Re: Not everyone knows about strong crypto...

2006-04-19 Thread mis
and a second data point, not everyone in the mafia chooses good passphrases;

a few years ago the government got a black bag warrant (once and a
renewal) to install some still undescribed keystroke monitoring
technology on Nicky Scarfo Jr.'s PC, to find out the PGP key of a
spreadsheet of a small-time mafioso whose hard drive they'd already
taken a copy of.

it turned out to be his father's federal prison number.


On Wed, Apr 19, 2006 at 11:10:49AM -0400, Perry E. Metzger wrote:
> 
> It seems not everyone has gotten the message that monoalphabetic
> substitution was broken many hundreds of years ago. Excerpt:
> 
>   The recently arrested "boss of bosses" of the Sicilian Mafia, Bernardo
>   Provenzano, wrote notes using an encryption scheme similar to the one
>   used by Julius Caesar more than 2,000 years ago, according to a
>   biography of Italy's most wanted man.
> 
> http://dsc.discovery.com/news/briefs/20060417/mafiaboss_tec.html?source=rss
> 
> -- 
> Perry E. Metzger  [EMAIL PROTECTED]
> 
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Unforgeable Blinded Credentials

2006-04-19 Thread Adam Back
On Wed, Apr 19, 2006 at 11:53:18AM -0700, bear wrote:
> On Sat, 8 Apr 2006, Ben Laurie wrote:
> >Adam Back wrote:
> >> My suggestion was to use a large denomination ecash coin to have
> >> anonymous disincentives :) ie you get fined, but you are not
> >> identified.
> >
> >The problem with that disincentive is that I need to sink the money for
> >each certificate I have. Clearly this doesn't scale at all well.
> 
> Um, if it's anonymous and unlinkable, how many certificates do you
> need?  I should think the answer would be "one."

Agreed, it's very nice if we could do this.  However all of the
practical schemes are show-linkable.

I looked at the paper that was referenced earlier in the thread about
the Chameleon [1] credentials which are an attempt to add unlinkable
multi-show to Brands credentials.

So aside from the fact that it uses a non-standard assumption that it
is hard to find e^v = a^x + c mod n (for RSA e,n).  Apparently
Camenisch's other assumption that it is hard to find e^v = a^x + 1 was
broken... so that's not very comforting to start.  (They offer no proof
of this assumption).

Then they use an interactive ZKP in the show which I think will
require say 80 rounds for reasonable security, each round involving
some non-trivial computation.

So it's not that practical compared to Chaum, Brands etc -- it's not
very efficient in time nor communication required for the showing of
the chameleon certs.

Adam

[1] "An Anonymous Credential System and a Privacy-Aware PKI" by Pino
Persiano and Ivan Visconti

I put a copy online here temporarily:

http://www.cypherspace.org/adam/papers/chameleon.pdf



Re: Unforgeable Blinded Credentials

2006-04-19 Thread bear


On Sat, 8 Apr 2006, Ben Laurie wrote:

>> Well the other kind of disincentive was a credit card number.  My
>> suggestion was to use a large denomination ecash coin to have
>> anonymous disincentives :) ie you get fined, but you are not
>> identified.
>
>The problem with that disincentive is that I need to sink the money for
>each certificate I have. Clearly this doesn't scale at all well.
>


Um, if it's anonymous and unlinkable, how many certificates do you
need?  I should think the answer would be "one."

Bear



fyi: Deniable File System - Rubberhose

2006-04-19 Thread Jeff . Hodges
From: Owen Blacker <[EMAIL PROTECTED]>
Subject: Deniable File System
To: UK Crypto list <[EMAIL PROTECTED]>
Date: Wed, 19 Apr 2006 11:43:18 +0100 (BST)
Reply-To: [EMAIL PROTECTED]

http://www.schneier.com/blog/archives/2006/04/deniable_file_s.html

Some years ago I did some design work on something I called a Deniable 
File System. The basic idea was the fact that the existence of 
ciphertext can in itself be incriminating, regardless of whether or not 
anyone can decrypt it. I wanted to create a file system that was 
deniable: where encrypted files looked like random noise, and where it 
was impossible to prove either the existence or non-existence of 
encrypted files.

This turns out to be a very hard problem for a whole lot of reasons, and 
I never pursued the project. But I just discovered a file system that 
seems to meet all of my design criteria -- Rubberhose:

Rubberhose transparently and deniably encrypts disk data, minimising
the effectiveness of warrants, coercive interrogations and other
compulsive mechanisms, such as U.K. RIP legislation. Rubberhose differs
from conventional disk encryption systems in that it has an advanced
modular architecture, self-test suite, is more secure, portable,
utilises information hiding (steganography / deniable cryptography),
works with any file system and has source freely available.

The devil really is in the details with something like this, and I would 
hesitate to use this in places where it really matters without some 
extensive review. But I'm pleased to see that someone is working on this 
problem.

Next request: A deniable file system that fits on a USB token, and 
leaves no trace on the machine it's plugged into.


-- 
Owen Blacker, London GB
Say no to ID cards: www.no2id.net
--
They that can give up essential liberty to obtain a little temporary
  safety deserve neither liberty nor safety --Benjamin Franklin, 1759




Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-04-19 Thread markus reichelt
* Ian G <[EMAIL PROTECTED]> wrote:

> >So, why not always sign messages to a list that permits
> >signatures?
> 
> It's hard to see the benefit, and it is easy to see the potential
> cost.  In a litigious world, we are (slightly) better off not using
> messages that are going to haunt us in years to come.  As a
> principle, I'd never advise anyone to sign any message unless they
> could state what that meant.

Well, I for one value the spreading of cryptographic means higher
than what might happen due to some misguided lawyer. With all the
lost privacy due to so-called protection laws from all the
"evildoers", this has only strengthened my resolve. After all, the
lawyers are still there even if one doesn't use cryptographic means.

In my world there's just too much lobbyism involved not to take
action in the vital field of privacy. Most people using electronic
communications either believe that some occasional eavesdropping is
ok (for they have nothing to hide; an argument solely given by the
state in some 1984 manner), or they don't grasp the extent of
eavesdropping possibilities, or they just don't bother. Not bothering
is just equally bad as giving in to the state, because if one remains
passive, it is not likely that one will change one's perception
easily, switching to actively propagate one's ideals (because of a
certain receptiveness to state arguments). And nowadays it's hard
enough to change things even if one is actively involved.


> It could well be that this is a difference in view across the
> Atlantic.  It seems that many (continental) Europeans do not
> perceive a threat to themselves from things they write; whereas the
> English-centric world is more "NDA" obsessed.

I guess you mean Non-Disclosure Agreement by NDA. All those acronyms;
it's about time the A takes action.

I haven't really perceived it the way you describe, but I don't work
in an environment where such things could matter at all. I'm in the
scientific community (chemistry), and there limits of talk (if you
get the meaning) are described pretty well, and this only affects
some areas of competition.

Given that some individual or even organisation keeps track of its
employees' writings in/on public media, I barely see the benefits
apart from some cases where it comes to leaking info which is already
prohibited by some kind of Non-Disclosure Agreement. Those exist here
too, but with all the transparency about it, one really has to be
utterly stupid to mess things up.

From what you write I get the impression that even the slightest hint
about even the slightest clue may cause one harm. In my opinion this
fuels fear, just like telling a teenager not to ever fall in love
because he'll only get hurt anyway. We have misguided lawyers here
too, far too many of them in fact, for over 20 years, and they
need to get an income. All that increased suing stuff can be traced
back to the growing numbers of lawyers hitting the open market. Not
that it offers a solution, but there's still the bottom of the ocean
or the moon, and Mars may be an issue soon...


> >Quite frankly, I wouldn't have thought this topic would emerge the
> >way it has on a cryptography mailing list. Maybe it's about time to
> >publish my article "Why Cryptography Is Important In Modern Life"
> >after all (don't hold your breath; with me being pretty busy it's
> >not due until after Easter).
> 
> Cryptography is a tool, not a religion, notwithstanding the desires
> of many to deify it.  It is the application that delivers benefits,
> and properly thought out apps generally use as little crypto as
> they can get away with.  Top-down applications thinking says "use
> the tool that does the job" whereas bottom-up, toolbox thinking
> says "use this tool because it's so cool!"

I guess you got me wrong, and I'm not sure I get your top-down,
bottom-up analogies. Anyway, I'm not propagating means of
cryptography because of a religious hype or something. To clarify
this, my friends and I are not amused by officials having the legal
means to listen in on email communications, phone conversations, etc.,
both without prior suspicion and without some kind of notification of the
person(s) being listened in to, let alone legal backup (it was
rendered redundant anyway). Because of the terrorist-threat hype such
processes are now accelerated to fit only the state's benefits, yet
they are sold as a citizen's benefit altogether. We have a saying here (I
hope it carries over; I'm not a native English speaker): working at
such a hectic pace replaces an intellectual calm.

From what I wrote above I guess it can be boiled down to this. Means
of cryptography are valued because of the possibility to protect
one's privacy that the state obviously has deemed unnecessary, for
good citizens surely don't have something to hide. Simply put, since
we all don't walk the street naked, the state always wins. Such a
state is out of balance, and checks are most likely still in place
where they possibly can'

Not everyone knows about strong crypto...

2006-04-19 Thread Perry E. Metzger

It seems not everyone has gotten the message that monoalphabetic
substitution was broken many hundreds of years ago. Excerpt:

  The recently arrested "boss of bosses" of the Sicilian Mafia, Bernardo
  Provenzano, wrote notes using an encryption scheme similar to the one
  used by Julius Caesar more than 2,000 years ago, according to a
  biography of Italy's most wanted man.

http://dsc.discovery.com/news/briefs/20060417/mafiaboss_tec.html?source=rss

-- 
Perry E. Metzger  [EMAIL PROTECTED]



Re: MD5 trick

2006-04-19 Thread Ariel Waissbein
Hi Vlastimil and group,

Gera Richarte has done some interesting work with executable files that
have the same MD5 hash. Take a look at
http://www.coresecurity.com/corelabs/projects/research_topics.php
to see his talk at PacSec '05 and "Two executable files with the same
MD5 hash, crc32, checksum32 and checksum16".

Regards,
Ariel

vlastimil.klima wrote:
> The trick could be shortly expressed as follows:
> "Give me three files and I will give you another three with the
> same MD5 hash"
> 


-- 
Ariel Waissbein
RESEARCHER
CORE SECURITY TECHNOLOGIES

http://www.coresecurity.com/corelabs


Re: MD5 trick

2006-04-19 Thread markus reichelt
* [EMAIL PROTECTED] wrote:

> Of course, it is a trick. Yesterday I updated my paper "Tunnels in
> Hash Functions: MD5 Collisions Within a Minute"
> (http://eprint.iacr.org/2006/105.pdf) and MD5 collision program
> (http://cryptography.hyperlink.cz/2006/web_version_1.zip).

Just being curious: from what you write, it looks like a pure
Win-only source. Do you happen to have a version that compiles on
some kind of Unix?

-- 
left blank, right bald

