Re: On the road to truth and madness
> We were somewhere around Barstow on the edge of the desert when the drugs
> began to take hold.

The following was my variant on this from a few years ago, representing the 56th IETF PKIX meeting minutes. Note that this is from the book form, not the film version of the text:

-- Snip --

We were somewhere in San Francisco on the edge of the 56th IETF when the drugs began to take hold. I remember saying something like "I feel a bit lightheaded; maybe you should take notes". And suddenly there was a terrible roar all around us and the sky was full of what looked like huge OIDs, all swooping and screeching and diving around the RFC, which was about a hundred pages long. And a voice was screaming: "Holy Jesus! Where are these goddamn business cases?"

Then it was quiet again. My attorney had taken his shirt off and was pouring beer into his mouth, to facilitate the PKI standards-creation process. "What the hell are you yelling about?" he muttered, staring up at the neon lights with his eyes closed and covered with wraparound Spanish sunglasses. "Never mind," I said. "It's your turn to figure out the interop requirements." I hit the brakes and dropped the Great Pile of Paperwork at the side of the room. No point mentioning those OIDs, I thought. The poor bastard will see them soon enough.

We had two bags of X.509 standards, seventy-five pages of PKIX mailing list printouts, five sheets of high-powered constraints, a saltshaker half-full of vendor hype, and a whole galaxy of requirements, restrictions, promises, threats... Also, a quart of OSI, a quart of LDAP, a case of XML, a pint of raw X.500, and two dozen PGPs. Not that we needed all that for the trip, but once you get into a serious PKI RFC binge, the tendency is to push it as far as you can. The only thing that really worried me was the X.500. There is nothing in the world more helpless and irresponsible and depraved than a man in the depths of an X.500 binge, and I knew we'd get into that rotten stuff pretty soon.

-- Snip --

Peter.
I'll show you mine if you show me, er, mine
http://www.theregister.co.uk/2005/02/21/crypto_wireless/print.html
Original URL: http://www.theregister.co.uk/2005/02/21/crypto_wireless/

I'll show you mine if you show me, er, mine
By Lucy Sherriff (lucy.sherriff at theregister.co.uk)
Published Monday 21st February 2005 17:11 GMT

Security researchers have developed a new cryptographic technique they say will prevent so-called stealth attacks against networks. A stealth attack is one where the attacker acts remotely, is very hard to trace, and where the victim may not even know he was attacked. The researchers say this kind of attack is particularly easy to mount against a wireless network.

The so-called delayed password disclosure protocol was developed by Jakobsson and Steve Myers of Indiana University. The protocol allows two devices or network nodes to identify themselves to each other without ever divulging passwords. The protocol could help secure wireless networks against fraud and identity theft, and protect sensitive user data. The technique will be particularly useful in ad-hoc networks, where two or more devices or network nodes need to verify each others' identity simultaneously.

Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.

The researchers say that this will prevent consumers connecting to fake wireless hubs at airports, or in coffee shops. It could also be used to notify a user about phishing attacks, scam emails that try to trick a user into handing over their account details and passwords to faked sites, provide authentication between two wireless devices, and make it more difficult for criminals to launder money through large numbers of online bank accounts.

Jakobsson is hoping to have beta code available for Windows and Mac by the spring, and code for common mobile phone platforms later in 2005. More info available here (http://www.stealth-attacks.info).

-- 
R. A. Hettinga
The Internet Bearer Underwriting Corporation
http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
As Gonzo in Life as in His Work
http://www.opinionjournal.com/forms/printThis.html?id=110006325
OpinionJournal - LEISURE ARTS

As Gonzo in Life as in His Work
Hunter S. Thompson died as he lived.
BY TOM WOLFE
Tuesday, February 22, 2005 12:01 a.m.

Hunter S. Thompson was one of those rare writers who come as advertised. The Addams-family eyebrows in Stephen King's book jacket photos combined with the heeby-jeeby horrors of his stories always made me think of Dracula. When I finally met Mr. King, he was in Miami playing, along with Amy Tan, in a jook-house band called the Remainders. He was Sunshine itself, a laugh and a half, the very picture of innocent fun, a Count Dracula who in real life was Peter Pan. Carl Hiaasen, the genius who has written such zany antic novels as "Striptease," "Sick Puppy," and "Skinny Dip," is in person as intelligent, thoughtful, sober, courteous, even courtly, a Southern gentleman as you could ask for (and I ask for them all the time and never find them).

But the gonzo--Hunter's coinage--madness of Hunter Thompson's "Fear and Loathing in Las Vegas" (1971) and his Rolling Stone classics such as "The Kentucky Derby is Decadent and Depraved" (1970) was what you got in the flesh too. You didn't have lunch or dinner with Hunter Thompson. You attended an event at mealtime.

I had never met Hunter when the book that established him as a literary figure, "The Hell's Angels, a Strange and Terrible Saga," was published in 1967. It was brilliant investigative journalism of the hazardous sort, written in a style and a voice no one had ever seen or heard before. The book revealed that he had been present at a party for the Hell's Angels given by Ken Kesey and his hippie--at the time the term was not 'hippie' but 'acid-head'--commune, the Merry Pranksters. The party would be a key scene in a book I was writing ("The Electric Kool-Aid Acid Test").

I cold-called Hunter in California, and he generously gave me not only his recollections but also the audiotapes he had recorded at that first famous alliance of the hippies and outlaw motorcycle gangs, a strange and terrible saga in itself, culminating in the Rolling Stones band hiring the Angels as security guards for a concert in Altamont, Calif., and the security guards beating a spectator to death with pool cues.

By way of a thank you for his help, I invited Hunter to lunch the next time he was in New York. It was one bright spring day in 1969. He proved to be one of those tall, rawboned, rangy young men with alarmingly bright eyes, who more than any other sort of human, in my experience, are prone to manic explosions. Hunter didn't so much have a conversation with you as speak in explosive salvos of words on a related subject.

We were walking along West 46th Street toward a restaurant, The Brazilian Coffee House, when we passed Goldberg Marine Supply. Hunter stopped, ducked into the store and emerged holding a tiny brown paper bag. A sixth sense, probably activated by the alarming eyes and the six-inch rise and fall of his Adam's apple, told me not to ask what was inside. In the restaurant he kept it on top of the table as we ate. Finally, the fool in me became so curious, he had to go and ask, "What's in the bag, Hunter?"

"I've got something in there that would clear out this restaurant in 20 seconds," said Hunter. He began opening the bag. His eyes had rheostated up to 300 watts. "No, never mind," I said. "I believe you! Show me later!"

From the bag he produced what looked like a small travel-size can of shaving foam, uncapped the top and pressed down on it. There ensued the most violently brain-piercing sound I had ever heard. It didn't clear out The Brazilian Coffee House. It froze it. The place became so quiet, you could hear an old-fashioned timer clock ticking in the kitchen. Chunks of churrasco gaucho remained impaled on forks in mid-air. A bartender mixing a sidecar became a statue holding a shaker with both hands just below his chin. Hunter was slipping the little can back into the paper bag. It was a marine distress signaling device, audible for 20 miles over water.

The next time I saw Hunter was in June of 1976 at the Aspen Design Conference in Aspen, Colo. By now Hunter had bought a large farm near Aspen where he seemed to raise mainly vicious dogs and deadly weapons, such as the .357 magnum. He publicized them constantly as a warning to those, Hell's Angels presumably, who had been sending him death threats. I invited him to dinner at a swell restaurant in Aspen and a performance at the Big Tent, where the conference was held. My soon-to-be wife, Sheila, and I gave the waitress our dinner orders. Hunter ordered two banana daiquiris and two banana splits. Once he had finished them off, he summoned the waitress, looped his forefinger in the air and said, "Do it again." Without a moment's hesitation he downed his third and fourth banana daiquiris and his third and fourth banana splits, and departed with a glass of Wild Turkey bourbon in his hand. When we reached the tent, the
Re: I'll show you mine if you show me, er, mine
R.A. Hettinga [EMAIL PROTECTED] forwarded:

> Briefly, it works like this: point A transmits an encrypted message to
> point B. Point B can decrypt this, if it knows the password. The decrypted
> text is then sent back to point A, which can verify the decryption, and
> confirm that point B really does know point A's password. Point A then
> sends the password to point B to confirm that it really is point A, and
> knows its own password.

Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW.

Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks.

Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah.

(Either this is a really bad idea or the details have been mangled by the Register).

Peter.
Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables
> DWDM certainly makes it more complicated. Of course, that same technology
> allows them to send much more back. (Regarding the single OC-3 mentioned
> previously.)

Well, DISTANCE makes it more complicated first of all. You need undersea repeaters and/or OFAs in order to get traffic from most parts of the ocean back to land, and the NSA will in many cases not want nor be able to use the host service providers' OFAs. This would mean they'd have to install their own, and I doubt they're going to just plop on their own regeneration site on the outside of a civilian cable.

Hum. In some parts of the ocean they must almost certainly have their own cable and then couple stolen traffic into it. I'd bet there also must exist some mini-Echelons on some Islands somewhere (like Majorca or the Azores) where they do some grooming and listening.

-TD
Re: I'll show you mine if you show me, er, mine
--
On 24 Feb 2005 at 2:29, Peter Gutmann wrote:

> Isn't this a Crypto 101 mutual authentication mechanism (or at least a
> somewhat broken reinvention of such)? If the exchange to prove knowledge
> of the PW has already been performed, why does A need to send the PW to B
> in the last step? You either use timestamps to prove freshness or add an
> extra message to exchange a nonce and then there's no need to send the PW.
>
> Also in the above B is acting as an oracle for password-guessing attacks,
> so you don't send back the decrypted text but a recognisable-by-A encrypted
> response, or garbage if you can't decrypt it, taking care to take the same
> time whether you get a valid or invalid message to avoid timing attacks.
>
> Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb
> blah blah.
>
> (Either this is a really bad idea or the details have been mangled by the
> Register).

It is a badly bungled implementation of a really old idea. An idea, which however, was never implemented on a large scale, resulting in the mass use of phishing attacks.

Mutual authentication and password management should have been designed into SSH/PKI from the beginning, but instead they designed it to rely wholly on everyone registering themselves with a centralized authority, which of course failed. SSH/PKI is dead in the water, and causing a major crisis on internet transactions.

Needs fixing - needs to be fixed by implementing cryptographic procedures that are so old that they are in danger of being forgotten.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Dn3N69hcbr+mL/HUTw8OhGtKmD9rHYOMN4NTBkIY
47AOCXrb7e35xm5QBsHbFVr/jfm+XwTUvzdiytKpG
Re: I'll show you mine if you show me, er, mine
Markus Jakobsson is a really smart guy who's done some cool stuff, so I think this is probably better than it sounds in the article. His web site is http://www.informatics.indiana.edu/markus/ but I don't see any papers there that sound like what the article describes.

I tried to reverse engineer the protocol from the article, and the results are below. But first let me put this into context.

The security property seems to be that you send something to the server, and it sends you back something that proves that it knows your password. But neither a passive eavesdropper nor a MITM can learn anything about your password from observing or influencing the exchange. The best an attacker can do is to try to brute force your password by guessing it repeatedly and trying each guess out at the server. And this can be easily prevented by having the server refuse to answer more than a few bad password attempts.

Note that this is different from simple PK based authentication, because the secret is human memorizable. And it's different from, say, having the server respond with a keyed hash of your passphrase, because an eavesdropper could then do an offline brute force search. The key feature is that the only attack is online brute forcing.

There are already a lot of protocols in the literature which do this, often performing key agreement at the same time. The original one and most famous was SPEKE. There is a long list of such protocols at http://grouper.ieee.org/groups/1363/passwdPK/submissions.html. I don't know what properties this new protocol has that the old ones don't. Maybe it does have some and I am missing the point. Or there might be some patent issues that it is trying to work around.

Anyway, here's my attempt at mimicking the protocol, based on the description of envelopes and carbon paper.

You have a password, and so does the site you will login to. (Or, maybe the site has a salted hash of your password; you could use that instead.)

You set up a homomorphic encryption system. This is one where you can send an encrypted value to someone else, and he can do certain operations on the encrypted value, like multiplying it by a constant. In this case I think we only need to encrypt the value 1, and let the other guy multiply by his constant, which makes it simpler.

I think ElGamal could work: you encrypt 1 as (g^k, y^k), where you'd make up a key y = g^x on the spot. You send this to the other guy who picks a random power j and raises both elements to that power, then multiplies the 2nd one by c: (g^(k*j), y^(k*j) * c), and sends it back to you. This is now a valid ElGamal encryption of c. But an observer can't tell what c is.

For a first cut at this protocol, you take each bit of the password (or salted hash) and create two encryptions of m = 1. It would look like this:

    E(1) E(1) E(1) E(1) E(1) ...
    E(1) E(1) E(1) E(1) E(1) ...

You send all these to the server. The server knows your password (or salted hash) and, for each pair of encrypted values, multiplies the one corresponding to password bit b_i by some constant c_i. The other one of the pair, corresponding to !b_i, it multiplies by a random r_i. The server sets it up so that the sum of all the c_i is zero. Then it sends all of them back to you. If your passphrase started 01101... it would be:

    E(c_1) E(r_2) E(r_3) E(c_4) E(r_5) ...
    E(r_1) E(c_2) E(c_3) E(r_4) E(c_5) ...

Now, you decrypt just the ones corresponding to the bits b_i and add up the decrypted plaintexts, giving you sum of c_i. If the result is zero, you know the server knew your password (or salted hash).

Actually this is not quite right, because the article says that you are not supposed to be able to decrypt both ciphertext values in the pair that corresponds to a password bit. Otherwise an imposter might be able to figure out your passphrase by doing one interaction with the server, then finding an element from each pair such that they all sum to zero. This is kind of knapsacky and it might not be that hard, I'm not sure.

So I think what you could do is to send a valid ElGamal encryption of 1, and a bogus value which is not an ElGamal encryption of anything. But the remote party wants to be sure that you can't decrypt them both. One way to achieve this is to arrange that the first members of each pair, g^k in the good encryption, multiply to some fixed value F for which the discrete log is not known. Maybe it's the hash of I don't know if this will work. You can't know the DL of that hash, so you can't find two g^k values which multiply to that hash. That means that if you have a pair of ElGamal ciphertexts which have this property, only one is a real, valid ElGamal ciphertext and so only one is decryptable (I think!).

So you would send, in the example above:

    (g^k0, y^k0)    (F/g^k1, junk)  (F/g^k2, junk)  (g^k3, y^k3)    ...
    (F/g^k0, junk)  (g^k1, y^k1)    (g^k2, y^k2)    (F/g^k3, junk)  ...

When the server did
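An added example, not the poster's code and not the published protocol: a toy Python reconstruction of the pair-per-password-bit ElGamal exchange sketched above, including the F/g^k pairing check from the last paragraph. The group parameters (Z_p^* with p = 2^127 - 1 and g = 3), the salted-hash-to-bits step, and the encoding c_i = g^(s_i) with the s_i summing to zero (so the decrypted values multiply to 1, the multiplicative form of the post's "sum to zero") are assumptions made here.

```python
import hashlib
import secrets

# Toy group for demonstration: Z_p^* with p the Mersenne prime 2^127 - 1
# and generator 3; exponents live mod p - 1. A deployment would use a
# vetted prime-order group; the algebra below is what the post sketches.
P = 2 ** 127 - 1
G = 3
# F: a fixed group element obtained by hashing, so nobody knows log_g(F).
F = int.from_bytes(hashlib.sha256(b"constructed nothing-up-my-sleeve").digest(), "big") % P


def inv(a: int) -> int:
    """Multiplicative inverse mod P (P is prime, so Fermat's theorem works)."""
    return pow(a, P - 2, P)


def password_bits(password: str, salt: bytes, nbits: int = 32) -> list[int]:
    """Both sides derive the same bit string from the salted password hash."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(nbits)]


def client_commit(bits: list[int]):
    """Step 1 (client): one pair per password bit. The slot selected by the
    bit holds a real ElGamal encryption of 1; the other slot is junk whose
    first component is F/g^k, so the two first components multiply to F
    and the client can open at most one slot per pair."""
    x = secrets.randbelow(P - 2) + 1             # fresh ElGamal private key
    y = pow(G, x, P)                             # public key made up on the spot
    pairs = []
    for b in bits:
        k = secrets.randbelow(P - 2) + 1
        real = (pow(G, k, P), pow(y, k, P))      # E_y(1) = (g^k, y^k * 1)
        junk = (F * inv(real[0]) % P, secrets.randbelow(P - 1) + 1)
        pairs.append((real, junk) if b == 0 else (junk, real))
    return {"x": x, "bits": bits}, pairs


def reencrypt(ct, j: int, m: int):
    """(g^k, y^k) -> (g^(kj), y^(kj) * m): a fresh-looking encryption of m."""
    return (pow(ct[0], j, P), pow(ct[1], j, P) * m % P)


def server_respond(pairs, bits: list[int]):
    """Step 2 (server): check the F constraint on every pair, then re-randomise
    each ciphertext; the slot matching the SERVER's bit gets c_i = g^(s_i)
    with the s_i summing to zero, the other slot gets a random mask r_i."""
    s = [secrets.randbelow(P - 1) for _ in pairs[:-1]]
    s.append((-sum(s)) % (P - 1))                # forces prod c_i = g^0 = 1
    out = []
    for pair, b, s_i in zip(pairs, bits, s):
        if pair[0][0] * pair[1][0] % P != F:
            raise ValueError("pair first components do not multiply to F")
        j = secrets.randbelow(P - 2) + 1
        c_i = pow(G, s_i, P)
        r_i = pow(G, secrets.randbelow(P - 1), P)
        m0, m1 = (c_i, r_i) if b == 0 else (r_i, c_i)
        out.append((reencrypt(pair[0], j, m0), reencrypt(pair[1], j, m1)))
    return out


def client_verify(state, response) -> bool:
    """Step 3 (client): open only the slots it holds the key for, multiply the
    plaintexts, and accept iff the product is 1 (the server hit every bit)."""
    prod = 1
    for pair, b in zip(response, state["bits"]):
        c1, c2 = pair[b]
        prod = prod * c2 * inv(pow(c1, state["x"], P)) % P
    return prod == 1


def run(client_password: str, server_password: str, salt: bytes = b"constructed salt") -> bool:
    """Full exchange; the password itself never crosses the wire."""
    state, pairs = client_commit(password_bits(client_password, salt))
    response = server_respond(pairs, password_bits(server_password, salt))
    return client_verify(state, response)


def impostor_rejected(nbits: int = 8) -> bool:
    """First-cut weakness from the post: a party sending two REAL E(1) values
    per pair could open both and search for a zero-sum selection. With the
    F constraint the server refuses such pairs before answering anything."""
    x = secrets.randbelow(P - 2) + 1
    y = pow(G, x, P)
    pairs = []
    for _ in range(nbits):
        k0, k1 = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        pairs.append(((pow(G, k0, P), pow(y, k0, P)), (pow(G, k1, P), pow(y, k1, P))))
    try:
        server_respond(pairs, [0] * nbits)
    except ValueError:
        return True
    return False
```

An eavesdropper sees only ElGamal ciphertexts and masked values, and a wrong guess can only be tested by running the exchange against the server, which is the online-guessing-only property the post describes.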
Re: SHA-1 results available
* Jack Lloyd:
> http://theory.csail.mit.edu/~yiqun/shanote.pdf

Thanks for the pointer. No real details, just collisions for 80 round SHA-0 (which I just confirmed) and 58 round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1. As usual, "Technical details will be provided in a forthcoming paper." I'm not holding my breath.

In addition, there's no trace of the second-preimage attack some persons recently alluded to.
Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables
No! Undersea? Do you take a copy of EVERYTHING and send it back? That might have been more feasible in the old days, but when a single fiber can run 64 wavelength optically amplified 10 Gig traffic, I really really doubt it. Or at least, this would require an undertaking large enough that I doubt they could hide it.

If they select some traffic then we have to ask, how do they select the traffic? Even there the mind boggles thinking about the kinds of gear necessary.

I suspect it's a combination of all sorts of stuff...remember too that all that traffic has to land somewhere, so theoretically they can access a good deal of it terrestrially. What you might see, therefore, is a sheath coming out of, say Iran, is tapped for fibers that proceed on to other unfriendly nations, and a copy of the traffic pulled back to some nearby land-based station in a friendly country (so that lots of amplifiers aren't needed).

I'd bet you do see the occasional Variola suitcase, though, requiring a sub visit once in a while. But I bet they avoid this kind of thing as much as possible, given the traffic volumes.

-TD

> From: Matt Crawford [EMAIL PROTECTED]
> To: crypto cryptography@metzdowd.com
> CC: osint@yahoogroups.com, [EMAIL PROTECTED]
> Subject: Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables
> Date: Tue, 22 Feb 2005 12:33:56 -0600
>
> On Feb 18, 2005, at 19:47, R.A. Hettinga wrote:
>> It does continue to be something of a puzzle as to how they get this
>> stuff back to home base, said John Pike, a military expert at
>> GlobalSecurity.org.
>
> I should think that in many cases, they can simply lease a fiber in the
> same cable. What could be simpler?
Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables
On Tue, 22 Feb 2005 17:01:05 -0500, Tyler Durden [EMAIL PROTECTED] wrote:

...
> Do you take a copy of EVERYTHING and send it back? That might have been
> more feasible in the old days, but when a single fiber can run 64
> wavelength optically amplified 10 Gig traffic, I really really doubt it.
> Or at least, this would require an undertaking large enough that I doubt
> they could hide it.

DWDM certainly makes it more complicated. Of course, that same technology allows them to send much more back. (Regarding the single OC-3 mentioned previously.)

How they process and return the information is indeed the BIG SECRET. The old USSR taps used pods attached to the cables for recording and were serviced periodically to pick up the collected data.

See also: http://cryptome.org/nsa-fibertap.htm

...
> I suspect it's a combination of all sorts of stuff...remember too that all
> that traffic has to land somewhere, so theoretically they can access a
> good deal of it terrestrially.

If you look at the landing sites for various oceanic fiber cables you will see that a great many of them are on friendly territory. You can be sure that these lines are tapped. (Which brings up the issue someone else mentioned a while ago. We make a big deal about ECHELON monitoring satellites, yet no one really cares about the tapping of landing sites that carry many times more information? Silly humans)

I presume the fiber tapping submarine is interested mainly in those cables which don't land on friendly territory or the sections landed between unfriendly sites. (E.g. not all data goes through all sites)

> What you might see, therefore, is a sheath coming out of, say Iran, is
> tapped for fibers that proceed on to other unfriendly nations, and a copy
> of the traffic pulled back to some nearby land-based station in a friendly
> country (so that lots of amplifiers aren't needed).

This would be a reasonable assumption. But so would a number of other possible techniques. The great mystery continues...

Best regards,