Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Anne & Lynn Wheeler
Ed Gerck wrote:
> Depends on your use. An X.509 identity cert or a PGP cert
> can be made as secure as you wish to pay for. The real
> question, however, that is addressed by the paper is
> how useful are they in terms of email security? How do
> you compare them and which one or which product to choose
> from? What are the trade-offs?

i've periodically written on security proportional to risk ... small sample
http://www.garlic.com/~lynn/2001h.html#61

then the issue is what security are you interested in and what are the
threat models and corresponding countermeasures.

in the security pain model

P .. privacy
A .. authentication
I .. integrity
N .. non-repudiation

you may need authentication and integrity (say from digital signature)
but not necessarily privacy/confidentiality.

in normal ongoing email, there is a lot of repeated stuff and/or
out-of-band stuff ... that makes certificates redundant and superfluous
... they are targeted at the letters of credit/introduction paradigm
from the sailing ship days. certificates basically are representations
of some certifying process performed by a certification authority. the
integrity and security of the certificate itself may have absolutely
nothing to do with the integrity and security of the certification
business process ... minor drift in sci.crypt
http://www.garlic.com/~lynn/2005u.html#9 PGP Lame question

furthermore, the whole complexity and series of processes involved in a
PKI-based infrastructure may have the certificates themselves totally
redundant and superfluous because the recipient has numerous other
indicators that they know who it is that they are dealing with. the
introduction of PKI and certificates in such an environment may
actually create greater vulnerabilities ... since it may convince the
recipient to trust the PKI operation more than they trust their own,
direct knowledge ... and the PKI operation opens up more avenues of
compromise for the attackers.

... there is even a slightly related article that i ran across yesterday:

An Invitation to Steal; The more you automate your critical business
processes, the more vigilant you need to be about protecting against
fraud
http://www.cio.com.au/index.php/id;1031341633;fp;4;fpid;18

.

the other issue in digital signature based operation is that it is a
part of 3-factor authentication
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

where the fundamental linchpin for the whole operation is the protection
and confidentiality of the private key. unfortunately almost all digital
signature operations tend to talk about the integrity and security of
the PKI operation and its certificates ... when they should be talking
about the integrity and security of the private keys and the
integrity and security of the digital signing environment.

i've sporadically gone so far as to assert that the focus on the
integrity and security of PKI and certificates results in obfuscating
the fundamental integrity and security issues with private keys and
digital signing environments (aka long before anybody is talking about
the integrity of the certificates ... they should have resolved that the
private keys are only available in hardware tokens of known and specific
integrity characteristics).

The whole PKI and certificate operation having a design point of
resolving first time interaction between complete strangers (as in the
letters of credit/introduction paradigm from sailing ship days) and
should come after the basic underlying infrastructure issues involving
trusted communication between two entities has first been resolved
(whether it is first time communication between complete strangers or
not ... which then can be layered on top of a sound infrastructure that
has its fundamental operations already resolved).

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
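
Added example (not part of the original post): a model of the point above that a certificate can lead a recipient to trust the PKI operation more than their own direct knowledge of a correspondent's key. The Repository class, the defer_to_ca switch, the certificate layout and the name ExampleCA are assumptions, and Lamport one-time signatures stand in for a real signature scheme so the code runs on the Python standard library alone.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signatures: a stdlib-only stand-in for a real signature
# scheme. Each key pair in this example signs exactly one message.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)
    return sk, pk

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(H(s) == pk[64 * i + 32 * bit: 64 * i + 32 * bit + 32]
               for i, (bit, s) in enumerate(zip(_bits(msg), sig)))

def tbs(cert):
    """Bytes the CA signs: the name-to-key binding (hypothetical layout)."""
    return b"\0".join([cert["name"].encode(), cert["issuer"].encode(),
                       cert["pubkey"]])

class Repository:
    """A relying party's local trusted public key repository."""
    def __init__(self):
        self.direct = {}  # correspondent -> key learned first-hand
        self.cas = {}     # CA name -> CA public key

    def check(self, sender, msg, sig, cert=None, defer_to_ca=False):
        known = self.direct.get(sender)
        if known is not None and verify(known, msg, sig):
            return "accept: key known from prior relationship"
        if cert is None or cert["name"] != sender:
            return "reject: no usable key for sender"
        ca_key = self.cas.get(cert["issuer"])
        if ca_key is None or not verify(ca_key, tbs(cert), cert["sig"]):
            return "reject: certificate does not verify"
        if not verify(cert["pubkey"], msg, sig):
            return "reject: message signature does not verify"
        if known is None:
            return "accept: first contact, certificate is all we have"
        if defer_to_ca:
            # The CA's statement outranks the recipient's direct knowledge.
            return "accept: certificate overrides known key"
        return "hold: certificate conflicts with known key"

def demo():
    # Constructed scenario: "bank" is a long-standing correspondent whose key
    # the recipient already holds; a second key for the same name later
    # arrives inside a certificate that verifies under a trusted CA key.
    bank_sk, bank_pk = keygen()
    ca_sk, ca_pk = keygen()
    other_sk, other_pk = keygen()
    repo = Repository()
    repo.direct["bank"] = bank_pk
    repo.cas["ExampleCA"] = ca_pk
    newcomer = Repository()            # no prior relationship with "bank"
    newcomer.cas["ExampleCA"] = ca_pk
    cert = {"name": "bank", "issuer": "ExampleCA", "pubkey": other_pk}
    cert["sig"] = sign(ca_sk, tbs(cert))
    real, other = b"statement ready", b"new payment instructions"
    other_sig = sign(other_sk, other)
    return {
        "genuine": repo.check("bank", real, sign(bank_sk, real)),
        "deferring": repo.check("bank", other, other_sig, cert, defer_to_ca=True),
        "pinned": repo.check("bank", other, other_sig, cert),
        "stranger": newcomer.check("bank", other, other_sig, cert),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10} {verdict}")
```

Only the "stranger" case is the first-contact situation the letters of credit/introduction paradigm addresses; in the "pinned" case the recipient's own record of the key takes precedence and the conflict is surfaced instead of silently resolved in the certificate's favour.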


Re: Countries that ban the use of crypto?

2005-12-08 Thread Joseph Ashwood
- Original Message - 
From: "Jörn Schmidt" <[EMAIL PROTECTED]>

Subject: Re: Countries that ban the use of crypto?



[China bans cryptography]


I'm not going to out anyone on this, but even a quick search of Skype finds 
quite a few individuals who make use of cryptography in China. So I strongly 
suspect that there is a great deal of lenience on that front. In fact, I 
have it on dependable authority that there are a number of places in China 
where the only IM system that functions is Skype.


I have no doubt that China does place controls on it, and it has been 
published a few places that their telecom industry has a particular distaste 
for Skype, but it appears that there is more to it.
   Joe 






Re: Countries that ban the use of crypto?

2005-12-08 Thread Peter Gutmann
Jörn Schmidt <[EMAIL PROTECTED]> writes:

>However, there are only two countries, to the best of my knowledge, that
>outright ban cryptography: Russia and China. And even that's only a de-facto
>ban since both only require individuals to obtain a license to use
>cryptography in any way, shape or form. From what I have heard, it's nearly
>impossible for your average Joe to actually be issued such a license.

You also have to remember that the severity of Russian law is compensated for
by its non-mandatoryness.  Those who care enough about complying (banks and so
on) shouldn't have much trouble getting the necessary license, everyone else
just goes ahead and uses crypto and no-one cares.

Peter.



Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread James A. Donald
--
James A. Donald:
> > We can, and should, compare any system with the
> > attacks that are made upon it.   As a boat should
> > resist every probable storm, and if it does not it
> > is a bad boat, an encryption system should resist
> > every real threat, and if it does not it is a bad
> > encryption system.

Aram Perez
> I'm sorry James, but you can't expect a (several
> hundred dollar) rowboat to resist the same probable
> storm as a (million dollar) yacht.

Software is cheaper than boats - the poorest man can
afford the strongest encryption, but he cannot afford
the strongest boat.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 /RDdl4GaftLppriBOAhXkSmzUWuV9JdpELHaG+Yq
 4IZIPBnHPpNQYioKOhKdPdh6q6NwgwGDlLnbikvmA




Re: Countries that ban the use of crypto?

2005-12-08 Thread Peter Gutmann
Lee Parkes <[EMAIL PROTECTED]> writes:

>A colleague of mine is locked in a battle with a client about the use of NULL
>ciphers for OpenSSL. The client claims that he has/wants to allow NULL
>ciphers so that people in countries that ban the use of crypto can still use
>the website. My colleague wants to know if there is a list of such countries
>that he could use.

I've had a similar debate with banking users who only wanted integrity
protection and didn't care about confidentiality (or at least they didn't want
to invest the CPU time to provide confidentiality, since for their application
it wasn't warranted).

Peter.



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-08 Thread Bill Stewart

At 08:05 PM 12/2/2005, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this
> list use or have used online banking.


I've used it for about a decade at my credit union,
and I've had my paychecks deposited directly for decades.
There are things I absolutely won't do,
like have a debit card attached to the account,
or have companies authorized to take money out directly,
or have electronic checks of various sorts taken out of the account.
Normally I don't do email with them (though nobody appears to have
noticed them as a phishing target), but I did have one time
I had to ask about a transaction, and they do that by email,
so I was able to trust the responses.

But for basic services where I tell them what to send to whom,
it's reliable, appears to be at least as secure as
the other risks to the account, and it means that the
basic payments I need to make every month happen automatically,
so I only have to pay attention to the occasional variable transaction.

I've also used account-based electronic gold services,
but only transactionally, so at most they end up with a couple dollars
worth of exchange-rate breakage in them, and there are some
non-account-based services that I've also used.
I won't use e-gold - not that their website is obviously insecure,
but for a while there was so much e-gold phishing that
I set my filters to automatically discard anything purporting
to be from them, which might interfere with doing real business.
On the other hand, they don't appear to state a policy of
always digitally signing all transactions, so I'm a bit concerned
beyond the more blatant phishing risks.

Thanks; Bill Stewart






Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread StealthMonger
"James A. Donald" <[EMAIL PROTECTED]> writes:

> ...  email should be sent by a direct connection from the client to
> the recipient mail server, rather than this store and forward crap.

This would eliminate the only available technique for strong anonymity
or pseudonymity.  Strong anonymity or pseudonymity cannot be achieved
if there is a direct connection from the sender to the recipient
because it can be traced.  For strong anonymity or pseudonymity, the
only available secure technology is anonymizing remailers with random
latency store and forward.



Re: [Clips] Diebold insider alleges company plagued by technical woes

2005-12-08 Thread Travis H.
Does anyone here have any links to voting system designs that use
cryptography to achieve their goals?  I'm curious what could be
achieved in that direction.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread James A. Donald
--
From:   Ed Gerck <[EMAIL PROTECTED]>
> Depends on your use. An X.509 identity cert or a PGP 
> cert can be made as secure as you wish to pay for.

Many users are already using MUAs that check signatures.
Why are phishing targets not already using signed mail? 

I conjecture that this is because true names don't really address the 
issue of true relationships.  Does anyone have any market research 
information as to why phishing targets generally send out plain mail?

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 CMjwBMx17XqegWEl4z+ZLdfTB+wFlQKrdm1516HH
 4/HqDwhTaKRygswyOmR+oP41kfEhib7KJwyxDDq3p





Re: Countries that ban the use of crypto?

2005-12-08 Thread Alexander Klimov
On Wed, 7 Dec 2005, Jörn Schmidt wrote:
>
> However, there are only two countries, to the best of my knowledge,
> that outright ban cryptography: Russia and China. And even that's only
> a de-facto ban since both only require individuals to obtain a license
> to use cryptography in any way, shape or form. From what I have heard,
> it's nearly impossible for your average Joe to actually be issued such
> a license.

This would make every computer user a criminal: default installations
of most *NIXes have openssh, Windows uses cryptography at least for
driver signatures, and in most cases there is an ssl implementation in
his browser. IANAL, but apparently there is no need to have a license
to *use* cryptography in Russia, but one does need a license to *offer*
cryptographic services ( for
):

On the licensing [... 2001-07-13 ... 2001-07-20 ...]

 activity in the propagation of cipher (cryptographic) means; activity
 in the maintenance of cipher (cryptographic) means; the assignment of
 services in the region of the coding of information; development, the
 production of the cipher (cryptographic) means, protected with the
 use of cipher (cryptographic) means of information systems,
 telecommunication systems; activity in the delivery of the
 certificates of the keys of electronic digital signatures,
 registration of the owners of electronic digital signatures, the
 rendering of the services, connected with the use of electronic
 digital signatures, and the confirmation of authenticity of
 electronic digital signatures; activity in the development of the
 electronic devices, intended for secret obtaining of information, in
 the accommodations and the technical equipment (with exception of the
 case, if the activity indicated it is achieved for guaranteeing its
 own needs of legal person or individual owner); activity in the
 development and (or) to the production of the means of protection of
 classified information; activity in the technical protection of
 classified information; development, production, realization and
 acquisition for purposes of sale of the special technical equipment,
 intended for secret obtaining of information, by individual owners
 and by legal persons, that achieve owner's activity;

Arguably, this is better than the situation that everybody can sell
crypto snake oil. BTW, AFAIK, even when the *use* of crypto was banned
in Russia (it was around 1995, IIRC) there was no penalty defined.

-- 
Regards,
ASK



Malicious chat bots

2005-12-08 Thread leichter_jerrold
[From Computerworld - see
http://www.computerworld.com/securitytopics/security/story/0,10801,106832,00.html?source=NLT_PM&nid=106832
]

   Security firm detects IM bot that chats with you

   Bot replies with messages such as 'lol no its
   not its a virus'

   News Story by Nancy Gohring

   DECEMBER 07, 2005
   (IDG NEWS SERVICE) - A
   new form of malicious instant-message bot is on the loose
   that talks back to the user, possibly signifying a
   potentially dangerous trend, an instant messaging security
   firm said.

   IMlogic Inc. issued the warning late yesterday after
   citing a recent example of such a malicious bot. On
   Monday, the company first published details of a new
   threat known as IM.Myspace04.AIM. Once the computer of an
   America Online Inc. IM user is infected, the bot sends
   messages to people on the infected user's buddy list,
   making the messages appear to come from the infected user.
   The user isn't aware that the messages are being sent. If
   recipients click on a URL sent with a message, they will
   also become infected and start spreading the virus.

   A bot is a program that can automatically interact with
   people or other programs. AOL, for example, has bots that
   let users ask questions via IM, such as directory queries,
   and the bot responds.

   The unusual part of this malicious bot is that it replies
   to messages. If a recipient responds after the initial
   message, the bot replies with messages such as "lol no its
   not its a virus" and "lol thats cool." Because the bot
   mimics a live user interaction, it could increase
   infection rates, IMlogic said.

   IMlogic continues to analyze this threat but so far it
   seems to only be propagating and not otherwise affecting
   users.

   An AOL spokesman said today that the company's IT staff
   has not yet seen the bot appear on its network. The
   company said it reminds its users not to click on links
   inside IM messages unless the user can confirm that he
   knows the sender and what is being sent.

   Some similar IM worms install spybots or keyloggers onto
   users' computers, said Sean Doherty, IMlogic's director of
   services in Europe, the Middle East and Africa. Such
   malicious programs record key strokes or other user
   activity in an effort to discover user passwords or other
   information.

   "What we're seeing with some of these worms is they vary
   quickly, so the initial one may be a probe to see how well
   it infected users, and then a later variant will be one
   that may put a spybot out," Doherty said. The initial worm
   could be essentially a proof of concept coming from the
   malware writers, he said.

   Computerworld staff writer Todd Weiss contributed to this
   article.



Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Aram Perez

On Dec 7, 2005, at 10:24 PM, James A. Donald wrote:


> --
> James A. Donald:
> > > We can, and should, compare any system with the
> > > attacks that are made upon it.   As a boat should
> > > resist every probable storm, and if it does not it
> > > is a bad boat, an encryption system should resist
> > > every real threat, and if it does not it is a bad
> > > encryption system.
>
> Aram Perez
> > I'm sorry James, but you can't expect a (several
> > hundred dollar) rowboat to resist the same probable
> > storm as a (million dollar) yacht.
>
> Software is cheaper than boats - the poorest man can
> afford the strongest encryption, but he cannot afford
> the strongest boat.


If it is that cheap, then why are we having this discussion? Why  
isn't there a cheap security solution that even my mother can use?


Respectfully,
Aram Perez




Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-08 Thread leichter_jerrold
On Wed, 7 Dec 2005, Bill Stewart wrote:
| At 08:05 PM 12/2/2005, [EMAIL PROTECTED] wrote:
| >You know, I'd wonder how many people on this
| >list use or have used online banking.
| 
| I've used it for about a decade at my credit union,
| and I've had my paychecks deposited directly for decades.
| There are things I absolutely won't do,
| like have a debit card attached to the account,
| or have companies authorized to take money out directly,
| or have electronic checks of various sorts taken out of the account.
Be aware that when you authorize direct deposit to your account, you are
also implicitly authorizing "direct withdrawal".  I found this out many
years ago when an employer accidentally issued paychecks for too much money.
My next bank statement showed the deposit, followed a day later by a
withdrawal to get back to the correct value.

Nothing on any direct deposit authorization form seems to mention this, and
I know of no way to block it - the authorizations are a unit, you can't
agree to one without the other.

Of course, first with check truncation by large institutions, and now
Check 21, the line between paper checks and electronic withdrawals has
become rather difficult to define.  In theory, you do have the same
recourse with electronically transferred checks (Check 21) that you did
with paper ones.  In practice, the copy you receive doesn't normally grant
you that level of recourse - you need an official copy (I forget the
actual term in the law), and unless you know to ask for it, your bank
won't give it to you.

Check truncation - where you send a check to a credit card company, say,
and it turns it into a direct withdrawal, so you don't even get a copy of
the check back - is even more problematic.  If, as has happened to me more
than once, they misread the value on the check (typically, the error is to
forget to add .00), yes, the same amount is credited to your card bill as
is debited from your bank account - but you could be hit up for interest
and various penalties.  The only proof of what the check really said is in
the hands of the credit card company - and I'm not even sure what their
obligations are in terms of retaining the image and making it available to
you.

I wonder if these new processes have given the various financial
institutions what they wanted, but could never get the courts to agree to,
eliminate for years:  Effectively destroying the legal enforceability of a
mark of "In full payment" on a check.*
-- Jerry

* If there is a pre-existing dispute between you and another party about
what you owe them, and you give them a check for the amount you claim they
owe that is marked "In Full Payment", if they cash it, they have legally
agreed that that check settles the dispute.  I've only had to use this
once, years back, when a landlord had for months "not gotten 'round to"
paying me a referral fee:  I took the referral fee out of my next month's
rent and marked it "In Full Payment".  I pointed this out to them, because
I didn't really want to go to court about this issue!  They refused to cash
the check, but by an amazing coincidence delivered my referral check a day
later and then asked me to replace the rent check.  This right remains
there - but if you can't get your hands on the check, it's very difficult
to enforce!



Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Ed Gerck

Anne & Lynn Wheeler wrote:

> i've periodically written on security proportional to risk ... small sample
> http://www.garlic.com/~lynn/2001h.html#61
>
> ...
> introduction of PKI and certificates in such an environment may
> actually create greater vulnerabilities ... since it may convince the
> recipient to trust the PKI operation more than they trust their own,
> direct knowledge ... and the PKI operation opens up more avenues of
> compromise for the attackers.


Regarding PKI, the X.509 idea is not just to automate the process of reliance
but to do so without introducing vulnerabilities in the threat model considered
in the CPS.

What's a bit of a struggle, still, is that many people do not fully realize
that the CPS is outside the scope of PKI. This is both a solution (makes the
X.509 effort independent of local needs) and a big problem, as CAs (writers
of the CPS) have the power to write almost anything they want, including
their notorious DISCLAIMER (where _near_ everything of value to the subscriber
is disclaimed, while _everything_ of value to the user is disclaimed).

That's why it's useful to compare X.509 / PKI, PGP, and IBE technologies
for secure email, to know what are the trade-offs.

By comparing the capabilities and faults of the secure email products
per technology used, these and other problems come up in the score card.

Cheers,
Ed Gerck



Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-08 Thread Anne & Lynn Wheeler

Ed Gerck wrote:
> Regarding PKI, the X.509 idea is not just to automate the process of
> reliance but to do so without introducing vulnerabilities in the threat model
> considered in the CPS.


but that is one of the points of the article that as you automate more 
things you have to be extra careful about introducing new 
vulnerabilities (of course a business operation will make claims that 
while they may have introduced enormous additional complexity and number 
of business processes ... that they are all perfect and have no 
vulnerabilities).


the issue of public key email w/o PKI ... is you have all the identical, 
same basic components that PKI also needs.


there is a local trusted public key repository and a method of getting 
keys into/out of that trusted public key repository. in the non-PKI 
case, the trusted public key repository contains public keys that are 
used to directly authenticate messages from other entities. in the PKI 
case, the trusted public key repository also contains public keys that 
are used to authenticate messages from a certification authority; these 
messages are called digital certificates. the digital certificates, in 
turn contain other public keys that can be used in authenticating 
messages from directly communicating entities.


the original PKI and digital certificate design point is the letters of 
credit/introduction (from the sailing ship days) ... addressing first 
time communication between two strangers.


that a large volume of email doesn't involve first time communication 
between two strangers that have no prior relationship ... and so one 
possible question is does a PKI operation ... does the little or no 
added value for such communication possibly offset the drastically 
increased amount of complexity and increased number of business 
processes (that also contribute to possible enormous increase in 
potential for vulnerabilities).


PKI is trying to offer some added value in first time communication 
between two strangers (say the bulk mailing advertising industry) ... 
and it is possibly acceptable the significant increase in business 
processes and complexity is justified in improving reliance in the bulk 
mailing advertising market segment. The question does the vast increase 
in business processes and complexity (with the possibility that the 
increased business processes and complexity also introduce significant 
new types of vulnerabilities) justify its use in the scenarios where 
first time communication between two strangers is not involved.


This is business process analysis of what goes on in a basic public key 
email operation ... aka all the public key operations and the entity's 
trusted public key repository ... and then showing where PKI 
incrementally adds business processes and complexity to that basic 
infrastructure ... certification authority public keys added to the 
trusted public key repository, these new kind of messages called digital 
certificates and the indirection between the certification authority's 
public key (in the entity's trusted public key repository) and the 
public key of the other entities communicated with.


The additional digital certificate verification technical steps that a 
PKI operation adds to a core fundamental public key email process (that 
directly has access to public keys of entities directly communicated 
with) ... also drags in the enormous amount of complexity and additional 
business processes that the certification authorities have to perform.


It is some of this other complexity and business processes that may be 
attacked ... as in my oft repeated description of a crook attacking the 
authoritative agency that a certification authority uses for the basis 
of its certification, and then getting a perfectly valid certificate.
The user (relying-party) then may have a perfectly valid public key for 
an entity that they've communicated with for years ... but this 
perfectly valid certificate (from a crook) now claims that the user must 
now automatically accept the crook's public key also as representing the 
same entity.


so a traditional risk/threat analysis ... would frequently analyze the 
basic components ... establish a baseline threat/vulnerability profile 
... and then consider what additional complexity does to 
the baseline. I assert that a simple public key email operation can 
establish a baseline w/o any digital certificates ... and then you 
consider what happens when the baseline has digital certificates added
(which then also drags in all the business process vulnerabilities that 
may exist at the certification authority ... and all dependencies that 
the certification authority has). we had to sort of look at this sort 
of stuff when we were asked to work with this small client/server 
startup that wanted to do payment transactions on their server

http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

and we had to go arou