Book Review
Hi Folks, Does anyone have a review on the upcoming book Modern Cryptanalysis: Techniques for Advanced Code Breaking by Christopher Swenson? Thanks, Aram Perez - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Dutch Transport Card Broken
Hi Folks,
Ed Felten has an interesting post on his blog about a Dutch smartcard-based transportation payment system that has been broken. Among other foolishness, the designers used a custom cryptosystem and 48-bit keys.
Not to defend the designers in any way or fashion, but I'd like to ask: How much security can you put into a plastic card, the size of a credit card, that has to perform its function in a secure manner, all in under 2 seconds (in under 1 second in parts of Asia)? And it has to do this while receiving its power via the electromagnetic field being generated by the reader.
Regards, Aram Perez
Re: OK, shall we savage another security solution?
Hi Jerry,
On Tuesday, September 18, 2007, at 07:24PM, Leichter, Jerry [EMAIL PROTECTED] wrote: Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims to do much more than the Ironkey, though the language is a bit less marketing-speak. On the other hand, once I got through the marketing stuff to the technical discussions at Ironkey, I ended up with much more in the way of warm fuzzies than I do with Yoggie.
Here's another secure USB flash drive: http://www.kingston.com/flash/DTSPdemo/eval.asp with minimal marketing-speak.
Regards, Aram
Re: flavors of reptile lubricant, was Another Snake Oil Candidate
Hi Folks,
My last comment on this. I've stated my own personal opinion and anyone is free to disagree.
On Sep 13, 2007, at 9:33 AM, Ali, Saqib wrote: On 13 Sep 2007 13:45:42 -, John Levine [EMAIL PROTECTED] wrote: I always understood snake oil crypto to refer to products that were of no value to anyone, e.g., products that claim to have secret unbreakable encryption, million bit keys, or one time pads produced by PRNGs. hear hear! I think in the zeal for criticism of the IronDrive, folks have expanded the definition of Snake Oil to include All security products. I don't like the Military Grade AES Encryption phrase that IronDrive uses on their website, cause that implies they know what Military is using. Maybe somebody should notify DoD that these IronDrive folks know what Military uses to encrypt info ;-) But other than that I don't see any Snake Oil Crypto like techno-babble used by IronDrive Marketing.
I don't know if a product has to meet m of n criteria as stated in http://www.interhack.net/people/cmcurtin/snake-oil-faq.html, but, IMO, IronKey meets the following criteria: Technobabble, Experienced Security Experts, Military Grade and to a certain extent Unbreakability (normally applied to software, but IronKey claims the epoxy prevents criminals from getting to the internal hardware components).
Respectfully, Aram Perez
Re: Another Snake Oil Candidate
Hi Jon,
On Sep 11, 2007, at 5:35 PM, Jon Callas wrote: I'm a beta-tester for it, and while I can understand a small twitch when they talk about military and beyond military levels of security, it is very cool. It has hardware encryption and will erase itself if there are too many password failures. I consider that an issue, personally, but it appeals to people. The reason I consider it an issue is that I have had to use a brain-dead-simple password I'm not going to forget because if I get cute and need to try a number of things, poof, I'm dead. Yeah, it's using AES CBC mode, but that's a good deal better than a lot of encrypted drives that are using ECB. It also has their own little suite of Mozilla plus Tor and Privoxy for browsing and they've set it up so that you can run that on another computer from the drive. It's not bad at all. My only real complaint is that it requires Windows.
The IronKey appears to provide decent security while it is NOT plugged into a PC. But as soon as you plug it in and you have to enter a password to unlock it, the security level quickly drops. This would be the case even if they supported Mac OS or *nix. As I stated in my response to Jerry Leichter, in my opinion, their marketing department is selling snake oil.
Regards, Aram
Another Snake Oil Candidate
The world's most secure USB Flash Drive: https://www.ironkey.com/demo.
Quantum Cryptography
Hi Folks, On a legal mailing list I'm on there is a bunch of emails on the perceived effects of quantum cryptography. Is there any authoritative literature/links that can help clear the confusion? Thanks in advance, Aram Perez
The best riddle you will hear today...
http://farm1.static.flickr.com/191/480556169_6d731d2416_o.jpg
Re: More info in my AES128-CBC question
Hi Nico,
On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote: On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote: No, there will be message integrity. For those of you asking, here's a high level overview of the protocol: [...] 3) Data needing confidentiality is encrypted with the SK in the mode selected in step 1. The message is integrity protected with MK. A new MK is generated after a message is sent using MK(i+1) = H[MK(i)]
You don't necessarily have to change the integrity protection key for every message. One thing this says is that the protocol involves an ordered stream of messages.
You need to change the integrity key if you want to prevent replay attacks. No, the messages do not have to be ordered in any fashion. And in fact, an attacker would not send the messages in the correct order.
Hope this clarifies things somewhat. It does. You can get by without a random IV by using CBC analogously to how you use counter modes and cipher streams in general. The key thing is to avoid key and IV/counter re-use. For a protocol where ordered delivery of messages is expected/required this is easy to achieve. Derive the key and/or counter/IV from a message sequence number and do it in such a way that you either cannot repeat them or are very, very unlikely to repeat them and you're fine. But be careful. Simply chaining the IV from message to message will create problems (see SSH).
The intention would be a new IV with each message being sent.
What is the concern with using random IVs/confounders anyways? The need for an entropy source? If so keep in mind that a PRNG will be sufficient for generating the IVs/confounders and that you'll generally need some source of entropy for at least some protocol elements (e.g., nonces).
The concern was that that's the way SD cards do it today. Another response was you haven't heard of anyone breaking SD cards have you?
Thanks, Aram
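The exchange above (a fixed all-zero IV versus a fresh IV per message, and Nicolas's suggestion of deriving the IV from a sequence number) as a worked example. This is an added illustration, not code from the original thread or from the OMA proposal; the keys, the two-block messages and the separate IV-derivation key are constructed for the demo. It shows the concrete leak of a fixed IV: two messages that begin with the same 16 bytes produce identical first ciphertext blocks under AES-128-CBC, which an observer can see without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed demo keys (not real keys): one for the data, one for IV derivation.
var (
	dataKey = []byte("0123456789abcdef") // stands in for the protocol's SK
	ivKey   = []byte("fedcba9876543210") // hypothetical separate key for IV derivation
)

// Two constructed protocol messages that share their first 16-byte block, as two
// messages with the same header would. Each is exactly two AES blocks long.
var (
	msgA = []byte("MSG-TYPE:BALANCE" + "AMOUNT=000100.00")
	msgB = []byte("MSG-TYPE:BALANCE" + "AMOUNT=000250.00")
)

// zeroIV is the fixed all-zero IV that the proposal discussed on the list used.
var zeroIV = make([]byte, aes.BlockSize)

// cbcEncrypt runs AES-128-CBC over a block-aligned plaintext under the given IV.
// No padding is applied because the demo messages are already block aligned.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not block aligned", len(plaintext))
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// randomIV is the conventional fix: a fresh unpredictable IV for every message.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// sequenceIV derives the IV from a message sequence number, the alternative
// Nicolas Williams describes for ordered streams. Encrypting the counter under a
// separate key keeps the IV unpredictable; a raw counter would not be. This is
// not the "chain the previous ciphertext block" scheme that caused trouble in SSH.
func sequenceIV(key []byte, seq uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[8:], seq)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, ctr)
	return iv, nil
}

// firstBlockLeaks encrypts msgA under ivA and msgB under ivB and reports whether
// the first ciphertext blocks coincide. When they do, an observer learns that
// both messages start with the same 16 bytes, without knowing the key.
func firstBlockLeaks(ivA, ivB []byte) (bool, error) {
	cA, err := cbcEncrypt(dataKey, ivA, msgA)
	if err != nil {
		return false, err
	}
	cB, err := cbcEncrypt(dataKey, ivB, msgB)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cA[:aes.BlockSize], cB[:aes.BlockSize]), nil
}

func main() {
	leak, _ := firstBlockLeaks(zeroIV, zeroIV)
	fmt.Println("fixed zero IV, shared first block visible:", leak)

	leak, _ = firstBlockLeaks(randomIV(), randomIV())
	fmt.Println("random IV per message, shared first block visible:", leak)

	iv1, _ := sequenceIV(ivKey, 1)
	iv2, _ := sequenceIV(ivKey, 2)
	leak, _ = firstBlockLeaks(iv1, iv2)
	fmt.Println("sequence-derived IVs 1 and 2, shared first block visible:", leak)

	leak, _ = firstBlockLeaks(iv1, iv1) // re-using a sequence number re-uses the IV
	fmt.Println("sequence number re-used, shared first block visible:", leak)
}
```

The last call is the caveat in Nicolas's "avoid key and IV/counter re-use": a sequence-derived IV is only as good as the guarantee that the sequence number never repeats under the same key, which is easy for an ordered stream and hard for the unordered exchange Aram describes, so a random IV is the safer default there.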
Change of Heart WRT to a Fixed IV of 0's
Hi Folks, The latest version of the document, where the use of a fixed IV of zeros was originally proposed, now has a regular random IV. Thanks for all the support, Aram Perez
More info in my AES128-CBC question
Hi Folks, First, thanks for all your answers. The proposal for using AES128-CBC with a fixed IV of all zeros is for a protocol between two entities that will be exchanging messages. This is being done in a standards body (OMA) and many of the attendees have very little security experience. As I mentioned, the response to my question of why would we standardize this was that's how SD cards do it. I'll look at the references and hopefully convince enough people that it's a bad idea. Thanks again, Aram Perez
Interesting paper on PKI and TRUSTe
Abstract: Widely-used online trust authorities issue certifications without substantial verification of the actual trustworthiness of recipients. Their lax approach gives rise to adverse selection: The sites that seek and obtain trust certifications are actually significantly less trustworthy than those that forego certification. I demonstrate this adverse selection empirically via a new dataset on web site characteristics and safety. I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to complex commercial sites. I also present analogous results of adverse selection in search engine advertising - finding ads at leading search engines to be more than twice as likely to be untrustworthy as corresponding organic search results for the same search terms.
See http://www.benedelman.org/publications/advsel-trust-draft.pdf
Enjoy, Aram Perez
Re: EMC is buying RSA
On Jun 29, 2006, at 2:26 PM, Steven M. Bellovin wrote: http://www.tmcnet.com/usubmit/-emc-announces-definitive-agreement-acquire-rsa-security-further-/2006/06/29/1700560.htm says that EMC is buying RSA. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Here's another version of the story: http://news.moneycentral.msn.com/ticker/article.asp?Feed=BWDate=20060629ID=5836046Symbol=US:RSAS
Regards, Aram Perez
Re: Chinese WAPI protocol?
Hi Richard,
I have not looked at WAPI, but they have been trying to get it approved for a number of years, check out http://en.wikipedia.org/wiki/WAPI (has link to algorithm) and http://www.foxnews.com/story/0,2933,199082,00.html.
Regards, Aram Perez
On Monday, June 12, 2006, at 03:25PM, Richard Salz [EMAIL PROTECTED] wrote: Today in slashdot (http://it.slashdot.org/it/06/06/12/0710232.shtml) there was an article about China wanting to get WAPI accepted as a new wireless security standard. Has anyone looked at it? /r$ -- SOA Appliances Application Integration Middleware
Re: Chinese WAPI protocol?
Hi Folks,
My apologies on stating that the Wiki page had a link to the algorithm. I saw the link but didn't click on it to see if in fact there was a description of the actual algorithm.
Regards, Aram Perez
On Monday, June 12, 2006, at 06:45PM, David Wagner [EMAIL PROTECTED] wrote: [snip] [*] Contrary to what Adam Perez's email might suggest, Wikipedia does not have a link to a specification of SMS4 or of WAPI. Wikipedia has an entry for SMS4, but about all it says is that not much is publicly known about SMS4.
Why phishing works
I don't recall seeing this here, but a friend sent me the following link: http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
Enjoy, Aram Perez
Re: passphrases with more than 160 bits of entropy
On Mar 22, 2006, at 4:28 AM, Thierry Moreau wrote: Travis H. wrote: Hi, Does anyone have a good idea on how to OWF passphrases without reducing them to lower entropy counts? That is, I've seen systems which hash the passphrase then use a PRF to expand the result --- I don't want to do that. I want to have more than 160 bits of entropy involved. More than 160 bits is a wide-ranging requirement.
Entropy is a highly discussed unit of measure. And very often confused. While you do want maximum entropy, maximum entropy is not sufficient. The sequence of the consecutive numbers 0 - 255 has maximum entropy but has no randomness (although there is finite probability that a RNG will produce the sequence).
Regards, Aram Perez
Re: passphrases with more than 160 bits of entropy
On Mar 22, 2006, at 9:04 AM, Perry E. Metzger wrote: Aram Perez [EMAIL PROTECTED] writes: Entropy is a highly discussed unit of measure. And very often confused. Apparently.
While you do want maximum entropy, maximum entropy is not sufficient. The sequence of the consecutive numbers 0 - 255 has maximum entropy but has no randomness (although there is finite probability that a RNG will produce the sequence). One person might claim that the sequence of numbers 0 to 255 has 256 bytes of entropy.
It could be, but Shannon would not.
Another person will note the sequence of numbers 0-255 completely describes that sequence and is only 30 bytes long.
I'm not sure I see how you get 30 bytes long.
Indeed, more compact ways yet of describing that sequence probably exist. Therefore, we know that the sequence 0-255 does not, in fact, have maximum entropy in the sense that the entropy of the sequence is far lower than 256 bytes and probably far lower than even 30 bytes.
Let me rephrase my sequence. Create a sequence of 256 consecutive bytes, with the first byte having the value of 0, the second byte the value of 1, ... and the last byte the value of 255. If you measure the entropy (according to Shannon) of that sequence of 256 bytes, you have maximum entropy.
Entropy is indeed often confusing. Perhaps that is because both the Shannon and the Kolmogorov-Chaitin definitions do not provide a good way of determining the lower bound of the entropy of a datum, and indeed no such method can exist.
No argument from me.
Regards, Aram Perez
Entropy Definition (was Re: passphrases with more than 160 bits of entropy)
On Mar 22, 2006, at 2:05 PM, Perry E. Metzger wrote: Victor Duchovni [EMAIL PROTECTED] writes: Actually calculating the entropy for real-world functions and generators may be intractable... It is, in fact, generally intractable. 1) Kolmogorov-Chaitin entropy is just plain intractable -- finding the smallest possible Turing machine to generate a sequence is not computable. 2) Shannon entropy requires a precise knowledge of the probability of all symbols, and in any real world situation that, too, is impossible.
I'm not a cryptographer nor a mathematician, so I stand duly corrected/chastised ;-) So, if you folks care to educate me, I have several questions related to entropy and information security (apologies to any physicists):
* How do you measure entropy? I was under the (false) impression that Shannon gave a formula that measured the entropy of a message (or information stream).
* Can you measure the entropy of a random oracle? Or is that what both Victor and Perry are saying is intractable?
* Are there units of entropy?
* What is the relationship between randomness and entropy?
* (Apologies to the original poster) When the original poster requested passphrases with more than 160 bits of entropy, what was he requesting?
* Does processing an 8 character password with a process similar to PKCS#5 increase the entropy of the password?
* Can you add or increase entropy?
Thanks in advance, Aram Perez
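The two entropy posts above (the 0..255 sequence that "has maximum entropy" by Shannon's histogram formula, and Perry's point that the same sequence is fully described by a few dozen bytes) as a worked example. This is an added illustration, not code from the thread; the short generator string standing in for a "program that emits the sequence" is constructed here. Shannon's H = -sum p(x) log2 p(x), computed from the byte histogram of one sample, does give the full 8 bits per symbol for the counting sequence, while a one-line description of the same sequence is far shorter than 256 bytes; the histogram measure cannot tell a counter from random data.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
)

// countingSequence returns the 256-byte sequence 0, 1, ..., 255 from the thread.
func countingSequence() []byte {
	seq := make([]byte, 256)
	for i := range seq {
		seq[i] = byte(i)
	}
	return seq
}

// shannonBitsPerSymbol is Shannon's H = -sum p(x) log2 p(x) with p(x) estimated
// from the byte histogram of one sample. Its maximum for byte symbols is 8 bits.
// It measures how evenly the symbols occur, not whether the sequence is predictable.
func shannonBitsPerSymbol(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h := 0.0
	n := float64(len(data))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// counterProgram is a constructed, informal description of a generator for the
// counting sequence, in the spirit of Perry's "only 30 bytes long" remark. Its
// length bounds the Kolmogorov-style description length of the sequence from
// above; the true minimum is not computable, as the thread points out.
const counterProgram = "for i in 0..255: emit i"

// descriptionLength returns the size of that description in bytes.
func descriptionLength() int { return len(counterProgram) }

func main() {
	seq := countingSequence()
	fmt.Printf("counting sequence: %.2f bits/symbol (Shannon, from histogram)\n", shannonBitsPerSymbol(seq))

	random := make([]byte, 256)
	if _, err := rand.Read(random); err != nil {
		panic(err)
	}
	// A 256-byte random sample usually scores below 8 here, because 256 draws
	// from 256 values do not cover every value equally: the estimate is about the
	// sample's histogram, not about the unpredictability of the source.
	fmt.Printf("256 random bytes:  %.2f bits/symbol\n", shannonBitsPerSymbol(random))

	repeated := make([]byte, 256) // all zero bytes
	fmt.Printf("256 zero bytes:    %.2f bits/symbol\n", shannonBitsPerSymbol(repeated))

	fmt.Printf("yet the counting sequence is fully described by %d bytes: %q\n", descriptionLength(), counterProgram)
}
```

The contrast answers Aram's first question in practice: the formula measures a probability distribution, and applying it to a single observed sequence only measures that sequence's histogram, which is why the counting sequence scores "maximum entropy" while being entirely predictable.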
Re: CD shredders, was Re: thoughts on one time pads
On Feb 1, 2006, at 3:50 AM, Travis H. wrote: On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: In our office, we have a shredder that happily takes CDs and is designed to do so. It is noisy and cost $500. Here's one for $40, although it doesn't appear to shred them so much as make them pitted: http://www.thinkgeek.com/gadgets/security/6d7f/ For a few more dollars, you can get one where the residue is powder: http://www.securityprousa.com/dodcddestroyer.html.
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
On Dec 7, 2005, at 8:40 AM, James A. Donald wrote: -- From: Ed Gerck [EMAIL PROTECTED] Subject: X.509 / PKI, PGP, and IBE Secure Email Technologies http://email-security.net/papers/pki-pgp-ibe.htm X.509 / PKI (Public-Key Infrastructure), PGP (Pretty Good Privacy) and IBE (Identity-Based Encryption) promise privacy and security for email. But comparing these systems has been like comparing apples with speedboats and wingbats. A speedboat is a bad apple, and so on. We can, and should, compare any system with the attacks that are made upon it. As a boat should resist every probable storm, and if it does not it is a bad boat, an encryption system should resist every real threat, and if it does not it is a bad encryption system.
I'm sorry James, but you can't expect a (several hundred dollar) rowboat to resist the same probable storm as a (million dollar) yacht. There is no such thing as one-size encryption system fits all cases.
Regards, Aram Perez
Web Browser Developers Work Together on Security
Core KDE developer George Staikos recently hosted a meeting of the security developers from the leading web browsers. The aim was to come up with future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practise. Read on for George's report of the plans that will become part of KDE 4's Konqueror and future versions of other web browsers... http://dot.kde.org/1132619164/
Another Skype Study
Don't recall seeing this on the list: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
Enjoy, Aram Perez
High-risk flaws in Skype
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1136763,00.html?track=NL-102ad=530772
Re: Motorist wins case after maths whizzes break speed camera code
On Aug 10, 2005, at 7:01 PM, Victor Duchovni wrote: On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote: The facts are very scrambled but I like it. The brief TV reports from lawyers were more factual. Motorist wins case after maths whizzes break speed camera code http://www.faqs.org/qa/rfcc-1420.html Possibly related: http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf From the brochure: Security/Encryption: all enforcement information is public key authenticated using MD5 encryption to ensure information is authentic and tamper free. So, of course, it must be very secure, no marketing enhancements here.
On the other hand, it seems that the prosecutor didn't use/hire the proper expert witness. Putting aside the inaccuracies of the article I'm trying to interpret correctly what the article stated. The record being protected by MD5 consists of the time, date, place, numberplate and speed. Assuming that only the speed was in question, then it should be possible to calculate all the MD5s for all possible speed values and see if you get a collision (actually, just the speed values above the speed limit).
Just my 2 centavos, Aram Perez
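The point behind the brochure's "authenticated using MD5 encryption" wording, as a worked example: a bare hash over the record is tamper-evident only against accidental corruption, because anyone who can read the record can recompute the digest, while a keyed MAC cannot be recomputed without the key. This is an added illustration, not the vendor's format or code; the record layout, the field separators, the key and the sample values are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record holds the fields the article lists for an enforcement record.
// The layout is constructed for this demo, not the vendor's real format.
type Record struct {
	Date, Time, Place, Plate string
	SpeedKmh                 int
}

// encode serialises the record with unambiguous field separators, so that
// two different records can never produce the same bytes.
func (r Record) encode() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d", r.Date, r.Time, r.Place, r.Plate, r.SpeedKmh))
}

// bareDigest is an unkeyed MD5 of the record, which is the most plausible
// reading of "MD5 encryption". Anyone who can read the record can recompute it.
func bareDigest(r Record) string {
	sum := md5.Sum(r.encode())
	return hex.EncodeToString(sum[:])
}

// bareVerify accepts a record whenever the digest matches. It catches
// accidental corruption only: a record edited by someone who then recomputes
// the digest passes, because no secret is involved.
func bareVerify(r Record, digest string) bool {
	return bareDigest(r) == digest
}

// keyedTag is HMAC-SHA256 under a key known only to the camera and the
// authority. Recomputing it for an edited record requires that key.
func keyedTag(key []byte, r Record) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(r.encode())
	return hex.EncodeToString(mac.Sum(nil))
}

// keyedVerify checks the tag with a constant-time comparison.
func keyedVerify(key []byte, r Record, tag string) bool {
	return hmac.Equal([]byte(keyedTag(key, r)), []byte(tag))
}

// tamperingDetected reports, for each scheme, whether a record whose speed was
// changed after the original was tagged is rejected. Whoever edited the record
// is assumed to hold no key, so they can recompute the bare digest but must
// present the original tag to the keyed verifier.
func tamperingDetected(key []byte, original Record, newSpeed int) (bare bool, keyed bool) {
	edited := original
	edited.SpeedKmh = newSpeed
	bare = !bareVerify(edited, bareDigest(edited))        // false: the digest was simply recomputed
	keyed = !keyedVerify(key, edited, keyedTag(key, original)) // true: the original tag no longer matches
	return bare, keyed
}

func main() {
	key := []byte("constructed-demo-key-not-a-real-secret")
	rec := Record{Date: "2005-08-10", Time: "14:29", Place: "camera-17", Plate: "ABC123", SpeedKmh: 78}

	fmt.Println("bare MD5 of record :", bareDigest(rec))
	fmt.Println("HMAC-SHA256 of record:", keyedTag(key, rec))

	bare, keyed := tamperingDetected(key, rec, 95)
	fmt.Println("edit detected with bare MD5 :", bare)
	fmt.Println("edit detected with HMAC     :", keyed)
}
```

Even the HMAC version only lets a party holding the key check the record, which is not what "public key authenticated" promises; for a record that a court-appointed expert could verify without being given the camera's secret, the record would need a digital signature, where verification uses the public key and forging requires the private one.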
Re: the limits of crypto and authentication
On Jul 14, 2005, at 8:13 PM, Rich Salz wrote: If you had two products ... both effectively performing the same function, one you already had deployed, which was significantly cheaper, significantly simpler, and significantly faster, which one would you choose? I was told that one of the reasons SSL took off was because Visa and/or MC told merchants they would for the time being treat SSL as card-present, in terms of fraud penalties, etc. If this is true (anyone here verify? My source is on the list if s/he wants to name themselves), then SSL/SET is an interesting example of betting on both sides.
On the contrary, merchants were (and maybe still are) being charged MOTO (mail order/telephone order) rates for using SSL. Even SET was going to charge MOTO rates until just before it was finalized. The payment card companies weren't getting enough interest for SET and decided to offer card-present rates to get more interest in SET. SSL took off because it was free, in over 90% of the browsers (Netscape owned the browser market then), and it was easy to integrate into shopping carts. As a merchant, basically your only cost was your VeriSign cert. But you are correct in that the payment card companies were in an interesting position: on one hand they charge higher rates for using SSL but on the other hand, the perception was that something more secure than SSL was needed. One other point, SET did NOT require certs for the consumers. The client-merchant protocol supported clients without certs.
Respectfully, Aram Perez
Re: ID theft -- so what?
<RANT-PET_PEEVE>Why do cryptography folks equate PKI with certificates and CAs? This fallacy is a major root cause of the problem IMHO. Why was the term PKI invented in the late 70s/early 80s (Kohnfelder's thesis?)? Before the invention of asymmetric cryptography, didn't those people who used symmetric cryptography need an SKI (secret key infrastructure) to manage keys? But no one uses the term SKI or talks about how to manage secret keys (a very hard problem). Anytime you use any type of cryptography, you need an infrastructure (http://en.wikipedia.org/wiki/Infrastructure) to manage your keys, whether secret or public. There are at least two public key infrastructures that do NOT require CAs: PGP and SPKI. But like in so many real life cases, the best technology does not always win and we are stuck with the system that garnered the most business/economic support.</RANT-PET_PEEVE>
Respectfully, Aram Perez
On Jul 14, 2005, at 6:19 AM, Perry E. Metzger wrote: Ian Grigg [EMAIL PROTECTED] writes: It's 2005, PKI doesn't work, the horse is dead. He's not proposing PKI, but nymous accounts. The account is the asset, the key is the owner; Actually, I wasn't proposing that. I was just proposing that a private key be the authenticator for payment card transactions, instead of the [name, card number, expiration date, CVV2] tuple -- hardly a revolutionary idea. You are right, though, that I do not propose that any PK_I_ be involved here -- no need for certs at all for this application. I don't claim this is a remotely original idea, by the way. I'm just flogging it again. But, thank the heavens that we now have reached the point where people can honestly say that PKI is the root cause of the problem. Root Cause of the Problem isn't correct either. It is better to say that PKI doesn't solve many of the hard problems we have, or, in some cases, any problems -- it doesn't per se cause any problems, or at least not many. This is not a new realization -- this goes back a long way.
People were saying PKI was a bad idea a decade ago or more. A number of the people here, including me, gave talks on that subject years ago. I spoke against PKI during the debate I was invited to at the Usenix Electronic Commerce Workshop in 1998 or so, and at many opportunities before and since. Dan Geer has a pretty famous screed on the subject. Peter Gutmann talks about the follies of X.509 so often it is hard to keep up. I don't mean to single us out as visionaries -- we were just saying things lots of other people were also saying. Honestly, where have you been? Can you now tell the browser people? I can smell the rest of this discussion right now, Ian. You'll misunderstand the constraints the browser people are under, and start claiming SSL is bad (or unnecessary) about 20 seconds after that. I'm not playing the game. Perry
Re: the limits of crypto and authentication
On Jul 14, 2005, at 6:23 AM, Perry E. Metzger wrote: Rich Salz [EMAIL PROTECTED] writes: I think that by eliminating the need for a merchant to learn information about your identity I have aimed higher. Given that we're talking about credit instruments, Wasn't that a goal of SET? Some of it was, yah. I don't claim that any of this is original. The problem with SET was that the protocol was far too complicated to implement (hell, the spec was nearly too heavy to lift), and it was proposed well before people even had USB connectors on their computers, let alone cheap USB card interfaces. I think people threw out the baby with the bathwater, though. The general idea was correct.
While the SET protocol was complicated, its failure had nothing to do with that fact or the lack of USB on PCs. You could buy libraries that implemented the protocol and the protocol did not require USB. IMO, the failure had to do with time-to-market factors. In the late 90s, when ecommerce was just in its infancy and you took the risk of setting up a web store, were you going to wait until you could integrate a SET toolkit into your web site and until your customers had SET wallets installed on their PCs before selling a product? Or were you going to sell to anyone who used a web browser that supported SSL? It was very simple economics, even if you had to pay VeriSign $400 for your SSL certificate and pay Visa/MasterCard a higher fee.
Respectfully, Aram Perez
Blowsearch Secured Messenger
<sarcasm>BSM must be very secure!</sarcasm>
Quote from the web site: Blowsearch Secured Messenger utilizes the OpenSSL library to provide encryption routines for your Instant Messages. We use a combination of randomly selected schemes and bit lengths, ranging up to 4096 bits, with additional algorithms added in to make your messages even more secure. We start with an RSA foundation and move out from there.
http://www.blowsearch.com/bsm/howitworks.php
Re: Al Qaeda crypto reportedly fails the test
Hi Chris,
Steven M. Bellovin writes: http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual articles.) Does there exist an English translation (I'd be surprised if not)? If not, I'd be happy to provide one if there were sufficient interest.
I'd be interested in an English version.
Thanks! Aram
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
Hi Adam,
From: Adam Back [EMAIL PROTECTED] Date: Fri, 30 Jul 2004 17:54:56 -0400 To: Aram Perez [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], Cryptography [EMAIL PROTECTED], Adam Back [EMAIL PROTECTED] Subject: Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote: As far as I know, there is nothing in any standard or good security practice that says you can't have multiple certificates for the same email address. If I'm willing to pay each time, Verisign will gladly issue me a certificate with my email, I can revoke it, and then pay for another certificate with the same email. I can repeat this until I'm bankrupt and Verisign will gladly accept my money.
Yes but if you compare this with the CA having the private key, you are going to notice that you revoked and issued a new key; also the CA will have your revocation log to use in their defense. At minimum it is detectable by savvy users who may notice that eg the fingerprint for the key they have doesn't match with what someone else had thought was their key.
I agree with Michael H. If you trust the CA to issue a cert, it's not that much more to trust them with generating the key pair.
It's a big deal to let the CA generate your key pair. Key pairs should be generated by the user.
From a purely (and possibly dogmatic) cryptographic point of view, yes, key pairs should be generated by the user. But in the real world, as Ian G points out, where businesses are trying to minimize costs and maximize profits, it is very attractive to have the CA generate the key pair (and as Peter G pointed out, deliver the pair securely), and issue a certificate at the same time. I hope you are not using a DOCSIS cable modem to connect to the Internet, because that is precisely what happened with the cable modem. A major well-known CA generated the key pair, issued the certificate and securely delivered them to the modem manufacturer. The modem manufacturer then injected the key pair and certificate into the modem and sold it. I guess you can say/argue that there is a difference between a user key pair and a device key pair, and therefore, it can work for cable modems, but I don't know how you feel/think/believe in this case. Until fairly recently, when smart cards could finally generate their own key pairs, smart cards were delivered with key pairs that were generated outside the smart card and then injected into them for delivery to the end user. I'm not trying to change your mind, I'm just trying to point out how the real business world works, whether we security folks like it or not.
Respectfully, Aram Perez
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
Hi Adam,
The difference is if the CA does not generate private keys, there should be only one certificate per email address, so if two are discovered in the wild the user has a transferable proof that the CA is up-to-no-good. Ie the difference is it is detectable and provable.
As far as I know, there is nothing in any standard or good security practice that says you can't have multiple certificates for the same email address. If I'm willing to pay each time, Verisign will gladly issue me a certificate with my email, I can revoke it, and then pay for another certificate with the same email. I can repeat this until I'm bankrupt and Verisign will gladly accept my money. I agree with Michael H. If you trust the CA to issue a cert, it's not that much more to trust them with generating the key pair.
Respectfully, Aram Perez
Re: New Attack on Secure Browsing
Hi Ian,
Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)
Here's what I saw when going to the PGP site:
Windows XP Pro: IE 6.x: No padlock. Firefox 0.9.2: Padlock on address bar and tab.
Mac OS 10.2.8: IE 5.2: No padlock. Safari 1.0.2: Padlock on address bar but not on tab. Firefox 0.8: Padlock on address bar and tab. Camino 0.7: Padlock on address bar and tab.
You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com. I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.
Respectfully, Aram Perez
Re: identification + Re: authentication and authorization
Hi Ed and others, Like usual, you present some very interesting ideas and thoughts. The problem is that while we techies can discuss the identity theft definition until we are blue in the face, the general public doesn't understand all the fine subtleties. Witness the (quite amusing) TV ads by CitiBank. With high regards, Aram Perez [snip]