain
conditions images can become quite noisy. Does anyone has data on the
amount and quality of the entropy produced?

I wouldn't mind any pointers to sources extracting, say, LSB from
grabbed frames.



Re: having source code for your CPU chip -- NOT

1999-09-24 Thread Eugene Leitl


For the truly paranoid: it is perfectly possible to boostrap a working
Forth environment *by hand*, whether by hand assembly and flashing the
resulting image, or by porting eForth (or any Forths written in C) to
an embedded target.

You simply can't fit any Trojan in there: a minimal Forth OS can fit
into just 2 k, typical environments take 12..16 kBytes. Of course
you're abandoning any GNU/Unix compatibility, but the intrinsic
rewards of a Forth environment can be considerable -- I don't know of
any more productive system.

Is there a crypto code library out there?

Greg Rose writes:
  At 09:02 23/09/1999 -0400, Steven M. Bellovin wrote:
  By example, I 
  could verify the machine code for IDEA, but not PGP and certainly not your 
  favorite version of UNIX.
  
  Actually, while there are bugs and security holes, it's pretty certain that
  V6 Unix didn't have any crypto trapdoors ... and you can now own your very
  own source code license for early Unix including C compiler, complete with
  source for a PDP-11 emulator to run it on... this might come in handy one
  day as a stable, recreatable base.
  
  See http://minnie.cs.adfa.edu.au/PUPS , the PDP and Unix Preservation Society.
  
  [Of course, what guarantees does one have about the provenance of the
  code? --Perry]



Re: Power analysis of AES candidates

1999-09-15 Thread Eugene Leitl

Eli Brandt writes:

  If so, doubling the cap size halves the cutoff frequency (right?),
  halving the leaked power.  Integrating runs gives signal voltage
  linear in n and noise voltage sqrt(n); voltage ratio is sqrt; power
  ratio is linear.  So leaked-signal power is
  Theta( (attacker's number of runs) / (capacitor size) ).
  No asymptotic edge either way; attacker wins against bounded cap size.
  /handwave

I don't quite understand your handwave analysis: if we use
supercapacitors we can power the embedded unit for hours straight. A
typical encryption round completes in milliseconds at best, I don't
see how microsecond spike demands can ever leak out regardless whether
we measure till the Big Crunch or the day after tomorrow.

Apart from such crude-but-effective countermeasures we haven't even
begun tackling lunatic fringe stuff like reversible computation.



Re: Power analysis of AES candidates

1999-09-14 Thread Eugene Leitl

John Gilmore writes:

  What are you guys talking about?  Differential power analysis doesn't
  require any physical attack, nor does it deal with voltage
  variations.  (You are probably thinking of Shamir's fault-injection

You can't do differential power analysis if you supply power
photonically to an encapsulated unit. Power dissipated gets averaged
out over time so you can't just monitor the temperature.

  attacks.)  Differential power analysis measures the current
  consumption of the part as it operates, completely outside the device.

1) A self contained, sealed unit is immune to this
2) What prevents us from measuring the power  fill out lacunes a la
resistance heating? The unit would then show constant dissipation
regardless of which computation it performs.

  It uses statistical techniques to confirm or reject hypotheses about
  the key values being operated on in the final rounds of encryption
  algorithms.  Paul Kocher's team has developed some countermeasures,
  see the end of the technical discussion linked from:
  
http://www.cryptography.com/dpa/index.html
  
   John



crypto file system for Linux: which?

1999-08-25 Thread Eugene Leitl


Hi,

recently we had a break-in where very valuable intellectual property
was stolen along with (negligeable) hardware.

To prevent this in future I'd like to establish a (physically secured)
Linux SMB server running a cryptographic file system.

I've taken a quick look, and there seem to exist essentially two
packages: one which encrypts at the partition, and the file system
level. (There seems to be also a system which encrypts/decrypts ~/ at
each login, but I doubt that's compatible with Windows).

Which cryptographic file system would you recommend?

Also, I'm unsure how authentication is accomplished. Are
passwords/phrases required at each access/session? Do passwords go
encrypted over the network?

Also, in future I'd like to use soft RAID (at least mirroring) and
XFS. It would be nice to have a crypto file system which can be
mounted over that.

TIA,

Eugene



Re: depleting the random number generator -- repeated state

1999-07-31 Thread Eugene Leitl

David Honig writes:

  One of the many uses of nitric acid.  Ie, take random samples

I thought this is mostly done by removing the bulk of the package
polymer by grinding, and then subjecting the rest of it to a plasma
etch.

I haven't put a processed wafer into nitric acid yet, but I could
imagine it does horrible things to small structures.

  apart and look at them.  There are commercial places that
  will do the lab work for you.

Since this involved manual work and heavy apparatus (UHV plasma etch
chamber, EM, etc.) as well as know-how (finding a structure and
guessing what it does) it won't be exactly cheap.



RE: US Urges Ban of Internet Crypto

1999-07-30 Thread Eugene Leitl

Lucky Green writes:

  [Before a reader replies with an argument based on a claim that strong
  crypto is in the process of becoming ubiquitous, please take a look at your
  phone. Does it perform 3DES encryption? Do the phones of the majority of

Phone? Why do I need a stupid phone if there's http://www.speakfreely.org/
It's cheaper, too.

  people you call perform 3DES encryption? Alternatively, you could take a
  look your email client. Does it support strong crypto? Great! Now what

Sure.

  percentage of emails you send *and receive* each day use strong crypto? If
  your answer is 95% or higher, you might have a point, if it wasn't for the
  fact that the Minister hasn't been shown the video tape just yet].
 
Should strong crypto be outlawed, my mail traffic will consist mostly
of Pretty Goofy Pictures, and snowy video feed from the webcam. Most
of them will be really just pretty goofy pictures, with a wee bit of
nondeterministic noise added.

Besides, you can control buddy-to-buddy software distribution exactly
as well as prevent people from swapping mp3 warez among friends. What
next, outlaw compilers? Outlaw hardware? Outlaw people? Don't think so.



US Urges Ban of Internet Crypto

1999-07-28 Thread Eugene Leitl

John Young writes:

  Nations do not control distribution of intangible items. While 
  I recognize that this issue is controversial, unless we address 
  this situation, use of the Internet to distribute encryption products 
  will render Wassenaar's controls immaterial."

I just love this sentence. So, let's create unenforcible legislation,
and then try to pave over all the world in the attempt to make reality
comply. Name's Janet Reno, huh? 

What's worse, the gullible Germans will probably heel.



A Massively Parallel Cryptosystem Based on Cellular Automata

1999-07-20 Thread Eugene Leitl


What is your oppinion on the security of this system. Any obvious
flaws?

http://www.santafe.edu/~hag/ca11/ca11.html


A Massively Parallel Cryptosystem Based on Cellular Automata

Howard Gutowitz ESPCI; Laboratoire d'Electronique 10 rue Vauquelin;
75005 Paris, France [EMAIL PROTECTED]

The DES is an example of an iterated cryptosystem, a cryptosystem in
which a function is applied many times to a message in order to
encrypt it. From the physicists point of view, an iterated
cryptosystem is an example of a dynamical system, a system whose state
evolves over time. Dynamical systems theory encompasses the study of a
wide range of phenomena, chaos being the most well known. Some of
these phenomena have correlates in cryptography, and can be used as
the basis of cryptographic schemes. A certain type of dynamical
system, called cellular automata, are particularly well suited for
cryptographic application.

A cellular automaton is a discrete dynamical system. Space, time, and
the states of the system are discrete. Each point in a regular spatial
lattice, called a cell, can have any one of a finite number of
states. The states of the cells in the lattice are updated according
to a local rule. That is, the state of a cell at a given time depends
only on its own state one time step previously, and the states of its
nearby neighbors at the previous time step. All cells on the lattice
are updated synchronously. Thus the state of the entire lattice
advances in discrete time steps.  Since the update rule is simple,
local, and discrete, it can be executed in easily-constructed
massively-parallel hardware at extraordinary speeds, without round-off
errors.

I have developed a cryptosystem, called CA-1.1, which illustrates some
of the principles of encryption with cellular automata. In CA-1.1, a
message is encoed as a state of the system, and various cellular
automaton rules applied to it to produce a new state which is the
ciphertext. To decrypt, the same cellular automaton rules are applied
in reverse order. The cellular automata employed are derived from a
secret key.

CA-1.1 uses both reversive and irreversible cellular automaton
rules. Under a reversible rule, each state of the lattice comes from a
unique predecessor state, while under an irreversible rule, each state
can have many predecessor states.  During encryption, irreversible
rules are iterated backwards in time. To go backward from a given
state, one of the possible predecessor states is selected at
random. This process can be repeated many times. Backward iteration
thus serves to mix random information with the message
information. CA-1.1 uses a particular kind of partially linear
irreversible rule which is such that a random predecessor state for
any given state can be rapidly built. Reversible rules are also used
for some stages of encryption. The reversible rules (simple parallel
permutations on sub-blocks of the state) are fully non-linear, while
the irreversible rules are partially linear. The irreversible rules
are derived entirely from information in the key, while the reversible
rules depend both on key information and on the random information
inserted during the stages of encryption with irreversible rules.

CA-1.1 features an authentication mechanism which renders
chosen-ciphertext attack difficult. This authentication mechanism
ensures that only ciphertext produced by the system loaded with a
given key is decrypted using the same key.

CA-1.1 is built around a block-link structure. That is, the processing
of the message block is partially segregated from the processing of
the stream of random information inserted during encryption. This
random information serves to link stages of encryption together. It
can also be used to chain together the encryption of a stream of
blocks. The information in the link is generated within the encryption
apparatus. It is not accesible even to legitimate users of the system,
hence it is not available for chosen-plaintext attacks.

A detailed explanation of how CA-1.1 works can be found in references
[1,2].  Further details, as well as U.S. licensing information can be
obtained from the author at the above address.

References:

[1] H. Gutowitz, "Method and Apparatus for Encryption, Decryption, and
Authentication using Dynamical Systems", U.S. patent application (100
pg. 1992)

[2] H. Gutowitz, "Cryptography with Dynamical Systems" to appear in:
"Cellular Automata and Cooperative Phenomena", Eds: E. Goles and
N. Boccara, K. Reidel Press (38 pg. 1993)



Re: depleting the random number generator

1999-07-18 Thread Eugene Leitl

bram writes:

  Most of the fancy reseedable PRNG schemes people have come up with are
  based on using secure hashes.

They are sure validated, but are they the best we can do? MD5, the
nonplusultra, really?



Re: depleting the random number generator

1999-07-18 Thread Eugene Leitl

bram writes:
 
  I'm not sure if anybody's yarrowified /dev/random yet - I think someone
  from coderpunks was working on it.

Does anybody know how cellular automata perform re cryptographically
solid random number generators? They can crank out a lot of integers
with a minimum investment in instructions executed.



how secure is digital pulse radio?

1999-06-29 Thread Eugene Leitl


I assume you are aware of the forthcoming digital pulse radio
technology http://www.time-domain.com/technology.html

It is not exactly crypto, but uses ultra-wideband low-power (they
claim 10 miles with 500 uW) emissions and pseudo random codes to 
shift the spike train encoding the information stream. It looks very
like white noise.

What is your estimate how difficult it would be to screen for such
communication channels, and how rapidly could one crack them (assuming 
no further encryption of the traffic)?

-- Eugene Leitl



Python RSA

1999-06-24 Thread Eugene Leitl


Got this from Mordy Ovits [EMAIL PROTECTED]

Is the following of more than trivial value? It does seem to use L
integers... 

#!/usr/bin/python 
from sys import*;from string import*;a=argv;[s,p,q]=filter(lambda x:x[:1]!=
'-',a);d='-d'in a;e,n=atol(p,16),atol(q,16);l=(len(q)+1)/2;o,inb=l-d,l-1+d
while s:s=stdin.read(inb);s and map(stdout.write,map(lambda i,b=pow(reduce(
lambda x,y:(x8L)+y,map(ord,s)),e,n):chr(b8*i255),range(o-1,-1,-1)))

Invoked as:

echo 'Top secret message.' | rsa.py 10001 1967cb529 ciphertext
cat ciphertext | rsa.py -d ac363601 1967cb529 

* rsa.py (4 lines): Performs RSA public key
encryption/decryption.  It requires two arguments, and can accept a
single option: '-d' for decryption (the default action is encryption).
The first argument must be the required exponent, expressed in
hexadecimal, and the second is the modulus, also in hex.  You still
have to choose the correct exponent, whether the '-d' option is
present or not; '-d' simply changes the number of bytes read at a
single time.

As an example: Let us assume the modulus is 6819722537, the
encryption exponent is 65537, and the decryption exponent is
2889233921.  Then, after converting the numbers to hex, we can encrypt
and then decrypt by the following commands:




Re: 56 Bits?????

1999-01-03 Thread Eugene Leitl


Wiping is not enough in some cases. With magnetical proximal probe
microscopy one can read residual magnetisation even in low-level
formatted disks.

First wiping with ones and zeroes and then overwriting several times
with (pseudo)random sequences offers better protection.

The optimal solution would seem to use cryptographical files systems,
and enough RAM not to use a swap file/partition.

Since modern RAM supposedly almost operates in the nonvolatile
ferroelectric regime (the next generation of RAM), true paranoids
would probably want ot apply above wiping technique to RAM at each
shutdown.

Arnold G. Reinhold writes:
  On the specific complaint that seems to have started this thread, the 
  lack of a wipe option in the file encryption, I would just like to 
  point out that wiping the original file when you encrypt it is 
  nowhere near enough. Many popular applications, such as MS Word, 
  create temp files all over the place. A better approach is to wipe 
  all disk free space regularly. This can be easily automated in the 
  MacOS using shareware utilities and Applescript.