Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread ianG

On 25/02/12 18:50 PM, Jon Callas wrote:

> "...We're not *stupid*."

Once upon a time ...ok skip the annoying anecdote and get to the question:

What would be the smallest steganography program that someone could type
in and use to hide one's secret archive in plain sight?

iang

...a long long time ago, I used to port network code on demand.  This
was before the net.  So I had a bootstrapping problem.  This was before
the time of compatible magnetic media too, I guess, but, every machine
had a serial port.

I wrote a little network slave program in C, and a larger master one.
The master one stayed on the primary source machine.  The slave one I
typed in.  I got it down to around a page of C in time, and it would
generally take under an hour to get it up and humming.  Oh, and I had a
little home-made rs232 patch kit.  End of distracting anecdote.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread dan

Well put, James.  Warren Buffett's arguments are, to my eye,
aligned with yours.  He argues that gold has no intrinsic
value, unlike farmland or a company like Coca Cola.  In that
way, his evaluation is as instrumentalist as is yours, to the
extent that I understand the both of you.  His discussion of
gold, per se, is getting some press.  See

2011 shareholder letter
www.berkshirehathaway.com/letters/2011ltr.pdf

What I would add to your analysis of fiat currency is to agree
that nails, moonshine liquor, and antibiotics are replacements
for fiat currency, but I must also note that the modern economy
is all but totally dependent on large enterprises which, because
of their largeness alone, simply cannot engage in barter.  As such,
the failure of fiat currency is a return to another time; friction
(transfer costs) would be too great for any other outcome.  Just
as Internet hacking is material to the first world but not the
third, so too would be the failure of fiat currency.

Yours in off-topicality,

--dan

A democracy...can only exist until the voters discover that they
can vote themselves the Public Treasury.
-- Alexander Fraser Tyler



[cryptography] Diginotar summary

2012-02-26 Thread Peter Gutmann
The following is an attempt to gather all the information on the Diginotar
meltdown in one place.  There are references to external sources ("[REF...]")
and cross-links ("!!") which aren't present in the text, but apart from
that it should be pretty complete.  I've posted it here in case anyone finds
it useful, and if there's anything I've missed or that's incorrect, please let
me know.

Peter.

-- Snip --

A far more serious CA compromise occurred a few months later.  The problem was
first noticed when Iranian users of Google's Chrome browser, which contains
hardcoded knowledge of the certificates that are expected from Google sites (a
technique known as "certificate pinning"), started getting warnings that the
sites were serving unexpected certificates [REF: 1a, 1b].  This problem, which
ultimately affected up to 300,000 users [REF: 1d] was caused by certificates
for a whole range of major sites being replaced by new ones from a Dutch
trusted root CA called Diginotar (the suggestion to check for suspicious
certificate issuance for high-value sites dating from the last CA compromise
had been ignored).

This CA, which already had a long history of compromises by different hacker
groups in different countries going back over two years [REF: 2d], was
compromised in the current breach in around June 2011 [REF: 2f] with 283 rogue
certificates issued on 10 July and another 124 issued on 18 July
[REF: 2e].  Diginotar finally realised that there was a problem on 19 July
[REF: 2b], possibly after the attacker(s) left a note on Diginotar's site
informing them of this [REF: 2a][XREF: 2d] since they hadn't been aware of the
previous several years' worth of breaches.  In response to this the CA then
tried to revoke the rogue certificates and thought that they'd succeeded, but
an independent check carried out at that point couldn't find any evidence of
this, with the investigator concluding that "I'd love to see the
*dozens* of revocations [...] but I simply cannot find them" [REF: 2e].
In the meantime more rogue certificates were being issued, and Diginotar again
tried to revoke them [REF: 2c], again without much apparent effect (despite
the hacker activity at Diginotar ceasing on 22 July, new rogue certificates
were still being discovered as late as September [REF: 2f]).

The Diginotar breach was a fairly serious one since the attacker(s) were able
to issue not only generic web-server certificates but also high-value EV
certificates, European Qualified Certificates (these are discussed in
"X.509 in Practice" on page !), and Dutch government (PKIoverheid)
certificates.  The latter group included certificates for use by Dutch
notaries, which could be used to notarise high-value transactions like house
sales, after which they were transferred to an automated central government
registry.  While the Dutch government initially believed Diginotar when they
said that they'd got the situation under control [REF: 6c], a claim that was
backed up by an audit by the Dutch CERT GovCERT, a second evaluation by
security company Fox-IT [REF: 4a], combined with the appearance of further
rogue certificates as well as OCSP responder queries for even further
yet-to-be-discovered certificates, including high-value Qualified Certificates
and PKIoverheid certificates [REF: 2f] indicated that the problem hadn't
actually been fixed.

After an all-night crisis meeting, the Dutch government discontinued all use
of Diginotar certificates [REF: 6a], leaving all government sites that had
used Diginotar with invalid certificates until they could buy new ones from
other CAs [REF: 6a].  In all a total of 58,000 certificates had to be
replaced, a problem so massive that the Dutch government went so far as to ask
browser vendors to postpone taking any action because of the disruption that
it would cause.  The replacement process itself required extensive
coordination with users "to prevent the total collapse of all M2M
[machine-to-machine] communication" [REF: 6e].  Shortly afterwards the Dutch
government took over the administration of Diginotar [REF: 6b], prevented them
from issuing further high-value certificates like Qualified Certificates, and
had them revoke all (known) existing ones [REF: 6f].

A catastrophe on this scale was something that even the browser vendors
couldn't ignore.  Diginotar had issued a vanishingly small number of
general-purpose public certificates (its cash cow was the highly lucrative
business of selling to the Dutch government and government users, not to the
general public), totalling a mere 700-odd certificates [REF: 3a], of which
only 29 featured in the Alexa top million sites, all of them in the
Netherlands [REF: 3b].  Up against this were at least 531 known rogue
certificates (and an unknown number of further ones that hadn't been
discovered), including 124 that were issued after Diginotar detected the
compromise, indicating that there were further compromised systems or that the
supposedly re-secur
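The pinning check that surfaced the rogue certificates, as an added Go example that is not code from the summary above or from Chrome: two self-signed roots are generated in-process, one standing in for the compromised CA, both are trusted by the client, and a certificate for the same host from each is put through ordinary path validation and then through an SPKI-hash pin for the site's real issuer. Names, keys and the host are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo, the value a pin is
// expressed over: a CA may re-issue under the same key without breaking the
// pin, but a different CA's key never matches.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// mustIssue creates a P-256 certificate for name signed by parent; with a nil
// parent it is a self-signed root. Setup-only helper, so it panics on error.
func mustIssue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyPinned runs ordinary path validation and then insists that some
// certificate in a validated chain carries one of the pinned SPKI hashes.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("%s: chain validates but matches no pin (possible rogue issuance)", host)
}

// Scenario builds a legitimate root and a compromised one (both trusted, as
// Diginotar was) plus a certificate for the same host from each. It returns
// the pinned result for both and the plain path-validation result for the rogue one.
func Scenario() (legitErr, rogueErr, roguePlainErr error) {
	const host = "www.example.test" // constructed name
	legitCA, legitKey := mustIssue("Legitimate Root CA", true, nil, nil, 1)
	rogueCA, rogueKey := mustIssue("Compromised Root CA", true, nil, nil, 2)
	legitLeaf, _ := mustIssue(host, false, legitCA, legitKey, 3)
	rogueLeaf, _ := mustIssue(host, false, rogueCA, rogueKey, 4)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	pins := map[string]bool{spkiPin(legitCA): true} // the site's expected issuer
	_, roguePlainErr = rogueLeaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return VerifyPinned(legitLeaf, roots, host, pins),
		VerifyPinned(rogueLeaf, roots, host, pins),
		roguePlainErr
}

func main() {
	legit, rogue, plain := Scenario()
	fmt.Println("legitimate cert, pinned check:", legit)
	fmt.Println("rogue cert, plain path validation:", plain)
	fmt.Println("rogue cert, pinned check:", rogue)
}
```

Path validation alone accepts the rogue chain because its root is trusted; only the pin distinguishes the two, which is why the warnings first appeared in Chrome rather than elsewhere.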

Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Benjamin Kreuter
On Sun, 26 Feb 2012 08:48:05 -0500
d...@geer.org wrote:

> 
> Well put, James.  Warren Buffett's arguments are, to my eye,
> aligned with yours.  He argues that gold has no intrinsic
> value, unlike farmland or a company like Coca Cola.  In that
> way, his evaluation is as instrumentalist as is yours, to the
> extent that I understand the both of you.  His discussion of
> gold, per se, is getting some press.  See
> 
> 2011 shareholder letter
> www.berkshirehathaway.com/letters/2011ltr.pdf
> 
> What I would add to your analysis of fiat currency is to agree
> that nails, moonshine liquor, and antibiotics are replacements
> for fiat currency, but I must also note that the modern economy
> is all but totally dependent on large enterprises which, because
> of their largeness alone, simply cannot engage in barter.

It is not just about big business, it is also about maintaining a
functioning government.  There is too much specialization in society
for courts to assign damages in terms of nails, whiskey, cattle, rice,
or whatever else.  How does the government assess a fine in terms of
barter?

Money and government go hand in hand.  Governments need money in order
to manage taxes, fees, fines, and so forth; yet money becomes valuable
because of the legal structure that surrounds it, which is as true for
gold as it is for fiat currency.  Even if you could become completely
self sufficient, to the point of not having to trade with anyone, you
would still need to pay taxes and fees (property taxes, hunting license
fees, etc.), and you will need to make those payments in a manner that
is accepted by the government (i.e. the money issued by the
government).  Barter systems, de facto currencies and so forth only
work on small scales.

-- Ben



-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell




Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Benjamin Kreuter
On Sun, 26 Feb 2012 17:57:14 +1000
"James A. Donald"  wrote:

>  > On 2012-02-26 1:18 AM, Benjamin Kreuter wrote: The demand
>  > for Bitcoin as a currency is driven by its properties as a
>  > digital cash system; people still need to get their
>  > nation's currency at some point
> 
> Frau Eisenmenger writes in her 1919 diary:

I am not denying that when governments mismanage currencies, crises and
failures ensue.  This is true of all things governments manage:  when
mistakes are made, large numbers of people wind up suffering.  However,
the failure of some countries' currencies does not mean that people are
going to switch from their nation's currency to Bitcoin.  If the US
Dollar were to fail, Bitcoin would be the last thing on anyone's mind;
we would probably wind up switching to some other government's currency
while we sorted out the mess (Yuan perhaps), or we would just spend our
time killing each other and not worrying too much about money.

Perhaps you just need a short list of reasons why Bitcoin is not
going to replace government issued currencies:

1. No offline transactions, which makes Bitcoin useless for a large
   class of transactions.
2. Fixed upper bound on the number of currency units, which creates
   deflationary trends as economies and populations grow.
3. No governments allow tax payments made using Bitcoin, and there is
   no incentive for them to do so.  Even if everyone used Bitcoin for
   day-to-day trades, they would still have to pay property taxes or
   face arrests, property seizures, etc.  When the government becomes
   too ineffective to enforce its own laws, then Bitcoin might have a
   chance, but only as a way to manage trade in some foreign nations'
   currencies (who will still want to trade with people in the region
   where the government failed), and that is assuming that online
   transactions can even happen in such a situation.

Now, I will grant you this:  there is a very, very, very remote
possibility that every fiat currency in the entire world will fail
simultaneously, and that instead of shooting each other people will
continue to engage in trade (and that the Internet survives the mess).
Even in that case, there will need to be some currency for offline
transactions, and so even then Bitcoin will be relegated to second
place.

-- Ben





Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-26 Thread Andy Steingruebl
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray  wrote:

>
> Still it might be worth pointing that if Wells Fargo really wanted to
> forbid a Trustwave network-level MitM, SSL/TLS provides the capability to
> enforce that policy at the protocol level. They could configure their web
> app to require a client cert (either installed in the browser or from a
> smart card).
>
>
Maybe though you meant this specific type of "non-malicious" MiTM and the
problem is we don't have a name for that right now.

If you meant all MiTM though, your solution only stops attackers who
want to make it look like you're interacting with the real site, not one
who merely wishes to steal your data.  In that case they don't have to talk
to the real wells-fargo website :)

This is exactly why some people are pushing so hard for protocols that get
"exclusion" including things like CA-Pinning in Chrome, CAA, etc...

- Andy


Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Bill St. Clair
On Sun, Feb 26, 2012 at 10:08 AM, Benjamin Kreuter  wrote:
> On Sun, 26 Feb 2012 08:48:05 -0500
> d...@geer.org wrote:

> Money and government go hand in hand.  Governments need money in order
> to manage taxes, fees, fines, and so forth; yet money becomes valuable
> because of the legal structure that surrounds it, which is as true for
> gold as it is for fiat currency.  Even if you could become completely
> self sufficient, to the point of not having to trade with anyone, you
> would still need to pay taxes and fees (property taxes, hunting license
> fees, etc.), and you will need to make those payments in a manner that
> is accepted by the government (i.e. the money issued by the
> government).  Barter systems, de facto currencies and so forth only
> work on small scales.

You've just made a very good argument for eliminating money, at least
government issued money. Yes, governments just love to assess taxes,
fees, and fines. No, I have no need of any of that.

-Bill


Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Benjamin Kreuter
On Sun, 26 Feb 2012 11:00:15 -0500
"Bill St. Clair"  wrote:

> On Sun, Feb 26, 2012 at 10:08 AM, Benjamin Kreuter
>  wrote:
> > On Sun, 26 Feb 2012 08:48:05 -0500
> > d...@geer.org wrote:
> 
> > Money and government go hand in hand.  Governments need money in
> > order to manage taxes, fees, fines, and so forth; yet money becomes
> > valuable because of the legal structure that surrounds it, which is
> > as true for gold as it is for fiat currency.  Even if you could
> > become completely self sufficient, to the point of not having to
> > trade with anyone, you would still need to pay taxes and fees
> > (property taxes, hunting license fees, etc.), and you will need to
> > make those payments in a manner that is accepted by the government
> > (i.e. the money issued by the government).  Barter systems, de
> > facto currencies and so forth only work on small scales.
> 
> You've just made a very good argument for eliminating money, at least
> government issued money. Yes, governments just love to assess taxes,
> fees, and fines. No, I have no need of any of that.

I do not follow your argument -- how does eliminating government issued
money stop governments from collecting taxes and fees?  Governments
whose currencies fail sometimes switch to the currencies issued by
other governments; there are quite a few nations that use US Dollars
instead of issuing their own money.

You may not like the idea of fines or fees, but how would you propose
courts manage disputes between people?  Suppose I fail to maintain my
house, and a piece of it falls off and damages your house -- should you
have to pay for my negligence?  If I raise cattle and you write
software, what should I give you -- a cow perhaps?  Perhaps I should
pay for a repairman to come and fix things -- but what if you do not
like the person I choose?  We have judges and courts to help us resolve
these sorts of disputes, and money is a great way to ease these sorts
of disputes.

You may disagree with the taxes you pay, the fines that are issued, and
so forth -- but would you really want to have a tax collector come and
rate the quality of your work, and then take the products of that work
as a form of tax payment?  Do you want to see people imprisoned,
enslaved, tortured, etc. instead of paying fines?  I also disagree with
the laws in this country, but the solution is not "do away with money"
or "switch to Bitcoin."

-- Ben





Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Bill St. Clair
On Sun, Feb 26, 2012 at 11:40 AM, Benjamin Kreuter  wrote:
> On Sun, 26 Feb 2012 11:00:15 -0500
> "Bill St. Clair"  wrote:
>
>> On Sun, Feb 26, 2012 at 10:08 AM, Benjamin Kreuter

> I do not follow your argument -- how does eliminating government issued
> money stop governments from collecting taxes and fees?  Governments
> whose currencies fail sometimes switch to the currencies issued by
> other governments; there are quite a few nations that use US Dollars
> instead of issuing their own money.

You're right, of course. Governments will continue to behave as if
they own us, money or not. But you missed my point. I want no
government at all. Anywhere. I'm not proposing a system to replace the
current one, because I don't want it to be replaced. With what do you
replace cancer, except good health because the cancer is gone? Yes,
there will still be disagreements, and we'll invent ways to deal with
them, thousands of different ways, without giving anybody monopoly
power over anything.

But… way off topic.

One day I'll learn the crypto details of Bitcoin, if only to integrate
it with Truledger.

-Bill


Re: [cryptography] Explaining crypto to engineers

2012-02-26 Thread Ondrej Mikle
On 02/26/2012 04:47 AM, Kevin W. Wall wrote:
> On Sat, Feb 25, 2012 at 2:22 PM, Ondrej Mikle  wrote:
> 
>> Estimating RSA key size: it's more an educated guess/magic given how the sizes
>> are derived than anything else. And if you base your estimate for given time
>> window on Lenstra or ECRYPT II keysize recommendations you might get reprimanded
>> for suggesting too conservative values :-)
> 
> When someone asks, I first generally point them to http://www.keylength.com/
> and once they've read that, I tell them we can talk. At least that way,
> they aren't arguing with me. :)

That ECRYPT II 2011 report on keysizes and algorithms
(http://www.ecrypt.eu.org/documents/D.SPA.17.pdf) is one of the sources for the
values listed on http://www.keylength.com/.

However, keylength.com is not that useful when determining the lower bound on
keysize when the key is expected to last 90 days (the usual ZSK rollover period, but
I have a TODO to check how often it really happens; you know, lazy admins,
understaffed teams and such :-) ). Thus reading the original source reports and
the papers they reference is necessary.

While Jakob's suggestion to use ECDSA is probably the best one in the DNSSEC ZSK
case, the following were my arguments for raising the 1024-bit RSA ZSK lower bound to
1280-bit (just a "rounded" version of 1248-bit) in the upcoming year or two:

- with the upcoming TLSA record in DNS, if an attacker can crack the 1024-bit RSA
ZSK signing that TLSA record, he can forge the TLSA record and does not have to
attack the stronger long-lived key in the server's X.509 TLS certificate in order
to MitM the TLS stream
- it's obvious that a state-level attacker has to be expected (cf. Iran and their
CA-breaching shenanigans)
- RFC 4359 (written in 2006) gives a 1024-bit RSA key a 1 year lifetime
- RFC 3766 (written in 2004) gives an 80-bit symmetric key a 1 year lifetime
(equivalent of ~1200-1248-bit RSA)
- the ECRYPT report, pdf page 37, cites a worst case scenario in which 1024-bit RSA
could already have been factored by now (just not publicly), and references RFC
3766 on pdf page 38
- chapter 7 in the ECRYPT report gives _at most_ a few months for a 1024-bit RSA key
(~73-bit symmetric) against a state-level attacker (more precisely: at most a few
months for the equivalent of an 84-bit symmetric key against an intelligence agency
with a $300M budget)

I would still be grateful if somebody could explain to me what is wrong with
the above argumentation (except being conservative). Paul Hoffman referred back
to RFC 3766 and even though Paul has tons of experience, in my understanding the
ECRYPT II 2011 report "supersedes" RFC 3766, doesn't it?

(Paul's argumentation can be found in the link I posted before:
http://lists.opendnssec.org/pipermail/opendnssec-user/2012-January/001619.html)

>> There was an even better article from Matasano that showed Vaudenay's attack
>> nicely step-by-step, including commentary about IV selection (can't find it
>> right now).
> 
> If you do find it, please let me know. Usually I just point developers at
> the YouTube video by Duong and Rizzo using POET to crack ASP.NET's
> encryption and that convinces most of them.

I googled hard, still no luck. It's possible that it wasn't written by Matasano.
Every step was accompanied by a table showing the bytes sent, received,
important bytes highlighted and explaining the error side-channel. But I'll keep
looking.

>> A few days ago I've shown the Syllable /dev/random code
>> (http://syllable.cvs.sourceforge.net/viewvc/syllable/syllable/system/sys/kernel/drivers/misc/random/random.c?revision=1.4&view=markup)
>> to about 10-15 SW/HW guys and asked them to find the mistake in random_read.
>> One guy got it right (a crypto enthusiast), one was totally lost, third was
>> arguing that it was ok, because kernel rand() uses Mersenne Twister instead of
>> the age-old LCG rand(), but didn't catch that the seed has really low entropy
>> (seconds since last boot). Rest of them probably didn't care or it wasn't
>> interesting enough.
> 
> I thought most *nix kernels with /dev/random save some entropy when they
> shutdown and reinitialize from that upon booting. Not so?

OK, but what happens if the device is booted for the first time? And that's
exactly when the predictable primes were generated by those embedded devices.

> 
> But if I could put to something that was about 5-8 pages about something
> like "Ten Things Every Developer Should Know About Cryptography", that
> would be great for starters. Does such a thing exist? Maybe it can't be
> distilled to only 10, but you get my point.

That's what I was aiming for :-)

Ondrej
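The symmetric-equivalence reasoning behind Ondrej's list, as an added Go example (not code from the message, from ECRYPT or from RFC 3766): it takes the GNFS asymptotic L[1/3, 1.923] that both sources build on, calibrates it to the message's figure of 1024-bit RSA being worth about 73 symmetric bits (assumption: the o(1) term is dropped, so only ratios of effort are used), and then answers what a 1248- or 1280-bit ZSK buys and which modulus first reaches 80 bits. The "few months" rescaling is a plain 2^(difference in bits) extrapolation, also an assumption.

```go
package main

import (
	"fmt"
	"math"
)

// gnfsLog2Work returns log2 of the asymptotic GNFS effort L_N[1/3, 1.923]
// for an RSA modulus of the given bit length, with the o(1) term dropped.
// Only differences between two such values are meaningful.
func gnfsLog2Work(modulusBits float64) float64 {
	lnN := modulusBits * math.Ln2
	return 1.923 * math.Cbrt(lnN) * math.Pow(math.Log(lnN), 2.0/3.0) / math.Ln2
}

// Calibration point taken from the message: the ECRYPT II report rates
// 1024-bit RSA at roughly 73 bits of symmetric strength. Assumption: real
// effort tracks the asymptotic formula, so the unknown constant cancels.
const (
	calibModulusBits   = 1024.0
	calibSymmetricBits = 73.0
)

// RSAEquivalentBits estimates the symmetric-key strength of an RSA modulus.
func RSAEquivalentBits(modulusBits int) float64 {
	return gnfsLog2Work(float64(modulusBits)) - gnfsLog2Work(calibModulusBits) + calibSymmetricBits
}

// MinModulusBits returns the smallest modulus length (a multiple of 8 bits)
// whose estimated strength reaches targetBits, or -1 if none up to 16384.
func MinModulusBits(targetBits float64) int {
	for b := 512; b <= 16384; b += 8 {
		if RSAEquivalentBits(b) >= targetBits {
			return b
		}
	}
	return -1
}

// BreakMonths rescales a reference capability ("this attacker needs refMonths
// for a refBits key") to another strength: every extra bit doubles the work.
func BreakMonths(bits, refBits, refMonths float64) float64 {
	return refMonths * math.Pow(2, bits-refBits)
}

func main() {
	for _, b := range []int{1024, 1248, 1280, 2048} {
		fmt.Printf("RSA-%d ~ %.1f symmetric bits\n", b, RSAEquivalentBits(b))
	}
	fmt.Printf("smallest modulus for 80-bit strength: %d bits\n", MinModulusBits(80))
	// The message's worst case: "a few months" at 84-bit strength. At the
	// 73 bits of a 1024-bit modulus the same attacker needs 2^11 times less,
	// which turns three months into about an hour.
	fmt.Printf("1024-bit RSA against a 3-months-per-84-bits attacker: %.4f months\n",
		BreakMonths(RSAEquivalentBits(1024), 84, 3))
}
```

With this calibration 1248 bits lands at about 80.8 symmetric bits and 2048 bits at about 103, in line with the ~1228-bit and 103-bit figures of RFC 3766 and ECRYPT II respectively, which is the consistency the message is asking about.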


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Jon Callas

On Feb 25, 2012, at 3:18 PM, Kevin W. Wall wrote:

> On Sat, Feb 25, 2012 at 2:50 AM, Jon Callas  wrote:
> 
> [snip]
> 
>> But to get to the specifics here, I've spoken to law enforcement and
>> border control people in a country that is not the US, who told me
>> that yeah, they know all about TrueCrypt and their assumption is
>> that *everyone* who has TrueCrypt has a hidden volume and if they
>> find TrueCrypt they just get straight to getting the second password.
>> They said, "We know about that trick, and we're not stupid."
> 
> Well, they'd be wrong with that assumption then.

Only from your point of view. From their point of view, the user is the one 
with wrong assumptions.

Remember what I said -- they're law enforcement and border control. In their 
world, Truecrypt is the same thing as a suitcase with a hidden compartment. 
When someone crosses a border (or they get to perform a search), hidden 
compartments aren't exempt. They get to search them. 

Also to them, Truecrypt is a suitcase that advertises a hidden compartment, and 
that's pretty useless, in their world.

> 
>> I asked them about the case where someone has TrueCrypt but doesn't
>> have a hidden volume, what would happen to someone who doesn't have one?
>> Their response was, "Why would you do a dumb thing like that? The whole
>> point of TrueCrypt is to have a hidden volume, and I suppose if you
>> don't have one, you'll be sitting in a room by yourself for a long
>> time. We're not *stupid*."
> 
> That's good to know then. I never had anything *that* secret to protect,
> so never bothered to create a hidden volume. I just wanted a good, cheap
> encrypted volume solution where I could keep my tax records and other
> sensitive personal info. And if law enforcement ever requested the password
> for that, I wouldn't hesitate to hand it over if they had the proper
> subpoena / court order. But I'd be SOL when they went looking for a second
> hidden volume simply because one doesn't exist. Guess if I ever go out of
> the country with my laptop, I'd just better securely wipe that partition.

Or just put something in it that you can show. 

Jon



Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Harald Hanche-Olsen
[Jon Callas  (2012-02-26 17:35:55 UTC)]

> On Feb 25, 2012, at 3:18 PM, Kevin W. Wall wrote:
> > But I'd be SOL when they went looking for a second
> > hidden volume simply because one doesn't exist. Guess if I ever go out of
> > the country with my laptop, I'd just better securely wipe that partition.
> 
> Or just put something in it that you can show. 

I know nothing about TrueCrypt, but I imagine a technical solution to
this kind of problem exists: Just give TrueCrypt the ability to have a
virtually unlimited number of hidden volumes. Now you can reveal them,
one after the other, in increasing order of embarrassment value and
perhaps a modest level of illegality, after which you say, that's it,
there are no more secrets here.

- Harald


Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Jeffrey Walton
On Sun, Feb 26, 2012 at 10:08 AM, Benjamin Kreuter  wrote:
> On Sun, 26 Feb 2012 08:48:05 -0500
> d...@geer.org wrote:
>
>>
>> Well put, James.  Warren Buffett's arguments are, to my eye,
>> aligned with yours.  He argues that gold has no intrinsic
>> value, unlike farmland or a company like Coca Cola.  In that
>> way, his evaluation is as instrumentalist as is yours, to the
>> extent that I understand the both of you.  His discussion of
>> gold, per se, is getting some press.  See
>>
>> 2011 shareholder letter
>> www.berkshirehathaway.com/letters/2011ltr.pdf
>>
>> What I would add to your analysis of fiat currency is to agree
>> that nails, moonshine liquor, and antibiotics are replacements
>> for fiat currency, but I must also note that the modern economy
>> is all but totally dependent on large enterprises which, because
>> of their largeness alone, simply cannot engage in barter.
>
> It is not just about big business, it is also about maintaining a
> functioning government.  There is too much specialization in society
> for courts to assign damages in terms of nails, whiskey, cattle, rice,
> or whatever else.  How does the government assess a fine in terms of
> barter?
>
> Money and government go hand in hand.  Governments need money in order
> to manage taxes, fees, fines, and so forth; yet money becomes valuable
> because of the legal structure that surrounds it, which is as true for
> gold as it is for fiat currency.  Even if you could become completely
> self sufficient, to the point of not having to trade with anyone, you
> would still need to pay taxes and fees (property taxes, hunting license
> fees, etc.), and you will need to make those payments in a manner that
> is accepted by the government (i.e. the money issued by the
> government).  Barter systems, de facto currencies and so forth only
> work on small scales.

It's interesting to note the government does not always accept its own
money: http://cnews.canoe.ca/CNEWS/WeirdNews/2010/07/15/14723646.html.


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Marsh Ray

On 02/26/2012 11:35 AM, Jon Callas wrote:

> On Feb 25, 2012, at 3:18 PM, Kevin W. Wall wrote:
>
>> On Sat, Feb 25, 2012 at 2:50 AM, Jon Callas wrote:
>>
>>> I asked them about the case where someone has TrueCrypt but
>>> doesn't have a hidden volume, what would happen to someone who
>>> doesn't have one? Their response was, "Why would you do a dumb
>>> thing like that? The whole point of TrueCrypt is to have a hidden
>>> volume, and I suppose if you don't have one, you'll be sitting in
>>> a room by yourself for a long time. We're not *stupid*."
>>
>> That's good to know then. I never had anything *that* secret to
>> protect, so never bothered to create a hidden volume. I just wanted
>> a good, cheap encrypted volume solution where I could keep my tax
>> records and other sensitive personal info. And if law enforcement
>> ever requested the password for that, I wouldn't hesitate to hand
>> it over if they had the proper subpoena / court order. But I'd be
>> SOL when they went looking for a second hidden volume simply
>> because one doesn't exist. Guess if I ever go out of the country
>> with my laptop, I'd just better securely wipe that partition.
>
> Or just put something in it that you can show.

So everyone who now has a hidden 2nd Truecrypt partition with
incriminating things in it needs to make it their hidden 3rd partition
and in the hidden 2nd partition instead store things which are merely
embarrassing.

Except that as it is stipulated that the captors are "not stupid", we
must assume they are perfectly rational actors who will have worked out
this strategy too.

I bet there could be an interesting paper with a game-theoretic analysis
of this "traveler's dilemma". Maybe it's been written?

On each round, a traveler with hidden encrypted volumes which he prefers
not to disclose must cross a border in which he passes through a "civil
rights-free zone", placing himself under the control of a jailer. At the
beginning of each round, the traveler selects the number of hidden
volumes he will carry from some set of predefined 4-tuples: (cost/payoff
to traveler if disclosed/not disclosed, cost/payoff to jailer if not
disclosed/disclosed)

The round proceeds in turns. On each turn, the jailer may elect to pay a
cost to imprison the traveler for another turn, or let the traveler go
free. On each turn, the traveler selects to disclose some (or none) of
any undisclosed volumes he has remaining. The round ends when the
traveler goes free.

What is the optimal strategy for the jailer? For the traveler?

How does it make sense to set up the initial costs?

- Marsh


Re: [cryptography] Explaining crypto to engineers (was: Duplicate primes in lots of RSA moduli)

2012-02-26 Thread Jeffrey Walton
On Sun, Feb 26, 2012 at 1:46 AM, Jeffrey Walton  wrote:
> On Sat, Feb 25, 2012 at 10:47 PM, Kevin W. Wall  
> wrote:
>>
>> [SNIP]
>>
>> Thanks for the link. It took me a LONG time to convince the ESAPI team
>> of this because I was the newb to them and I came in and said we
>> need to at least need to add a MAC over the IV+ciphertext. But it
>> took me a really long time to convince them because I could not remember
>> Vaudenay's name (so sorry if you are out there reading this!) and neither
>> could I recall the details of how it was done. I finally stumbled upon
>> it while Googling for cryptographic attacks against IPSec, which I remembered
>> was one of the things originally affected.
> Also of interest is Wagner and Schneier's "Analysis of the SSL 3.0
> protocol" from 1996 or so (www.schneier.com/paper-ssl.pdf). The Horton
> Principle (Semantic Authentication) tells us to validate the IV and
> Ciphertext. From the contrapositive: if there's no need to validate
> the IV or ciphertext, then there is no need to send it because it has
> no value. I often use the contrapositive to flush out useless junk in
> a protocol.
Here's a perfect example of a violation of Wagner and Schneier's
Horton Principle: Support of Non-Canonicalized Messages in EAX' (used
in the US Smart Grid) [1]:

Hardware non-support of canonicalized messages: Some
modem chips such as many of those for IEEE 802.15.4
provide hardware support for CCM-mode transmission
and reception when the message to be CCM-authenticated
consists exactly of the message Cleartext and plaintext, in
that order, that is to be sent or that was received. However,
ANSI C12.22 requires that the authenticated message use
canonical forms of ApTitles, and exclude the
 (the ApTitle of the message
originator) when it was added by a proxy C12.22 Relay. The
resultant software-based sequencing of invocations of the
underlying hardware block cipher (e.g. AES-128)
implementation is equivalent to that required for EAX.

Either  has value and it gets MAC'd; or it
has no value and it is not even sent. Here, ANSI finds refuge in a
bastard world where it claims  has value but
it is not MAC'd. This means  will be forged
in the field by the attacker.

Jeff

[1] 
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax-prime/eax-prime-spec.pdf
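Kevin's fix (a MAC over the IV+ciphertext) next to the form that MACs only the ciphertext, as an added illustration that is not ESAPI's or anyone's code from this thread; Python's standard library has no AES, so a counter-mode keystream built from HMAC-SHA256 stands in for the block cipher, and the keys and plaintext are constructed.

```python
# Added illustration of "a MAC over the IV+ciphertext": encrypt-then-MAC with the
# tag covering iv || ct, beside a variant that tags only ct. Not ESAPI or list code.
# Python's stdlib has no AES, so a counter-mode keystream from HMAC-SHA256 (a PRF)
# stands in for the block cipher; the authentication logic is the point and would
# be the same over AES-CBC or AES-CTR. Keys and plaintext below are constructed.
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode over a PRF: block i = HMAC(enc_key, iv || i). Stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_and_tag(enc_key: bytes, mac_key: bytes, plaintext: bytes,
                    cover_iv: bool = True) -> bytes:
    """Return iv || ct || tag. With cover_iv=False the tag omits the IV (the weak form)."""
    iv = os.urandom(IV_LEN)
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authenticated = iv + ct if cover_iv else ct
    tag = hmac.new(mac_key, authenticated, hashlib.sha256).digest()
    return iv + ct + tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, msg: bytes,
                       cover_iv: bool = True) -> bytes:
    """Check the tag in constant time before touching the ciphertext; raise on failure."""
    if len(msg) < IV_LEN + TAG_LEN:
        raise ValueError("message too short")
    iv, ct, tag = msg[:IV_LEN], msg[IV_LEN:-TAG_LEN], msg[-TAG_LEN:]
    authenticated = iv + ct if cover_iv else ct
    expected = hmac.new(mac_key, authenticated, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def iv_tamper_outcome(cover_iv: bool) -> str:
    """Flip one bit of the IV in transit and report what the receiver does."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed keys
    plaintext = b"tax records 2011"                     # constructed sample
    msg = encrypt_and_tag(enc_key, mac_key, plaintext, cover_iv)
    tampered = bytes([msg[0] ^ 0x01]) + msg[1:]
    try:
        recovered = verify_and_decrypt(enc_key, mac_key, tampered, cover_iv)
    except ValueError:
        return "rejected"
    # Tag passed: the receiver now acts on whatever the altered IV decrypts to.
    return "accepted intact" if recovered == plaintext else "accepted garbage"


if __name__ == "__main__":
    print("tag over ct only, IV flipped:", iv_tamper_outcome(cover_iv=False))
    print("tag over iv||ct, IV flipped: ", iv_tamper_outcome(cover_iv=True))
```

With the tag over the ciphertext alone, the altered message passes verification and the receiver processes garbage; with the IV covered, it is rejected before any decryption happens.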


Re: [cryptography] Explaining crypto to engineers

2012-02-26 Thread Ondrej Mikle
On 02/26/2012 04:47 AM, Kevin W. Wall wrote:
> On Sat, Feb 25, 2012 at 2:22 PM, Ondrej Mikle  wrote:
> 
>>> 5) They don't know what padding is, or when/why to use it.
>>
>> I vaguely remember some past attacks on (I think) PKCS#1 padding, it was a long
>> time ago (I'm guessing it's fixed in PKCS#1-1.5, right?). What about OAEP? I
>> also have a vague notion of a past paper that appeared to poke holes in it 
>> (maybe
>> I'm confusing it with something else?)
> 
> IIRC, there were some attacks on PKCS#1 padding with RSA. I generally
> just say if you are using padding with asymmetric encryption, use
> OAEPWithSHA-256AndMGF1Padding. Not sure that is valid with ciphers
> other than RSA though. Is it safe for others too?

I've just found an article about the OAEP padding oracle (that I couldn't recall
before):

http://ritter.vg/blog-mangers_oracle.html

Reportedly there is no major implementation that would suffer from error
side-channel, although there is an interesting experiment with timing 
side-channel.

Ondrej


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Jon Callas

On Feb 25, 2012, at 6:35 PM, James A. Donald wrote:

> Jon Callas  writes:
> > > I've spoken to law enforcement and border control people
> > > in a country that is not the US, who told me that yeah,
> > > they know all about TrueCrypt and their assumption is that
> > > *everyone* who has TrueCrypt has a hidden volume and if
> > > they find TrueCrypt they just get straight to getting the
> > > second password. They said, "We know about that trick, and
> > > we're not stupid."
> 
> They may assume that - but they cannot prove it.

You're assuming that they operate with the same security model that you do.

Your security model presupposes US law, to start with. I can see that in the 
glib comment asking if I'd ever heard of "innocent until proven guilty" -- 
which is a US principle. It is one that I not only have heard of, but think it 
is a pretty darn good idea, too!

Nonetheless, it does not exist everywhere in the world, and I said this was not 
the US. In fact the very reason I said it wasn't the US was because I wanted to 
point out that objections to the story based upon US law are irrelevant. 
Moreover, innocent until proven guilty is interpreted differently depending on 
what sort of case there is. The term *proven* is context-dependent. There are 
different ways they prove, different burdens of proof. "Beyond reasonable 
doubt" and "clear and convincing evidence" are two used in criminal cases in 
the US. "Preponderance of evidence" is usually used in civil cases.

None of these are "plausible deniability." As I said before, this is a term of 
spycraft and statecraft. Usually it's used to describe how a powerful entity 
like a nation state can defend itself against attacks by less-powerful 
entities. There are forms of torture that are popular because they leave no 
marks on the victim and therefore give the state plausible deniability. 
Bureaucracies also use this technique to spread blame or leave the blame with 
some other person. 

In a number of cases involving spectacularly failed companies, the CEO has 
tried to stick someone else with the blame through plausible denial. Or perhaps 
the family and associates of a fraudster use a form of plausible denial to 
avoid conviction or trial. (I am not saying that using plausible means you're 
guilty -- it only means you don't have a better defense.) It works sometimes 
and doesn't work others. It didn't work for Bernie Ebbers, for example. 
Plausible denial combined with a lack of evidence works really well, but it's 
not a legal principle at all.

Most people who use the term "plausible denial," particularly us crypto people, 
would be better served to say "reasonable doubt." It's a better marketing term 
at the very least.

But anyway, back to deniable encryption and what is a language-theoretic issue.

If your security model includes technical issues and policy issues, but your 
attacker has different policies, then your security might fail for 
language-theoretic reasons.

To a border control person (and that's who I was talking about), Truecrypt is 
the same thing as a suitcase with a false bottom. Technically, we'd say that it 
is a container that (assuming it works correctly) *might* have a secret 
compartment and that one that does have a secret compartment is 
information-theoretically indistinguishable from one that has a secret 
compartment. But if you read the previous sentence to a border control person, 
they might hear, "...it is a container ... that ... has a secret compartment." 

The difference is policy, not technical. If their security model includes the 
policy that there's no reason to have a suitcase with a false bottom except to 
put something in it, then how you make a denial becomes everything.

If your denial is "don't be ridiculous, I *know* you guys can spot hidden 
volumes and that's why I'd never use one -- I use it because I'm cheap" then 
you're doing well. If your denial is, "you can't prove there's a hidden volume 
there" then you're not doing so well.

My point is that there are security models out there that know about hidden 
volumes and have their own defenses against them. I used the word "defenses" 
intentionally. They are border control people. Their model considers a hidden 
volume to be an attack, not a defense. They have developed their own defenses 
against smuggling that take hidden volumes into account.

> Evidently in the case of
> http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf They
> were totally unable to get information out of John Doe
> 
> For the entire case turned on the fact that John Doe never
> admitted the existence of the hidden drive, and forensics were
> entirely unable to prove the existence of the hidden drive.
> 
> Customs may have the authority to search through your stuff,
> but if they cannot find what they are looking for, they have
> no authority to make you tell them that it exists and where
> it is.
> 
> But if you *do* tell them that it exists, then they can make
> you te

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-26 Thread Marsh Ray

On 02/26/2012 09:34 AM, Andy Steingruebl wrote:

On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray wrote:


Still it might be worth pointing that if Wells Fargo really wanted
to forbid a Trustwave network-level MitM, SSL/TLS provides the
capability to enforce that policy at the protocol level. They could
configure their web app to require a client cert (either installed
in the browser or from a smart card).

Maybe though you meant this specific type of "non-malicious" MiTM
and the problem is we don't have a name for that right now.

If you meant all MiTM though,


I think I meant to say "Trustwave-like", but yes I did mean all MitM
because I was thinking about the network protocol level at which there's
no distinction between "malicious" and "non-malicious" impersonation.


your solution only stops attackers who want to make it look
like you're interacting with the real site, not one who merely
wishes to steal your data.  In that case they don't have to talk to
the real wells-fargo website :)


So there are several issues here, and they all have to be right for
everybody to obtain that elusive "security". I believe you're referring
to a phishing attack, where the bad guy impersonates the site to the
user generally in order to trick the user into disclosing their login
credentials.

A. The site must authenticate the user.

This nearly always revolves around a password (with sometimes a few
other factors thrown in for good measure). The password is something the
user is expected to keep totally secret, except when he is required, on
demand, to transmit it securely to the legitimate site.

Which means in order for this authentication to be secure ...

B. The user must reliably authenticate the site. This is quite a
challenge for anyone, let alone the non-expert user.

The identity the user has in mind is something like "The Wells Fargo 
website where I access my online banking". If the user hovers the mouse 
in Firefox, what they see in the absence of an attacker is:



You are connected to wellsfargo.com which is run by (unknown)
Verified by: VeriSign Trust Network [lock icon] Your connection to
this website is encrypted to prevent eavesdropping. [More
information...] Website Identity Website: www.wellsfargo.com Owner:
This website does not supply ownership information. Verified by
VeriSign Trust Network [blah blah] Technical Details Connection
Encrypted: High-grade Encryption (RC4, 128 bit keys) [blah blah] It
is therefore very unlikely that anyone read this page as it traveled
across the network.


What they see in the presence of an attacker is:

You are connected to wel1sfargo.com which is run by (unknown)
Verified by: IntegriTrust Trust Network [lock icon] Your connection to
this website is encrypted to prevent eavesdropping. [More
information...] Website Identity Website: www.wel1sfargo.com Owner:
This website does not supply ownership information. Verified by
IntegriTrust Trust Network [blah blah] Technical Details Connection
Encrypted: High-grade Encryption (RC4, 128 bit keys) [blah blah] It
is therefore very unlikely that anyone read this page as it traveled
across the network.


Obviously this is going to be a challenge. (Hint: look closely at the 
ells in 'wells').


At first glance, this issue would appear to be a problem at a higher 
level than TLS can help with, because TLS just authenticates short 
strings (like hostnames) against x509 certificates.


Assuming the username/password box on their home page does what it says, 
Wells Fargo is not authenticating their user to modern cryptographic 
standards. Instead they are using plaintext passwords, which are 
forwardable, replayable, low-entropy credentials. In fact, the security 
of the system the bank deployed relies on the bank customers to perform 
the cryptographic authentication! How messed up is that?


So this raises another principle:

C. The site-to-user authentication and user-to-site authentications
should be cryptographically bound to provide true mutual authentication 
rather than two independent bidirectional authentications.


With mutual authentication, the legitimate site that issued the client 
credentials has the ability to prove the absence of a MitM. 
Bidirectional authentication tends to have failure modes that true 
mutual authentication does not and phishing for passwords is probably a 
good example.


So if the online banking site required TLS client authentication with 
smart cards with on-chip RSA, the situation would be much different. A 
MitM who succeeded in impersonating the site to the user would be unable 
to replay or forward the user's credentials. In theory, the user could 
not be socially engineered out of his credentials (short of physically 
handing over his smart card).


Now of course client certs and smart cards don't solve every problem and 
certainly more than one once-starry-eyed organization ends up wishing 
they'd never heard of them (*cough* DigiNotar PKIoverheid)
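Principle C above, as an added simulation that is not code from any bank or TLS stack: a forwardable password (two independent authentications) beside a proof bound to the identity of the server the user actually connected to. The smart card is modelled as a key only the card and the bank hold, used as an HMAC key in place of on-chip RSA, and a server's identity is the SHA-256 fingerprint of a constructed certificate string.

```python
# Added illustration of principle C: a forwardable password (two independent
# authentications) next to a proof bound to the identity of the server the user
# actually connected to (mutual authentication). Constructed simulation, not code
# from any bank or TLS stack. The smart card is modelled with a key only the card
# and the bank hold, used as an HMAC key in place of on-chip RSA; a server's
# identity is the SHA-256 fingerprint of a constructed certificate string.
import hashlib
import hmac
import os


def fingerprint(cert: bytes) -> bytes:
    """What the client's TLS layer hands up: a hash of the certificate it saw."""
    return hashlib.sha256(cert).digest()


class Bank:
    """The legitimate site. Holds each user's password and card key (constructed)."""

    def __init__(self, cert: bytes, users: dict):
        self.cert = cert
        self.users = users          # name -> (password, card_key)
        self.pending = set()        # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def login_password(self, name: str, password: bytes) -> bool:
        # Whoever presents the password string is accepted; it can be relayed.
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(user[0], password)

    def login_bound(self, name: str, nonce: bytes, proof: bytes) -> bool:
        # The proof must cover a fresh challenge and *this* server's fingerprint.
        user = self.users.get(name)
        if user is None or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # single use
        expected = hmac.new(user[1], nonce + fingerprint(self.cert),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Relay:
    """A lookalike site that forwards everything to the bank. It cannot present
    the bank's certificate, so the client sees a different fingerprint."""

    def __init__(self, bank: Bank):
        self.cert = b"constructed certificate: lookalike site"
        self.bank = bank

    def challenge(self) -> bytes:
        return self.bank.challenge()

    def login_password(self, name: str, password: bytes) -> bool:
        return self.bank.login_password(name, password)

    def login_bound(self, name: str, nonce: bytes, proof: bytes) -> bool:
        return self.bank.login_bound(name, nonce, proof)


class Client:
    def __init__(self, name: str, password: bytes, card_key: bytes):
        self.name, self.password, self.card_key = name, password, card_key

    def login_password(self, server) -> bool:
        return server.login_password(self.name, self.password)

    def login_bound(self, server) -> bool:
        nonce = server.challenge()
        peer = fingerprint(server.cert)  # identity of the peer actually connected to
        proof = hmac.new(self.card_key, nonce + peer, hashlib.sha256).digest()
        return server.login_bound(self.name, nonce, proof)


def run_scenarios() -> dict:
    """Log in directly and through the relay with each credential type."""
    card_key = os.urandom(32)
    bank = Bank(b"constructed certificate: bank.example",
                {"alice": (b"correct horse battery", card_key)})
    alice = Client("alice", b"correct horse battery", card_key)
    relay = Relay(bank)
    return {
        "password_direct": alice.login_password(bank),       # True
        "password_via_relay": alice.login_password(relay),   # True: forwarded
        "bound_direct": alice.login_bound(bank),             # True
        "bound_via_relay": alice.login_bound(relay),         # False: wrong identity
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:20s} {'accepted' if ok else 'rejected'}")
```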

Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread ianG

On 27/02/12 03:00 AM, Bill St. Clair wrote:


You've just made a very good argument for eliminating money, at least
government issued money. Yes, governments just love to assess taxes,
fees, and fines. No, I have no need of any of that.



Maybe, maybe not.  The princes, bandits argument is not only theoretical:

https://bitcointalk.org/index.php?topic=16457.0

http://ulf-m.blogspot.com.au/

iang


Re: [cryptography] Explaining crypto to engineers

2012-02-26 Thread ianG

On 26/02/12 14:47 PM, Kevin W. Wall wrote:


But if I could put to something that was about 5-8 pages about something
like "Ten Things Every Developer Should Know About Cryptography", that
would be great for starters. Does such a thing exist? Maybe it can't be
distilled to only 10, but you get my point.



At a higher level, I wrote Hypotheses in Secure Protocol Design:

http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html

It's meant for the DIY engineer, to distil current understandings, not 
to be their only source, but to be a sort of "avoid these traps" list 
after they have done some study.


Not everyone agrees...

iang

PS: if I wrote it again I'd drop the 7.  I'm 3 times over the current 
journalistic trend of "5 things you must know in order to achieve 
happiness in all things."



Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread James A. Donald

d...@geer.org wrote:
> Warren Buffet's arguments are, to my eye, aligned with
> yours.  He argues that gold has no intrinsic value, unlike
> farmland or a company like Coca Cola.  In that way, his
> evaluation is as instrumentalist as is yours, to the extent
> that I understand the both of you.  His discussion of gold,
> per se, is getting some press.  See
>
> 2011 shareholder letter
> www.berkshirehathaway.com/letters/2011ltr.pdf

Warren Buffet writes:

What motivates most gold purchasers is their belief
that the ranks of the fearful will grow.

Rather, what motivates most gold purchasers (and thus most
bitcoin purchasers) is their belief that their fears might
well prove correct, that without gold, they might find
themselves penniless refugees, or, worse, without even the
ability to become penniless refugees, because they lack the
funding to leave a collapsing society.

Gold is an end of the world investment, insurance against
total institutional collapse.  We tend to underestimate fat
tail risks such as total collapse, since the English speaking
world has never had a total institutional collapse since the
battle of Hastings in 1068.

This however, is survivorship bias.  In the rest of the
world, total institutional collapse has been rather common.

Warren Buffet correctly argues that gold will, on average,
lose value.  However there is a significant risk that
everything except gold will lose value.

Warren Buffet continues:
A century from now the 400 million acres of farmland
will have produced staggering amounts of corn,
wheat, cotton, and other crops – and will continue
to produce that valuable bounty, whatever the
currency may be. Exxon Mobil will probably have
delivered trillions of dollars in dividends to its
owners and will also hold assets worth many more
trillions (and, remember, you get 16 Exxons)

Now let us apply this reasoning to Russian croplands in 1903.  A 
situation is all too easily imaginable where investing in American 
cropland will not get you corn, but a one way ticket to the gulag.



Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread James A. Donald

See 2011 shareholder letter

www.berkshirehathaway.com/letters/2011ltr.pdf


Warren Buffet's argument leads to the conclusion that had Roman in the 
time of Caesar invested a talent in land, or deposited some money with 
the money lenders to earn interest, his descendants would now be worth 
10^67 talents, or about one trillion trillion trillion trillion trillion 
trillion dollars, whereas had he buried a talent of gold in the ground, 
that Roman's descendants would now be worth about one talent, which is a 
few hundred dollars.



Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread James A. Donald

On 2012-02-27 1:28 AM, Benjamin Kreuter wrote:

If the US
Dollar were to fail, Bitcoin would be the last thing on anyone's mind;
we would probably wind up switching to some other government's currency
while we sorted out the mess (Yuan perhaps), or we would just spend our
time killing each other and not worrying too much about money.


There has never been a time when we were too busy killing each other to 
worry about money.


Even before the bronze age there were a curiously large number of 
carefully made stone axe heads that were never used for chopping anything.



Perhaps you just need a short list of reasons why Bitcoin is not
going to replace government issued currencies:

1. No offline transactions, which makes Bitcoin useless for a large
class of transactions.


Smartphones.


2. Fixed upper bound on the number of currency units, which creates
deflationary trends as economies and populations grow.


Deflation, oh the horror, the horror.  How did we ever survive during 
the several hundred years when deflation was normal?



3. No governments allow tax payments made using Bitcoin


Oh the horror.



Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread James A. Donald

On 2012-02-27 1:28 AM, Benjamin Kreuter wrote:
> If the US Dollar were to fail, Bitcoin would be the last
> thing on anyone's mind; we would probably wind up switching
> to some other government's currency while we sorted out the
> mess (Yuan perhaps), or we would just spend our time
> killing each other and not worrying too much about money.

There has never been a time when we were too busy killing
each other to worry about money.

> Perhaps you just need a short list of reasons why Bitcoin
> is not going to replace government issued currencies:
>
> 1. No offline transactions, which makes Bitcoin useless for
> a large class of transactions.

Smartphones.

> 2. Fixed upper bound on the number of currency units, which
> creates deflationary trends as economies and populations grow.

Deflation! Oh the horror, the horror.  How did we ever
survive during the several hundred years when deflation was
normal?

> 3. No governments allow tax payments made using Bitcoin

Oh the horror.



Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread James A. Donald

On 2012-02-27 3:35 AM, Jon Callas wrote:
> Remember what I said -- they're law enforcement and border
> control. In their world, Truecrypt is the same thing as a
> suitcase with a hidden compartment. When someone crosses a
> border (or they get to perform a search), hidden
> compartments aren't exempt. They get to search them.

Hidden compartment?  What hidden compartment?  If I have one,
you are welcome to search it.  Go knock yourselves out.



Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread James A. Donald

On 2012-02-27 4:29 AM, Harald Hanche-Olsen wrote:

I know nothing about TrueCrypt, but I imagine a technical solution to
this kind of problem exists: Just give TrueCrypt the ability to have a
virtually unlimited number of hidden volumes. Now you can reveal them,
one after the other, in increasing order of embarrassment value and
perhaps a modest level of illegality, after which you say, that's it,
there are no more secrets here.


In the case on which the ruling was issued, John Doe had five terabytes 
of TrueCrypt drive, and absolutely nothing on the outermost TrueCrypt drive.


I am pretty sure that if he had something moderately embarrassing or a 
little bit illegal on the outer drive with the easily broken password, 
he would not have had to appeal all the way up.




Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread James A. Donald

On 2012-02-27 5:09 AM, Marsh Ray wrote:

So everyone who now has a hidden 2nd Truecrypt partition with
incriminating things in it needs to make it their hidden 3rd partition
and in the hidden 2nd partition instead store things which are merely
embarrassing.

Except that as it is stipulated that the captors are "not stupid", we
must assume they are perfectly rational actors who will have worked out
this strategy too.


If everyone goes for a third partition - but in practice, some people 
will have only one, some people two with the good stuff on the second, 
some people three with the good stuff on the third, some four, some five ..


Rationality can easily be defeated by deliberate randomness and 
intentional irrationality.




Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Kevin W. Wall
On Sun, Feb 26, 2012 at 8:36 PM, James A. Donald  wrote:
> On 2012-02-27 3:35 AM, Jon Callas wrote:
>> Remember what I said -- they're law enforcement and border
>> control. In their world, Truecrypt is the same thing as a
>> suitcase with a hidden compartment. When someone crosses a
>> border (or they get to perform a search), hidden
>> compartments aren't exempt. They get to search them.
>
> Hidden compartment?  What hidden compartment?  If I have one,
> you are welcome to search it.  Go knock yourselves out.

Well, we're already considerably OT, but since the moderator seems to
be letting this thread play itself out, I use that to segue to a related topic
on a new proposed Ohio law and hidden compartments.

[I just literally finished posting this to my G+ account moments ago, but
will repost here rather than making all of you go to GooglePlus.]

Ohio Gov. John Kasich is advocating a law that would make it a 4th-degree
felony to own any vehicle equipped with hidden compartments. Conviction
under this proposed law could mean up to 18 months in jail and a
potential $5,000 fine.

So someone please tell me why the ACLU is not jumping all over this? I
just don't see how this law is a good thing. It seems to me that this
could trap a lot of innocent people. Imagine the following scenario:

A drug dealer whose car has a secret compartment decides to
get some new wheels so he trades in his old car for a hot new
one to some legitimate auto dealer. The auto dealer does not
know this person is a drug dealer so they have no reason to
suspect anything. Sometime later, the car dealer sells the
car to someone. That "someone" then happens to get in an accident
where they get rear ended. The ensuing damage reveals a hidden
compartment such as that described in the Columbus Dispatch
article (see below). The officer on the scene of the accident
notices the secret compartment, and even though there are no
drugs present, decides to arrest the driver of the damaged car
solely because she or he can observe the secret compartment.
Thereby some innocent person is charged with a fourth degree
felony and at least has to go through a bunch of legal hoops
to clear his or her name.

Now how is this a _good_ thing? So much for the presumed innocent until
proven guilty.

The original Columbus Dispatch article is here in case anyone wishes
to read it:


-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein


Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Randall Webmail
From: "James A. Donald" 

>Warren Buffet correctly argues that gold will, on average,
>lose value.  However there is a significant risk that
>everything except gold will lose value.

There is no risk that potable water or salt or (properly maintained) rifles 
with ammunition will lose value.   Gold, however, you can't eat or drink and 
it's a real bitch to try to kill dinner with it.


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Peter Gutmann
Marsh Ray  writes:

>Except that as it is stipulated that the captors are "not stupid", we must 
>assume they are perfectly rational actors who will have worked out this 
>strategy too.

It's not an exercise in game theory, it's standard police work. If they've 
watched you downloading child porn for six months, with enough evidence to get 
a warrant, and all they find is an encrypted partition and no trace of the 
pr0n anywhere else, then it doesn't take Sherlock Holmes to figure out where 
it most likely went.

(Talking to e-crime investigators is always illuminating. When they say 
they're "not stupid" they don't mean they have PhDs in game theory, they mean 
that they're (usually) going to come in with enough evidence and expertise to 
have a good chance of a successful prosecution. Being able to hide something 
with FDE is a very, very rare exception, generally one where evidence was very 
flimsy anyway).

Peter.



Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"

2012-02-26 Thread Jonathan Thornburg
Someone whose name has overflowed my nested-quoting stack wrote
> Perhaps you just need a short list of reasons why Bitcoin
> is not going to replace government issued currencies:
>
> 1. No offline transactions, which makes Bitcoin useless for
> a large class of transactions.

On Mon, 27 Feb 2012, James A. Donald wrote:
> Smartphones.

The implicit assumptions here, namely that
* everyone who wants to make financial transactions carries a smartphone
* smartphones never break down
* smartphone batteries never run down
* smartphones always have network connectivity
don't always hold.

Regarding this last point, perhaps I'm a bit sensitive based on my
visit last week to Victoria, Canada (population ~350,000), where I was
frequently in no-cellphone-reception areas in residential neighborhoods
within 15 minutes walk of the university campus.  (Victoria is very
hilly, and these areas are on hillsides sloping down to the Pacific
ocean.)

There are good reasons for financial systems (including the crypto
which might underlie them) to allow offline transactions.



[Another key bitcoin flaw is that it's not particularly anonymous
in the face of NSA-level network surveillance.  Cash *is* (remains)
under these conditions.]

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam


Re: [cryptography] Explaining crypto to engineers

2012-02-26 Thread Peter Gutmann
Ondrej Mikle  writes:

>I've just found an article about the OAEP padding oracle (that I couldn't 
>recall before):

There's another one that was published about a year ago that looks at things 
like side-channel attacks via the integer-to-octet-string conversion 
primitives and other really low-bandwidth channels, I think it was "Manger's
Attack Revisited".  At the time I was thinking of doing a writeup on generalised
defences (via randomisation) against this sort of thing because as Revisited
points out, you're always going to get timing channels somewhere if you look
hard enough and a generalised defence would be better than the
penetrate-and-patch approach to stopping timing channels.

Peter.


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Marsh Ray

On 02/26/2012 09:08 PM, Peter Gutmann wrote:

Marsh Ray  writes:


Except that as it is stipulated that the captors are "not stupid", we must
assume they are perfectly rational actors who will have worked out this
strategy too.


It's not an exercise in game theory, it's standard police work.


My post had about as much to do with standard police work as the 
traveling salesman problem has to do with actual salesmen, or the 
prisoner's dilemma has to do with actual prisoners.


I thought the situation might be amenable to a simple model, and it 
seemed like an interesting way to try to nudge the conversation back to 
discussing crypto, or comp sci at least.



If they've watched you downloading child porn for six months,


I know that this is a terribly common scenario that today's computer 
crime investigators have to deal with on a daily basis, but isn't there 
some variant of Godwin's law I can invoke here?


- Marsh


Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Peter Gutmann
"James A. Donald"  writes:

>Hidden compartment? What hidden compartment? If I have one, you are welcome 
>to search it. Go knock yourselves out.

James, meet Bertha.  Sorry about her cold hands, just give her a minute to get
the gloves on.  In the meantime if you'll drop your trousers...

Peter.
