Re: patent free(?) anonymous credential system pre-print

2002-11-05 Thread Jason Holt

(Re: my paper at http://eprint.iacr.org/2002/151/ )

Let me first point out that Dr. Stefan Brands noted an insecurity in
my system which would allow malicious users to obtain issuer signatures on
arbitrary documents.

This is due to the fact that users aren't prevented from using the
(bitwise) same document for each element but one in the cut and choose
protocol and making the remaining document malicious.  If the malicious
document isn't selected for inspection, dividing out the signatures on the
(n/2)-1 identical documents is trivial, leaving a signature on the malicious
value.

The credential IDs described in section 4.1 of my paper were designed
to thwart this attack (and the session random values to thwart similar
attacks over multiple issuing sessions), and do appear to succeed with the
additional requirement that each credential ID be different from the others.
This requirement will be added to the next update to the pre-print.

This requirement is analogous to the variable i in the preimage of y_i
in the Chaum/Fiat/Naor system.  It ensures that each candidate is different,
and therefore that the values of the elements signed will be unpredictable.  


On Thu, 31 Oct 2002, Adam Back wrote:

> Some comments on this paper comparing efficiency, and functionality
> with Camenisch, Chaum, Brands.

Thanks for your feedback!

[...]
> - efficiency
> 
> The non-interactive cut and choose protocol results in quite big
> messages in the issuing and showing protocols to attain good security.
[...]
> ... a single credential would be order of 10KB.  Similar for the showing
> protocol.

Indeed, as section 6 points out, a set of 3 credentials could be a
megabyte in size and require half a megabyte of network traffic.  Efficiency
is /not/ a major selling point of this system. :)

[...]
> - functionality

[pulling up from later on in Adam's post]
> 
> Most of these short-falls stem from the analogous short-falls in the
> Wagner blinding method they are based on.  Of course (and the point of
> the paper) the credentials do offer over the base Wagner credentials
> (a restrictive) form of selective disclosure which the base
> credentials do not.

I'm glad that was clear in my text.  This isn't a do-everything system
like Brands' - rather, it has 2 aims.  1: show how to do simple selective
disclosure in a Chaum/Fiat/Naor-like system using X.509v3 credentials as a
base, and 2: show how to link credentials from multiple issuers to the same
identity without compromising anonymity.

The feature comparison is appreciated, though; it may be useful for an
expansion of the related work section, and in terms of features to add in the
future.

[...]
> The credentials can be replayed (as there is no credential private
> key, a trace of a credential show offers no defense against replay).
> Brands credentials have a private key so they can defend against this.
> (Chaum's credentials have the same problem).

Section 4.3 specifies that Alice should create a keypair and store the
public key as a selective disclosure field, allowing her to prove ownership as
you describe.

> 
> The credentials unavoidably leave the verifier with a transferable
> signed trace of the transaction.  Brands credentials offer a
> zero-knowledge option where the verifier can not transfer any
> information about what he was shown.

Good point.

> The credentials support selective disclosure of attributes, but only
> in a restricted sense.  Attributes can be disclosed with AND
> connectives.  However other connectives (OR, +, -, negation, and
> formulae) are not directly possible.  Brands supports all of these.

Also true.  I point this out in paragraphs 1 and 2 of section 2. 

> 
> The credentials do not support lending deterence (there is no option
> to have a secret associated with a credential that must necessarily be
> revealed to lend the credential as with Brands).

This could be added to my system.  To be honest, I don't consider
Brands' implementation of lending deterrence to be a worthwhile feature.  
Having embarrassing information in a credential could be a deterrence against
lending to an untrusted party, but comes at the cost of an equal liability if
the credential is stolen.  It also doesn't prevent the rightful holder from
providing the response to the challenge on that field when the lendee uses the
credential (in real time).  Lending is a problem which I don't believe can be
solved purely mathematically (which Brands also points out, as I recall).  
Thus I prefer to avoid the topic rather than give it unavoidably insufficient
treatment.

> 
> The credentials are not suitable for offline use because they offer no
> possibility for a secret (such as user identity, account number etc)
> to be revealed if the user spends more times than allowed.

My credentials aren't designed to do limited-show, although I do point
out in section 4.4.1 that cre

"patent free(?) anonymous credential system pre-print" - a simple attack and other problems

2002-11-05 Thread Stefan Brands
The paper shows some promise but, apart from being insecure, has other
drawbacks that should be addressed:

- The system is subject to a simple attack. The problem lies with the
multiplication of the hashes. Let's take the Chaum blinding as an
example; something similar works for the "Laurie" protocol. The simple
idea is to take

   X1 = [ \prod hash(bogus_att, salt_i) ] \times [hash(correct_att,
salt)]^{-n/2} modulo pq

   X2 = X3 = ... = Xn = hash(correct_att, salt)

Submit the blinded Xi's. Assuming X1 will not have to be opened (prob =
1/2 or 1, depending on whether or not the protocol is interactive), one
obtains X1^d modulo pq from the signer, which consistently contains all
the bogus attributes. Here is a suggestion for a "fix" to repair this
total break. Make sure that the signer, in addition to the
consistency check for the opened blinded candidates, also checks that
the opened blinded candidates have _different_ values. Of course,
serious analysis needs to be done to ensure that this is enough to
guarantee security. I do not have the time to look into this, but my gut
feeling is that variations of the attack based on the same principle
will still work, but with lower success probability; this will have to
be compensated for by making n bigger, which makes the protocol even
more inefficient. My advice to the author is to analyze the proposed
fix, and explore other possible fixes, before distributing an updated
version.

- My work certainly does provide for "revocable anonymity" and "pooling"
prevention. For pooling protection, see paragraph 2 on page 193,
section 5.11 page 210 paragraph 2, and section 5.5.2 on page 211. For
not needing separate signing exponents for each attribute, see page 266,
last paragraph on the page. For revocable anonymity, see the e-cash
references on pages 264/5.

- The proposed hashing technique for selective disclosure was introduced
by myself in 1999. Quoting from page 27 of my MIT Press book titled
"Rethinking Public Key Infrastructures": "Another attempt to protect
privacy is for the CA to digitally sign (salted) oneway hashes of
attributes, instead of (the concatenation of) the attributes themselves.
When transacting or communicating with a verifier, the certificate
holder can selectively disclose only those attributes needed.22 {22
Lamport [244] proposed this hashing construct in the context of
one-time signatures. When there are many attributes, they can be
organized in a hash tree to improve efficiency, following Merkle
[267].} This generalizes the dual signature technique applied in SET
[257]." Since this technique is merely at the level of an observation,
and because it is a simple generalization of the SET technique, I in
fact decided at the time to put the entire paragraph under section
header 1.2.2 of my book, titled "Previous privacy-protection efforts
and their shortcomings".

- More seriously, the simple hash technique has numerous drawbacks, as I
explain on page 27 of my MIT Press book, in the very same
paragraph: "Although certificate holders now have some control over
which attributes they reveal to verifiers, they are forced to leave
behind digital signatures. Furthermore, they are seriously restricted in
the properties they can demonstrate about their attributes; Boolean
formulae, for instance, are out of the question. Worse, nothing
prevents the CA and others from tracing and linking all the
communications and transactions of each certificate holder." Other
techniques, such as lending prevention and limited-show, do not work
either. It was for these and other reasons that I was motivated to work
on the more sophisticated selective disclosure in the first place.

- In addition to various other drawbacks pointed out by Dr. Adam Back
(see
[EMAIL PROTECTED]/msg02752.html),
the proposal does not offer a wallet-with-observer mode, discarding
protection, anonymous recertification / updating, multi-application
certificates, etcetera.

Hope this helps,

Stefan Brands
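The issuing round discussed in this thread, as an added toy simulation (not code from the pre-print or from either author): the user blinds four salted hash candidates, the issuer opens two, checks content and blinding consistency and, with Brands' suggested fix switched on, refuses when two opened candidates are identical; the unopened rest are signed as one product and unblinded. It assumes a constructed tiny RSA key and SHA-256 reduced mod N in place of the paper's parameters, and it stops at the issuer's decision rather than carrying out the division step described above.

```python
"""Toy cut-and-choose issuing step with Brands' suggested distinctness check.
Added example for this thread, not code from the pre-print; everything is a
constructed toy (tiny RSA modulus, hashes reduced mod N, four candidates)."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (far too small for real use).
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def candidate(attrs, salt):
    """x_i = hash(attrs, salt), reduced modulo N."""
    h = hashlib.sha256(f"{attrs}|{salt}".encode()).digest()
    return int.from_bytes(h, "big") % N


def blind(x):
    """Chaum-style RSA blinding: returns (x * r^E mod N, r), r invertible."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return x * pow(r, E, N) % N, r


def product_unopened(values, open_idx):
    """Product mod N over the candidates the issuer did not ask to open."""
    prod = 1
    for i, v in enumerate(values):
        if i not in open_idx:
            prod = prod * v % N
    return prod


def issuer_check(blinded, opened, expected_attrs, require_distinct):
    """Inspect the opened candidates; opened maps index -> (attrs, salt, r).
    Each revealed document must carry the attributes the issuer agreed to
    certify and match its blinded value; with the suggested fix switched on,
    no two opened candidates may have equal values."""
    seen = set()
    for i, (attrs, salt, r) in opened.items():
        x = candidate(attrs, salt)
        if attrs != expected_attrs:
            return False                       # wrong content revealed
        if blinded[i] != x * pow(r, E, N) % N:
            return False                       # blinding inconsistent
        if require_distinct and x in seen:
            return False                       # repeated opened candidate
        seen.add(x)
    return True


def run_issuing(docs, open_idx, expected_attrs="student", require_distinct=True):
    """One toy run. Returns True iff the issuer accepts and the unblinded
    signature on the unopened candidates verifies; False if it refuses."""
    xs = [candidate(a, s) for a, s in docs]
    blinded, factors = map(list, zip(*(blind(x) for x in xs)))
    opened = {i: (docs[i][0], docs[i][1], factors[i]) for i in open_idx}
    if not issuer_check(blinded, opened, expected_attrs, require_distinct):
        return False
    # Issuer signs the product of the unopened blinded values ...
    sig = pow(product_unopened(blinded, open_idx), D, N)
    # ... and the user divides out the corresponding blinding factors.
    sig = sig * pow(product_unopened(factors, open_idx), -1, N) % N
    return pow(sig, E, N) == product_unopened(xs, open_idx)


HONEST = [("student", f"salt{i}") for i in range(4)]
# Brands' shape: one odd candidate, all the others bitwise identical.
REPEATED = [("bogus", "salt0")] + [("student", "same-salt")] * 3
```

With only the consistency check, the repeated-candidate submission passes inspection whenever the odd candidate is left unopened; the distinctness check turns that case into a refusal.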


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



IKE Libraries?

2002-11-05 Thread crypto novice
here is a stupid question:

is there any IPSEC IKE library out there (in C, C++,
Java, Perl, etc)? or people just rewrite their own
versions and hope they are all  compatible with each
other?






Re: IKE Libraries?

2002-11-05 Thread Ryan McBride
On Tue, Nov 05, 2002 at 01:39:16PM -0800, crypto novice wrote:
> is there any IPSEC IKE library out there (in C, C++,
> Java, Perl, etc)? or people just rewrite their own
> versions and hope they are all  compatible with each
> other?

I'll assume you mean free :-)

You can take a look at OpenBSD's isakmpd (written in C), which comes
with a BSD license. My strong suspicion is that many "proprietary"
devices out there use this code as a basis for their implementations.

There are also the BSD licensed Kame (http://www.kame.net) and the GPL'd
FreeS/Wan non-RFC-compliant implementation (http://www.freeswan.org) to
look at.  Just take a peek at the source yourself:

OpenBSD isakmpd: http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/
Kame racoon: http://orange.kame.net/dev/cvsweb.cgi/kame/kame/kame/racoon/
FreeS/Wan: ftp://ftp.xs4all.nl/pub/crypto/freeswan/

-Ryan

-- 
Ryan T. McBride, CISSP - [EMAIL PROTECTED]
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 8BA0 A58C 5038 9157 59C3  F9E6 6DDA 6611 BF4C 776B





The FBI Has Bugged Our Public Libraries

2002-11-05 Thread Perry E. Metzger

From Interesting-People


--- Begin Message ---

From: Richard Forno <[EMAIL PROTECTED]>
Subject: The FBI Has Bugged Our Public Libraries
To: Dave Farber <[EMAIL PROTECTED]>
Date: Tue, 05 Nov 2002 16:40:41 -0500


The FBI Has Bugged Our Public Libraries
November 3, 2002
http://www.ctnow.com/features/lifestyle/hc-privacy1103.artnov03col.story

Some reports say the FBI is snooping in the libraries. Is that really
happening?

Yes. I have uncovered information that persuades me that the Federal Bureau
of Investigation has bugged the computers at the Hartford Public Library.
And it's probable that other libraries around the state have also been
bugged. It's an effort by the FBI to obtain leads that it believes may lead
them to terrorists.

Many members of the public regularly use computers in libraries to access
the Internet for research purposes or to locate information about particular
interests. It's also not uncommon for students and others to communicate
with friends and relatives through e-mail from there.

The FBI system apparently involves the installation of special software on
the computers that lets the FBI copy a person's use of the Internet and
their e-mail messages. (Don't ask me how I know about this because I can't
reveal how I was able to collect the information.) Members of the public who
use the library have not been informed that the government is watching their
activities. It's not just the computers. Circulation lists that show which
books someone borrowed are also accessible to the government.

What are the Hartford librarians saying?

"I can't disclose that we were presented with anything," said Louise
Blalock, Hartford's head librarian.

I asked Mary W. Billings, the library's technical services manager, if the
FBI had given her a subpoena or a court order for library information. Her
response: "I cannot answer that question."





--



--- End Message ---


-- 
Perry E. Metzger  [EMAIL PROTECTED]



Re: patent free(?) anonymous credential system pre-print

2002-11-05 Thread Nomen Nescio
Stefan Brands writes regarding http://eprint.iacr.org/2002/151/:

> The paper shows some promise but, apart from being insecure, has other
> drawbacks that should be addressed:
>
> ... My work... introduced by myself... my MIT press book...
>
> In addition to various other drawbacks pointed out by Dr. Adam Back
> (see [EMAIL PROTECTED]/msg02752.html),
> the proposal does not offer a wallet-with-observer mode, discarding
> protection, anonymous recertification / updating, multi-application
> certificates, etcetera.

And balanced against all these numerous shortcomings, there is one
inescapable, overwhelming fact:

THE AUTHORS ARE MAKING THE FRUITS OF THEIR LABOR AVAILABLE FREELY FOR
THE WORLD TO USE.

With all of your patents, and your writings, and your self-promotion,
how many people are using your certificates in the real world?  Think how
much you could have accomplished, how much of a difference you could have
made, if you had been willing to sacrifice the hope of great riches.
Instead you have followed in the footsteps of your mentor Chaum, and
both of you have withheld your talent from the world.

What is it about cash and credential systems that everyone who works
in the area thinks they should patent their results?  All you have
accomplished is to make sure that no implementations exist!  What good
are your great ideas if no one can use them?

Look at Chaum!  Is that where you want to be in 20 years?  Bitter and
barren?  Cut off from the cryptographic community?  Reduced to publishing
via the government patent office?

That's no life for a great mind.  Creativity demands interaction with
an active and vital intellectual community.  You have to give in order
to take.  Building walls around your intellectual property shuts others
out even as you shut yourself in.

If you really want to accomplish something meaningful, rather than
continuing to hype and shill for a system which no one can use without
entering into delicate financial negotiations, why not make it available
on some basis for people to experiment with?  Maybe a non-commercial,
open-source GPL implementation could be a starting point.  There is
considerable interest in reputation systems among the P2P community
and credentials could be a part of that.  You can still protect your
commercial interests while letting people get familiar with the technology
by making a non-commercial library available.

That's just one possibility.  The point is, your ideas are going nowhere
using your present strategy.  Either this technology won't be used at
all, or inferior but unrestricted implementations will be explored,
as in the recent work.  If you want things to happen differently, you
must change your strategy.




Re: patent free(?) anonymous credential system pre-print

2002-11-05 Thread bear


On Tue, 5 Nov 2002, Nomen Nescio wrote:

>That's just one possibility.  The point is, your ideas are going nowhere
>using your present strategy.  Either this technology won't be used at
>all, or inferior but unrestricted implementations will be explored,
>as in the recent work.  If you want things to happen differently, you
>must change your strategy.

There is a possibility that you have neglected.  And, evidently,
so have most of the patent-filers.

Twenty years is not so long.  Patents expire.

It's not terribly helpful for someone to lock up an idea for twenty
years, but honestly it may be at least that long before the legal and
cultural infrastructure is ready to fully take advantage of it anyway.

You, like most engineers, are thinking of technical barriers only;
it's entirely reasonable to suppose that you could deploy the
technical stuff in two to five years and rake in money on your patents
for the next fifteen to eighteen.  That's a valid model with computer
hardware, because its value to business is intrinsic.  Bluntly, it
enables you to do things differently and derive value within your own
company regardless of what anyone else is doing.  But here we are
talking about something whose value is extrinsic; it affects the way
mutually suspicious parties interact.  For changes in that arena to
happen, they have to be supported by the legal system, by precedent,
by custom, by tradition, etc.  These are barriers that will take a
*hell* of a lot longer to overcome than the mere technical barriers.
The fights over liability alone will take that long, and until those
fights are settled we are not talking about something that a
profit-motivated business will risk anything valuable on.

I remember having exactly your reaction (plus issues about patenting
math and the USPTO being subject to coercion/collusion from the NSA
and influence-peddling and so on...) when the RSA patent issued - but
RSA is free now, and RSA security has not made that much money on the
cipher itself.  And frankly, I don't think that having it be free much
earlier, given the infrastructure and implementation issues, would
really have made that much of a difference.  Note that there are
*still* a lot of important court decisions about asymmetric encryption
that haven't happened yet, and it was only profitable (due to
e-commerce) for the last couple years of the patent's run.

These patents are being filed in an industry and application which is
NOT part of how the world does business today.  They may or may not
turn out to be enabling items, but the world will have to learn to do
business in a different way before they become relevant.  That's not
going to happen in time for the dog-in-the-manger crowd to make any
money off the patents they're filing, so unless they can mobilize
*BILLIONS* of dollars for infrastructure replacement, education,
marketing, lobbying, court cases about legal validity for their
digital signatures and credentials, etc, etc, etc, there is no chance
of them withholding anything of value from the public domain.

It will take twenty years or more just for the *legal* system to
adjust to the point where a credential system or "non-repudiation
property" might possibly become useful to business.  Add another five
or ten years at least for acceptance and custom to grow up around it.
Another five or ten years for court cases and precedent and decisions
about liability to get settled so that it can become standard business
practice.  By that time the patents will be long gone.

Check history.  There is a long list of companies that made cipher
machines or invented ciphers, patented them, and went broke.  It isn't
a coincidence, nor a recent development.

Bear



Re: "patent free(?) anonymous credential system pre-print" - a simple attack and other problems

2002-11-05 Thread Jason Holt

(Re: my paper at http://eprint.iacr.org/2002/151/ )

Stefan Brands wrote:
> - The system is subject to a simple attack. The problem lies with the
> multiplication of the  hashes. Let's take the Chaum blinding as an
[...]

(For our readers at home, that was the vulnerability I mentioned in my 
response to Adam).

[...]
> - My work certainly does provide for "revocable anonymity" and "pooling"
> prevention. For  pooling protection, see paragraph 2 on page 193,
> section 5.11 page 210 paragraph 2, and  section 5.5.2 on page 211. For
[...]

When I speak of pooling credentials, I'm talking about Alice
presenting her student ID along with the senior-citizen ID Bob loaned her (or
for which Bob is answering clandestinely), as if they both belonged to her,
in order to get both discounts on her movie tickets.  In my system, you get
your credentials issued in a set associated with a single identity, and it's
hard for Alice to get Bob's credentials included in one of her own sets.  It
works even if the CAs don't trust each other.

Page 211 of your book talks about discouraging lending, which doesn't
help in the case when Bob answers on Alice's behalf when she shows his
credentials.  In any case, section 5.5.2 only adds liability to pooling - it
doesn't prevent it mathematically.  (As to lending in general, I think you're
right that discouragement may be the best we can do).

Page 193 and 210 do talk about having an identifying value encoded in
the credentials which the holder can prove is or isn't the same as in other
credentials.  However, the discussion on page 193 is with respect to building
digital pseudonyms, and the discussion on page 210 seems to be about showing
that values are *not* the same, following a scenario in which a pseudonym
holder has been identified as a misbehaver. I can think of ways in which this
feature might be leveraged to create otherwise-unlinkable sets of credentials
from different (distrusting) CAs, but it's never addressed directly that I can
see, and would need some specifics filled in.  Nonetheless, I'll point out in
my paper that it's a possibility in your system.


> - The proposed hashing technique for selective disclosure was introduced
> by myself in 1999.  Quoting from page 27 of my MIT Press book titled
[...]

Pages 27 and 184 of your book are now both referenced in my section on
selective disclosure.


> - More seriously, the simple hash technique has numerous drawbacks, as I
> explain on page page  27 of my MIT Press book, in the very same
> paragraph: "Although certificate holders now have  some control over
> which attributes they reveal to verifiers, they are forced to leave
> behind digital signatures. ...
[...]

What do you mean by "forced to leave behind digital signatures"?  


> ...  Worse, nothing prevents the CA and others from tracing and linking all
> the communications and transactions of each certificate holder." ...
[...]

This is of course overcome in my system with blinding and
cut-and-choose.

> [
>   Snipped discussion of features which Brands' system has and my system 
>   doesn't: boolean formulae, lending prevention, limited show,
>   wallet-with-observer, discarding protection, anonymous recertification /
>   updating, multi-application certificates, etc.
> ]

From my response to Adam Back:

I'm glad that was clear in my text.  This isn't a do-everything system like
Brands' - rather, it has 2 aims.  1: show how to do simple selective
disclosure in a Chaum/Fiat/Naor-like system using X.509v3 credentials as a
base, and 2: show how to link credentials from multiple issuers to the same
identity without compromising anonymity.

And actually, I forgot to mention the original goal of my paper, which
was to create a system not encumbered by your patents or Chaum's.

I'll expand my related work section to point out that your system and
others have lots of features which my system doesn't attempt to provide.  My
apologies if my terse treatment mischaracterized your work.

-J





NSA CELEBRATES ITS FIFTIETH ANNIVERSARY

2002-11-05 Thread Perry E. Metzger

From Dave Farber's "Interesting People" list.


--- Begin Message ---

-- Forwarded Message
From: "Aftergood, Steven" <[EMAIL PROTECTED]>
Date: Mon, 04 Nov 2002 15:43:19 -0500
To: [EMAIL PROTECTED]
Subject: Secrecy News -- 11/04/02


NSA CELEBRATES ITS FIFTIETH ANNIVERSARY

The National Security Agency observed its fiftieth anniversary last
weekend in a characteristically low key manner.

("How can you tell an extrovert from an introvert at NSA?  In the
elevators, the extroverts look at the OTHER guy's shoes."  Or rather,
the NSA extroverts are the ones that were telling that joke last
weekend.)

NSA, the nation's codemaking, codebreaking and signals intelligence
organization, was established on October 24, 1952 by President Harry
S. Truman in a top secret, 8-page presidential memorandum.  Formal
announcement of the new agency was delayed until November 4, 1952 --
Election Day -- in order to keep the creation of the Agency out of the
news, according to NSA.

Speaking at a November 1 anniversary ceremony at NSA headquarters at
Fort Meade, Maryland, historian David Kahn offered his thoughts on
"the death of cryptanalysis."

Kahn, author of The Codebreakers and other pioneering histories of
cryptography, noted the technological challenges confronting NSA and
observed that it is far from the omniscient, omnipotent entity that
outsiders sometimes imagine.

"NSA doesn't know or control everything, as shown by public-key
cryptography and the beating NSA took on key escrow and the fact that
U.S. Navy submarines use Microsoft Windows," he said.

See David Kahn's invited remarks here:

 http://www.fas.org/irp/eprint/kahn.html

President Truman's 1952 memorandum establishing the NSA is available on
the website of the National Security Archive here:

 http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/02-01.htm

A January 2001 Congressional Research Service report entitled "The
National Security Agency: Issues for Congress" by Richard A. Best Jr.
may be found here:

 http://www.fas.org/irp/crs/RL30740.pdf



___
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.


--- End Message ---


Re: patent free(?) anonymous credential system pre-print

2002-11-05 Thread Bill Frantz
At 5:15 PM -0800 11/5/02, bear wrote:
>It's not terribly helpful for someone to lock up an idea for twenty
>years, but honestly it may be at least that long before the legal and
>cultural infrastructure is ready to fully take advantage of it anyway.

The classic example is Arthur C. Clarke's invention of the communication
satellite, published in Wireless World in 1945.  Never mind that the
rockets to launch such satellites were not available until the 1960s.

Cheers - Bill


-
Bill Frantz   | The principal effect of| Periwinkle -- Consulting
(408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave.
[EMAIL PROTECTED] | fair use.  | Los Gatos, CA 95032, USA


