QotD
found at http://webpages.charter.net/allanms/2004/07/instant-immortality.html

    "Amateurs study cryptography; professionals study economics."

(Bob Hettinga, this is your cue. :)

Udhay

-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Hacking tool 'draws FBI subpoenas'
http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/

Hacking tool 'draws FBI subpoenas'
By Kevin Poulsen, SecurityFocus (klp at securityfocus.com)
Published Thursday 25th November 2004 10:42 GMT

The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org.

"I may be forced by law to comply with legal, properly served subpoenas," wrote Fyodor, the 27-year-old Silicon Valley coder responsible for the port scanning tool, in a mailing list message. "At the same time, I'll try to fight anything too broad... Protecting your privacy is important to me, but Nmap users should be savvy enough to know that all of your network activity leaves traces."

Probably the most widely-used freeware hacking tool, Nmap is a sophisticated port scanner that sends packets to a machine, or a network of machines, in an attempt to discern what services are running and to make an educated guess about the operating system. An Nmap port scan is a common prelude to an intrusion attempt, and the tool is popular both with security professionals performing penetration tests, and genuine intruders with mischief in their hearts.

Last year Nmap crept into popular culture when the movie the Matrix Reloaded depicted Carrie-Anne Moss's leather-clad superhacker Trinity performing an Nmap portscan (http://www.theregister.co.uk/2003/05/16/matrix_sequel_has_hacker_cred/) on a power grid computer prior to hacking in.

But success comes with a price, and on Tuesday Fyodor felt the need to broach the sobering topic of FBI subpoenas with his users.

He advised his most privacy conscious users to use proxy servers or other techniques when downloading the latest version of Nmap if they want to ensure their anonymity.

In a telephone interview, Fyodor said the disclaimer wasn't prompted by any particular incident, and that he'd received less than half-a-dozen subpoenas this year. "It's not a huge number, but I hadn't received any before 2004, and so it's a striking new issue," he said.

None of the subpoenas produced anything, Fyodor says, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request has been narrowly crafted, usually directed at finding out who visited the site (http://www.insecure.org/) in a very short window of time, such as a five minute period. "They have not made any broad requests like, 'Give me anyone who's visited insecure.org for a certain day,'" he says.

Fyodor theorizes the FBI is investigating cases in which an intruder downloaded Nmap directly onto a compromised machine. "They assume that she might have obtained that URL by visiting the Nmap download page from her home computer," he wrote.

He confesses mixed feelings over the issue. "The side of me that questions authority is skeptical of these subpoenas," he told SecurityFocus. "The other side says, this may be a very serious crime committed ... and if I were the victim of such a crime I would probably want people to cooperate."

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Proving the correctness of a network encryption system test system
Alice has:

1. A system which does processing of encrypted network streams.

Alice wants the following from Bob:

2. A test system for the processing system in 1. This system is going to be used to decide if the processing system in 1 is working (processing) as it should.

3. A test system for the test system in 2. This system is going to be used to decide if the test system in 2 is working (testing) as it should.

4. A specification for the test system in 3. This specification shall contain explicit and well defined criteria for how to decide that the test system in 2 is working (testing) as it should.

So the question really is: how does Bob convince Alice that the test system in 2 works (tests) as it should? Alice does not need strict formal mathematical proofs for the correctness of 2, but neither is she going to be satisfied by hearing Bob (in his best Snake Oil voice) say: "Trust me, I know what I'm doing..."

Does anyone have any good pointers to information about problems like these?

Thanks in advance,

Fredrik Henbjork
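An added example, written for this page and not part of Fredrik's post or any product: one concrete shape that items 2, 3 and 4 can take, namely fault injection (mutation testing) against a toy stream processor. The test system (2) is validated (3) by showing that it accepts the real processor and rejects every deliberately defective variant on an explicit list (4). The record format, the HMAC-based keystream, the key and the list of defects are all constructed assumptions.

```python
"""Added example: fault injection as a check on a test system.

  system 1: process_record()         verifies a tag, then decrypts
  system 2: run_tests()              the test system for system 1
  system 3: validate_test_system()   checks that system 2 catches known defects
  system 4: MUTANTS                  the explicit criteria system 3 applies
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; not a real key
NONCE_LEN, TAG_LEN = 8, 32


def keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag_for(key, nonce, body):
    return hmac.new(key, nonce + body, hashlib.sha256).digest()

def make_record(key, nonce, plaintext):
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    body = xor(plaintext, keystream(key, nonce, len(plaintext)))
    return nonce + body + tag_for(key, nonce, body)

def split_record(record):
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    return record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]

def process_record(key, record):
    """System 1: reject a bad tag, otherwise return the plaintext."""
    nonce, body, tag = split_record(record)
    if not hmac.compare_digest(tag_for(key, nonce, body), tag):
        raise ValueError("bad tag")
    return xor(body, keystream(key, nonce, len(body)))


# Deliberately defective variants of system 1; each stands for one defect
# that the test system is required to detect.
def mutant_skip_tag_check(key, record):
    nonce, body, _ = split_record(record)
    return xor(body, keystream(key, nonce, len(body)))

def mutant_ignore_nonce(key, record):
    process_record(key, record)  # tag check intact, but the keystream is reused
    _, body, _ = split_record(record)
    return xor(body, keystream(key, bytes(NONCE_LEN), len(body)))

def mutant_no_length_check(key, record):
    if len(record) < NONCE_LEN + TAG_LEN:
        return b""  # silently accepts junk instead of rejecting it
    return process_record(key, record)

def mutant_variable_time_compare(key, record):
    nonce, body, tag = split_record(record)
    if tag_for(key, nonce, body) != tag:  # early-exit compare leaks timing
        raise ValueError("bad tag")
    return xor(body, keystream(key, nonce, len(body)))

MUTANTS = {
    "skip_tag_check": mutant_skip_tag_check,
    "ignore_nonce": mutant_ignore_nonce,
    "no_length_check": mutant_no_length_check,
    "variable_time_compare": mutant_variable_time_compare,
}


def rejects(processor, record, key=KEY):
    try:
        processor(key, record)
    except ValueError:
        return True
    return False

def run_tests(processor):
    """System 2: functional tests for a processor. Returns {test: passed}."""
    nonce, plaintext = b"\x01" * NONCE_LEN, b"constructed plaintext record"
    rec = make_record(KEY, nonce, plaintext)
    flipped = rec[:NONCE_LEN] + bytes([rec[NONCE_LEN] ^ 0x01]) + rec[NONCE_LEN + 1:]
    return {
        "roundtrip": processor(KEY, rec) == plaintext,
        "reject_tampered_body": rejects(processor, flipped),
        "reject_wrong_key": rejects(processor, rec, key=b"some-other-key"),
        "reject_truncated": rejects(processor, rec[:NONCE_LEN + 3]),
    }

def validate_test_system(tests):
    """System 3: the real processor must pass every test and each mutant must
    fail at least one. Returns {mutant: killed}; a survivor is a defect the
    test system cannot distinguish from correct behaviour."""
    if not all(tests(process_record).values()):
        raise AssertionError("test system rejects the correct processor")
    return {name: not all(tests(m).values()) for name, m in MUTANTS.items()}
```

Running validate_test_system(run_tests) kills the first three mutants and lets variable_time_compare survive: functional tests cannot see a timing leak, so the survivor is the honest answer to item 4. The specification has to state which defect classes the test system is expected to detect, and a mutant that survives either exposes a gap in the tests or is formally recorded as out of scope.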
MyKad too hi-tech to forge
http://thestar.com.my/news/story.asp?file=/2004/11/27/nation/9513530sec=nation

The Star Online News
Saturday November 27, 2004

MyKad too hi-tech to forge
BY JANE RITIKOS

KUALA LUMPUR: The National Registration Department has detected about 10 cases of forged MyKad issued to illegal immigrants in the country since it was introduced in 2001. However, the chips in the cards were not forged ones.

Its director-general Datuk Wan Ibrahim Wan Ahmad said those caught with the fake cards were Indonesians and Bangladeshis, who claimed they had paid about RM200 for the card. The fake cards looked like genuine ones except that the forgers could not duplicate the smart chip embedded in MyKad.

"The physical appearance of the card looks real but the chip, a vital component of the card, is functionless and cannot be used for transactions. This is because the features of the MyKad chip are so high-tech that they cannot be duplicated. Even if they could make a forged chip it has no data that is linked to our database," he said.

Wan Ibrahim also said the chip in the fake MyKad was not readable. "We don't believe the chip can ever be forged. The information in our chip has data and biometric features," he said.

The MyKad chip stores information of the cardholders including their identity cards, driving licences, passports and health data.

Wan Ibrahim said there were also those caught with fake MyKad which had their laminated sheet tampered with to alter the physical details and picture. When these cards are read, the identity of the bearer is that of someone else. These included those who were checked at the Immigration checkpoints at the airport.

"At a glance the cards looked real," he added.
I'm sorry, I haven't a clue
http://www.guardian.co.uk/print/0,3858,5072953-103390,00.html

The Guardian | Comment

I'm sorry, I haven't a clue
However cracked they may be, our fascination for codes remains

Mark Lawson
Saturday November 27, 2004
The Guardian

The discovery of a code at Shugborough Hall, in Staffordshire - O.U.O.S.V.A.V.V - that may disclose the location of the holy grail has been widely compared to Dan Brown's super-selling novel The Da Vinci Code. This Shugborough cryptograph - on which old Bletchley Park codebreakers have been working - is seen as life imitating art, but the relationship between popular fiction and reality is more often the reverse. Novels sell well because they reflect our times: art imitating life, if often in heavy disguise.

The biggest-selling novels of the 70s - Jaws and The Godfather - concerned shadowy forces, fish and criminal, beneath the surface of society. We can now see that these tales reflected the menaces to the American way from the cold war, Vietnam and Watergate. Similarly, the millions drawn in Britain at the same period to the animal epic Watership Down were drawn by a sentimental regret that our traditional way of life was being swamped by modernity.

So, if bestselling books contain hidden messages about our times, then The Da Vinci Code, having cryptography as both content and method, may be the ultimate popular fiction. We can guess that the reason Brown's book has sold in such quantities is that we live surrounded by codes and puzzles that we fear may be broken (such as our computer and digital communications), or that we fear will not be (Osama bin Laden's instructions to his followers, the "big wedding" in America that turned out to be 9/11). It's the same instinct - of fear and fascination with encryption - that leads people to read both The Da Vinci Code and the newspaper stories about a supposed clue to the holy grail.

And, coincidentally, a new non-fiction book reveals that one of the world's most famous figures believes that a secret code gives meaning to his life. The Pope in Winter, by John Cornwell, discusses John Paul II's conviction that his attempted assassination in 1981 had been predicted by an apparition of Christ's mother speaking to Portuguese children in 1917.

But the lesson of both the Shugborough puzzle and the Pope's divine code is that predictive cryptography - as distinct from practical code-breaking, such as the Enigma work at Bletchley - works better in fiction than fact. The problem for code-breakers is that they are often forced to assume that a setter sophisticated with letters or numbers would be sloppy with grammar and spelling. Hence, notoriously, Nostradamus, credited by some fans with predicting the rise of a German tyrant called "Hister", must be assumed to have had massive predictive powers but limited dictionary skills.

So it is with Shugborough's O.U.O.S.V.A.V.V sequence. Cryptologists suggest that the letters can be made to say the Hebrew phrase "Why Feather Curve" or, in Latin, "Best wife, best sister, widower most loving vows virtuously". But both interpretations feel like the kind of sentence you end up with after failing to solve a puzzle, rather than what you would begin with in setting one - a code consists of language to be broken, but it's not clear why it would be rooted in broken English.

A similar application of linguistic imprecision to an art that should be precise is the Pope's assumption of the Third Secret of Fatima. This final dictation given to the Portuguese children by their shimmering vision was sealed by the Vatican for many decades, leading to much prediction that it contained the date of the end of the world. There were rumours of popes fainting when they took the envelope out of their library. At the turn of the millennium, John Paul II decided to break the code.

He revealed that the long-suppressed message foresaw that "a man in white" would "fall to the ground". He was convinced that these words anticipated his shooting in Rome. In fact, as Cornwell's book points out, you have to arm-lock the prophecy to get this reading. The seer in Portugal predicted that the white-clad man would be killed by a group of soldiers who fired bullets and arrows at him. Numerous civilians would also die in the attack.

This raises the Nostradamus problem: why would someone with the ability to tell the story of the future be shown such a corrupted narrative? The need for codebreakers to ignore the bits that don't fit is why such puzzles are most satisfying in novels where, unusually, both the cipher and the solution are provided by the same mind and therefore must match. The prophecies of Nostradamus have always sold well, but The Da Vinci Code is Nostradamus without the bits that have proved to be embarrassingly wrong.

Those who believe that the road to the holy grail leads from a stone at Lord Lichfield's family home should crack this code: T1BEM. The M, if it helps, is minute.
ACLU concerned that microchip passports won't be encrypted
http://www.indystar.com/articles/5/197851-1715-P.html

The Indianapolis Star

ACLU concerned that microchip passports won't be encrypted
Associated Press
November 27, 2004

WASHINGTON -- The Bush administration opposes security measures for new microchip-equipped passports that privacy advocates contend are needed to prevent identity theft, government snooping or a terrorist attack, according to State Department documents released Friday.

The passports would emit radio waves that could be read electronically from as far away as 30 feet, according to the American Civil Liberties Union, which obtained the documents under a Freedom of Information Act request.

The ability to remotely read personal data raises the possibility that passport holders would be vulnerable to identity theft, the ACLU said. It also would allow government agents to find out covertly who was attending a political meeting or make it easier for terrorists to target Americans traveling abroad, the ACLU said.

Frank Moss of the State Department said the United States wants to ensure the safety and security of Americans traveling abroad. But encrypting the data might make it more difficult for other countries to read the passports, Moss said.

All new U.S. passports issued by the end of 2005 are expected to have a chip containing the owner's name, birth date, issuing office and a biometric identifier -- a photo of the owner's face.
RSA Implementation in C language
Hi,

Can anybody tell me where I can get an implementation of RSA algorithm in C language? I searched for it, but could not locate one. I would be grateful to you if you could give me the location of the source code.

Thanks and Regards,
Sandeep
Some Secret: Open House, Open Bar
Must have passed some kinda big supplemental.

Cheers,
RAH

---

http://www.washingtonpost.com/ac2/wp-dyn/A8583-2004Nov23?language=printer

The Washington Post
washingtonpost.com

Round-Trip or One-Way Tickets?
By Al Kamen
Wednesday, November 24, 2004; Page A19

Some Secret: Open House, Open Bar

Remember a while back when it came out that intelligence agencies such as the National Security Agency -- the supersecret spy crowd -- did not have the resources to keep up with the flood of intercepts to be able to translate terrorists' chatter on a timely basis? This naturally caused a big fuss, and Congress pledged big bucks to get the spooks up to speed.

Seems to have worked out fine, judging from an invite we got to attend an open house Dec. 7 at the National Cryptologic Museum behind the Shell station at Fort Meade. Lots of fine finger food to be had, including a brie en croute with brown sugar and pecans, some Swiss cheese and chablis stuffed mushroom caps, a bit of roast turkey with cranberry mayo and mini pumpkin cheesecakes. Our very fine invite with the NSA gold-embossed seal notes "Open bar."

Must have passed some kinda big supplemental.
SSL/TLS passive sniffing
Hi all,

I'm a bumbling crypto enthusiast as a sideline to my other, real, areas of security expertise. Recently a discussion came up on firewall-wizards about passively sniffing SSL traffic by a third party, using a copy of the server cert (for, eg, IDS purposes).

There was some question about whether this is possible for connections that use client-certs, since it looks to me from the spec that those connections should be using one of the Diffie Hellman cipher suites, which is obviously not vulnerable to a passive sniffing 'attack'. Active 'attacks' will obviously still work. Bear in mind that we're talking about deliberate undermining of the SSL connection by organisations, usually against their website users (without talking about the goodness, badness or legality of that), so "how do they get the private keys" isn't relevant.

However, I was wondering why the implementors chose the construction used with the RSA suites, where the client PMS is encrypted with the server's public key and sent along - it seems to make this kind of escrowed passive sniffing very easy. I can't think why they didn't use something based on DH - sure you only authenticate one side of the connection, but who cares? Was it simply to save one setup packet?

Anyone know?

Cheers,
ben
Re: RSA Implementation in C language
http://www.homeport.org/~adam/crypto/

On Mon, Nov 29, 2004 at 01:47:05PM +0530, Sandeep N wrote:
| Hi,
|
| Can anybody tell me where I can get an implementation of RSA
| algorithm in C language? I searched for it, but could not locate one.
| I would be grateful to you if you could give me the location of the
| source code.
Re: SSL/TLS passive sniffing
Ben raises an interesting thought:

> There was some question about whether this is possible for connections that use client-certs, since it looks to me from the spec that those connections should be using one of the Diffie Hellman cipher suites, which is obviously not vulnerable to a passive sniffing 'attack'. Active 'attacks' will obviously still work. Bear in mind that we're talking about deliberate undermining of the SSL connection by organisations, usually against their website users (without talking about the goodness, badness or legality of that), so "how do they get the private keys" isn't relevant.

We have the dichotomy that DH protects against all passive attacks, and a signed cert protects against most active attacks, and most passive attacks, but not passive attacks where the key is leaked, and not active attacks where the key is forged (as a cert). But we do not use both DH and certificates at the same time, we generally pick one or the other.

Could we however do both?

In the act of a public key protected key exchange, Alice generally creates a random key and encrypts that to Bob's public key. That random then gets used for further traffic.

However could one do a Diffie Hellman key exchange and do this under the protection of the public key? In which case we are now protected from Bob aggressively leaking the public key. (Or, to put it more precisely, Bob would now have to record and leak all his traffic as well, which is a substantially more expensive thing to engage in.)

(This still leaves us with the active attack of a forged key, but that is dealt with by public key (fingerprint) caching.)

Does that make sense?

The reason I ask is that I've just written a new key exchange protocol element, and I thought I was being clever by having both Bob and Alice provide half the key each, so as to protect against either party being non-robust with secret key generation. (As a programmer I'm more worried about the RNG clagging than the key leaking, but let's leave that aside for now...)

Now I'm wondering whether the key exchange should do a DH within the standard public key protected key exchange? Hmmm, this sounds like I am trying to do PFS (perfect forward secrecy).

Any thoughts?

iang
RE: RSA Implementation in C language
Admittedly somewhat old and creaky, but try Googling RSAREF. I don't know where that stands for IP rights (presumably we still have copyright), but for research it's a starting point.

Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sandeep N
Sent: Monday, November 29, 2004 3:17 AM
To: [EMAIL PROTECTED]
Subject: RSA Implementation in C language

> Hi,
>
> Can anybody tell me where I can get an implementation of RSA algorithm in C language? I searched for it, but could not locate one. I would be grateful to you if you could give me the location of the source code.
>
> Thanks and Regards,
> Sandeep
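An added example for the RSA thread above, written for this page; it is not the RSAREF code or the homeport.org code the replies point to. It shows the pieces any RSA implementation (in C or otherwise) has to provide: a probable-prime test, prime generation, a modular inverse and modular exponentiation, here on Python's native big integers so the arithmetic is not hidden behind a bignum library. The 512-bit modulus is a constructed demo size, not a recommendation, and the raw encrypt/decrypt is textbook RSA; the last function demonstrates the malleability that is the reason real implementations add padding such as OAEP.

```python
"""Added example: textbook RSA primitives on Python big integers."""
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512, e=65537):
    """Returns ((n, e), (n, d)) with d = e^-1 mod lcm(p-1, q-1)."""
    half = bits // 2
    while True:
        p, q = random_prime(half), random_prime(half)
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p != q and math.gcd(e, lam) == 1 and (p * q).bit_length() == bits:
            return (p * q, e), (p * q, pow(e, -1, lam))


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def encrypt_bytes(pub, data):
    return encrypt(pub, int.from_bytes(data, "big"))


def decrypt_bytes(priv, c, length):
    return decrypt(priv, c).to_bytes(length, "big")


def is_malleable(pub, m1, m2):
    """Textbook RSA is multiplicatively homomorphic: E(m1)*E(m2) == E(m1*m2).
    Anyone who sees E(m) can forge E(2m) without the key, which is why
    unpadded RSA is never used directly for messages."""
    n, _ = pub
    return encrypt(pub, m1) * encrypt(pub, m2) % n == encrypt(pub, m1 * m2 % n)
```

A C port of the same thing is mostly the bignum work: the structure (sieve by small primes, Miller-Rabin, inverse of e modulo lcm(p-1, q-1), then pow) is what RSAREF and similar libraries implement, plus the padding and constant-time handling this example deliberately leaves out.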
SSL/TLS passive sniffing
Ian Grigg writes:

> I note that distinction well! Certificate based systems are totally vulnerable to a passive sniffing attack if the attacker can get the key. Whereas Diffie Hellman is not, on the face of it. Very curious...

No, that is not accurate. Diffie-Hellman is also insecure if the private key is revealed to the adversary. The private key for Diffie-Hellman is the private exponent. If you learn the private exponent that one endpoint used for a given connection, and if you have intercepted that connection, you can derive the session key and decrypt the intercepted traffic.

Perhaps the distinction you had in mind is forward secrecy. If you use a different private key for every connection, then compromise of one connection's private key won't affect other connections. This is true whether you use RSA or Diffie-Hellman. The main difference is that in Diffie-Hellman, key generation is cheap and easy (just an exponentiation), while in RSA key generation is more expensive.
Re: SSL/TLS passive sniffing
>> Ian Grigg writes:
>>
>> I note that distinction well! Certificate based systems are totally vulnerable to a passive sniffing attack if the attacker can get the key. Whereas Diffie Hellman is not, on the face of it. Very curious...
>
> No, that is not accurate. Diffie-Hellman is also insecure if the private key is revealed to the adversary. The private key for Diffie-Hellman is the private exponent. If you learn the private exponent that one endpoint used for a given connection, and if you have intercepted that connection, you can derive the session key and decrypt the intercepted traffic.

I wasn't familiar that one could think in those terms. Reading here:

http://www.rsasecurity.com/rsalabs/node.asp?id=2248

it says:

    In recent years, the original Diffie-Hellman protocol has been understood to be an example of a much more general cryptographic technique, the common element being the derivation of a shared secret value (that is, key) from one party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the protocol, as in the original Diffie-Hellman protocol.

It seems the compromise of *either* exponent would lead to solution.

> Perhaps the distinction you had in mind is forward secrecy. If you use a different private key for every connection, then compromise of one connection's private key won't affect other connections. This is true whether you use RSA or Diffie-Hellman. The main difference is that in Diffie-Hellman, key generation is cheap and easy (just an exponentiation), while in RSA key generation is more expensive.

Yes. So if a crypto system used the technique of using Diffie-Hellman key exchange (with unique exponents for each session), there would be no "lazy passive attack", where I am defining the lazy attack as a once-off compromise of a private key.

That is, the attacker would still have to learn the individual exponent for that session, which (assuming the attacker has to ask for it of one party) would be equivalent in difficulty to learning the secret key that resulted and was used for the secret key cipher.

iang
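An added example covering the whole SSL/TLS sniffing thread above (Ben's question about the RSA suites, Ian's DH-under-RSA question and the forward-secrecy reply); it is written for this page and is not code from any of the posters or from an SSL implementation. It puts the two key-exchange shapes side by side with a passive sniffer that holds a copy of the server's long-term private key, and then shows what a leaked ephemeral exponent buys instead. Assumptions, all constructed for the demo: a tiny textbook-RSA server key (92-bit modulus from two Mersenne primes, no padding) for the RSA key-transport case, SHA-256 standing in for the TLS PRF, and the server's signature over its ephemeral DH value omitted because it changes nothing about what a passive sniffer can compute. The DH group is the 1024-bit MODP group 2 from RFC 2409, used only because it is a public, checkable constant, not because it is a current recommendation.

```python
"""Added example: RSA key transport vs ephemeral DH against a passive sniffer."""
import hashlib
import secrets

# RFC 2409 group 2 prime (public constant), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

# Constructed server RSA key: far too small for real use, fine for mechanics.
SERVER_N = ((1 << 31) - 1) * ((1 << 61) - 1)
SERVER_E = 65537
SERVER_D = pow(SERVER_E, -1, ((1 << 31) - 2) * ((1 << 61) - 2))


def session_key(secret):
    """Stand-in for the TLS PRF: derive a session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")).hexdigest()


def rsa_key_transport():
    """RSA cipher suites: the client picks the premaster secret and encrypts it
    to the server's public key. Returns (key, wire); wire is what a sniffer on
    the path records."""
    premaster = secrets.randbits(80)  # below SERVER_N, so textbook RSA applies
    return session_key(premaster), {"encrypted_premaster": pow(premaster, SERVER_E, SERVER_N)}


def sniff_rsa(wire, server_d):
    """Passive attacker holding a copy of the server's private key: recovers the
    premaster secret, and so the session key, from the recording alone."""
    return session_key(pow(wire["encrypted_premaster"], server_d, SERVER_N))


def dhe_exchange():
    """DHE cipher suites: both sides pick fresh exponents; the server's long-term
    key only signs g^s. Returns (key, wire, s). s is returned solely so the
    example can show what a leaked ephemeral exponent buys; it is never sent."""
    s, c = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ys, yc = pow(G, s, P), pow(G, c, P)
    assert pow(yc, s, P) == pow(ys, c, P)  # both sides derive the same secret
    return session_key(pow(yc, s, P)), {"ys": ys, "yc": yc}, s


def sniff_dhe(wire, server_d=None, ephemeral_exponent=None):
    """Passive attacker against DHE. The server's long-term private key buys
    nothing (server_d is accepted only to make that point); one endpoint's
    ephemeral exponent yields that one session's key and no other."""
    if ephemeral_exponent is None:
        return None  # would need the discrete log of ys or yc in the group
    return session_key(pow(wire["yc"], ephemeral_exponent, P))
```

Run against a recording, sniff_rsa with SERVER_D recovers every RSA-suite session, while sniff_dhe with the same key recovers nothing and with a leaked exponent recovers exactly the one session that exponent was used for. That is the "lazy passive attack" distinction in the thread: the escrowed long-term key is a once-off compromise under RSA key transport, whereas under ephemeral DH the attacker needs per-connection material, which is equivalent in cost to obtaining the session key itself.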