Re: GPS integrity

2000-05-10 Thread Steve Cook

A company called Certified Time offers secure NIST-based time data and has
many unkind things to say about the integrity of GPS time signals. You
might find some useful references among the documents they have posted at
http://www.certifiedtime.com/site/repository/index.html


At 09:24 AM 5/8/00 +0300, [EMAIL PROTECTED] wrote:


I'm looking for info on GPS security, specifically, its integrity /
authentication mechanisms to protect against spoofing.
This is important since many systems assume GPS is a secure source of time
and location. (My interest in this began as we are completing a paper on
proactive secure clock synchronization, and figured we ought to compare
this to the approach of using GPS receivers to provide secure time.)

As recently discussed on this and other lists, the accuracy of commercially
available (civilian) GPS has recently been improved by the removal of the
Selective Availability degradation of the Coarse Acquisition (C/A) signal.
However, after (very limited) digging up some GPS papers/web sites, I
didn't find any mention of authentication/integrity/anti-spoofing
mechanisms to the C/A signal. I did find a brief mention that the (still
encrypted) P/Y signal has some anti-spoofing mechanism; but I didn't see
any details on how that is done (such details may be confidential).

I'm interested in both the C/A and the P/Y integrity mechanisms. The
anti-spoofing of the P/Y signal is, to me, more of academical interest. I
find the C/A signal integrity more interesting as it is available for
commercial use. How hard is it to spoof it? Is there any real difficulty in
protecting its integrity? Or is it protected well?

Thanks for any help/info.

Best Regards,
Amir Herzberg

IBM Research Lab in Haifa (Tel Aviv Office)
http://www.hrl.il.ibm.com








Re: more re Encryption Technology Limits Eased

1999-09-16 Thread Steve Cook

When we got an export license for Stronghold earlier this year (don't ask),
the process consisted of filling out an application form listing the types
of encryption and ciphers supported, key sizes supported, etc., then
answering a few follow-up questions of that sort from some NSA staffer, and
then pestering them for 5 or 6 weeks until they provided a response. No
source code review. 

--Steve Cook

At 01:27 PM 9/16/99 -0700, Tom Weinstein wrote:
John Gilmore wrote:
 
 There's a vague and undefined term in the press leaks so far:
 
 One-Time Technical Review
 
 What does this mean?  It appeared in some early crypto liberalization
 bills floated in Congressional committees.

Based on my previous experience with the export process, here's what I think
this means:

  You have to tell the NSA what you're doing and let them think
  about it for a while.  You'll have to answer any questions they
  have, but they aren't likely to ask for source code.  It's not
  something you want to do the week before you ship.  It's a process
  that's likely to take a couple months and involve more than one
  face to face meeting with NSA people.

Of course it may mean something completely different.  I've been surprised by
what the NSA does more often than not.


--
Steve Cook   e-mail: [EMAIL PROTECTED]
C2Net Software, Inc.   http://www.c2.net/
1440 Broadway, Suite 700   fax: 510-986-8777
Oakland, CA 94612 USA  tel: 510-986-8770 Ext. 312




Re: VeriSign OK'd for strong-crypto exports (was Re: ECARM NEWS for March 10,1999 Second Ed.)

1999-03-11 Thread Steve Cook

VeriSign received permission to issue VeriSign's Global Server ID digital
server certificates to several, fairly broad categories of users located in
any of the 44 listed countries. This permission was granted under the BXA's
recently-issued license exception "ENC".

This same license exception is available for most crypto products; C2Net
recently received an "ENC" export license for our Stronghold web server.
Stronghold is made outside the US, so it's available worldwide even without
the export license, but we had to get a license for it so VeriSign could be
allowed to issue GSID certs to sites running Stronghold.

GSID certs were announced last year by VeriSign and Netscape. Microsoft
quickly followed with their equivalent "Server Gated Crypto". These systems
use special certs to switch regular 40-bit "export grade" browsers into
128-bit mode. (Obviously, the browsers must be designed to recognize the
certs and must have 128-bit code built in. All Netscape and MSFT "export"
browsers released since early last year have this facility.)

Web sites wishing to conduct secure e-commerce with non-US based customers
are the primary audience for the GSID certs. Companies can also use GSID
certs on intranet servers to provide secure access from their non-US sites.

The beauty of the system is that it's already built into most of the
browsers currently in use around the world, so it's completely transparent
for the end user. VeriSign has a real lock on this; the problem for
competitive CA's is that the system requires a corresponding root cert be
installed in the browser. VeriSign's have been distributed with the
browsers for over a year now. In theory, a user could install a new root
cert upon visiting a site for the first time, but few e-commerce sites are
interested in putting off potential customers with such a procedure. For
this reason, VeriSign can get away with charging $895 per year for GSID
certs as opposed to $349 for regular certs.

The downside of the GSID scheme is that the certs expire annually, and
companies who rely on them are at the mercy of whatever rule changes might
be made in the future (mandatory escrow of the private key for the GSID
cert comes to mind). The GSID certs are hopefully a temporary "solution"
and it would be best to discourage anyone from relying on them too much.

C2Net's SafePassage Web Proxy is an alternative solution, but it must be
downloaded and installed by the end user. Fortify is another solution,
basically a patcher that "upgrades" export-grade Netscape browsers to run
128-bit crypto but it likewise requires active effort by the end user.
Ultimately, widespread use of Cryptozilla or other full-strength browsers
is the best solution.


At 02:50 PM 3/11/99 -0500, Richard D. Murad wrote:
Does anybody know if any "strings" were attached to this?

Rick Murad

At 07:02 PM 3/10/99 -0500, Robert Hettinga wrote:
At 2:00 PM -0500 on 3/10/99, [EMAIL PROTECTED] wrote:


 Title: VeriSign OK'd for strong-crypto exports
 Resource Type: News Article
 Date: March 8, 1999, 12:10 p.m. PT
 Source: CNET News.com
 Author: Bloomberg News
 Keywords: EXPORT CONTROL, ENCRYPTION, SOFTWARE, GOVT APPROVAL

 Abstract/Summary:
 VeriSign, a top maker of encryption software that keeps online
 transactions secure, said it was given approval by the government
 to sell strong versions of its software outside the United States,
 sending its shares to a record high.

 VeriSign said the Commerce Department's Bureau of Export
 Administration gave approval for it to sell 128-bit data
 encryption technology to overseas subsidiaries of U.S. companies,
 online merchants, and health-care and insurance organizations.


 Original URL: http://www.news.com/News/Item/0,4,33447,00.html?pfv

 Added: Tue  Mar  0 9:0:0 22:2 1999
 Contributed by: Keeffee

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--
Steve Cook   e-mail: [EMAIL PROTECTED]
C2Net Software, Inc.   http://www.c2.net/
1440 Broadway, Suite 700   fax: 510-986-8777
Oakland, CA 94612 USA  tel: 510-986-8770 Ext. 312
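
The step-up decision described in the GSID message above (a special cert, plus a matching root already built into the browser), as an added example that is not part of the original thread and is not any browser's own code. It assumes the special certs are recognized by the published Netscape and Microsoft step-up extended-key-usage OIDs; the root name and the sample byte strings are constructed for illustration.

```python
# Added illustration: simplified model of the browser-side step-up check.
SGC_EKUS = {
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for one short-form DER element."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("content runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    x = min(arcs[0] // 40, 2)              # first arc packs 40*X + Y
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def eku_oids(ext_value):
    """List the OIDs in an extendedKeyUsage value (SEQUENCE OF OID)."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("non-OID element in EKU")
        oids.append(decode_oid(body))
    return oids

def step_up_allowed(ext_value, issuer_root, stepup_roots):
    """Step up to 128-bit only for a special cert under a built-in step-up root."""
    return issuer_root in stepup_roots and any(o in SGC_EKUS for o in eku_oids(ext_value))

# Constructed sample data; the root name is a hypothetical label.
STEPUP_ROOTS = {"Example Step-Up Root"}
GSID_EKU = bytes.fromhex("3015" "06082b06010505070301" "0609" "6086480186f8420401")
PLAIN_EKU = bytes.fromhex("300a" "06082b06010505070301")
```

The second condition is the one the message singles out: a certificate carrying the right usage OID still gets no step-up unless its root is already in the browser's built-in set.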