802.11 Wired Equivalent Privacy (WEP) attacks
as reported on Good Morning Silicon Valley: Researchers from UC Berkeley and private security firm Zero-Knowledge Systems have uncovered a means of disrupting the Wired Equivalent Privacy (WEP) algorithm, an important part of the 802.11 corporate standard for wireless computer networks. While data transmitted over these networks is encrypted, the researchers determined that it was easy to modify 802.11 equipment to pillage that data. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
History Channel television show on NSA
The 'History Channel' cable TV network will air a show about the NSA tomorrow night January 8, at 8 pm Eastern. Their website says this about it: America's Most Secret Agency The National Security Agency, America's most secret and controversial agency, is charged with safeguarding the nation's strategic intelligence information and decoding the secret communications of our enemies. For only the second time in its nearly 50 year history, the N.S.A. allowed cameras inside its Ft. Meade, Maryland, headquarters, and the director, Lt. General Michael V. Hayden, sits for a rare interview and addresses issues such as privacy. Tune in and find out if Big Brother is watching you!
Quantum crypto announcement from Mitsubishi
From ZDNet Asia (last week): http://www.zdnetasia.com/news/dailynews/story/0,210021,20072964,00.htm Unbreakable cryptographic communication made possible 26 September 2000 Mitsubishi has successfully realized quantum cryptographic communication systems as a security system. TOKYO - Mitsubishi Electric Corp. and the Research Institute for Electronic Science, Hokkaido University, announced today the success of their quantum cryptographic experimental system. This is the first report in Japan concerning quantum cryptosystem experiments for absolute security against cryptanalysis. . . . .
News on International Forum on Surveillance by Design (fwd)
This (rather long) message was posted to the Internet Societal Task Force (ISTF) discussion list. The ISTF has recently formed a workgroup on privacy and security which is referred to as PAPSPI. Some of the material discussed at the symposium on surveillance might be of interest to this list. -- Forwarded message -- Date: Mon, 25 Sep 2000 19:22:13 +0100 From: Christian de Larrinaga [EMAIL PROTECTED] Reply-To: ISTF Discussion [EMAIL PROTECTED] To: ISTF Discussion [EMAIL PROTECTED] Cc: "Davies,SG" [EMAIL PROTECTED] Subject: News on International Forum on Surveillance by Design Simon Davies and his colleagues at the London School of Economics provided an excellent day on Friday. I outline a brief and subjective overview. I was pleased to be joined during the day by ISTF colleague the newly appointed chair to the PAPSPI Jonathan Robin. This was an authoritative day long overview and discussion of the state of surveillance on the Internet and telecommunications networks with a number of noted experts in the field giving presentations. Areas discussed are in the programme (copied below), although the running order varied on the day. Particular attention at the start was paid to the global picture of interceptions by security services deployment of the Echelon network, the French equivalent nicknamed "frenchelon" etc and many programmes by governments around the world to establish satellite eavesdropping technologies, undersea cable taps, microwave interceptions etc. This moved into more detailed information on national initiatives such as Carnivore and the "little black box" of the RIP Act. Vint's and other submissions on inspecting Carnivore were not available at the conference and I did not get an opportunity to submit. Jon Crowcroft of UCL and the IETF / IAB gave an overview of the role of the IETF and dismissed the ability of the security services to intercept anything like the amount of traffic that the Internet is producing let alone store it.
Duncan Campbell asked Jon whether this in his view hindered the potential for governments to intercept in a more targeted way, for instance by filtering for key headers, then for keywords etc until only a very small subset of the original data flow is actually intercepted and then stored. Jon Crowcroft admitted that that scenario was feasible although the placement of intercepts on the Internet may be routed around. There was also an interesting talk by encryption expert Dr. Ross Anderson of Cambridge University on the security regime and comparisons of analogue, UMTS, G3 cellular which appeared to indicate that the encryption regime of such networks is open to interception, although to varying degrees. The standards work of ETSI in particular came in for a considerable critique so much so that their use of the word "user" being synonymous with "security service". Many ETSI standards documents were presented which revealed the level of backdoors for interception built into ETSI based standards. This contrasted very strongly with the IETF response to such security service requests - No. The rationale that backdoors to technologies create security weaknesses. ETSI standards are so defined that they provide multi user interceptions on the basis that no two agencies simultaneously intercepting traffic are allowed to be capable of knowing the other is listening too! It might be noted (but wasn't at the conference) that ETSI is one of the standards organisations recognised as a "global" standards organisation by ICANN. This was followed by an exposition by Gus Hosein of the LSE and Betty Shave of the Dept of Justice (USA) on the European Union Cybercrimes consultation. There are issues for privacy and security of Internet users and a potential impact on existing human rights legislation in Europe. ISOC England will be making a submission on this when the new draft comes through.
I would be happy to see a joining of forces on this to make this a larger perhaps ECC or ISOC submission. I had the honour to sit next to the multi imprisoned Boris Putsinov who is still speaking out for citizens' rights and who later gave a talk on the Russian SORM programme. There were also up to date analyses on the Dutch and British initiatives at internal interception laws. The Dutch in particular are preparing new draft laws which look very intrusive if enacted. The session ended with the sponsors providing a commercial view of how technology is providing answers to interception attempts. Starium presented their encryption phone which promises global protection with built in triple DES encryption. Zero Knowledge presented an overview of their proxy network technology which provides an untraceable anonymous Internet underlay. My comment We continue to face a short term future of organised paranoia on the part of governments and organisations. Their determination to have access to the information flows and data stores of our emerging hyperspatial
Council of Europe draft Cybercrime treaty
The Council of Europe has released a draft of its cybercrime treaty. The idea here is to get signatory nations to adopt similar laws as their own national laws. A news article I read states that the treaty would criminalize some forms of security testing and analysis. One provision would require: Section 2 Procedural law Article 14 - Search and Seizure of Stored Computer Data . . . . 5. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order for the purposes of criminal investigations and proceedings any person who has knowledge about the functioning of the computer system or measures applied to secure the computer data therein to provide all necessary information, as is reasonable, to enable the undertaking of the measures referred to in paragraphs 1 and 4. This would require giving keys to authorities who were investigating your system. The draft treaty (English version) is at: http://conventions.coe.int/treaty/en/projets/cybercrime.htm
American Express disposable card numbers
From zdnet.com: http://www.zdnet.com/zdnn/stories/news/0,4586,2625758,00.html?chkpt=zdhpnews01 Not much available on American Express's website, other than a signup form to give them your email address so they can send you info on when it is available. Security fix: Disposable credit cards? American Express plans to offer disposable credit-card numbers for online shopping amid continued consumer concerns over online security. By Jathon Sapsford, WSJ Interactive Edition September 8, 2000 5:45 AM PT American Express Co., amid continued consumer concerns over online security, is proposing an answer: disposable credit-card numbers. The New York travel and financial-services company announced a new technology allowing registered holders of any American Express card the ability to shop online with a random number, rather than their credit-card number. The card number would be good for one transaction only, and shoppers would no longer have to give their credit-card number to merchants over the Web. The service, to be called Private Payments, will be free for cardholders and will cost nothing extra for merchants who accept American Express. The service will be available to holders of any American Express card within a month. /etc.
Re: reflecting on PGP, keyservers, and the Web of Trust
On Tue, 5 Sep 2000, David Honig wrote: If you have a secure channel to exchange a passphrase in, you have no need for PK. Public key allows digital signatures, which a secure channel for key exchange doesn't provide. Two parties may choose to use symmetric encryption for exchanging messages and agree between themselves to accept any message encrypted with the secret key to be a binding expression - but this method does not prevent Alice from encrypting a message to herself and claiming it came from Bob. Either party can cheat in this way with symmetric key.
Re: RSA expiry commemorative version of PGP?
There are also existing applications like the time stamper in England, automated keyservers, mailer add-ins, and anonymous remailers which use the 2.x formats, so the 'installed base' is more than just individual users. The point about old computers is particularly apt, and there are mini-OSes like picoBSD and so forth which could support the older versions, ssh, and a terminal program, all from a floppy. Timestamper URL: http://www.itconsult.co.uk/stamper.htm On Thu, 3 Aug 2000, Arnold G. Reinhold wrote: Another reason for PGP 2.x compatibility is that there are a lot of old computers out there that will not run more modern versions. Many of these machines find their way into 3rd-world countries and NGOs where there is a life-and-death need for security. Also there is an argument that these old machines are significantly more secure than new equipment. The real threat to PGP security is clandestine software that captures and leaks your secret key. Bloatware (30-50 million lines of code in Windows 2000) has made any kind of independent OS security checking nearly impossible. BIOSs and CPU firmware have also grown enormously and offer room for all sorts of mischief. An old 68000 Mac or 8086 PC with no hard drive is a lot more trustworthy in my opinion, and can make a very effective crypto box. Arnold Reinhold At 3:58 PM -0400 8/3/2000, Derek Atkins wrote: The problem is not necessarily in getting users of PGP 2.x to upgrade. That will happen on its own. The problem is that users of PGP 2.x have old keys and, worse, old DATA that is encrypted and signed in the PGP 2.x formats using the PGP 2.x algorithms. The point is not to be able to create new messages that older implementation can read (although I certainly wouldn't complain if that actually happened). Rather, the point is to be able to access all that old, encrypted data. I still use PGP 2.6 because I have years worth of data encrypted and signed using PGP 2.6 formats, and I don't want to lose the information.
Some of the information is signed by OTHER people, so just decrypting and re-encrypting isn't sufficient. -derek Frank Tobin [EMAIL PROTECTED] writes: Adam Back, at 12:01 -0400 on Thu, 3 Aug 2000, wrote: I beg to differ. The fastest way to get people to upgrade is if the new version works with the old version. There are still many pgp2.x users who don't upgrade because they then lose the ability to communicate with other 2.x users. Your proposal just perpetuates the problem. My proposal is realistic in the face that RFC 2440 is the standard to follow. One problem that people face today is that they still only think there are 3 real classes of PGP implementations out there; PGP 2.x, PGP 5.x and above, and GnuPG. However, as more and more implementations arise, the need for RFC 1990 users to abandon their implementations will become more obvious. People also think that the only difference between 2.x and OpenPGP implementations is the algorithms used. Key formats have changed, the message format has changed, compression algorithms, and a host of other changes. To think that maintaining compatibility is as simple as plugging in RSA and IDEA is ridiculous. Look at signed messages posted to BugTraq, or other widely-known lists. The signatures are all made by OpenPGP-compatible implementations. I would argue the pressure should be placed on 2.x users, not blaming PGP Inc. or GnuPG or the rest. The GNU ethic about not using IDEA, is counterproductive; that just means more people use IDEA, because they can't upgrade because it won't work if they do. (while this paragraph does not make much sense to me, I'll try to reply) Irregardless, the GNU ethic is about creating and promoting Free(tm) software. Period. Any usage of IDEA would go contrary to it.
- -- Frank Tobin http://www.uiuc.edu/~ftobin/ -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH [EMAIL PROTECTED] PGP key available
Ridding IP of logic, reason, and law
In that thread about calling RSA by another name, William Allen Simpson [EMAIL PROTECTED], wrote: | Note that somebody is claiming patents on RIPEMD and SHA1, among many | other problems. I suppose that I shouldn't be surprised. (heavy sigh) FIPS 180-1 states: | Patents: Implementations of the SHA-1 in this standard may be covered by | U.S. and foreign patents. I would think 'implementations' in that context means software systems that incorporated SHA-1, where the overall system includes the SHA-1 algorithm. (The citation for SHA-1 may have changed recently and it may be 180-2; but I doubt anything changed in the standard related to intellectual property. There was something in the Federal Register, but I don't recall the change being significant - maybe it passed its 5 year review?) If the US federal government owns this algorithm, then it can't be patented. Of course this doesn't alter the fact that filing bogus patent claims has become an industry in itself, and damnably profitable, perhaps, like sin often is.
Edupage: Warrants for Online Data Soar
From Edupage 28 Jul: WARRANTS FOR ONLINE DATA SOAR The federal government has rapidly escalated its seizure of U.S. citizens' online data in recent years, according to a new study conducted by USA Today. The results of the study, which show that the number of search warrants issued for online data is up 800 percent over the past few years, caught Capitol Hill lawmakers and civil libertarians off guard. The sought-after data includes cases regarding child pornography, fraud, violent crime, and harassment. USA Today confined its study to warrants served on America Online's networks, but Andrew Grosso, a lawyer specializing in computer law, says there has been an across-the-board increase in the number of warrants and subpoenas issued to all ISPs and e-mail providers. The study's findings were jarring to some federal lawmakers. House Majority Leader Dick Armey (R-Texas) is calling for law enforcement agents to explain why they are issuing such a high number of search warrants to service providers. (USA Today, 28 July 2000)
Re: Ridding IP of logic, reason, and law
On Sat, 29 Jul 2000, Rich Salz wrote: If the US federal government owns this algorithm, then it can't be patented. I'm not sure if you are referring to SHA1 in particular, or in general. While I don't know about SHA-1, the US Government *can* own patents. For example, here's one that's actually kinda relevant. :) Yeah, you're right. I remember the patent discussion came up a while back with the NSA's Semantic Forest thing. I think it's the heat, global warming is ruining my memory. As I recall, though, there was at one time a provision of law in the US that the federal government couldn't copyright their documents. Maybe that is changed now. It still seems like US federal 'inventions' should belong to the people. Who the hell are they representing anyway? [The U.S. government can't copyright things but it can patent them. Copyright is not the same as patents. --Perry]
World Bank report and Economist article; digital cash
another GMSV news item: In the aftermath of the recent publication of a paper suggesting that digital currency may well render central banks obsolete, a group of economists have stepped forward to argue that such a thing will never happen. Why? As the Economist puts it: "Cash leaves no tracks, and makes no demands on anybody else's integrity." with links to: http://www.worldbank.org/research/interest/confs/upcoming/papersjuly11/papjuly11.htm and an article in the Economist at: http://www.economist.com/editorial/freeforall/current/index_fn0436.html The Economist article also includes links to papers at the Worldbank site, and touts anonymity as a unique and sustaining advantage of physical currency, perhaps guided by an appreciation of Chaum's business acumen in lieu of an understanding of his math papers.
Re: Electronic Signatures Yield Unpleasant Surprises
On Sun, 25 Jun 2000, Don Davis wrote: i'm sorry, but this is a foolish complaint. their specialty is as demanding as ours; why demand that they should master our specialty, when we make no effort to master theirs, and 'You may abuse a tragedy, though you cannot write one. You may scold a carpenter who has made you a bad table, though you cannot make a table. It is not your trade to make tables.' (Samuel Johnson) when we make no effort to help them understand crypto? all we've had to say to legislators and regulators is, "don't regulate crypto, leave us alone," and then surprise, surprise: even when we might want them to support crypto with laws, they don't know enough about crypto to be able to regulate it. There are several members of this list, and many specialists in security, who have written papers for Congress, offered testimony, appeared before committees, etc. Not all of this testimony has been negative, and much of it has been even-handed and informative. if we are successful in making crypto that's usable enough to become pervasive, then industry and the public will need new laws to help resolve social conflicts involving crypto, such as inevitably will arise. thus, it's our responsibility to help advise legislators constructively on cryptographic and security matters, but the civilian crypto community has quite consistently rejected and ridiculed every governmental foray into cryptographic legislation. indeed, the crypto community goes further, by ridiculing any cryptographer or security expert who supports legislative efforts. we're the ones who have screwed this up, not the legislators or their staffers. - don davis, boston I think the crypto community has made considerable contributions to the civil debate, especially relating to the Clipper Chip and key escrow, and some members of the community regularly offer comments and advice. 
Some of the papers written and talks given have been cogent and insightful, not at all negative or harsh in tone or sentiment. If the staff of major House and Senate Committees can't be bothered to ask the appropriate questions, or are too lazy or otherwise co-opted to seek the input of consumer advocates on this type of legislation, then I think they and their bosses have screwed this up. In my experience as a staff attorney to legislative committees, I found it relatively easy to identify and contact people from expert communities to assist me in my work. That was what I was paid for.
Re: Electronic Signatures Yield Unpleasant Surprises
On Fri, 23 Jun 2000, William Allen Simpson wrote: . . . . Surprise! Many consumers comparison shop on-line, but quit before purchasing, making their final purchase at a later time in a conventional manner. Vendors are now permitted another new fee for "withdrawal of consent". According to Congressional staff, this new fee may not have been intended to be charged until after a consummated transaction. Such a limitation is not explicitly stated in the legislation. It is hard to imagine that a court would enforce the new fee without an actual purchase of a product. However, according to the same staff, this specific language was vetted with Dell, Gateway, Hewlett-Packard, MicroSoft, and other vendors. No consumer advocates were mentioned. A reporter for CNet wrote a story on this bill before it passed and the story focused on 'digital signatures'. I wrote the reporter and pointed out that the bill dealt only with 'electronic signatures' which have nothing to do with cryptography. This is the response I got back from the reporter: || I contacted the House as soon as I got your email, and after some || probing-it took a couple of hours to get someone "informed" on the || phone-determined that I had been misinformed. The House people had || talked extensively about digital signatures, when the bill is in fact || about electronic signatures, as you said. That the people I spoke with || did not initially know the difference in this important legislation is || a bit disconcerting. This is a pretty sad state of affairs. We don't really expect the elected members of Congress to know very much, but it is alarming to find out the staff can't (or won't) do a decent job, either.
GNU Privacy Guard license question
from the documentation for GnuPG: http://www.gnupg.org/gph/en/pgp2x/t1.html | Note: Using the extension modules idea.c and rsa.c without licensing the | patented algorithms they implement may be illegal. I do not recommend | you use these modules. If you have PGP 2.x keys, I suggest you revoke | them in favor of new keys and encourage correspondents who use PGP 2.x | keys to do the same. Is this right? If one obtained PGP 2.x legally, and used RSA and IDEA in conformance with the original license for personal use, would that license permit the use of the older PGP keys with Gnu Privacy Guard? I don't have a copy of the old PGP license around. I presume one could continue to use PGP 2.x indefinitely under the old license. Will this change in a couple of months when the RSA patent expires?
Re: legal status of digital signatures
For purposes of clarification, the proposed federal law deals with 'electronic signatures' defined as: | (5) ELECTRONIC SIGNATURE.-- The term electronic signature means an | electronic sound, symbol, or process, attached to or logically | associated with a contract or other record and executed or adopted by a | person with the intent to sign the record. This definition is essentially the same as that of the Uniform Electronics Transactions Act (UETA), recently proposed by the National Conference of Commissioners on Uniform State Laws. The committee notes associated with this definition in the UETA state: | It is important to realize that this definition is intended to cover the | standard webpage click through process. For example, when a person | orders goods or services through a vendor's website, the person will be | required to provide information as part of a process which will result | in receipt of the goods or services. When the customer ultimately gets | to the last step and clicks "I agree," the person has adopted the | process and has done so with the intent to associate the person with the | record of that process. The actual effect of the electronic signature | will be determined from all the surrounding circumstances, however, the | person adopted a process which the circumstances indicate s/he intended | to have the effect of getting the goods/services and being bound to pay | for them. The adoption of the process carried the intent to do a legally | significant act, the hallmark of a signature. These definitions obviously don't have much to do with cryptography, and would include things like a 'signature' in a plain text RFC 822 email message, or a faxed copy of a signed document. The UETA and accompanying notes are available at: http://www.law.upenn.edu/bll/ulc/uecicta/etaam99.htm I think Perry is right, generally speaking.
An argument could certainly be made - with or without this federal act, or without any of the various state laws on the books - that a _real_ digital signature (like an RSA digital signature) is legally binding for any purpose and in the same context that a holographic or handwritten signature would be binding. I assume that when Perry says 'digital signature' he means digital signature, and not 'electronic signature' as defined above. The Statute of Frauds doesn't really present that big of a legal obstacle, since the modern interpretations of 'writing' are broad enough to include electronic writings. I also think that a good argument could be made on non-repudiation, with or without the proposed federal law or any of the existing state statutes, based on an RSA-type signature - modulo the usual caveats about the key not being compromised, etc. -- pj On 9 Jun 2000, Perry E. Metzger wrote: Steve Bellovin [EMAIL PROTECTED] writes: According to the AP, U.S. House and Senate negotiators have reached a compromise on legislation that will set national standards for digital signatures and the like. Details are in http://www.nandotimes.com/no_frames/technology/story/0,4500,500213819-500301920-501670828-0,00.html By the way, I Am Not A Lawyer, but digital signatures are certainly legally binding already under the common law for anything that isn't covered by the Statute of Frauds, and it isn't even clear that anything but the simplest legislation would be needed to deal with eliminating the ambiguity in situations that are covered by the Statute of Frauds. It would be interesting if one of our lawyers who subscribe to the list could comment on this. Perry
Re: RFC 2828 on Internet Security Glossary (fwd)
Thanks to Rich Salz for identifying the appropriate IETF forum for discussions related to the compsec glossary. Amir Herzberg and others were wondering where to send comments. -- Forwarded message -- Date: Wed, 31 May 2000 09:48:38 -0400 From: Rich Salz [EMAIL PROTECTED] To: "P.J. Ponder" [EMAIL PROTECTED] Subject: Re: RFC 2828 on Internet Security Glossary (fwd) There is a new Internet Draft entitled 'Internet Security Glossary' which defines terms and provides references. The RFC is part of the IETF PKIX working group; revisions and comments are discussed on that group's mailing list. For info, go to http://www.ietf.org, the security area, PKIX working group. /r$
RFC 2828 on Internet Security Glossary (fwd)
There is a new Internet Draft entitled 'Internet Security Glossary' which defines terms and provides references. One purpose of the new glossary is to harmonize usage within Internet standards documents. See end of message for the URL. related to the recent discussion on defining 'forward secrecy', this new glossary has the term 'perfect forward secrecy', but that entry only directs one to: 'public-key forward secrecy', which has the following definition (and call for assistance). (The paragraphs denoted 'I' are Internet related; the ones marked 'C' are comments from the editors.) $ public-key forward secrecy (PFS) (I) For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. (C) Some existing RFCs use the term "perfect forward secrecy" but either do not define it or do not define it precisely. While preparing this Glossary, we tried to find a good definition for that term, but found this to be a muddled area. Experts did not agree. For all practical purposes, the literature defines "perfect forward secrecy" by stating the Diffie-Hellman algorithm. The term "public-key forward secrecy" (suggested by Hilarie Orman) and the "I" definition stated for it here were crafted to be compatible with current Internet documents, yet be narrow and leave room for improved terminology. (C) Challenge to the Internet security community: We need a taxonomy--a family of mutually exclusive and collectively exhaustive terms and definitions to cover the basic properties discussed here--for the full range of cryptographic algorithms and protocols used in Internet Standards: (C) Involvement of session keys vs. long-term keys: Experts disagree about the basic ideas involved. 
- One concept of "forward secrecy" is that, given observations of the operation of a key establishment protocol up to time t, and given some of the session keys derived from those protocol runs, you cannot derive unknown past session keys or future session keys. - A related property is that, given observations of the protocol and knowledge of the derived session keys, you cannot derive one or more of the long-term private keys. - The "I" definition presented above involves a third concept of "forward secrecy" that refers to the effect of the compromise of long-term keys. - All three concepts involve the idea that a compromise of "this" encryption key is not supposed to compromise the "next" one. There also is the idea that compromise of a single key will compromise only the data protected by the single key. In Internet literature, the focus has been on protection against decryption of back traffic in the event of a compromise of secret key material held by one or both parties to a communication. (C) Forward vs. backward: Experts are unhappy with the word "forward", because compromise of "this" encryption key also is not supposed to compromise the "previous" one, which is "backward" rather than forward. In S/KEY, if the key used at time t is compromised, then all keys used prior to that are compromised. If the "long-term" key (i.e., the base of the hashing scheme) is compromised, then all keys past and future are compromised; thus, you could say that S/KEY has neither forward nor backward secrecy. (C) Asymmetric cryptography vs. symmetric: Experts disagree about forward secrecy in the context of symmetric cryptographic systems. In the absence of asymmetric cryptography, compromise of any long-term key seems to compromise any session key derived from the long-term key.
For example, Kerberos isn't forward secret, because compromising a client's password (thus compromising the key shared by the client and the authentication server) compromises future session keys shared by the client and the ticket-granting server. (C) Ordinary forward secrecy vs. "perfect" forward secret: Experts disagree about the difference between these two. Some say there is no difference, and some say that the initial naming was unfortunate and suggest dropping the word "perfect". Some suggest using "forward secrecy" for the case where one long-term private key is compromised, and adding "perfect" for when both private keys (or, when the protocol is multi-party, all private keys) are compromised. (C) Acknowledgements: Bill Burr, Burt Kaliski, Steve Kent, Paul Van Oorschot, Michael Wiener, and, especially, Hilarie Orman contributed ideas to this discussion.
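As an added illustration of two claims in the forwarded glossary text (this code is not part of the draft or of any S/KEY implementation): an S/KEY-style hash chain, where knowing the key used at time t yields every key used before it by hashing forward, and a long-term-symmetric-key derivation in the Kerberos mould, where whoever later obtains the long-term key and kept the transcript can recompute every session key. SHA-256, the seed, the long-term key and the transcripts are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict, List


def H(x: bytes) -> bytes:
    """One-way function for the chain (SHA-256 here as a stand-in; S/KEY itself used MD4/MD5)."""
    return hashlib.sha256(x).digest()


def skey_keys_in_use_order(seed: bytes, n: int) -> List[bytes]:
    """S/KEY-style chain. The verifier is seeded with H^n(seed); the key used at
    time t (t = 1 .. n-1) is H^(n-t)(seed). Keys are therefore revealed from the
    top of the chain downward, and each revealed key is a preimage of the one before."""
    powers = [seed]
    for _ in range(n):
        powers.append(H(powers[-1]))          # powers[j] == H^j(seed)
    return [powers[n - t] for t in range(1, n)]


class SkeyVerifier:
    """Stores only the last accepted value and accepts key k iff H(k) equals it."""

    def __init__(self, seed: bytes, n: int) -> None:
        top = seed
        for _ in range(n):
            top = H(top)
        self.expected = top                    # H^n(seed)

    def verify(self, key: bytes) -> bool:
        if H(key) != self.expected:
            return False
        self.expected = key                    # the next key must hash to this one
        return True


def keys_exposed_by_compromise(key_at_t: bytes, t: int) -> List[bytes]:
    """The glossary's S/KEY remark: from the key used at time t, the keys used at
    times t-1, t-2, ..., 1 follow by hashing forward (index 0 is the key at t-1).
    Keys used after t are preimages of key_at_t and are not obtained this way."""
    exposed, k = [], key_at_t
    for _ in range(t - 1):
        k = H(k)
        exposed.append(k)
    return exposed


def kerberos_like_session_key(long_term_key: bytes, transcript: bytes) -> bytes:
    """Symmetric case from the glossary: a session key derived from a long-term
    shared key (here HMAC over the recorded exchange) is recomputable by anyone
    who later learns the long-term key and has kept the transcript."""
    return hmac.new(long_term_key, transcript, hashlib.sha256).digest()


def demo(n: int = 10, t: int = 6) -> Dict[str, bool]:
    seed = b"constructed S/KEY seed, not a real secret"
    keys = skey_keys_in_use_order(seed, n)     # keys[0] used at t=1 ... keys[n-2] at t=n-1
    verifier = SkeyVerifier(seed, n)
    all_accepted = all(verifier.verify(k) for k in keys)
    replay_rejected = not verifier.verify(keys[0])   # old keys fail once the chain moved on

    compromised = keys[t - 1]                  # key used at time t leaks
    exposed = keys_exposed_by_compromise(compromised, t)
    prior_keys_exposed = exposed == list(reversed(keys[:t - 1]))
    future_keys_exposed = any(k in exposed for k in keys[t:])

    long_term = b"constructed long-term key shared with the KDC"
    transcripts = [b"constructed exchange %d" % i for i in range(3)]
    original = [kerberos_like_session_key(long_term, x) for x in transcripts]
    recovered_later = [kerberos_like_session_key(long_term, x) for x in transcripts]
    return {
        "all_keys_accepted": all_accepted,
        "replay_rejected": replay_rejected,
        "prior_keys_exposed": prior_keys_exposed,
        "future_keys_exposed": future_keys_exposed,
        "all_sessions_recovered_from_long_term_key": original == recovered_later,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```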
European Union sets free export of encryption products (fwd)
European Union sets free export of encryption products
Jelle van Buuren 22.05.2000

EU sets encryption free, USA protest

The European ministers of Foreign Affairs are expected to decide Monday to lift all barriers to the export of encryption software to countries outside the European Union. Till now, companies wanting to export encryption products had to ask for permission. The authorities first investigated if the buyer was 'secure'. Intelligence services also investigated the products, which made it possible to copy the keys or demand weakening of the encryption standard as a condition for approval. Decisions could drag on for months, which hampered the trade in encryption software.

Besides that, the European industry has asked repeatedly for secure and good encryption, as a condition to boost e-commerce. They want to develop, use and export their own encryption products, as there is mistrust towards American encryption products which are believed to be weakened by the American intelligence agencies, or have secret backdoors. According to the spokesman of commissioner Liikanen of the Information Society, secret services still can ask companies about the destination of their export: 'But they can't any longer block the export. Companies are allowed to export their encryption products without any interference of the intelligence community.'

link in message below to the rest of the story:

-- Forwarded message --
Date: Wed, 24 May 2000 06:42:56 + (GMT)
From: [EMAIL PROTECTED]
Reply-To: ISTF Discussion [EMAIL PROTECTED]
To: ISTF Discussion [EMAIL PROTECTED]
Subject: European Union sets free export of encryption products

For your information. Thanks to Slashdot.org for the link. http://www.heise.de/tp/english/inhalt/te/8179/1.html

Patrick Vande Walle
-- If you want to contribute to the Internet future, consider joining the Luxembourg chapter of the Internet Society http://woolly.org/isoclu
Xerox, Microsoft, XrML, ContentGuard, c.
Microsoft is funding an initiative at Xerox's Palo Alto Research Center on digital rights management. Lots of press hype available at their sites. They are touting an 'open' standard initiative called XrML, which is an attempt to harmonize digital rights syntax.

There is a lengthy web form located at: http://www.xrml.org/tech_xrml_form.asp which I guess allows one to download the XrML spec. Why they just couldn't post it on the site is beyond me - especially if they would like to characterize it as an open standard. It's easier to get PGP or an ISO standard. I filled in the form, and got this reply:

| Thanks for registering with XrML.org
| The XRML spec will be mailed to the e-mail address [EMAIL PROTECTED] within
| five business days.

I think one needs Adobe Acrobat version 4.05 to read the spec, according to a message posted on their webboard.

Some of the patents cited at the XrML (http://www.xrml/org) site:
http://www.patents.ibm.com/details?pn=US05715403__
http://www.patents.ibm.com/details?pn=US05638443__
http://www.patents.ibm.com/details?pn=US05634012__
http://www.patents.ibm.com/details?pn=US05629980__
RFC 2792 on Key and Signature Encoding for KeyNote (fwd)
from the RFC distribution list:

A new Request for Comments is now available in online RFC libraries.

RFC 2792
Title: DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System
Author(s): M. Blaze, J. Ioannidis, A. Keromytis
Status: Informational
Date: March 2000
Mailbox: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Pages: 7
Characters: 13461
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-angelos-keynote-dsa-rsa-encoding-01.txt
URL: ftp://ftp.isi.edu/in-notes/rfc2792.txt

This memo describes RSA and DSA key and signature encoding, and binary key encoding for version 2 of the KeyNote trust-management system.
Re: time dependant
Would this work? Maybe it's too simple.

1. A sends B an encrypted file.
2. Sometime later, A sends B the decryption key.

I haven't had a chance to read all the links listed here, yet, due to the press of other matters. It does sound like an interesting problem, which may depend on a Trusted Third Party, which we know doesn't exist, or launching rocket ships, which is costly. I was just thinking that if it is OK to trust oneself to later send the key, then that might work, modulo an accident or personal lapse.

-- pj

re: subject - it is, of course, 'dependent' with e three times, no a.

On Wed, 8 Mar 2000 [EMAIL PROTECTED] wrote:

I think the secret sharing direction as Raph has described below is indeed the most reasonable way to solve this problem. In fact, for a long time, I've considered such a `secure long term archive` one of the important applications to the work we've been doing on Proactive security, which takes secret sharing forward by periodically refreshing the shares. (BTW, this is where I have a huge problem with Cryptonomicon!!) Here are some relevant works:

For reference to most works on proactive security see our `proactive security homepage` at http://www.hrl.il.ibm.com/Proactive/index.html. For an easy overview see R. Canetti, R. Gennaro, A. Herzberg and D. Naor. Proactive Security: Long-term protection against break-ins. CryptoBytes RSA Laboratories Newsletter, August 1997.

To see how to keep the clocks synchronized in such mobile adversary setting... ask me, it's a new result and we haven't put it in the site yet - hope to do it soon.

To see how to keep the storage requirements reasonable see:
Krawczyk, H., "Secret Sharing Made Short" Advances in Cryptology -- CRYPTO 93 Proceedings, Lecture Notes in Computer Science Vol. 773, Springer-Verlag, D. R. Stinson, ed., 1993, pp. 136-146.
Krawczyk, H., "Distributed Fingerprints and Secure Information Dispersal", Proceedings of the Twelfth Annual ACM Symposium on Principles of Distributed Computing (PODC'93), 1993, pp. 207-218.

Here are two papers addressing exactly the time-release crypto problem:

M. Kudo, "Distributed Time-Key Cryptosystem By Using Three-Party Timestamping Protocol," IBM Research Report, RT5141, 1998. http://net55.trl.ibm.com/kudo/Publication/ResRep1/crypto.pdf
Note: I hope the above URL is on the Internet and not our Intranet... also I believe Kudo-san and colleagues have a follow-on paper in which they actually claim proactive security but I need to dig this up (it appeared in some crypto conf in Singapore very late in 1999, not CCS, was it AsiaCrypt?). I'm copying Kudo-san so he can send us (or at least me) the exact reference...

Conditional Oblivious Transfer and Timed-Release Encryption
Giovanni Di Crescenzo, Rafail Ostrovsky, and S. Rajagopalan
Computer Science Department, University of California San Diego, http://www.argreenhouse.com/papers/rafail/42.ps

Best Regards, Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research Lab in Haifa (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

Raph Levien [EMAIL PROTECTED] on 08/03/2000 00:09:11
Please respond to Raph Levien [EMAIL PROTECTED]
To: "Cryptography" [EMAIL PROTECTED]
cc: "Arrianto Mukti Wibowo" [EMAIL PROTECTED] (bcc: Amir Herzberg/Haifa/IBM)
Subject: time dependant

mukti wrote:
I want to know whether there is a crypto building block which doesn't allow someone to open an encrypted message before a certain date.

The way I'd do this is to split up the encryption key with a shared secret scheme, then give the shares to a number of trusted third parties, who agree to release the shares at the agreed-upon time and no sooner. If they all decide to cheat on their agreement, then you lose, although if the fraction over your threshold decide to stay honest, then you win even if the rest cheat. It sounds like there might be a business in this. It's relatively straightforward to implement, and there don't seem to be any excruciatingly difficult issues of trust and policy, just whether or not the trusted third party is going to follow the agreement.

Raph
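Raph's split-the-key design, as an added example that is not any poster's or product's code: Shamir (k, n) sharing of a decryption key over a prime field, plus a toy trustee model in which shares are released only at an agreed time and some trustees cheat, so the key comes back exactly when at least k honest trustees release. The field prime 2^255-19, the Trustee class and the integer clock are assumptions.

```python
import secrets

# Added example, not any poster's or product's code: Shamir (k, n) sharing of a
# decryption key plus a toy trustee model for timed release. Field prime,
# Trustee class and the integer clock are assumptions for illustration.

P = 2**255 - 19          # prime field; keys of up to 31 bytes fit below P


def _poly_eval(coeffs, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):           # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, n: int, k: int):
    """Any k of the n shares recover the key; k-1 shares reveal nothing about it."""
    secret = int.from_bytes(key, "big")
    if not 1 <= k <= n or secret >= P:
        raise ValueError("bad threshold or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the shares given."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


class Trustee:
    """Holds one share and releases it at or after `release_at`, unless it cheats."""

    def __init__(self, share, release_at: int, honest: bool = True):
        self.share, self.release_at, self.honest = share, release_at, honest

    def release(self, now: int):
        if self.honest and now >= self.release_at:
            return self.share
        return None


def timed_release(trustees, now: int, k: int, key_len: int):
    """Collect released shares; the key comes back only once k are in hand, so
    up to n-k cheating or unavailable trustees are tolerated."""
    got = [s for s in (t.release(now) for t in trustees) if s is not None]
    if len(got) < k:
        return None
    return recover_secret(got[:k]).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(16)                     # the file's decryption key
    shares = split_key(key, n=5, k=3)
    trustees = [Trustee(s, release_at=100, honest=i < 3) for i, s in enumerate(shares)]
    assert timed_release(trustees, now=99, k=3, key_len=16) is None    # too early
    assert timed_release(trustees, now=100, k=3, key_len=16) == key    # 3 honest suffice
    print("key released on time despite two cheating trustees")
```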
US congressman blasts China crypto policy
Beijing slammed over encryption --- A United States Congressman has criticised new encryption regulations released by Beijing, calling them a major invasion of privacy against computer users worldwide, including US citizens. "It's time for the Chinese Government to support the privacy of its citizens instead of invading it, and to create an environment in which electronic commerce can flourish," Republican Robert Goodlatte said in the international equivalent of a "dear colleague" letter. rest of the news story: http://www.technologypost.com/enterprise/Daily/2209104156615.asp
Re: The problem with Steganography
On Tue, 25 Jan 2000, Rick Smith wrote:

. . . .

For example, many stego implementations involve embedding data in the low order bits of a graphical image. Those low order bits undoubtedly have some measurably non-random statistical properties. Once we replace those bits with data, the bits will have seriously random statistical properties. So, we can detect stego'ed data if the implementation uses any well known strong encryption algorithm.

Why disturb the measurably non-random statistical properties of the low order bits? No one says you have to use your crypto output straight, without 'bluing', so to speak. What if we replace every nth lower order bit, and make n relatively large? Message carrying capacity is reduced, but it becomes harder to see (guess) that a message is hidden there.

I wonder if stego users will have to choose between uncrackable encryption or undetectable data. Or extreme inefficiency?

Rick.
[EMAIL PROTECTED]
Re: The problem with Steganography
I think this is a security model issue. Steganography is useful if there is some out of band communication ahead of time. If there is no way to let the receiving party know that he or she will be receiving a hidden message, and how to retrieve it, then steganography isn't useful. Without the knowledge of where the message is and how to retrieve it, the intended recipient and the attacker are both prevented from reading it.

In some situations, steganography can be usefully employed, but it isn't a panacea for all secure communication applications. The 'problem' is not with steganography, but with trying to apply it outside of a security model that permits it.

On 25 Jan 2000, lcs Mixmaster Remailer wrote:

The problem with Steganography is that there's basically no way to clue people in to its location without clueing everyone into it.

That's not a problem. By definition, successful steganography is undetectable even when you know where to look. Otherwise the steganography has failed.

Encryption is successful if the attacker can't find information about the plaintext without the key. Ideally, he can't answer questions about the plaintext any better with access to the ciphertext than without.

Steganography is successful if the attacker can't distinguish message-holding data from ordinary data without the key. Ideally, he can't guess whether a message is present any better upon inspecting the cover data than he could without being able to see it.

With this model there is no problem in making everyone aware of where to look for cover traffic with stego data in it.
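The statistical point running through both stego posts, as an added example that is not from Rick Smith or either reply: a constructed 8-bit cover whose least-significant-bit plane is deliberately non-uniform, ciphertext-like bits written into every sample or only every n-th one, and the pairs-of-values chi-square statistic a steganalyst would compute on each version. The cover model, the even/odd bias and the sample sizes are assumptions.

```python
import random
from collections import Counter

# Added example, not from either post: a constructed 8-bit "image" with a
# biased LSB plane, LSB embedding at every sample or every n-th sample, and the
# pairs-of-values chi-square statistic used to spot equalised LSBs.
# Cover model, bias and sample counts are assumptions.


def make_cover(n_samples: int, rng: random.Random):
    """Constructed cover: values near 128, most forced even, so the LSB plane
    carries structure the way real image data does."""
    samples = []
    for _ in range(n_samples):
        v = max(0, min(255, int(rng.gauss(128, 40))))
        if rng.random() < 0.6:
            v &= 0xFE
        samples.append(v)
    return samples


def embed_lsb(samples, bits, every_n: int):
    """Overwrite the LSB of every `every_n`-th sample with one message bit."""
    out = list(samples)
    for pos, bit in zip(range(0, len(out), every_n), bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return out


def capacity_bits(n_samples: int, every_n: int) -> int:
    """Message bits that fit when only every n-th sample is used."""
    return (n_samples + every_n - 1) // every_n


def pov_chi_square(samples) -> float:
    """Pairs-of-values statistic over the histogram: full LSB embedding makes
    the counts of 2i and 2i+1 nearly equal, driving this toward ~127 (its
    degrees of freedom); an untouched cover scores far higher."""
    h = Counter(samples)
    stat = 0.0
    for i in range(128):
        a, b = h[2 * i], h[2 * i + 1]
        m = (a + b) / 2
        if m > 0:
            stat += (a - m) ** 2 / m
    return stat


def run_experiment(n_samples: int = 20000, seed: int = 7):
    """Statistic for the cover and for embedding at every 1st, 8th and 64th sample."""
    rng = random.Random(seed)
    cover = make_cover(n_samples, rng)
    bit_rng = random.Random(seed + 1)            # stands in for ciphertext bits
    results = {"cover": pov_chi_square(cover)}
    for every_n in (1, 8, 64):
        bits = [bit_rng.getrandbits(1) for _ in range(capacity_bits(n_samples, every_n))]
        results[every_n] = pov_chi_square(embed_lsb(cover, bits, every_n))
    return results


if __name__ == "__main__":
    for label, stat in run_experiment().items():
        print(f"{label!s:>6}: chi-square {stat:8.1f}")
    # Sparser embedding keeps the statistic near the cover's value (harder to
    # detect) at the price of 1/n of the capacity.
```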
Re: How old is TEMPEST? (was Re: New Encryption Regulations have other gotchas)
By 1970-71 the US Air Force was testing its own facilities for emanations, and as a low grade enlisted person with a Top Secret/Crypto clearance, I was allowed to see the results of a test conducted against a facility where I worked. The site used KY-8's and KY-28's, and we thought we were very secure. The people in the Tempest van read us like a book, having picked up signals on the way to KY's. I got the impression Tempest was fairly well institutionalized by then, at least in the USAF, and that some of the old hands had seen this before.

I can't recall whether the term 'Tempest' itself was an acronym, although most sources now say it was not (e.g., online computer dictionary) but these sources could be wrong.

On Mon, 24 Jan 2000, Arnold G. Reinhold wrote:

Regarding the question of how far back TEMPEST goes, I took a look at David Kahn's "The Codebreakers" which was copyrighted in 1967. TEMPEST is not listed in the index. However I did find the following paragraph in a portion of the chapter on N.S.A. that discusses efforts to improve the US State Department's communications security (p. 714):

"... the department budgeted $221,400 in 1964 for 650 KW-7's. ... The per-item cost of $4,500 may be due in part to refinements to prevent inductive or galvanic interaction between the key pulses and the plaintext pulses, which wire tappers could detect in the line pulse and use to break the unbreakable system through its back door."

This would be the electro-mechanical equivalent of TEMPEST and suggests that NSA was well aware of the compromising potential of incidental emanations long before the computer communications era.

Another useful data point would be earliest reports about the BBC's system for detecting unlicensed television receivers. That system used vans equipped to detect a TV's local oscillator, but may well be an offshoot of emanations intelligence research.

Arnold Reinhold
Re: Cryptic Crypto Rules Uncloaked
On Tue, 23 Nov 1999, Robert Hettinga wrote: (quoting an article in _The Standard_ by Keith Perine)

. . . .

For years, the U.S. government, led by FBI director Louis Freeh, has argued that the U.S. must keep a tight lid on the export of data-scrambling products that guard information transmitted via the Internet.

Well, at least as far as my recollection goes, the US position certainly pre-dates Louis Freeh, Bill Clinton, and George Bush. Don't most of these regulations at least go back as far as NSDD 145*, which I think was on Reagan's watch, and there were probably other, less visible, restrictions before that. Just a minor point in the great sweep of things, but the current administration didn't start any of this, they're just guilty of perpetuating it. Some newsie should do a story that traces US crypto restrictions back to their origins.

. . . .

Among industry's concerns: How the regulations will define retail products and government entities. Direct exports to foreign governments are more tightly controlled than retail sales. And, even under the new regulations, direct sales to seven nations that the U.S. says are guilty of state-sponsored terrorism - including Cuba, Iraq and Syria - are forbidden outright.

Maybe I'm missing something here, but don't representatives of almost all countries shop regularly in New York, Miami, L.A., etc., where they have missions and embassies and that sort of thing? Does anyone suppose the clerks in retail stores are even going to know about, let alone help enforce, export rules on commercial software products? This seems pretty stupid, or naive, at least. Maybe the stuff won't be shipped directly there, but what's the point if you can buy it over the counter and then send it yourself?

..

* I think I have the number wrong on the US National Security Defense Directive, but it was something like 1455 or 1445. It would be in Kahn's book, probably.
Key sizes paper published
Bruce Schneier noted in the latest 'Crypto-Gram' a paper on key sizes written by Arjen Lenstra and Eric Verheul: http://www.cryptosavvy.com The paper explains the methods used to arrive at various estimates. One interesting note is the expected weakness of the US Digital Signature Standard (DSS) - it is recommended for commercial applications only until about 2002 (for the field size) and about 2013 for hashes. They also note that NIST is working on a replacement of the DSS with longer key sizes. The Crypto-Gram newsletter is at: http://www.counterpane.com/labs.html
Re: White House Report: Preserving America's Privacy in the Next Century
On Fri, 17 Sep 1999, Robert Hettinga wrote:

skipping over the Industrial Revolution and the Louisiana Purchase

We must also recognize the inherent security risks posed by the spread of and dependence on "open systems" and ready accessibility. The Defense Department's situation is typical.

Making open, publicly-reviewed systems readily accessible is a security goal, not a threat. We all benefit from the use of open source software that is reviewed by anyone that wants to look at it, anytime they want to look at it, without any NDAs or other restrictions.
Re: Why did White House change its mind on crypto?
On Fri, 17 Sep 1999, Greg Broiles wrote:

. . . .

What scares me is the possibility that there won't even be an argument about whether or not a particular clump of ciphertext decodes to a particular bit of plaintext because I don't think it'll be possible to cross-examine prosecution witnesses about the way that they came into possession of what's purported to be plaintext. They won't need to say how they came into possession of the plaintext, because that would reveal their methods

. . . .

Would the courts allow the prosecution to admit evidence without recognizing the right of cross-examination of witnesses or examination of evidence and its provenance? I helped defend a case in law school (as a clerk; I couldn't practice yet) that involved a wiretap, and the FBI and US Attorney's Office had to give us copies of the tapes, and the phone records, and everything. That was twenty years ago, but I don't think things have changed that much. Then again, I have never been involved with a case where secret government information gathering was an issue bearing on a significant piece of evidence.

I'd be interested to hear from anyone that has seen how courts would react in similar situations - where the prosecution attempts to introduce evidence but 'can't say' where it came from or how they happened to have it.
Re: plausible CAPI recovery designs (Re: FW: Cryptonym...)
On Thu, 9 Sep 1999, Adam Back wrote:

This general area of discussion -- software modification authentication -- is a bit fuzzy: if you can modify the software you can patch out the check of the signature (a correctly placed NOP is known to do it).

One of the things SET had right was including the fingerprint of the next (replacement or fallback) key in the cert. It would seem to be a simple matter to implement the way they did with the SET spec. The next key, of course, has to be stored securely.
(a snippet from) Edupage, 18 June 1999 (fwd)
* Edupage is a service of EDUCAUSE, an international nonprofit association dedicated to transforming education through information technologies. *

. . . .

PANEL VOTES TO RESTRICT SCRAMBLING TECHNOLOGIES
The House Commerce telecommunications subcommittee has approved a measure to prohibit the export of encryption technologies that would be used to aid drug trafficking, sexual exploitation, and organized crime. The provisions were added to an existing House bill that would allow the export of encryption products that are already on the market in foreign countries. The existing bill already restricted exports of products that would be used to aid terrorism or unauthorized military use, but the amendments added new categories to the list that critics say are much too broad. "The Mafia uses automobiles to make their getaways," says Rep. Edward Markey (D-Mass.). "We don't want to ban automobiles." (Baltimore Sun 06/17/99)

. . . .

* COPYRIGHT INFORMATION
News abstracts Copyright 1999, Information Inc., Bethesda, MD
Edupage Copyright 1999, EDUCAUSE *
Re: Assigning Roles to Strangers
On Wed, 2 Jun 1999 [EMAIL PROTECTED] wrote:

We are investigating the use of public key certificates, either x509, SPKI or other, to establish trust among two `strangers` (parties without a prior long term relationship). We will appreciate any feedback, and are looking forward to serious parties interested in pilot deployments. Please see our site http://www.hrl.il.ibm.com/TrustEstablishment, and in particular the paper: Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers

Best Regards, Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research - Haifa Lab (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

The function of the 'collector' seems to be dependent upon a secure DNS or some way of authenticating the sites which are visited to collect the missing certs. I have only made a quick pass through the document and I may have missed something important. If the collector acts on URLs then it is subject to spoofing and inherent weaknesses in the DNS.

The message above seems to indicate that different forms of certificates may be used, the paper itself indicates X.509v3 only. I'm not keen on X.509, for some of the same reasons that led to the development of SPKI, but I don't want to light off another religious battle on BER encoding and ASN.1 and etc. I'll send some comments on that for 66 Swiss francs.

In the example,

|! Second rule : a hospital recommended by at least 2 hospitals, and
|there is no warning about it from any hospital
|---
| <RULE>
|  <INCLUSION ID="reco" TYPE="Recommendation" FROM="hospitals" REPEAT=2></INCLUSION>
|  <EXCLUSION ID="warn" TYPE="Warning" FROM="hospitals"></EXCLUSION>
|  <FUNCTION>

how does the 'exclusion' work without an exhaustive search of all hospital issuers or collectors? Is there a central global repository of 'warnings' in this example, like CRLs?

I read the description of the 'exclusion' tag, but it escapes me how that would work in a practical sense. Is it the same thing as saying there are no certificates anywhere where issuer = hospital that contain a warning about the subject hospital? Does it mean that if there is a warning found in the local database or in certs we have already collected, then the subject hospital is excluded? It would seem in a policy like the one in the example, that an affirmative action would be required on the part of the TE to go and see if there are any warnings, anywhere, that relate to that hospital. Similar to a CRL?

Based on a first reading, you seem to have taken elements from some of the better work being done and applied them in potentially interesting ways. I'll read it over again in the daylight.

-- pjp
Hushmail reviews?
The Hushmail website (https://www.hushmail.com/) notes that the service was reviewed by security experts and it seems at first glance to have some interesting features. Source code for the Java is available for review, too. Any views on this? tech overview: https://www.hushmail.com/tech_description.htm
winnowing and chaffing app
From NewsScan, which is sort of a follow-on thing from the people who used to do Edupage (John Gehl and Suzanne Douglas):

. . . .

ARCOT PLANS TO OUTSMART SMART CARDS
Internet startup Arcot Systems is advocating a new approach to buying over the Internet. Arcot's software authenticates transactions that can be sent to any PC with a Web browser, eliminating the need for extra equipment such as "smart card" readers. The technology uses an approach known as "chaffing and winnowing," whereby the important information (a user's password) is hidden in unrelated gibberish in order to protect it. "It's like protecting your house by hiding a million keys under your doorstep," says a security expert who's studied the system. "Only you know which is the right one." Arcot plans to give away the PC software, while selling the server programs to companies that process confidential data, such as medical or financial records. (Wall Street Journal 25 May 99) http://wsj.com/

. . . .

Copyright 1999. NewsScan Daily (R) is a publication of NewsScan.com, which also produces Innovation Weekly, covering trends, strategies and innovations in business and technology.

They have a website with some press releases and other things dated May 25, 1999 at: http://www.arcot.com. They have a testimonial from Bruce Schneier and they reference Prof. Rivest's paper on chaffing and winnowing.
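Rivest's chaffing and winnowing, which the story cites, as an added example that is not Arcot's software or the paper's code: each message bit goes out as two packets, one "wheat" packet carrying a valid MAC and one chaff packet carrying the opposite bit under a random tag, so only the holder of the MAC key can winnow the stream; nothing is encrypted. The shared key, the 64-bit tag length and the packet layout are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not Arcot's product or Rivest's code: bit-by-bit chaffing and
# winnowing. Sender and receiver share only a MAC key. Key, tag length and
# packet layout are assumptions for illustration.

MAC_LEN = 8   # 64-bit tags, as in Rivest's description


def mac(key: bytes, serial: int, bit: int) -> bytes:
    msg = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def chaff(key: bytes, data: bytes, rng=secrets.SystemRandom()):
    """For every bit position emit two packets (serial, bit, tag): the wheat
    carries a valid MAC, the chaff the opposite bit and a random tag. The pair
    is shuffled so packet order reveals nothing."""
    packets = []
    for serial, bit in enumerate(to_bits(data)):
        pair = [(serial, bit, mac(key, serial, bit)),
                (serial, 1 - bit, secrets.token_bytes(MAC_LEN))]
        rng.shuffle(pair)
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets) -> bytes:
    """Keep only packets whose MAC verifies; everything else is chaff."""
    kept = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, serial, bit)):
            kept[serial] = bit
    return from_bits([kept[s] for s in sorted(kept)])


def looks_ambiguous(packets) -> bool:
    """What an eavesdropper without the key sees: both bit values for every serial."""
    seen = {}
    for serial, bit, _ in packets:
        seen.setdefault(serial, set()).add(bit)
    return all(bits == {0, 1} for bits in seen.values())


if __name__ == "__main__":
    key = b"constructed-shared-mac-key"      # constructed sample key
    stream = chaff(key, b"hi there")
    print(len(stream), "packets on the wire, ambiguous to a third party:", looks_ambiguous(stream))
    print("winnowed with the key:", winnow(key, stream))
    print("winnowed without it:", winnow(b"wrong-key", stream))
```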