Re: [cryptography] airgaps in CAs
On 12/9/11 6:16, Peter Gutmann wrote:
> Arshad Noor writes:
>
>> Every private PKI we have setup since 1999 (more than a dozen, of which a
>> few were for the largest companies in the world) has had the Root CA on a
>> non-networked machine with commensurate controls to protect the CA.
>
> What about TSAs, where you need a key with an irrevocable cert active on a
> machine directly connected to the Internet?

Then why not use GuardTime or some similar service:
http://en.wikipedia.org/wiki/Linked_timestamping

I believe that for actual sub-CA-s issuing certificates to users, it is quite common to have them on-line to some extent (ip-net not sneakernet). Especially in commercial CA world.

--
@MartinPaljak
+3725156495
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] How are expired code-signing certs revoked?
writes:

>One would assume that the effort to get such a signing certificate would
>persuade the bad team to use that cert for targeted attacks, not broadcast
>ones, in which case you would be damned lucky to find it in a place where you
>could then encapsulate it in a signature-based protection scheme.

My post was based on data gathered by a well-known anti-malware company, I'm just reporting what they found in real-world use.

In any case getting signing certs really isn't hard at all. I once managed it in under a minute (knowing which Google search term to enter to find caches of Zeus stolen keys helps :-). That's as an outsider, if you're working inside the malware ecosystem you'd probably get them in bulk from whoever's dealing in them (single botnets have been reported with thousands of stolen keys and certs in their data stores, so it's not like the bad guys are going to run out of them in a hurry). Unlike credit cards and bank accounts and whatnot we don't have price figures for stolen certs, but I suspect it's not that much.

Peter.
Re: [cryptography] How are expired code-signing certs revoked?
Peter Gutmann writes:
-+---
 | This means that once a particular signed binary has been detected
 | as being malware the virus scanner can extract the signing
 | certificate and know that anything else that contains that
 | particular certificate will also be malware, with the certificate
 | providing a convenient fixed signature string for virus scanners
 | to look for.
 |

One would assume that the effort to get such a signing certificate would persuade the bad team to use that cert for targeted attacks, not broadcast ones, in which case you would be damned lucky to find it in a place where you could then encapsulate it in a signature-based protection scheme.

--dan

good reading:

Cormac Herley, The Plight of the Targeted Attacker in a World of Scale
http://research.microsoft.com/pubs/132068/TargetedAttacker.pdf
Re: [cryptography] airgaps in CAs
Arshad Noor writes:

>Every private PKI we have setup since 1999 (more than a dozen, of which a few
>were for the largest companies in the world) has had the Root CA on a
>non-networked machine with commensurate controls to protect the CA.

What about TSAs, where you need a key with an irrevocable cert active on a machine directly connected to the Internet?

Peter.
Re: [cryptography] Another CA hacked, it seems.
Ralph Holz writes:

>As I said, at this rate we shall have statistically meaningful large
>numbers of CA hacks by 2013:

KPN is claiming there's nothing to worry about, please move along:

http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fforum.kpn.com%2Ft5%2FNews-stream%2FUPDATE-11-30-KPN-sluit-tijdelijk-website-Gemnet%2Fba-p%2F8477

Peter.
Re: [cryptography] OpenDNS
From: "jd.cypherpunks"

>David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think?

He's been running https://www.opendns.com/ for quite some time. I read somewhere that the project is making $200K a month by selling the redirects, but

a) That seems grossly inflated, and
b) Someone is paying to operate the servers.
Re: [cryptography] How are expired code-signing certs revoked?
"mhey...@gmail.com" writes:

>In a CRL that contains an element that revokes the CRL signing certificate,
>only that element can be assumed to be correct. All other list elements are
>suspect.

Uhh, read my original text again. This is your personal opinion. Ask a bunch of PKI people, or look at what real applications do, and you'll get any one of the three interpretations I described. The fact that you think this doesn't mean that anything actually does it.

Peter.
Re: [cryptography] OpenDNS
On 12/08/2011 01:09 PM, jd.cypherpunks wrote:
> David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think?

I assume you're talking about their new DNSCrypt application. They seem to be saying it's an implementation of DJB's DNSCurve protocol.
https://twitter.com/#!/davidu/status/144213491736248320

Some source code is here.
https://github.com/opendns/dnscrypt-proxy

AFAICT this is for a proxy to (guess who) OpenDNS only at this point. I don't know if they're planning to release code for the resolver side. It may be intended for use with OpenDNS only.

The code is pretty clean looking, to the point of being sterile. No author attribution or even source code comments. I haven't come across any protocol documentation.

It looks pretty simple, mostly just encrypting the DNS packets as messages with NaCl cryptobox http://nacl.cr.yp.to/box.html . Of course, the details matter and I haven't looked into it thoroughly.

- Marsh
Re: [cryptography] How are expired code-signing certs revoked?
On Wed, Dec 7, 2011 at 4:32 PM, Peter Gutmann wrote:
>
> In the presence of such a [self-revoking] revocation [of a root certificate]
> applications can react in one of three ways: they can accept the CRL
> that revokes the certificate as valid and revoke it, they can reject the
> CRL as invalid because it was signed by a revoked certificate, or
> they can crash...
>

Um, the real problem is not revoking the root certificate but what other certificates to temporarily trust in the face of the revoked root certificate (In the past, I have chosen the simplest to code option of "none" but with the knowledge that things might break).

In a CRL that contains an element that revokes the CRL signing certificate, only that element can be assumed to be correct. All other list elements are suspect.

If a self-signed CA certificate lands in that CA's CRL, then, of course the self-signed certificate can now be considered compromised. Either the original private key signed the CRL or the compromising copy signed it - both cases mean the root private key must be considered compromised. Of course, the second case means some malicious entity wanted to crash some piece of code that crashes in this case. I can't think of another reason the malicious entity would "out" themselves other than crashing buggy code.

All other elements in that CRL, and, indeed, all CRLs dating back to the time of the compromise, might be invalid CRL elements. Code I have written in the past assumed those certificates were invalid even though they might not be. This was with full knowledge of the possible but unlikely denial-of-service attack (there are so many better things one can do with a compromised CA key than issue bad CRLs). Any CRL-based DoS attack doesn't need to last too long because the CA can issue new certificates signed with a new key in short order - getting the new certificates including the new root certificate distributed, of course, can take more time.

-Michael Heyman
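The divergent outcomes discussed in this message and the text it quotes, as an added example that is not code from any poster or from a real PKI library. `Policy`, `Cert`, `Crl` and the status strings are hypothetical names; the CRL signature is assumed to have verified already, the "crash" outcome is not modelled, and the fail-closed branch is one reading of the "trust none" choice described above.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    ACCEPT_AND_REVOKE = 1  # accept the CRL as valid and revoke the signer
    REJECT_CRL = 2         # reject the CRL: it was signed by a revoked cert
    FAIL_CLOSED = 3        # believe only the self-revoking entry, trust "none"


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int


@dataclass(frozen=True)
class Crl:
    issuer: str          # CA name the CRL speaks for
    signer_serial: int   # serial of the certificate that signed the CRL
    revoked: frozenset   # serial numbers listed in the CRL


def is_self_revoking(crl):
    """True when the CRL lists the certificate that signed it."""
    return crl.signer_serial in crl.revoked


def cert_status(cert, crl, policy):
    """Return 'good', 'revoked' or 'untrusted' for a cert under crl.issuer."""
    if cert.issuer != crl.issuer:
        raise ValueError("CRL was not issued by this certificate's issuer")
    listed = cert.serial in crl.revoked
    if not is_self_revoking(crl):
        return "revoked" if listed else "good"   # ordinary CRL processing
    if policy is Policy.REJECT_CRL:
        # The CRL is discarded, so none of its entries take effect
        # (assumption: the previously known status was 'good').
        return "good"
    if policy is Policy.ACCEPT_AND_REVOKE:
        # Every entry is honoured; unlisted certs now chain to a revoked signer.
        return "revoked" if listed else "untrusted"
    # FAIL_CLOSED: only the signer's own entry is believed; the other entries
    # are suspect, so everything else under this CA is simply not trusted.
    return "revoked" if cert.serial == crl.signer_serial else "untrusted"


def compare_policies(certs, crl):
    """Status of each cert under every policy, keyed by policy name."""
    return {p.name: [cert_status(c, crl, p) for c in certs] for p in Policy}


# Constructed sample data: a root (serial 1) that signs its own CRL.
ROOT = Cert("Example Root CA", 1)
LEAF_LISTED = Cert("Example Root CA", 42)
LEAF_UNLISTED = Cert("Example Root CA", 43)
SELF_REVOKING_CRL = Crl("Example Root CA", 1, frozenset({1, 42}))
ORDINARY_CRL = Crl("Example Root CA", 1, frozenset({42}))

if __name__ == "__main__":
    certs = [ROOT, LEAF_LISTED, LEAF_UNLISTED]
    for name, statuses in compare_policies(certs, SELF_REVOKING_CRL).items():
        print(name, statuses)
```

Under the reject policy the same CRL leaves the root and the listed leaf in use, which is why relying parties that pick different interpretations end up disagreeing about one and the same certificate.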
[cryptography] OpenDNS
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/

What do you think?

--Michael
Re: [cryptography] airgaps in CAs
I am aware of at least one public CA - still in business - that fits this description.

Every private PKI we have setup since 1999 (more than a dozen, of which a few were for the largest companies in the world) has had the Root CA on a non-networked machine with commensurate controls to protect the CA.

Arshad Noor
StrongAuth, Inc.

On 12/08/2011 06:54 AM, Eugen Leitl wrote:
> Is anyone aware of a CA that actually maintains its signing secrets on
> secured, airgapped machines, with transfers batched and done purely by
> sneakernet?
Re: [cryptography] Another CA hacked, it seems.
Hi,

> Did they successfully hack the CA functionality or just a web site housing
> network design documents for various dutch government entities? From what
> survives google translate of the original dutch it appears to be the latter
> no?

Too early for a definite call. But there is also this report that 1,000 certs have been revoked in the past 2-3 months.

http://translate.google.com/translate?hl=nl&sl=nl&tl=en&u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108829%2Fspoeddebat-over-ingetrokken-kpn-certificaten-.html

Might also be some routine revocation for replaced certs, though; reasons are not given it seems.

> And if Kerckhoff's principle was followed what does it matter if some
> network design docs were leaked. You would hope they don't contain router
> passwords or such things.

Yes, with respect to the hope part. Although, personally, I wouldn't dream of running phpmyadmin if I were a CA.

> I'd hesitate calling that a "CA hacked" even if the web site was a web site
> belonging to someone who operates a CA.
> Is there more detail?

Not yet, I think. So let's not call it "hacked", if you want, but just "seriously embarrassed". And I keep looking over towards the popcorn, tea & biscuits stand. :-)

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Re: [cryptography] airgaps in CAs
On 12/08/2011 09:54 AM, Eugen Leitl wrote:
> Is anyone aware of a CA that actually maintains its signing secrets
> on secured, airgapped machines, with transfers batched and done
> purely by sneakernet?

Only for one company that went out of business in 2008.

--
The Doctor [412/724/301/703]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Life is too short to drink bad coffee.
Re: [cryptography] How are expired code-signing certs revoked?
2011/12/7 Marsh Ray :
>
> On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
>>
>> I figured it'd be effective to create a "security awareness group"
>> figuring the most prominent (and only effective) way to show people
>> security is a priority is by placing a simple marking, something like
>> "this site isn't safe!"
>
> I thought the international symbol for that was already agreed upon:
> goatse.cx
>
> On 12/07/2011 07:13 PM, lodewijk andré de la porte wrote:
>>
>> I'm afraid signing software is multiple levels of bollocks. Imagine a
>> user just clicking yes when something states "Unsigned software, do
>> you really want to install?".
>
> You're just thinking of a few code signing schemes that you have direct
> experience with.
>
> Apple's iPhone app store code signing is far more effective for example.

https://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/
Re: [cryptography] How are expired code-signing certs revoked?
On Thu, Dec 8, 2011 at 9:26 AM, Darren J Moffat wrote:
> On 12/08/11 03:27, Nico Williams wrote:
>> You misunderstand. The Android code signing model isn't intended to
>> protect you from installing malware: it's intended to help Android a)
>> provide isolation between apps from different sources, b) protect your
>> apps from untrusted updates.
>
> Android gives you hints about what a given APK might be up to by telling you
> *before* you agree to install it what permissions it wants.

Indeed, but this has nothing to do with Android's signature model. Signatures are there for continuity.

> I've rejected several otherwise interesting sounding (probably legit) apps
> from the Google Market because the list of permissions looked excessive to
> me based on what that app claims to do.

And when every app you want [eventually] wants complete free range, what do you do?

Android should at least let the user reduce the privileges of paid-for applications -- the current situation is intolerable.

Nico
--
Re: [cryptography] How are expired code-signing certs revoked?
On 12/08/2011 09:16 AM, Darren J Moffat wrote:
> On 12/07/11 14:42, William Whyte wrote:
>> Well, I think the theoretically correct answer is that you *should*...
>> these days all the installers can be available online, after all.
>
> Except when the installer CD you need is the one for the network driver on
> the new machine without which you can't get online !

There are systems that aren't online, and there are systems that shouldn't be online for good reasons. For example the power grid.

If we consistently neglect this scenario, then if the Internet ever suffers more than a brief outage we could find ourselves rebuilding society from the iron age.

- Marsh
Re: [cryptography] How are expired code-signing certs revoked?
On 12/07/11 14:42, William Whyte wrote:
> Well, I think the theoretically correct answer is that you *should*...
> these days all the installers can be available online, after all.

Except when the installer CD you need is the one for the network driver on the new machine without which you can't get online !

I've been in this situation several times before.

--
Darren J Moffat
[cryptography] airgaps in CAs
Is anyone aware of a CA that actually maintains its signing secrets on secured, airgapped machines, with transfers batched and done purely by sneakernet?

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [cryptography] Another CA hacked, it seems.
On 9/12/11 01:46 AM, Adam Back wrote:
> I'd hesitate calling that a "CA hacked" even if the web site was a web site
> belonging to someone who operates a CA.

My question is whether the website / database had subscriber information on it. That's a CA hack, albeit more a privacy hack than a crypto-system hack.

I'm presuming it did but the article doesn't seem to say.

> Is there more detail?

+1

iang

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108815%2Fweer-certificatenleverancier-overheid-gehackt.html&act=url
Re: [cryptography] Another CA hacked, it seems.
Did they successfully hack the CA functionality or just a web site housing network design documents for various dutch government entities? From what survives google translate of the original dutch it appears to be the latter no?

And if Kerckhoff's principle was followed what does it matter if some network design docs were leaked. You would hope they don't contain router passwords or such things.

I'd hesitate calling that a "CA hacked" even if the web site was a web site belonging to someone who operates a CA.

Is there more detail?

Adam

On Thu, Dec 08, 2011 at 03:26:08PM +0100, Ralph Holz wrote:
> As I said, at this rate we shall have statistically meaningful large
> numbers of CA hacks by 2013:
>
> http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108815%2Fweer-certificatenleverancier-overheid-gehackt.html&act=url
>
> Ralph
[cryptography] Another CA hacked, it seems.
As I said, at this rate we shall have statistically meaningful large numbers of CA hacks by 2013:

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108815%2Fweer-certificatenleverancier-overheid-gehackt.html&act=url

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Re: [cryptography] Law of unintended consequences?
On 8/12/11 12:01 PM, lodewijk andré de la porte wrote:
> I figured it'd be effective to create a "security awareness group"
> figuring the most prominent (and only effective) way to show people
> security is a priority is by placing a simple marking, something like
> "this site isn't safe!" and contacting the owners with what the exploit
> is.

One problem with any "opinion group" is that if it succeeds, it can be got at. Rich corporations join, snow the members with their paid employees, and then it becomes a commercial-sales organisation, punting marks to the highest bidder.

You succeed, then you lose it.

> That'd also provide challenge to those who participate and it doesn't
> hurt anyone. I think it's most likely a mind-spinoff of lulzsec's work,
> who took it to the extreme.

Yeah. So, then we get the issue that their opinion is different to others.

Taking a leaf from my experience, CAs: the guys that are running around recording all the certificates out there, like EFF and so forth, and then rating the site on their certificate goodness .. they think they are improving security by finding bad practices. But their model of security is the PKI model, which they've adopted without question. Which we now know (empirically) to be fundamentally broken. So these groups are busy running around promoting an old idea of security that actually sets users up for the fall.

> It kind of shocked me that regardless of the good spirit of my idea, the
> image of a happy hacker talking about how amazingly well he pulled off
> some hack and another about how stimulating it is to work with people who
> "live for it", would also be utterly illegal! I kinda liked the fact that
> the Internet was like a wild west, law is local and everything is
> possible and permitted. It being digital people wouldn't get quite so
> hurt if things went wrong. Now with security and size came legal matters.
> The funny thing to observe is that those who bring in the law have no
> idea of what's going on, they are (literally!) from another world! But
> with their laws the first thing they banned were the vigilantes, the
> criminals are still there. Some aren't building fences because the police
> will come busting everyone who passes into their backyard anyway, people
> become defenseless!

Yes. If the law makes people defenceless, does that mean the police have to defend them? Good luck on that, it's pretty clear that the police will take your report and file it somewhere. Beyond that?

Article about some guy who was hit with a dual channel attack for $45k, and the police think it is too small
http://www.scmagazine.com.au/News/282310,45k-stolen-in-phone-porting-scam.aspx/0

Interesting footnote on the PKI secure browsing claim that it tells you who you are connected to (or whatever the claim is today): the article doesn't even bother to mention that the guy's website connection had to be perverted in some way as well. It's simply exploring how the dual channel (cell) was broken.

iang