Re: Run a remailer, go to jail?
In message [EMAIL PROTECTED], James M Galvin writes:

> No way. The phrase "flatly ban" is overstating the words in the actual bills. They both require that the use of such technologies be for the purpose of committing a crime. Law enforcement would still have to show intent, which is as it should be.
> ...
> Maybe states are colluding to outlaw encryption? Now that would be creative on the part of whoever started this bill process.

The question is more complicated than that. The full text of the Texas bill is at http://www.capitol.state.tx.us/data/docmodel/78r/billtext/pdf/HB02121I.PDF (I haven't found the Mass. version). It is far from clear to me that intent to commit a crime is needed. Section 2 of the bill, which does contain the phrase "with the intent to harm or defraud a communication service", bars theft of service. (I'm speaking loosely here; read it for yourself.) Sections 3 and 4 also contain that phrase; they bar possession of devices for defrauding providers. (The language is rather broad, and seems to bar possession of even a computer or modem if you have evil intent.)

The ban on concealing origin or destination is in Sections 5 and 6. That section does *not* have the "intent to harm" phrase. Given that the bill is amending three consecutive sections of the state penal code (31.12, 31.13, and 31.14), and given that the first two sections have that language but the third doesn't, it's hard for me to see that evil intent is required by the proposed statute.

But it's worse than that: the bill bars concealment of "existence or place of origin or destination of any communication" from "any lawful authority". In other words, it would appear to outlaw many forms of cryptography or steganography.

What's unclear to me is who is behind this. Felten thinks it's content providers trying for state-level DMCA; I think it's broadband ISPs who are afraid of 802.11 hotspots.
--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Who's afraid of Mallory Wolf?
That's using a questionable measuring stick. The damages paid out in a civil suit may be very different (either higher or lower) than the true cost of the misconduct. Remember, the courts are not intended to be a remedy for all harms, nor could they ever be. The courts shouldn't be a replacement for our independent judgement.

Let me quote what the (U.S.) 2nd Circuit Court of Appeals said in the T.J. Hooper case (60 F.2d 737, 1932):

> Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission. But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack.

Given that there were published warnings of *practical* MITM attacks (my papers, Radia Perlman's dissertation on secure routing, Lawrence Joncheray's paper on TCP hijacking, etc.), I have no doubt whatsoever what a (U.S.) court would have ruled if there had ever been a real attack. Given that MITM attacks have happened, I have just about as little doubt that they would have been used to steal credit card numbers if SSL had no protection.

Look at it this way -- we've already had password-eavesdropping (vintage 1993), off-the-shelf TCP hijacking code (Dug Song's package), and moderate-scale hacked machines for credit card number and account number theft (Internet cafes in Japan, about a month ago -- I'm on the train, and don't have the precise citation handy.)
Given all that, do you doubt that the hackers would have combined the easily-available pieces into a MITM attack? I don't.

The real issue in the original post seems to be the cost of a trusted certificate. I submit that there are other ways to solve that problem than abandoning a very necessary protection.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Who's afraid of Mallory Wolf?
In message [EMAIL PROTECTED], Ian Grigg writes:

> Who's afraid of Mallory Wolf?
>
> Even worse, there's not been any known MITM of any aggressive form. The only cases known are a bunch of demos, under laboratory conditions. They don't count, and MITM remains a theoretical attack, more the subject of learnings and design exercises than the domain of business or crypto engineering.

Sorry, that's flat-out false. If nothing else, there was a large-scale MITM attack on the conference 802.11 net at the 2001 Usenix Security Symposium. Spammers are hijacking BGP prefixes; see http://www.merit.edu/mail.archives/nanog/2002-10/msg00068.html for one such incident. Eugene Kashpureff pleaded guilty to domain-name hijacking; used very slightly differently, that's a MITM attack. See http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm for details.

I warned of the possibility of hijacking via routing attacks in 1989, and via DNS attacks in 1995. (See the 'papers' directory on my Web site.) Given that the attacks were demonstrably feasible, Netscape would have been negligent not to design for it. Given that such attacks or their near cousins have actually occurred, I'd say they were right.

And yes, you're probably right that no one has stolen credit card numbers that way. Of course, since the defense was in place before people had an opportunity to try, one can quite plausibly argue that Netscape prevented the attack
Re: [Bodo Moeller bodo@openssl.org] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
I'm struck by the similarity of this attack to Matt Blaze's master key paper. In each case, you're guessing at one position at a time, and using the response of the security system as an oracle. What's crucial in both cases is the one-at-a-time aspect -- that's what makes the attack linear instead of exponential.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
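The linear-versus-exponential point in the post above, worked through in code. This is an added example, not code from the thread, from OpenSSL, or from Blaze's paper: a constructed four-byte secret, a check that stops at the first mismatching byte (standing in for any timing, error-code or padding-versus-MAC oracle that reveals how far a guess matched), a constant-time check that reveals only equal/not-equal, and a count of how many oracle queries each case costs. Every name here (`SECRET`, `leaky_check`, `ct_check`, `position_oracle_demo`, ...) is the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret for the demonstration; any fixed bytes would do. */
#define SECRET_LEN 4
static const uint8_t SECRET[SECRET_LEN] = {0x3a, 0x7f, 0x02, 0xc4};

/* Leaky check: stops at the first mismatching byte, so its observable
 * behaviour (time taken, error returned) depends on how far the match got.
 * Returns the index of the first mismatch, or SECRET_LEN on a full match. */
size_t leaky_check(const uint8_t *guess)
{
    for (size_t i = 0; i < SECRET_LEN; i++)
        if (guess[i] != SECRET[i])
            return i;
    return SECRET_LEN;
}

/* Constant-time check: touches every byte and reveals only equal /
 * not-equal, so no per-position information reaches the caller. */
int ct_check(const uint8_t *guess)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SECRET_LEN; i++)
        diff |= (uint8_t)(guess[i] ^ SECRET[i]);
    return diff == 0;
}

/* Measures what the position oracle gives away: settles the secret one
 * byte at a time and returns the number of oracle queries used. At most
 * 256 queries per position, i.e. linear in SECRET_LEN. */
unsigned long queries_with_position_oracle(uint8_t out[SECRET_LEN])
{
    uint8_t guess[SECRET_LEN] = {0};
    unsigned long queries = 0;

    for (size_t pos = 0; pos < SECRET_LEN; pos++) {
        for (unsigned b = 0; b < 256; b++) {
            guess[pos] = (uint8_t)b;
            queries++;
            if (leaky_check(guess) > pos)   /* first mismatch moved past pos */
                break;
        }
    }
    memcpy(out, guess, SECRET_LEN);
    return queries;
}

/* With only an equal/not-equal answer, the worst case is trying every
 * value of the whole secret: 256^SECRET_LEN queries. */
unsigned long long queries_without_position_oracle(void)
{
    unsigned long long n = 1;
    for (size_t i = 0; i < SECRET_LEN; i++)
        n *= 256;
    return n;
}

/* Runs the position-oracle measurement and returns its query count, or 0
 * if the settled value does not match SECRET. */
unsigned long position_oracle_demo(void)
{
    uint8_t recovered[SECRET_LEN];
    unsigned long q = queries_with_position_oracle(recovered);
    return memcmp(recovered, SECRET, SECRET_LEN) == 0 ? q : 0;
}

int main(void)
{
    printf("position oracle: %lu queries\n", position_oracle_demo());
    printf("equality-only oracle: worst case %llu queries\n",
           queries_without_position_oracle());
    return 0;
}
```

The mitigation side is the shape of `ct_check`: whatever the check is (a MAC, a password hash, a padding test), it should do the same amount of work and return the same kind of error regardless of where the first difference lies, so that the only thing a caller learns per query is one bit.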
Re: Columbia crypto box
In message [EMAIL PROTECTED], Trei, Peter writes:

> If I recall correctly (dee3: Can you help?) WEP is actually derived from the encryption system used in the Apple Mobile Messaging System, a PCMCIA paging card made for the Newton in the mid-90s. This used 40 bit RC4.
>
> Though only a few years have passed, it's difficult to remember now what an encumbrance the ITAR export regulations were. Essentially, there was a (very short) list of ciphers and modes you could export. 40-bit RC4 was relatively easy to export. Anything better, or anything which had not been already approved by the NSA, faced a bureaucratic nightmare and huge delays if it was approved at all.

The 40-bit issue is orthogonal to the other problems with WEP. Look at IBM's Commercial Data Masking Facility (CDMF), a way to degrade the strength of DES from 56 bits to 40 bits, while still ensuring that they didn't enable any less-expensive attack.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Columbia crypto box
In message [EMAIL PROTECTED], Pete Chown writes:

> Bill Stewart wrote:
>> These days nobody *has* a better cryptosystem than you do. They might have a cheaper one or a faster one, but for ten years the public's been able to get free planet-sized-computer-proof crypto ...
>
> I seem to remember that the Nazis said the same thing about Enigma. Even when evidence began to filter back that it had been broken, they ignored it because they were so confident that a break was impossible.
>
> It's true that protocol and programming problems account for the huge majority of security holes. The WEP break, though, was one notable exception. They were using an established cryptosystem (RC4) with a planet-sized key (128 bits). However, a weakness in RC4 itself let them down.

Actually, that's missing the point. Yes, the cryptanalytic attack on RC4, especially as it's used in WEP, was impressive. But that attack was the least important problem with WEP -- the more serious problems were protocol issues.

First, there was no key management. This means that loss of a single unit -- a stolen laptop or a disgruntled (ex-)employee would do -- compromises the entire network, since it's impossible to rekey everything at once in an organization of any size. For most real-world deployments, this is the most serious weakness. Furthermore, if there were real key management, the next two problems couldn't have happened. This was clearly avoidable.

The second most serious problem was the set of problems documented by Borisov et al. at Berkeley. These mostly relied on the inappropriate use of a stream cipher, especially with too short an IV. Note that if it were possible to rekey before 2^24 packets were sent under any one key, the attacks mostly wouldn't be possible.

The cryptanalytic attack did exploit an unforeseen weakness in RC4. But the attack was a related-key attack, and it required a noticeable amount of traffic. If rekeying had taken place, or if the IV were properly mixed with the seed key, there wouldn't have been a problem here.

To be sure, Enigma was largely broken because it wasn't being used properly. As you say, protocol issues are the leading cause of crypto holes. (And, as you note, programming bugs account for *far* more real-world security problems.)

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Columbia crypto box
In message [EMAIL PROTECTED], bear writes:

> It's one of those things, like re-using a pad.

Actually, it is re-using a pad, exactly. It's just a pseudorandom pad (stream cipher) instead of a one-time pad.

> And while WEP had problems, it didn't have that particular problem. New messages with the same key would use a later chunk of the cipherstream pad under WEP.

That's not correct. Each packet is encrypted with a key consisting of basekey,IV, where IV is a 24-bit counter. It does not use a later part of the stream; each packet starts from the beginning. Note that with a 24-bit key, plus the difficulty of changing the key, there *will* be reuse. It's compounded because (a) everyone has the same key, so there's lots of traffic; (b) both directions use the same key; and (c) some units, when power-cycled, always start the IV at 0, making collisions in that space more likely.

Read the Borisov et al. paper for more details on all of these points and more.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
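The per-packet keystream restart described above, shown concretely. This is an added example, not code from the thread, from the Borisov et al. paper or from the 802.11 standard: a minimal RC4 written for the example, a WEP-style per-packet key (in real WEP the 24-bit IV is prepended to the base key, which is the order used here), a check that two packets under the same base key and IV expose the XOR of their plaintexts, and a monitor-side function that counts IV repeats over a constructed packet trace in which a station restarts its counter at 0 after a power cycle (point (c) in the post). The base key, IV values, plaintexts and trace are all constructed; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal RC4, written for this example. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *c, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (unsigned k = 0; k < 256; k++) c->S[k] = (uint8_t)k;
    for (unsigned k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->S[k] + key[k % klen]);
        uint8_t t = c->S[k]; c->S[k] = c->S[j]; c->S[j] = t;
    }
    c->i = c->j = 0;
}

static void rc4_xor(rc4_t *c, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->S[c->i]);
        uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
        out[k] = in[k] ^ c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
    }
}

#define IV_LEN   3   /* WEP's 24-bit IV */
#define BASE_LEN 5   /* 40-bit base key */

/* WEP-style packet encryption: the RC4 key is IV || base key, and the
 * keystream starts at byte 0 for every packet (no position carries over). */
void wep_encrypt(const uint8_t iv[IV_LEN], const uint8_t base[BASE_LEN],
                 const uint8_t *pt, uint8_t *ct, size_t n)
{
    uint8_t pk[IV_LEN + BASE_LEN];
    rc4_t c;
    memcpy(pk, iv, IV_LEN);
    memcpy(pk + IV_LEN, base, BASE_LEN);
    rc4_init(&c, pk, sizeof pk);
    rc4_xor(&c, pt, ct, n);
}

/* Two packets under the same base key and IV get the identical pad, so
 * ct1 ^ ct2 == pt1 ^ pt2. Returns 1 if that holds for every byte. */
int same_iv_exposes_plaintext_xor(void)
{
    static const uint8_t base[BASE_LEN] = {0x01, 0x23, 0x45, 0x67, 0x89}; /* constructed */
    static const uint8_t iv[IV_LEN] = {0x00, 0x00, 0x00};
    static const uint8_t pt1[] = "GET /index.html";
    static const uint8_t pt2[] = "POST /login.cgi";   /* same length as pt1 */
    size_t n = sizeof pt1 - 1;
    uint8_t ct1[16], ct2[16];

    wep_encrypt(iv, base, pt1, ct1, n);
    wep_encrypt(iv, base, pt2, ct2, n);
    for (size_t k = 0; k < n; k++)
        if ((ct1[k] ^ ct2[k]) != (pt1[k] ^ pt2[k]))
            return 0;
    return 1;
}

/* Monitor-side check: count packets whose 24-bit IV was already seen under
 * this base key. One bit per IV value covers the whole space in 2 MiB. */
size_t count_iv_reuse(const uint32_t *ivs, size_t n)
{
    uint8_t *seen = calloc(1u << 21, 1);
    size_t reused = 0;
    if (!seen) return (size_t)-1;
    for (size_t k = 0; k < n; k++) {
        uint32_t iv = ivs[k] & 0xFFFFFFu;
        uint8_t bit = (uint8_t)(1u << (iv & 7));
        if (seen[iv >> 3] & bit) reused++;
        else seen[iv >> 3] |= bit;
    }
    free(seen);
    return reused;
}

/* Constructed trace: a station sends IVs 0,1,2,3, is power-cycled, and
 * restarts at 0; three of the eight IVs are repeats. */
size_t power_cycle_trace_reuse(void)
{
    static const uint32_t trace[] = {0, 1, 2, 3, 0, 1, 2, 7};
    return count_iv_reuse(trace, sizeof trace / sizeof trace[0]);
}

int main(void)
{
    printf("same IV exposes pt1^pt2: %d\n", same_iv_exposes_plaintext_xor());
    printf("IV repeats in trace: %zu\n", power_cycle_trace_reuse());
    return 0;
}
```

The `count_iv_reuse` side is the part a defender can act on: with one shared key and a 24-bit counter, repeats are a question of when, not whether, so the practical answer is the one the post gives, rekeying before the IV space is exhausted (or, as the later 802.11i design does, a per-session key and a nonce that cannot wrap).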
Re: Columbia crypto box
In message b295ds$l66$[EMAIL PROTECTED], David Wagner writes:

> Trei, Peter wrote:
>> The weird thing about WEP was its choice of cipher. It used RC4, a stream cipher, and re-keyed for every block. RC4 is not really intended for this application. Today we'd have used a block cipher with varying IVs if necessary. I suspect that RC4 was chosen for other reasons - ease of export, smallness of code, or something like that. It runs fast, but rekeying every block loses most of that advantage.
>
> It's hard to believe that RC4 was chosen for technical reasons. The huge cost of key setup per packet (equivalent to generating 256 bytes of keystream and then throwing it away) should dominate the other potential advantages of RC4.

I'm not sure you're right. While 40-50% of packets are about 40 bytes long -- see http://www.nlanr.net/NA/Learn/packetsizes.html for some older statistics -- most *bytes* are carried by larger packets. From that same site, about 75% of the bytes are carried by packets over 500 bytes long. A quick awk script suggests that given that packet size distribution, the total workload to use WEP-style encryption is about double the number of bytes. The overhead is thus substantial -- but RC4's cost per byte is quite low, so it was probably a net win.

Other studies suggest that LAN packet size distribution is somewhat different, with more large packets; that would lower the overhead. Note that the traffic mix on the Internet has shifted since that data was collected. Audio and video files are large, and hence will use more large packets; that again would lower the overhead. What's unclear is to what extent wireless device traffic differs. Given the increasing deployment of 802.11 in the home, I suspect that there's a lot of big files going to wireless endpoints.

In any case, WEP would clearly look very different if it had been designed by cryptographers, and it almost certainly wouldn't use RC4. Look at CCMP, for instance: it is 802.11i's chosen successor to, and re-design of, WEP. CCMP uses AES, not RC4, and I think that was a smart move. A block cipher is clearly a better choice here. But there were some rational reasons for selecting RC4 (even though I think that on balance, the choice was very wrong).

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Columbia crypto box
In message v03110708ba6df9a4efb3@[192.168.1.5], Bill Frantz writes:

> At 4:29 PM -0800 2/10/03, Steven M. Bellovin wrote:
>> In message v03110705ba6dec92ddb0@[192.168.1.5], Bill Frantz writes:
>>> * Fast key setup (Forget tossing the 256 bytes of key stream. The designers weren't crypto engineers. Personally, I'd toss the first 1024.)
>> ...
>> There may be a cryptographically sound reason to discard that much, but it's not without cost.
>
> The reason I would discard so much is that when I did some statistics on RC4 output, I kept getting distribution lumps out to about 1024. They made me worry about what someone who knew what they were doing could do.

That's a good reason... (At that point, even with older hardware, AES might be better -- and of course, using a block cipher solves lots of other problems, too...)

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Columbia crypto box
In message [EMAIL PROTECTED], Paul A.S. Ward writes:

> Is it really fair to blame WEP for not using AES when AES wasn't around when WEP was being created?

Of course they couldn't have used AES. But there are other block ciphers they could have used. They could have used key management. They could have added a MAC. They could have used a longer IV field, with a random starting point mandated by the spec. Or they could have put a big warning on saying "this doesn't protect you from very much".

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Columbia crypto box
In message [EMAIL PROTECTED], Faust writes:

>> Apparently some folks skipped class the day Kerckhoffs' Principle was covered.
>
> While this is obvious to the oldtimers, I had to look up Kerckhoffs' principle (and found that it is the old injunction against security by obscurity).

You can find Kerckhoffs' original work at http://www.cl.cam.ac.uk/~fapp2/kerckhoffs , in French and English.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: question about rsa encryption
In message [EMAIL PROTECTED], Scott G. Kelly writes:

> I have a question regarding RSA encryption (forgive me if this seems amateur-ish, but I'm still a beginner). I seem to recall reading somewhere that there is some issue with directly encrypting data with an RSA public key, perhaps some vulnerability, but I can't find any reference after a cursory look. Does anyone know of any issue with using RSA encryption to encrypt a symmetric key under the target's public key if the encrypted value is public (e.g. sent over a network)?

Transmitting a private key under RSA encryption can have subtle failure modes. I suggest that you use a published standard such as OAEP, from PKCS #1.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: DeCSS, crypto, law, and economics
In message [EMAIL PROTECTED], Perry E. Metzger writes:

> I don't know anyone who trades video files -- they're pretty big and bulky. A song takes moments to download, but a movie takes many many hours even on a high speed link. I have yet to meet someone who pirates films -- but I know lots of hardened criminals who watch DVDs on Linux and BSD.

I'm one of these criminals. I'm 100% certain it's happening, today. And -- dare I suggest that the industry is being farsighted in anticipating higher bandwidth, and wants to close the barn door *before* the horse's image is stolen?

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: Did you *really* zeroize that key?
In message [EMAIL PROTECTED], Peter Gutmann writes:

>> [Moderator's note: FYI: no pragma is needed. This is what C's volatile keyword is for.
>
> No it isn't. This was done to death on vuln-dev, see the list archives for the discussion.
>
> [Moderator's note: I'd be curious to hear a summary -- it appears to work fine on the compilers I've tested. --Perry]

Regardless of whether one uses volatile or a pragma, the basic point remains: cryptographic application writers have to be aware of what a clever compiler can do, so that they know to take countermeasures.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
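The countermeasure the thread is arguing about, next to the pattern it replaces. This is an added example, not code from the thread or from vuln-dev: `naive_wipe` is the plain `memset` that dead-store elimination may delete when the buffer is never read again; `secure_zero` writes through a volatile-qualified pointer so that each store is an observable side effect the compiler must emit. The key bytes and the toy "use" of the key (a 32-bit FNV-1a) are constructed for the example, and all the function names are the example's own. Note what the example does not do: it cannot show the elimination happening, because the verification reads the buffer afterwards, which makes the store live; and `secure_zero` reaches only the bytes at the address it is given, not copies the compiler may have spilled to registers or other stack slots.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* The pattern under discussion: a plain memset on a buffer that is never
 * read again. Under dead-store elimination a compiler may drop it entirely,
 * leaving the key in memory. */
void naive_wipe(uint8_t *buf, size_t n)
{
    memset(buf, 0, n);
}

/* Countermeasure: every store goes through a volatile-qualified pointer.
 * Accesses to volatile objects are side effects the compiler must preserve,
 * so the stores are emitted even if nothing reads the buffer afterwards. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

size_t count_nonzero(const uint8_t *buf, size_t n)
{
    size_t c = 0;
    for (size_t k = 0; k < n; k++)
        c += (buf[k] != 0);
    return c;
}

/* Stand-in for "use the key": 32-bit FNV-1a over the key bytes (toy). */
uint32_t toy_use(const uint8_t *key, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t k = 0; k < n; k++) {
        h ^= key[k];
        h *= 16777619u;
    }
    return h;
}

/* Uses the key, then wipes it with the countermeasure. Returns the derived value. */
uint32_t use_and_wipe(uint8_t *key, size_t n)
{
    uint32_t h = toy_use(key, n);
    secure_zero(key, n);
    return h;
}

/* Fills a constructed key, runs use_and_wipe, and returns how many nonzero
 * bytes remain (expected 0). The buffer is still in scope, so reading it
 * after the wipe is well defined. */
size_t demo_bytes_left_after_wipe(void)
{
    uint8_t key[KEY_LEN];
    for (size_t k = 0; k < KEY_LEN; k++) key[k] = (uint8_t)(k + 1);
    (void)use_and_wipe(key, KEY_LEN);
    return count_nonzero(key, KEY_LEN);
}

/* Returns 1 if the value derived from the key is unaffected by the wipe
 * that follows it, i.e. the wipe happens after the last legitimate use. */
int demo_result_is_stable(void)
{
    uint8_t key[KEY_LEN], copy[KEY_LEN];
    for (size_t k = 0; k < KEY_LEN; k++) key[k] = (uint8_t)(0xA0 + k);
    memcpy(copy, key, KEY_LEN);
    return use_and_wipe(key, KEY_LEN) == toy_use(copy, KEY_LEN);
}

int main(void)
{
    printf("nonzero bytes left after wipe: %zu\n", demo_bytes_left_after_wipe());
    printf("derived value stable: %d\n", demo_result_is_stable());
    return 0;
}
```

Where the platform offers a wipe the compiler is not allowed to optimise away (C11 Annex K `memset_s`, or `explicit_bzero` on the BSDs and glibc), that is the simpler choice; the volatile loop above is the portable fallback, and either way the check worth keeping is the one in `demo_bytes_left_after_wipe`: inspect the memory after the wipe in a build with optimisation on.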
Re: Windows 2000 declared secure
In message [EMAIL PROTECTED], Jonathan S. Shapiro writes:

> I disagree. The problem is even more fundamental than that. The problem today is the absence of liability for the consequences of bad software. Once liability goes into place, CC becomes the industry-accepted standard of diligent practice. Until then it's just a way of killing trees.

Hmm -- let me point folks at http://law.shu.edu/ilstsymp/ilst_details.pdf (registration at http://law.shu.edu/ilstsymp/index.htm)

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: What email encryption is actually in use?
In message [EMAIL PROTECTED], John Saylor writes:

> Hi
>
> ( 02.10.02 12:50 -0500 ) Jeremey Barrett:
>> but it's always better to encrypt than not, even if no additional trust is gained.
>
> While I generally am on board with this, I can see a situation where the encryption overhead [and complexity] may be excessive [underpowered mail servers administered by beginners] compared to the gains.

The primary use of STARTTLS for SMTP is for mail *submission*, not relaying. That is, when clients (like Eudora) generate mail, they submit it to an ISP or organizational SMTP server. If this server is accessible from the Internet, it should require some sort of authentication, to avoid becoming an open spam relay. This is sometimes done by a password over a TLS-protected session. In other words, this isn't opportunistic encryption, and doesn't run into the problem of "random smtp server has a self-signed cert". The client should be configured to know what cert to expect.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: Optical analog computing?
In message [EMAIL PROTECTED], Greg Rose writes:

> At 01:30 AM 10/2/2002 -0400, John S. Denker wrote:
>> R. A. Hettinga wrote:
>>> ... the first computer to crack enigma was optical
>>
>> 1) Bletchley Park used optical sensors, which were (and still are) the best way to read paper tape at high speed. You can read about it in the standard accounts, e.g. http://www.picotech.com/applications/colossus.html
>
> But Colossus was not for Enigma. The bombes used for Enigma were electro-mechanical. I'm not aware of any application of optical techniques to Enigma, unless they were done in the US and are still classified. And clearly, the first bulk breaks of Enigma were done by the bombes, so I guess it depends whether you count bombes as computers or not, whether this statement has any credibility at all.

If memory serves (my references are at home), the Bletchley Park crew used holes punched in large grids. They'd overlap many sheets and see where the light made it through; that would be a good key (or candidate key). I don't know if you'd call that a computer, but it was an interesting optical device. I'm sure there have been many later applications of similar principles -- see Shamir's TWINKLE, for example, which relied on detecting aggregate brightness over many LEDs.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: unforgeable optical tokens?
In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes:

> Perry E. Metzger wrote:
>> An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.
>
> I can't dig up the memory, but I think I heard of a similar idea -- random structure in transparent solid, difficult to copy -- used in some kind of tag or seal for nuclear security. Can anyone remind me what this might have been?

A fair number of years ago, I saw something like this proposed for non-proliferation seals on nuclear reactors. The scheme then (I believe I saw it in Science News) was that International Atomic Energy Agency inspectors would use a length of randomly-twisted multi-strand fiber optic cable and use it to seal a door that they opened to verify that the reactor in question wasn't being used to build weapons. They then shine a light in one end, and photograph the other. When they come back, they repeat the photographic process, so that they can see if anyone has removed their seal -- say, to get at the irradiated, plutonium-containing fuel rods.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: DOJ proposes US data-rentention law.
In message [EMAIL PROTECTED], David G. Koontz writes:

> Trei, Peter wrote:
>> - start quote -
>> Cyber Security Plan Contemplates U.S. Data Retention Law
>> http://online.securityfocus.com/news/486
>>
>> Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace.
>> By Kevin Poulsen, Jun 18 2002 3:46PM
>>
>> An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
>> ...
>
> If the U.S. wasn't in an undeclared 'war', this would be considered an unfunded mandate. Does anyone realize the cost involved? Think of all the spam that needs to be recorded for posterity. ISPs don't currently record the type of information that this is talking about. What customer data backup is being performed by ISPs is by and large done by disk mirroring and is not kept permanently.

This isn't clear. The proposals I've seen call for recording transaction data -- i.e., the SMTP envelope information, plus maybe the From: line. It does not call for retention of content.

Apart from practicality, there are constitutional issues. Envelope data is given to the ISP in typical client/server email scenarios, while content is end-to-end, in that it's not processed by the ISP. A different type of warrant is therefore needed to retrieve the latter. The former falls under the pen register law (as amended by the Patriot Act), and requires a really cheap warrant. Email content is considered a full-fledged wiretap, and requires a hard-to-get court order, with lots of notice requirements, etc. Mandating that a third party record email in this situation, in the absence of a pre-existing warrant citing probable cause, would be very chancy. I don't think even the current Supreme Court would buy it.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: Gartner supports HK smart ID card use
Folks on this list might be interested in a National Research Council report on nationwide identity systems: http://books.nap.edu/html/id_questions/

--Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com
Re: password-cracking by journalists... (long, sorry)
Another point -- the law protects encryption research, not cryptographic research. Watermarking or DRM systems do not appear to be covered by the statute's definition of encryption.

--Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com
Re: password-cracking by journalists...
In message v0421010cb86ca9bc4254@[192.168.0.2], Arnold G. Reinhold writes:

> At 9:15 AM -0500 1/16/02, Steve Bellovin wrote:
>> A couple of months ago, a Wall Street Journal reporter bought two abandoned al Qaeda computers from a looter in Kabul. Some of the files on those machines were encrypted. But they're dealing with that problem:
>>
>> "The unsigned report, protected by a complex password, was created on Aug. 19, according to the Kabul computer's internal record. The Wall Street Journal commissioned an array of high-speed computers programmed to crack passwords. They took five days to access the file."
>>
>> Does anyone have any technical details on this? (I assume that it's a standard password-guessing approach, but it would be nice to know for certain. If nothing else, are Arabic passwords easier or harder to guess than, say, English ones?)
>
> Outside of the good possibility that they might be quotations from Islamic religious texts, why would you think Arabic passwords are any easier to guess?

I didn't say that they would be easier; I asked...

As for why I asked -- while I don't know much about Arabic, I do know some Hebrew, and the languages are related. Some aspects of Hebrew would certainly impact a guessing program. For one thing, in Hebrew (and, I think, Arabic) vowels are not normally written. Hebrew vowels look like dots or lines surrounding the letters, which are all consonants; printed Hebrew material aimed at Israeli adults omits the vowels. Also, there are a few Hebrew letters which have different forms when they're the final letter in a word -- my understanding is that there are more Arabic letters that have a different final form, and that some have up to four forms: one initial, two middle, and one final. Finally, Hebrew (and, as someone else mentioned, Arabic) verbs have a three-letter root form; many nouns are derived from this root.

Do these matter? I think so, though I suspect they'd make the problem harder. But I don't know, and I'd like to learn from someone who has paid more attention to the problem of password-cracking in other languages and alphabets.

--Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com
Re: (A)RC4 state leakage
In message [EMAIL PROTECTED], Damien Miller writes:

> The common wisdom when using (A)RC4 as a PRNG seems to be to discard the first few bytes of keystream it generates as it may be correlated to the keying material. Does anyone have a reference that describes this in more detail? Or am I confused :)

See http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html for lots of references on RC4 and attacks on it.

--Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com
Re: [DailyRotten] FBI requests worm-built password log
In message Pine.GSO.3.96.1011217132546.27456B-10@crypto, Jay D. Dyson writes:

> On Mon, 17 Dec 2001, Will Rodger wrote:
>> But the interplay with MagicLantern and PatriotAct issues is thought-provoking...
>
> Actually, this is nothing new. The boys at the Bureau have a long history of requesting data to which they have no genuine legal right of access. Their original requests -- with few exceptions -- bank on ignorance of due process.
>
>> Why is anyone surprised law enforcement would want this data? In order to investigate the crime in the first place, law enforcement needs to know what the crackers stole.
>
> I guess you can consider me puzzled as to this claim. The FBI isn't interested in what was stolen. The forensic analyses of the worm's functions will tell you in a generic sense the answer to that question. What the boys at the Bureau want is the lump sum of victims' stolen information.
>
> To use an analogy[1], if a neighborhood burglar makes off with my videocamera, all the LEAs and their LEOs need to know is the description and serial number of the product so it can be identified as mine. They don't need to know the contents of the tape in the videocamera in order to demonstrate that criminal action occurred in the taking of said camera.

Well, recovered stolen property is generally considered evidence. Looking at that file provides evidence that the worm *did* steal passwords, and not just that it was capable of doing so according to some complex analysis. (For many worms, there is often considerable uncertainty about exactly what they can and cannot do. Besides, do you want to try to explain decompiling to a jury?)

Perhaps more on target, possession of those passwords does *not*, as far as I can tell, change the FBI's legal ability to, for example, read someone's email. They'd still need a court order under your favorite statute. At most, I suspect that they could use information in that file as evidence of improper possession of a password by one of the worm's victims. Not good if you're the improper possessor -- but also not an extension of the FBI's abilities or authority.

The implication of the original claim was that the FBI wanted these passwords so that they could surreptitiously read email without bothering with Magic Lantern or Carnivore. Maybe -- but doing so without authorization is just as illegal with passwords as via a tailored Trojan horse. (Well, maybe the latter would constitute a violation of 18 USC 1030, the Computer Fraud and Abuse Act. I think the former would, too, plus it would violate 18 USC 1029: use of a counterfeit access device.) The only thing these passwords would do is make the entry easier.

--Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com
Re: Proving security protocols
Also see the National Research Council report Trust in Cyberspace (I served on that committee). The section on formal methods can be found at http://www.nap.edu/readingroom/books/trust/trust-3.htm#Page 95 (yes, there's a blank in the URL...)

--Steve Bellovin, http://www.research.att.com/~smb
Full text of Firewalls book now at http://www.wilyhacker.com
Re: Scarfo keylogger, PGP
In message 9qftr6$23i$[EMAIL PROTECTED], David Wagner writes:

> It seems the FBI hopes the law will make a distinction between software that talks directly to the modem and software that doesn't. They note that PGP falls into the latter category, and thus -- they argue -- they should be permitted to snoop on PGP without needing a wiretap warrant.
>
> However, if you're using PGP to encrypt email before sending, this reasoning sounds a little hard to swallow. It's hard to see how such a use of PGP could be differentiated from use of a mail client; neither of them talk directly to the modem, but both are indirectly a part of the communications path. Maybe there's something I'm missing.

The problem is that you're thinking like a computer scientist instead of like a lawyer...

Definitions are important in the law. The wiretap statute (18 USC 2510 et seq, http://www4.law.cornell.edu/uscode/18/2510.html) defines an "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include - (A) any wire or oral communication..." ("Wire communications" refers to telephone calls.) Interception of such transmissions is one of the things governed by the wiretap statute; the procedure for getting an authorization for a tap is very cumbersome, and is subject to numerous restrictions in both the statute and DoJ regulations. Access to *stored communications* -- things that aren't actually traveling over a wire -- is governed by 18 USC 2701 et seq., which was added to the wiretap statute in 1986. (That's when electronic communications were added as well.) The rules for access there are much simpler. But that section was written on the assumption that email would only be stored on your service bureau's machine!

In this case, it would appear that we're back to the ordinary search and seizure statutes governing any computer records owned by an individual. *But* -- if they're *in the process of being sent* -- 2511 would apply, it would be a wiretap, and it would be hard to do. The FBI agents who wrote that keystroke logger are well aware of this distinction, and apparently tried to finesse the point by ensuring that no "communications" (within the meaning of the statute) were taking place when their package was operating.

I suppose that someone could make an argument to a judge that email being composed is intended for transmission, and that it should therefore be covered by 2511. The government's counter will be to cite 2703, which provides for simpler access to some email, as evidence that Congress did not intend the same protections for email not actually in transit. I'd have to reread the ruling in the Steve Jackson Games case to carry my analysis any further, but I'll leave that to the real lawyers.
Security Research (Was: Scarfo keylogger, PGP )
In message [EMAIL PROTECTED], Ben Laurie writes:

> Trei, Peter wrote:
>
> > Windows XP at least checks for drivers not signed by MS, but whose security this promotes is an open question.
>
> Errr ... surely this promotes MS's bottom line and no-one's security? It is also a major pain if you happen to want to write a device driver, of course.

Microsoft? See their view of how to deal with security at http://www.newsbytes.com/news/01/171173.html -- I wonder if they think it should apply to crypto research, too?

Of course, why should I be surprised at this? Some crypto research is already banned by the DMCA; why not ban even more?

--Steve Bellovin, http://www.research.att.com/~smb
Full text of Firewalls book now at http://www.wilyhacker.com
Re: [FYI] Antiques man guilty of Enigma charge
In message [EMAIL PROTECTED], Trei, Peter writes:

> Axel H Horns[SMTP:[EMAIL PROTECTED]]
>
> > http://news.bbc.co.uk/hi/english/uk/england/newsid_1564000/1564878.stm
> >
> > -- CUT -
> >
> > Wednesday, 26 September, 2001, 15:25 GMT 16:25 UK
> >
> > Antiques man guilty of Enigma charge
> >
> > The machine was one of only three in the world
> >
> > An antiques dealer has admitted handling a stolen code-breaking Enigma machine, worth £100,000.
> >
> > [...]
>
> Only 3 in the world? I don't think so. At the last RSA conference, the NSA had a historical 'museum', including an enigma. The woman running it said there were at least 40 still around. I know one firm which has two of them, along with various other historical crypto HW. They're rare, but not *that* rare. The toughest part in keeping them going is getting the odd little lightbulbs which indicate the output.

The machine in question is an Abwehr Enigma, a variant of the basic design. (There were a fair number of variants, in fact.)

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
Re: [FYI] Did Encryption Empower These Terrorists?
In message v03110706b7d555f61a45@[165.247.220.34], Bill Frantz writes:

> At 10:11 AM -0700 9/24/01, [EMAIL PROTECTED] wrote:
>
> > as mentioned in the various previous references ... what is at risk ... effectively proportional to the aggregate of the account credit limits ... for all accounts that happened to have been stored in any account master file ... is significantly larger than any particular merchant may have directly at risk because of a security breach.
> >
> > in the security proportional to risk theory the entity that has the risk should have control over the security measures, those security measures should be proportional to what they have at risk, and the cost of those security measures should also be proportional to the risk.
>
> It seems to me that because of the $50 liability limit under US law, most of the risk is carried by the credit card issuers. They are also in a position to require proper security by contract with the merchant.

Actually, I believe it's by the merchants. Internet transactions generally count as "card not present" transactions, which means that the merchants take the risk.

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
Re: Op-ed on encryption: Privacy is no longer an argument
In message [EMAIL PROTECTED], Declan McCullagh writes:

> http://www.wartimeliberty.com/article.pl?sid=01/09/21/0450203
>
> Crypto Op-Ed: Privacy No Longer an Argument
> posted by admin on Thursday September 20, @11:39PM
>
> M. W. Guzy has a provocative and not entirely coherent essay in Wednesday's St. Louis Post-Dispatch. Excerpt:
>
> > (Then-Senator John) Ashcroft wrote that mandating deciphering tools was tantamount to requiring 'individuals to surrender the keys to their house... to the FBI just in case they are someday suspected of breaking the law.' Somehow, that argument rings a little hollow when viewed through the smoldering ruins of the World Trade Center... Now, the landscape has changed. National sovereignty is at stake, and defeat is not an option...
>
> Note that Guzy's essay is part condemnation of modern capitalism, part criticism of business for its support of market liberalism, and entirely inspired by wartime rhetoric.

Apart from anything else, Guzy misses the technical argument: that key escrow will likely make things worse. In a recent (post-attack) interview, I asked the reporter what would happen to escrowed keys if Robert Hanssen were still at large.

As for "but lives aren't at stake" -- that's far from clear. What if an attacker takes out the power grid or gas pipelines in the middle of winter? (According to the Russian Interior ministry, a hacker took control of Gazprom's pipelines last year. Gazprom is the largest natural gas producer in the world.) For that matter, a few days ago the New York Times reported on a proposal to add remote piloting features to planes, as an anti-hijacking measure. How are those links to be secured?

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
Re: Senate votes to permit warrantless Net-wiretaps, Carnivore use
In message [EMAIL PROTECTED], Declan McCullagh writes:

> May be relevant, given the new focus in DC on restricting privacy and crypto...
>
> Text of the Hatch-Feinstein Combating Terrorism Act of 2001:
> http://www.politechbot.com/docs/cta.091401.html
>
> Discussion of the CTA:
> http://www.fas.org/sgp/congress/2001/s091301.html
>
> -Declan
>
> http://www.wired.com/news/politics/0,1283,46852,00.html
>
> Senate OKs FBI Net Spying
> By Declan McCullagh ([EMAIL PROTECTED])
> 12:55 p.m. Sep. 14, 2001 PDT
>
> WASHINGTON -- FBI agents soon may be able to spy on Internet users legally without a court order.
>
> On Thursday evening, two days after the worst terrorist attack in U.S. history, the Senate approved the Combating Terrorism Act of 2001, which enhances police wiretap powers and permits monitoring in more situations.
>
> The measure, proposed by Orrin Hatch (R-Utah) and Dianne Feinstein (D-California), says any U.S. attorney or state attorney general can order the installation of the FBI's Carnivore surveillance system. Previously, there were stiffer restrictions on Carnivore and other Internet surveillance techniques.

This is seriously misleading. Although there are a fair number of objectionable items in the bill (the worst of which are likely unconstitutional, though you'd have to explain protocol layering to a judge to make that point clear), the bill is concerned with pen registers and trap-and-trace devices. It does not legalize warrantless wiretaps. And yes, Carnivore can be used more freely under this bill, but only in its pen register mode.

There's a lot to worry about; we do ourselves a disservice by attacking the wrong things.

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
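The distinction drawn in the reply above, between a pen register or trap-and-trace capture (addressing information only) and a content intercept, and the reason "protocol layering" makes it slippery, as an added example that is not part of the original message and is not Carnivore's code. The packet, the RFC 5737 documentation addresses and the SMTP exchange are constructed for illustration; the parsing follows the fixed IPv4 (RFC 791) and TCP (RFC 793) header layouts.

```python
import socket
import struct

# Constructed sample: an SMTP transaction carried as TCP payload. Both the
# envelope commands and the message body are "content" as far as TCP is
# concerned, even though MAIL FROM / RCPT TO are addressing at the SMTP layer.
SAMPLE_SMTP = (
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: constructed sample message\r\n"
    b"\r\n"
    b"this body is content, not addressing\r\n"
    b".\r\n"
)


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal IPv4 + TCP packet (20-byte headers, no options,
    checksums left zero). Constructed for the example; not a real capture."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                       # version 4, IHL 5 (20 bytes)
        0,                          # DSCP/ECN
        total_len,
        0x1234,                     # identification
        0,                          # flags / fragment offset
        64,                         # TTL
        6,                          # protocol: TCP
        0,                          # header checksum (not computed here)
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1, 1,                       # sequence and acknowledgement numbers
        0x50,                       # data offset 5 (20 bytes), reserved bits zero
        0x18,                       # flags: PSH|ACK
        65535,                      # window
        0,                          # checksum (not computed here)
        0,                          # urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


# RFC 5737 documentation addresses; a client talking to an SMTP server on port 25.
SAMPLE_PACKET = build_ipv4_tcp("192.0.2.10", "198.51.100.25", 40000, 25, SAMPLE_SMTP)


def pen_register_view(packet):
    """Addressing information only: the transport-layer tuple a pen register
    (outgoing) or trap-and-trace (incoming) device records. Nothing past the
    TCP header is examined."""
    if packet[0] >> 4 != 4:
        raise ValueError("IPv4 only in this example")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "proto": proto,
    }
    if proto == 6:  # TCP: ports are the first four bytes of the segment
        view["src_port"], view["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return view


def full_content_view(packet):
    """What a content intercept additionally sees: everything after the TCP
    header, i.e. the application-layer payload."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


def smtp_envelope(payload):
    """Parse the SMTP envelope out of the payload. These fields are the
    'addressing information' of the mail layer, yet they are reachable only
    by reading what TCP regards as content: that is the layering problem."""
    env = {"mail_from": None, "rcpt_to": []}
    for line in payload.decode("ascii", "replace").split("\r\n"):
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            env["mail_from"] = line[len("MAIL FROM:"):].strip()
        elif upper.startswith("RCPT TO:"):
            env["rcpt_to"].append(line[len("RCPT TO:"):].strip())
        elif upper == "DATA":
            break  # envelope ends here; what follows is the message itself
    return env


if __name__ == "__main__":
    print("pen register view:", pen_register_view(SAMPLE_PACKET))
    print("SMTP envelope   :", smtp_envelope(full_content_view(SAMPLE_PACKET)))
```

At the IP and TCP layers the split is mechanical: the first forty bytes are addressing, the rest is payload, and a device limited to the former genuinely cannot see who is mailing whom. The trouble is that the payload carries its own addressing one layer up (MAIL FROM, RCPT TO, and the To: header after DATA), so a device certified as operating in "pen register mode" has to take a position on how far up the stack "addressing information" extends. That is the layering question a court would need to understand before ruling on what such a mode is allowed to record.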
Re: Criminalizing crypto criticism
In message [EMAIL PROTECTED], Declan McCullagh writes:

> One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.

It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not cryptography. And the good-faith effort to get permission is really an invitation to harassment, since you don't have to actually get permission, merely seek it.

--Steve Bellovin, http://www.research.att.com/~smb