Re: Linux-based wireless mesh suite adds crypto engine support
At 03:25 PM 9/30/04 -0700, John Gilmore wrote:

> Crypto hardware that generates random numbers can't be tested in production in many useful ways. My suggestion would be to XOR a hardware-generated and a software-generated random number stream. If one fails, whether by accident, malice, or design, the other will still randomize the resulting stream. Belt AND suspenders will keep your source of randomness from being your weakest link.

A good idea, but also: consider that hardware-based RNGs are not so hard to make. An FM radio soundcard, audio digitizer, and some homebrew (perhaps standard-crypto-hash-based) software suffices for moderate bandwidth true RNG construction. Using an evaluation metric like Diehard and/or a Shannon or Maurer entropy measure ices the cake (as well as being required for initial and continuing monitoring). (Insert the usual caveats about PRNGs being undetectable, OS subversion, white vans driving your FM hiss, etc.)

Very cheap and, if you can master a hash function component, not tricky. Obviously too much trouble for Joe Sixpack, but I think that certain online gambling houses (not US of course) have made their own sources, and definitely not too hard for anyone who codes and has crypto-clue. OTOH Joe can benefit from his radio-tuner card plus off-the-shelf inspectable software since he ought not to trust Bigcorp's embedded nominal RNG.

Joe Sixpack might also be an abbreviation for a foreign government. Should the Pakis really trust Intel's RNG?

PS: your belts and suspenders argument also applies to trusting cipher algorithms. Best to chain a few. Also useful to twiddle a few S-box bits, even if you get suboptimal properties, so as to deter cheap crackers using COTS cipher chips. (Doing dictionary regexp search, not the impractical exhaustive search, of course.) This works particularly well in large random-S-box constructs like Blowfish (et al) compared to the more spartan (thus degradable) DES S-boxes.

The weakest link will be bipedal for the foreseeable future.

36 Laurelwood Dr Irvine CA 92620-1299
VOX: (714) 544-9727 (home)
mnemonic: P1G JIG WRAP
ICBM: -117.7621, 33.7275
PGP PUBLIC KEY: by arrangement
Send plain ASCII text not HTML lest ye be misquoted. Really.

-- 
"Don't 'sir' me, young man, you have no idea who you're dealing with" -- Tommy Lee Jones, MIB

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Linux-based wireless mesh suite adds crypto engine support
> From: John Gilmore [EMAIL PROTECTED]
> Sent: Sep 30, 2004 6:25 PM
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: Linux-based wireless mesh suite adds crypto engine support
>
> Crypto hardware that does algorithms can be tested by periodically comparing its results to a software implementation. Production applications should probably be doing this -- maybe 1% of the time.

I think the need for interoperability constrains the ability for a crypto module to implement some weak algorithm in place of AES or 3DES. Unless the designer can know which encrypted messages have to be handled by someone else's non-hacked module, he can't safely do this.

> Crypto hardware that generates random numbers can't be tested in production in many useful ways. My suggestion would be to XOR a hardware-generated and a software-generated random number stream. If one fails, whether by accident, malice, or design, the other will still randomize the resulting stream. Belt AND suspenders will keep your source of randomness from being your weakest link.

I'll note that this is supported two separate ways in the (in progress) X9.82 standard.

a. A standard way to produce a random bit generator with a guaranteed fallback to computational security is to XOR the outputs of some good hardware generator with the outputs of a crypto PRNG (aka DRBG in X9.82-ese).

b. Any approved random bit generator can always be combined with an unapproved generator by XORing. The only security requirement here is that the unapproved generator be independent of the approved one.

All that said, though, it's far from clear how you monitor this in the standard crypto environment, since you usually take great pains to make it hard for anyone to get key material out of the tamper-resistant modules. You provide the random value to XOR into the RNG output, and the module says "Thanks, I XORed it in. Trust me."

Or, you demand the random value from its RNG, XOR in your own, but now you've exposed the key outside the tamper-resistant module, which introduces a whole different set of problems. I'm sure there are some clever crypto protocol ways to address this (basically, do a zero-knowledge proof of the value of the random number you used in deriving the key), but I have a hard time thinking this is at all practical.

John

--John Kelsey
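The XOR combiner Gilmore proposes and Kelsey says X9.82 supports, together with the Shannon entropy measure the earlier reply mentions as a monitoring metric, as an added example that is not from either post: a simulated hardware source (healthy or stuck) is XORed with an illustrative hash-counter software generator, an entropy check flags the failed chip, and the independence requirement from X9.82 option (b) is shown by feeding the combiner a second stream that merely copies the first. The hash-counter generator, the 7.9-bit threshold and the `hardware_source_*` stand-ins are assumptions for this example, not an X9.82 DRBG or real chip.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-ins for the two generators (assumed here for illustration).
def hardware_source_ok(n: int) -> bytes:
    """Healthy hardware RNG stand-in; os.urandom plays the role of the chip."""
    return os.urandom(n)

def hardware_source_stuck(n: int) -> bytes:
    """Failed hardware RNG: by accident, malice or design it emits only zeros."""
    return b"\x00" * n

def software_drbg(seed: bytes, n: int) -> bytes:
    """Illustrative hash-counter generator, SHA-256(seed || counter); a stand-in
    for the crypto PRNG/DRBG of the post, not an X9.82 design."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor_combine(a: bytes, b: bytes) -> bytes:
    """Belt and suspenders: unpredictable if either input is, provided the two
    inputs are independent of each other."""
    if len(a) != len(b):
        raise ValueError("streams must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte histogram (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def health_ok(data: bytes, min_bits: float = 7.9) -> bool:
    """Continuous-monitoring check on a block of output: reject low entropy.
    Threshold assumed; a deployment would add a standard test battery."""
    return shannon_entropy_bits_per_byte(data) >= min_bits

if __name__ == "__main__":
    n = 1 << 16
    seed = os.urandom(32)  # software generator seeded independently of the chip
    for name, hw in (("healthy", hardware_source_ok), ("stuck", hardware_source_stuck)):
        raw, mixed = hw(n), xor_combine(hw(n), software_drbg(seed, n))
        print(f"{name} chip: raw ok={health_ok(raw)}, combined ok={health_ok(mixed)}")
    # Independence caveat: a "software" stream that copies the chip cancels it.
    chip = hardware_source_ok(n)
    print("dependent streams ok =", health_ok(xor_combine(chip, chip)))
```

The stuck chip fails the check on its own but the combined stream passes, while two dependent streams cancel to all zeros and fail, which is why X9.82 makes independence the one requirement.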
National IDs for everybody?
http://news.com.com/2102-1028_3-5395386.html?tag=st.util.print

CNET News
National IDs for everybody?
By Declan McCullagh
http://news.com.com/National+IDs+for+everybody/2010-1028_3-5395386.html
Story last modified October 4, 2004, 12:01 PM PDT

Rep. David Dreier wants to force all Americans to carry a national ID card around with them. The California Republican is not about to describe his new bill in those terms, but that's the reality.

Dreier's legislation would prohibit employers from hiring people unless the job applicants first obtain new federal ID cards with their photograph, Social Security number and an encrypted electronic strip with additional information. Any employer who fails to comply faces hefty fines and prison terms of up to five years.

Dreier is smart enough to realize that these federal IDs would be immediately forged, so he takes the next step of linking them to an employment eligibility database that's queried by card readers whenever the ID is swiped. The employment database is required to include all such data maintained by the Department of Homeland Security, combined with what the Social Security Administration has on file.

Most all bills die without the dignity of a floor vote. But Dreier is a rising star in the Republican Party with the influence to enact legislation quickly. As a chairman, he's one of the youngest to head the powerful House Rules Committee, not to mention acting as co-chair of Californians for Bush and chairman of Gov. Arnold Schwarzenegger's transition team. In 1998, his conservative voting record garnered a perfect 100 percent rating from the Christian Coalition--and a zero percent rating from the left-leaning Americans for Democratic Action. Last week, Dreier appeared on MSNBC as a Republican spokesman before the presidential debate.

The ostensible reason Dreier gives for a federal ID: curbing illegal immigration, the subject of a recent Time magazine cover story. "The explosion in counterfeit identity documents and employers who are unable or unwilling to establish the authenticity of documents presented by job applicants severely undermines our national security," Dreier said when introducing his bill, which he calls the Illegal Immigrant Enforcement and Social Security Protection Act.

The real reasons are slightly more complicated.

Tight re-election campaign

Dreier is used to commanding handsome victories at the polls every two years over his Democratic rivals. But since 1996, Dreier's re-election percentages have dipped below 60 percent a few times, and events in the last month slammed the powerful Republican with a series of embarrassing pre-Election Day setbacks.

First came allegations in the LA Weekly newspaper and the New York Post that Dreier, who has amassed a slew of anti-gay votes, is homosexual. Then two local talk show hosts, John Kobylt and Ken Chiampou of KFI-AM 640, became fed up with Dreier's stand on immigration. They organized a "Fire Dreier" rally on Sep. 15 on charges that illegal immigrants from Mexico have wreaked havoc on California's economy. Held outside Dreier's Glendora, Calif., office, it drew hundreds of protesters armed with signs and bullhorns who called for a "political human sacrifice," according to the Pasadena Star-News.

Conservative publications continued the attack--a worrisome sign for a Republican who won't deny wanting to be speaker of the House someday. WorldNetDaily columnist Jane Chastain wrote an article on Sept. 16 endorsing the Fire Dreier scheme: "It will leave congressmen, who have done little or nothing to help stem the tide of illegal immigrants, quaking in their boots."

The upshot? Just hours before the Fire Dreier protest, the embattled congressman informed the Claremont Kiwanis Club that he would introduce his national ID bill. Six days later, Dreier did just that.

The real problem with Dreier's plan is not that it creates an ID card. Driver's licenses do that today. But Dreier would create a back-end database for authentication purposes that could track whenever the ID is swiped. Just as the Social Security Number's uses grew, those readers would appear just about everywhere: banks, office buildings, supermarkets. Such a database would overflow with detailed records of all of our life's activities and create an irresistible temptation for misuse by corrupt officials or electronic intruders.

Dreier isn't alone. A Senate bill introduced last month in response to the 9/11 Commission's report would give the Department of Homeland Security unfettered power to regulate state drivers' licenses and ID cards. The House version takes a similar approach. Both measures say federal agencies will only accept licenses and ID cards that comply--a requirement that would affect anyone who wants
Re: IBM's original S-Boxes for DES?
Steven M. Bellovin wrote:

> It was only to protect against differential cryptanalysis; they did not know about linear cryptanalysis.

More accurately, they didn't protect against linear cryptanalysis - there is no way to know if they knew about it and either didn't want to make changes to protect against that (they weakened the key, so may have wished to keep *some* attacks viable against it to weaken it still further), had to choose (against *either* differential or linear, as they didn't know how to protect against both), or simply the people doing the eval on DES didn't know, as it was rated above their clearance level. We only have a single event to go from (that DES was indeed protected against one, not the other), so can't really judge motivation or knowledge.
Credentica Web site is up
--- begin forwarded text

From: Stefan Brands [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Credentica Web site is up
Date: Tue, 5 Oct 2004 13:55:30 -0400

Dear All,

This e-mail is to inform you that our corporate Web site at http://www.credentica.com is up. We welcome any suggestions for improvement, and encourage you to establish links to our home-page from your blogs, news postings, and Web sites!

Best regards,

Stefan Brands
Credentica
740 Notre Dame W, #1500
Montreal, QC
Canada H3C 3X6
Tel: +1 (514) 866.6000

PS Pages that may be of particular interest:
- http://www.credentica.com/about.php (overview of what we do and how we differ)
- http://www.credentica.com/solutions.php submenus (explanations of product benefits in key markets)
- http://www.credentica.com/the_mit_pressbook.php (the entire MIT Press book available for free download)

White papers and product data sheets are in preparation and will be posted in the next couple of months.

PPS The site is best viewed with a Javascript-enabled browser, and has been tested only with leading browsers.

--- end forwarded text

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Brands credential book online (pdf)
Stefan Brands' book on his credential / ecash technology is now downloadable in pdf format from Credentica's web site: http://www.credentica.com/the_mit_pressbook.php (previously it was only available in hardcopy, and only parts of the content were described in academic papers). Also the Credentica web site has gone live, with lots of content. Credentica is Stefan's company around digital credentials; ecash / anonymity news watchers may have seen some discussion of the Credentica startup company earlier this year.

Adam