RE: "Cloak", or Cloaca? :-)

2002-02-27 Thread Trei, Peter

> Ben Laurie[SMTP:[EMAIL PROTECTED]]
> 
> 
> Keyring and Strip are both programs that provide secure DBs on Palms.
> Keyring, at least, is free and open source.
> 
> However, since Palms have no MMU, there's no security against hostile
> other apps, which makes them pretty useless devices for this kind of
> purpose.
> 
I'm coming into this a bit late, but the security situation on PalmOS is not
quite as dire as you make out (at least through OS 3.5, maybe later). The
reason is that the OS is single-threaded and does not have preemptive
multitasking. The OS sends the current app a message saying, essentially,
'Shut down now and let something else happen'. The app can take its sweet
time about this, and delay things long enough to zeroize or encrypt any
sensitive data.

Peter Trei

> The right answer, IMO, is EROS on an MMUed handheld device (not sure
> about the biometric aspect - as I've stated at tedious length before, I
> like my appendages and don't want to give people incentive to steal
> them), such as that thing that runs Linux whose name temporarily escapes
> me, or the new Sharp gadget. Or a Jornada if they ever make one small
> enough.
> We have the technology. All we need is someone to finance it.
> Cheers,
> Ben.
> 
> 
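The zeroize-before-yielding idea in Peter's reply, as an added C example that is not PalmOS code and not from any poster: no PalmOS API is used, and the handler name `on_app_stop`, the `secret_store` layout and the sample bytes are all assumptions. The point it shows is the one a practitioner trips over: a plain `memset` of a buffer that is about to go out of scope is a dead store the compiler may remove, so the wipe goes through a `volatile` pointer and the app only hands control back after it has run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sensitive record the app keeps in RAM while it is the foreground task
   (hypothetical layout, constructed for this example). */
typedef struct {
    uint8_t key[32];
    char    passphrase[64];
    int     zeroized;   /* set once the record has been wiped */
} secret_store;

/* Wipe through a volatile pointer so the compiler cannot elide the stores
   as dead writes; a plain memset() right before return/free often is. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* The situation the mail describes: the OS asks the current app to stop.
   Because nothing preempts us, we finish wiping before yielding.
   Hypothetical handler; the real OS entry point is not modelled. */
int on_app_stop(secret_store *s)
{
    secure_zero(s->key, sizeof s->key);
    secure_zero(s->passphrase, sizeof s->passphrase);
    s->zeroized = 1;
    return 0;   /* only now is it safe to let "something else happen" */
}

/* Returns 1 if every byte in [p, p + n) is zero. */
int all_zero(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= b[i];
    }
    return acc == 0;
}

/* Simulate the lifecycle: load secrets, receive the stop request, check. */
int run_demo(void)
{
    secret_store s = {0};
    memset(s.key, 0xA5, sizeof s.key);                  /* constructed key bytes */
    strcpy(s.passphrase, "constructed passphrase");     /* constructed value */
    on_app_stop(&s);
    return all_zero(s.key, sizeof s.key)
        && all_zero(s.passphrase, sizeof s.passphrase)
        && s.zeroized;
}

int main(void)
{
    printf("secrets wiped before yielding: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The caveat Ben's point still carries: this only protects what the app itself controls. Data the app has already written to storage, or copies left in other heap blocks, are not covered by wiping one record.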

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



[FYI] Encryption in Company Networks Foiled

2002-02-27 Thread Axel H Horns

http://www.heise.de/english/newsticker/data/anw-26.02.02-007/

 CUT -

Encryption in Company Networks Foiled  

The encrypting of e-mails in company networks is foiled if it is done 
in a Microsoft Exchange/Outlook 9x/200x environment. In a POP3/IMAP4 
environment this is not the case. In answer to a question by heise 
online Microsoft confirmed that appended files encrypted with crypto 
plug-ins are transmitted in an unencrypted form from client to server 
even when the encryption function of the plug-in has been activated.  

[...]  

 CUT -






Re: theory: unconditional security

2002-02-27 Thread Lucky Green

Carl wrote:
> I suspect you find little written about OTP work because people have
> always assumed the keys were impractical to distribute, store and
> use.

While distribution of OTPs has become feasible amongst tightly-knit groups
of non-governmental actors, the rate at which OTPs can be generated has
fallen behind the rate at which data needs to be communicated between the
nodes. To give an example, creating OTPs to encrypt messages along the
lines of "the attack will take place at dawn on Thursday" was easy with WWII
technology and is even easier now. However, the sheer volume of data
transmitted between even small nodes today requires vastly larger OTPs than
were required for military or diplomatic communications in the past.

I am not aware of any RNG design in the open literature that would even come
close to generating the sheer volume of random numbers required by current
civilian communication patterns. I trust that I don't need to elucidate on
this list as to why a "solution" that would require the sender to limit the
use of OTPs to sending critical data while other data would be encrypted
using a different system will invariably lead to COMSEC failures.

--Lucky







Re: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

2002-02-27 Thread Lucky Green

Philip,
If we can at all fit it into the schedule, IFCA will attempt to offer a
colloquium on this topic at FC. Based on the countless calls inquiring about
this issue that I received just in the last few days, the customers of
financial cryptography are quite concerned about the Bernstein paper, albeit
the paper raises a number of open issues that still would need to be
investigated before one should assert that the sky is falling.

See you all at FC,

--Lucky, IFCA President

- Original Message -
From: "Phillip H. Zakas" <[EMAIL PROTECTED]>
To: "'bear'" <[EMAIL PROTECTED]>
Cc: "'Eugene Leitl'" <[EMAIL PROTECTED]>; "'Cryptography
List'" <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 12:25 PM
Subject: RE: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)


> > -Original Message-
> > From: bear [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 25, 2002 2:49 PM
> >
> > On Thu, 21 Feb 2002, Phillip H. Zakas wrote:
> >
> > >> >On Tue, 5 Feb 2002, Eugene Leitl wrote:
> >
> > >> >But at Crypto last August, Dan Bernstein announced a new design
> for a
> > >> >machine dedicated to NFS using asymptotically fast algorithms and
> > >> >optimising memory, CPU power and amount of parallelism to minimize
> > >>
> > > Bear Responds:
> > >> I really want to read this paper; if we don't get to see the
> > >> actual mathematics, claims like this look incredibly like
> > >> someone is spreading FUD. Is it available anywhere?
> > >>
> > >
> > >The paper is located here: http://cr.yp.to/papers.html
> > >I've not evaluated yet but I'm interested in hearing if he received
> his
> > >grant to try it out.
> >
> > Holy shit.  The math works.  Bernstein has found ways of
> > using additional hardware to eliminate redundancies and
> > inefficiencies which appear in any linear implementation of the
> > Number Field Sieve.  We just never noticed that they were
> > inefficiencies and redundancies because we kept thinking in
> > terms of linear implementations.  This is probably the biggest
> > news in crypto in the last decade.  I'm astonished that it
> > hasn't been louder.
>
> It does seem doable and for not very much money. Is anyone attending the
> Intl. Financial Cryptography Association meeting in Bermuda from March
> 11-15th?  Perhaps we could arrange an informal get-together for this
> list.
> Phillip
>
>
>
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
[EMAIL PROTECTED]
>





FC: David Chaum's new project: Voting booths with secure receipts

2002-02-27 Thread R. A. Hettinga


--- begin forwarded text


Status:  U
Date: Tue, 26 Feb 2002 23:49:25 -0500
To: [EMAIL PROTECTED]
From: Declan McCullagh <[EMAIL PROTECTED]>
Subject: FC: David Chaum's new project: Voting booths with secure receipts
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

[David Chaum is a remarkable fellow who pioneered digital cash. He's
recently been working on secure voting projects. See www.chaum.com and
Steven Levy's _Crypto_ book. --Declan]

---

Date: Fri, 22 Feb 2002 15:36:24 -0800
To: Declan McCullagh <[EMAIL PROTECTED]>
From: David Chaum <[EMAIL PROTECTED]>
Subject: Breakthrough allows first receipts from voting booths!

FOR IMMEDIATE  RELEASE
Breakthrough allows receipts from voting booths:
First-ever legal receipts are surprisingly powerful
-- and may be just in time!

Los Angeles, CA - Receipts showing exactly who you voted for, just what
people want and expect these days, are generally outlawed to protect
against vote selling and other abuses; a scientist has, however, come up
with the first receipt that cannot be used for any such abuse and yet can
ensure that your vote is actually included in the final tally.

The new type of receipt, which can be printed by a modified version of
familiar receipt printers, contains your vote -- but in a coded form. You
can read it clearly in the booth, when it is still printed on two layers.
When the layers are separated, either one you choose to take has the vote
information you saw coded in it, but it cannot be read (except by computers
run by election officials).

When the votes have to be added up for the final tally, the actual
receipts posted on an official public website are the input to the process.
The results of the process are then subject to a public audit. A lotto-like
draw selects which items must be decrypted, but never enough to compromise
privacy. Anyone with a PC can then check all the decryptions published on
the website and thereby verify that the final tally must be correct. The
audit is so strong that it cannot be fooled by breaking any code or
malicious software running on voting machines.

The cryptographer, Dr. David Chaum, known for inventing eCash and his
pioneering company DigiCash, who came up with the receipt system said "The
more you look into how elections are actually run, even in this country,
the clearer the gap becomes between the way it is done and what we could
and really should be doing". Chaum also said "Today's trusted black-box
mentality has led to very high costs, meaning computerized voting mainly
for rich counties, an utter lack of real control and no way to re-deploy
the hardware for schools and libraries."

At a time when the House has passed the first ever federal subsidy, at
$2.65b, and a similar bill is on the Senate floor with a $3.5b price tag,
one has to wonder: Will receipts and other new solutions have a chance, or
will the subsidies backfire and put currently-certified computerized systems
in place on such a scale that major change will be a very long way off?

There is a complex interlocking of state and federal laws, agencies, and
quasi-governmental bodies that has erected a set of design specifications
and time-consuming steps that only new systems must navigate, first at the
federal level and then for most states separately. "When this was all first
set up more than a decade ago" Chaum quipped, "the rationale was to keep
unscrupulous vendors out, now it may just keep innovation out."

Contact: David Chaum, SureVote:
(818) 512-1024 (cellular/voicemail) [EMAIL PROTECTED]
Jim Dolbear, Larkin Associates:
(310) 621-3580 (cellular/voicemail) [EMAIL PROTECTED]




-
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




RE: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

2002-02-27 Thread Bram Cohen

Arnold G. Reinhold wrote:

> At 11:49 AM -0800 2/25/02, bear wrote:
> >...
> >The "secure forever" level of difficulty that we used to believe
> >we got from 2kbit keys in RSA is apparently a property of 6kbit
> >keys and higher, barring further highly-unexpected discoveries.
> 
> Highly-unexpected?   All of public key cryptography is built on 
> unproven mathematical assumptions. Why should this be the last 
> breakthrough? If you plot the curve of what key length was considered 
> long enough as a function of time, it doesn't look very good.

Indeed, the only PK primitive I *really* trust is secure hash based
signatures -

http://bitconjurer.org/CheapSignaturesBeta.py

Going one step below that, most of the practical breaks we've had have
been from protocol screwups rather than key length problems, and I've
never seen a list purporting to be definitive of all the gotchas in RSA,
so the only fancy math primitive I feel confident to design a protocol
with is Diffie-Hellman.

So there you have it - the only really confidence-inspiring piece of
public key cryptography was the first one ever invented.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
-- John Maynard Keynes





Can the World Be Copyrighted?

2002-02-27 Thread R. A. Hettinga

http://www.wired.com/news/print/0,1294,50658,00.html



Can the World Be Copyrighted?
By Brad King

2:00 a.m. Feb. 26, 2002 PST
Two treaties taking effect this spring would expand the reach of
controversial American legislation designed to regulate the Internet.

The World Intellectual Property Organization, an international body of
government representatives that globalizes laws, announced new guidelines
to crack down on digital piracy. The WIPO Copyright Treaty and the WIPO
Performance and Phonograms Treaty, which go into effect over the next three
months, extend copyright protection to computer programs, movies and music.



The treaties, hammered out in 1996, give a general framework for countries
to develop standard copyright laws.

However, it took several years for each to be ratified by 30 countries, the
minimum required before they can formally take effect. In the interim, the
agreements became the basis for America's Digital Millennium Copyright Act,
the first legislation designed to protect intellectual property on the
Internet.

Several watchdog organizations believe the DMCA, which domestic media
companies touted as the treaties' best practical application, gives media
conglomerates and copyright holders too much control over digital
distribution.

The Electronic Frontier Foundation's (EFF) primary beef with the DMCA is
the legalization of rights management that gives copyright holders the
ability to dictate how people can listen, read and watch digital files. Two
prominent legal disputes drew the battle lines between the watchdog
organization and media companies.

2600 Magazine, a hacker publication, was barred from posting links to Jon
Johansen's DeCSS decryption application, which allows computer users to
watch DVDs on their PCs. The software breaks the digital security on the
disks, an act that violates the DMCA's anti-circumvention provisions.
Johansen, a Norwegian teenager, was charged with violating his country's
copyright laws and faces two years in prison.

Russian programmer Dimitri Sklyarov faced 25 years in prison after being
arrested in Las Vegas last July. He was released six months later after
being charged with distributing software that broke the copy protection on
electronic books, an act that violated America's DMCA but not his own
country's laws.

The EFF has fought to dismantle the DMCA and now the group is taking the
fight abroad, said Fred von Lohmann, EFF senior staff attorney.

"There are some people that argue that American laws were already compliant
with that law," von Lohmann said. "If you need to crack copy protected
work, you need to make a copy of it first and those reproduction rights
were already protected. But (DMCA author) Bruce Lehman and the other folks
expanded the copyright owner's protections to make the U.S. the banner
carrier for intellectual property.

"The DMCA satisfies the WTC treaty and then goes way beyond its scope. The
U.S. actually adopted the DMCA long before we were required to by
international law and now we're going overseas and telling people they need
to enact a DMCA-like law."

The EFF hopes to head off legislation in other countries since the treaties
offer a general framework that individual countries use to craft national
laws. The EFF has teamed with Electronic Frontier Canada, filed comments in
New Zealand, and worked with England's Eurorights.org as well as with
German groups.

Though 30 countries ratified the treaty, some of the world's biggest
economies are not on board. The European Union (comprising 15 countries,
including Germany and Italy), Japan and China haven't agreed to adopt the
framework.

The large international media companies, however, urge that the treaties
not only be ratified but also enforced.

Companies, such as Japan's Sony and Germany's Bertelsmann, have a growing
concern with the international flavor that these lawsuits have taken, said
Neil Turkewitz, the Recording Industry Association of America's executive
vice president and the music industry's representation at the WIPO
gathering in Geneva six years ago.

"Right now, copyright is national," Turkewitz said. "There is no such thing
as international copyright law. It's a little oversimplified, but these
treaties help harmonize the laws and the protections as much as possible.
It will take away the reasons for these companies to be moving around
because there will be a consistent level. The Internet is only as strong as
its weakest link."

Sklyarov wasn't arrested until he came to America, but that could change if
Russia adopts the two treaties. Then, copyright organizations in that
country could go after a programmer like Sklyarov.

The agreements would also make it easier to hunt down country hoppers such
as Niklas Zennstrom, the Dutch entrepreneur who licensed decentralized,
file-trading software to United States companies and later sold his company
Kazaa to an Australian investment firm.

Zennstrom faces separate lawsuits in the Netherlands and the Un

Bernstein's fast factorization

2002-02-27 Thread Sidney Markowitz

Someone on another mailing list pointed me to this posting by Dan
Bernstein on sci.crypt newsgroup:

http://groups.google.com/groups?hl=en&selm=2002Jan1608.53.39.5497%40cr.yp.to

[begin quote]

 From: D. J. Bernstein ([EMAIL PROTECTED])
 Subject: Re: Strength of PGP vs SSL
 Newsgroups: comp.security.pgp.discuss, sci.crypt, alt.security.pgp
 Date: 2002-01-16 01:00:11 PST

Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup
means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize
that, at this point, very little is known about the function f. It's
clear that f(n) is approximately (3.009...)n for _very large_ sizes n,
but I don't know whether f(n) is larger than n for _useful_ sizes n.

I'd also like to emphasize that special-purpose hardware is useful for
much more than factorization. In fact, it's much easier to reduce cost
this way for secret-key cryptanalysis or elliptic-curve discrete log
than for factorization.

[end quote]

 -- sidney






Re: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

2002-02-27 Thread Berke Durak

On Tue, Feb 26, 2002 at 08:40:40AM -0800, bear wrote:
> >I'm not completely comfortable with Elliptic-Curve systems. The
> >mathematics is relatively young and has seen a lot of progress.
> 
> Right.  I'm not very comfortable with Elliptic-Curve yet, either.
> I haven't been able to work out exactly how, but I have a gut
> feeling that there may be some translation or transformation of
> the Elliptic-Curve problem that simplifies to integer factoring,
[...]

Plus, I'd remind everyone that no-one managed to prove that breaking
RSA is as hard as factoring (cf. ``Breaking RSA may be easier than
factoring'' D.Boneh & R.Venkatesan, where they show that if you manage
to show that breaking RSA is algebraically as hard as factoring,
then you've got for free a factoring algorithm).
-- 
Berke Durak




Re: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

2002-02-27 Thread Mike Brodhead


> Isn't Elliptic-Curve patent-encumbered?

I think we went through this a few weeks ago.  Nope.  Fortunately, ECC
per se is not patent encumbered.  Scott Vanstone makes much of that
in his ECC dog and pony show.

Of course, free ECC does not mean some nice optimizations aren't
patented.

--mkb



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

2002-02-27 Thread Paul Crowley

"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
> Well, a nice characteristic that RSA doesn't have is the ability of using as
> secret key a hash of the passphrase, which avoids the need of a secret
> keyring

All PK algorithms have this property; seed a CSPRNG with the
passphrase and use the CSPRNG as the source of randomness in key
generation. 

> and the relative vulnerability to dictionary attacks.

The protection against dictionary attacks seems to be that checking
whether a given passphrase is the correct one is slow, because you
have to check it against the public key.  However, the minimum time to
check passphrase validity can be made arbitrarily slow whatever PK
algorithm is used, with techniques such as key stretching.

http://www.counterpane.com/low-entropy.html

Your proposal makes a system *more* vulnerable to dictionary attacks,
since the attack can be mounted without the need to seize the secret
keyring.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.ciphergoth.org/
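Two of the threads above fit in one worked example, added here and not taken from either post (nor from Bram's CheapSignaturesBeta.py): a Lamport one-time signature, the hash-based construction Bram says he trusts, whose key pair is produced exactly the way Paul describes for any PK algorithm, by seeding a deterministic PRNG with a stretched passphrase. The choice of SHA-256, PBKDF2 as the stretching function, the HMAC-counter PRNG and every salt, passphrase and message below are assumptions of this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256                 # used for stretching, the PRNG and the signature
N_BITS = HASH().digest_size * 8       # 256: one secret pair per message-digest bit


def stretch_passphrase(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA256 maps a passphrase to a 32-byte seed.
    Every guess in a dictionary attack has to pay for all `iterations` as well,
    which is the only cost lever once the public key alone lets an attacker test
    guesses (Paul's point about not needing the secret keyring)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


class SeededPrng:
    """Deterministic byte source (HMAC-SHA256 in counter mode) standing in for the
    CSPRNG that key generation would normally feed from the OS."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self._counter = 0

    def next_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self._seed, self._counter.to_bytes(8, "big"), HASH).digest()
            self._counter += 1
        return bytes(out[:n])


def lamport_keygen(prng: SeededPrng):
    """Lamport one-time signature: the secret key is N_BITS pairs of random
    32-byte values, the public key their hashes. Same seed, same key pair."""
    sk = [(prng.next_bytes(32), prng.next_bytes(32)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes):
    value = int.from_bytes(HASH(message).digest(), "big")
    return [(value >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage that bit selects. Strictly
    one-time: signing a second message with the same key leaks both halves of
    some pairs, which is enough to forge further messages."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Hash each revealed value and compare with the public-key entry the
    message digest selects; every element is checked, in constant time."""
    if len(sig) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(_message_bits(message)):
        ok &= hmac.compare_digest(HASH(sig[i]).digest(), pk[i][bit])
    return bool(ok)


def keypair_from_passphrase(passphrase: str, salt: bytes, iterations: int = 50_000):
    """Stretched passphrase -> PRNG seed -> key pair. Nothing secret needs to be
    stored; the passphrase regenerates the key on demand."""
    return lamport_keygen(SeededPrng(stretch_passphrase(passphrase, salt, iterations)))


def demo() -> dict:
    salt = b"constructed-public-salt"             # constructed; public, per user
    msg = b"constructed message to be signed"     # constructed
    sk, pk = keypair_from_passphrase("correct horse battery staple", salt)
    _, pk_again = keypair_from_passphrase("correct horse battery staple", salt)
    _, pk_other = keypair_from_passphrase("correct horse battery stable", salt)
    sig = lamport_sign(sk, msg)
    return {
        "deterministic": pk == pk_again,                          # same passphrase, same key
        "valid": lamport_verify(pk, msg, sig),
        "tampered_rejected": not lamport_verify(pk, msg + b".", sig),
        "wrong_passphrase_rejected": not lamport_verify(pk_other, msg, sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

With SHA-256 the public key is 2 x 256 x 32 bytes (16 KiB) and each signature 8 KiB, which is the price paid for relying on nothing but a hash function; the iteration count is what stands between a leaked public key and an offline passphrase search.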
