Cryptography and Encryption Blog

Re: [p2p-hackers] convergent encryption reconsidered

On Mar 30, 2008, at 3:12 PM, Leichter, Jerry wrote:
> How would that help?

Unless I'm misunderstanding Zooko's writeup, he's worried about an
attacker going from a partially-known plaintext (e.g. a form bank
letter) to a completely-known plaintext by repeating the following
process:

1. take partially known plaintext
2. make a guess, randomly or more intelligently where possible,
about the unknown parts
3. take the current integrated partial+guessed plaintext, hash
to obtain convergence key
4. verify whether that key exists in the storage index
5. if yes, you've found the full plaintext. if not, repeat from '2'.

That's a brute force search. If your convergence key, instead of being
a simple file hash, is obtained through a deterministic but
computationally expensive function such as PBKDF2 (or the OpenBSD
bcrypt, etc), then step 3 makes an exhaustive search prohibitive in
most cases while not interfering with normal filesystem operation.
What am I missing?

Cheers,


Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

———————————————————————
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Written by Saqib Ali

March 30, 2008 at 9:13 pm

Re: [p2p-hackers] convergent encryption reconsidered

| > They extended the confirmation-of-a-file attack into the
| > learn-partial-information attack. In this new attack, the
| > attacker learns some information from the file. This is done by
| > trying possible values for unknown parts of a file and then
| > checking whether the result matches the observed ciphertext.
|
| How is this conceptually different from classic dictionary attacks,
| and why does e.g. running the file through PBKDF2 and using the result
| for convergence not address your concern(s)?
How would that help?

Both the ability of convergent encryption to eliminate duplicates,
and this attack, depend on there being a deterministic algorithm
that computes a key from the file contents. Sure, if you use a
different salt for each file, the attack goes away – but so does
the de-duplication. If you don't care about de-duplication, there
are simpler, cheaper ways to choose a key.
– Jerry

| –
| Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

Written by Saqib Ali

March 30, 2008 at 7:12 pm
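
Added example, not code from either post or from Tahoe: it puts Ivan Krstić's PBKDF2 proposal and Jerry Leichter's point about salts side by side, showing which key derivations keep de-duplication and what one derivation costs. The iteration count, the system-wide salt, the storage-index layout and the sample letter are assumptions constructed for illustration.

```python
import hashlib
import os
import time

# Assumed parameters for this example; neither value comes from the thread.
ITERATIONS = 50_000
SYSTEM_SALT = b"constructed-system-wide-salt"
LETTER = b"Dear customer, your PIN is 4821."  # constructed sample file


def key_plain(plaintext: bytes) -> bytes:
    """Convergence key as a simple file hash."""
    return hashlib.sha256(plaintext).digest()


def key_stretched(plaintext: bytes, salt: bytes = SYSTEM_SALT) -> bytes:
    """Convergence key via PBKDF2 with a fixed salt: deterministic but costly."""
    return hashlib.pbkdf2_hmac("sha256", plaintext, salt, ITERATIONS)


def key_per_file_salt(plaintext: bytes) -> bytes:
    """PBKDF2 with a fresh random salt per file, the variant Jerry describes."""
    return key_stretched(plaintext, salt=os.urandom(16))


def storage_index(key: bytes) -> str:
    """Public lookup value derived from the key (hypothetical layout)."""
    return hashlib.sha256(b"storage-index:" + key).hexdigest()


class Store:
    """Toy content-addressed store holding one entry per storage index."""

    def __init__(self):
        self.index = set()

    def put(self, key: bytes) -> bool:
        """Record an upload; return True if the index was already present."""
        idx = storage_index(key)
        duplicate = idx in self.index
        self.index.add(idx)
        return duplicate


def second_upload_dedups(derive) -> bool:
    """Upload the same file twice and report whether the second one de-duplicated."""
    store = Store()
    store.put(derive(LETTER))
    return store.put(derive(LETTER))


def seconds_per_key(derive, rounds: int = 5) -> float:
    """Average wall-clock time of one key derivation."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive(LETTER)
    return (time.perf_counter() - start) / rounds


def search_seconds(derive, candidates: int) -> float:
    """Time needed to derive a key for every candidate value of an unknown field."""
    return seconds_per_key(derive) * candidates


if __name__ == "__main__":
    for name, fn in (("plain hash", key_plain), ("PBKDF2, fixed salt", key_stretched),
                     ("PBKDF2, per-file salt", key_per_file_salt)):
        print(f"{name:22} de-duplicates: {second_upload_dedups(fn)}")
    for name, fn in (("plain hash", key_plain), ("PBKDF2, fixed salt", key_stretched)):
        print(f"{name:22} 10,000 candidates: {search_seconds(fn, 10_000):.2f} s")
```

The stretching multiplies the cost of each derivation by a constant, while the number of candidates is set by the entropy of the unknown part of the file. The same per-derivation cost is also paid by every legitimate upload.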

Re: [p2p-hackers] convergent encryption reconsidered

On Mar 20, 2008, at 3:42 PM, zooko wrote:
> They extended the confirmation-of-a-file attack into the
> learn-partial-information attack. In this new attack, the
> attacker learns some information from the file. This is done by
> trying possible values for unknown parts of a file and then
> checking whether the result matches the observed ciphertext.

How is this conceptually different from classic dictionary attacks,
and why does e.g. running the file through PBKDF2 and using the result
for convergence not address your concern(s)?


Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

Written by Saqib Ali

March 30, 2008 at 9:17 am

Re: presentations about encrypted storage

On Mar 28, 2008, at 5:48 PM, travis+ml-cryptography@subspacefield.org
wrote:
> I've got two presentations I've given on encrypted storage
> technologies

On a similar note, list readers might enjoy the detailed writeup of
Tahoe, the secure distributed erasure-coded filesystem built by Zooko
and the folks at allmydata.org:

<http://allmydata.org/~warner/pycon-tahoe.html>

Perry forwarded the Tahoe 0.9 announcement to the list, but it didn't
include a link to this writeup, which might not have existed at the
time. As an unrelated bonus and since it doesn't merit a separate
post, here's a (well-sung!) crypto take on Harry Belafonte's Banana
Boat Song:

<http://www.catonmat.net/blog/musical-geek-friday-crypto/>

Cheers,


Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

Written by Saqib Ali

March 29, 2008 at 9:46 pm

Re: [FDE] Paula Parker’s, Detective Inspector of Merseyside

Hi Bernard,

Without beating a dead horse or dissecting a frog twice, I think
your answer covers most issues. No system is perfect, but it
seems like a fair amount of thought went into this. With luck
this will be reviewed from time to time to adjust it to changing
threat models and newer technology.

Sorry if I misread what was intended as a joke to be something
serious, but it is often that a throwaway line reveals not so
obvious truths. As a result I have learned to ask about
potentially questionable comments.

Now, to move totally away from your comments, it's too bad we
can't get roughly the same type of rational response as yours to
the 50,000 plus pages of code and private letters the IRS holds.

Thank you for the prompt, cogent and revealing response.

Allen

Owens Bernard B wrote:
> — Allen <netsecurity@sound-by-design.com> wrote:
>
>> Hi Bernard,
>>
>> Based on your posts I'm sure that you are an honorable person;
>> however, it concerns me when you say, "They don't care enough to be
>> torture-proof."
>>
>> To me this could result in events like are occurring at the US State
>> Department Passport office where people are pawing through files and
>> records they have no legitimate business reading.
>>
>> I'm not in favor of excessive secrecy as that is to the detriment of
>> society as a whole, I think. I do think that people will take and blow
>> rumors up all out of proportion to the reality behind them and that
>> correcting the record can be real tough to almost impossible.
>>
>> My question to you is, are these agents ethical enough to prevent this
>> kind of disinformation from damaging the citizenry?
>
> Interesting. The line in question was, essentially, tossed off as a
> humorous observation on our privacy priorities. I need to be careful
> about that considering how easily such statements can be misinterpreted.
>
> I don't know who said that analyzing humor was like dissecting a frog
> (no one enjoys it and the frog dies) but I guess it's time for me to
> break out the scalpel.
>
> Our Agents, Officers, Special Agents and others who do field work or are
> trusted with sensitive data are taught certain priorities within an
> ethical framework. The notion that someone would torture one of our
> people to get at the information on their laptop is mostly ridiculous
> but if it did happen, I would expect them to immediately reveal their
> passwords. Our Officers endure the highest level of day-to-day danger;
> when I did that job, I was attacked more than once. They are taught
> that their life is worth more than their "stuff." An Officer's
> Commission (their ID), for example, is a powerful little thing in many
> circumstances. Yet if we get mugged while in the field, we are to give
> it up with no hesitation. Our ethics, as reinforced in extensive
> training, hold that the life or safety of an employee is worth far more
> than their ID, their equipment, or even the information on their
> computer. If it's a choice between being tortured or giving up their
> passwords, we expect them to start talking. Many resources will
> subsequently be devoted to finding and prosecuting the perpetrators.
>
> So, as a matter of policy, our employees are not *supposed* to care
> enough to be torture proof. Our employees are more important than our
> information.
>
> Now, moving from the nearly-unthinkably silly (I say "nearly" because we
> do have some on-point training and policies for employees who travel to
> certain parts of the world) to the day-to-day, I want to make it clear
> that the "not caring enough" attitude that is appropriate when faced
> with torture does not apply when it comes to day-to-day data security.
>
> In fact, our people are held to very high standards. The case you cite
> of pawing through passport records is a great example. That sort of
> thing is very unlikely at the IRS. We do ongoing data matching on our
> people and their accesses to computerized records. Any access to an
> IDRS (Integrated Data Retrieval System) record is run across the
> personal profile of the employee to find matches or patterns of unusual
> accesses. If an employee, for example, accesses the files of a neighbor
> (even someone they don't know in any way), an investigation is
> automatically triggered. Geographic data is part of the data matching
> used to make sure unauthorized accesses do not happen. Additional
> matching, against things like family members, assigned casework, etc.,
> is also done. Employees just don't look at tax records unless they need
> them to do a job.
>
> As the prominence of customers goes up, so do the precautions. The
> files of famous people are flagged and accesses are not just screened
> but reviewed by a case worker. At the very top, if, pursuant to an
> audit, you have occasion to handle the tax returns of a President, past
> or present, you can expect to have a very intimidating Special Agent
> with the Secret Service standing next to you the whole time. There will
> also be a Special Agent with the IRS next to you (and probably a small
> squad of others somewhere nearby, drinking coffee and waiting to move on
> to the next processing point.) Literally, if you turn a page and read
> something you don't need to do your job, you'll be instantly arrested.
>
> Yes, I know this from first-hand experience.
>
> Our track record for ethical treatment of taxpayer records was,
> admittedly, forced on us. Without going into too much detail, President
> Nixon severely misused the agency for nefarious purposes. As a result,
> Congress passed a number of oversight measures. Our data security is
> certainly not perfect but considering our size and the sensitivity of
> our data, we are well out in front on these issues. We had about a
> 20-year head start compared to most organizations and are *far* more
> sensitive to privacy and security issues than most people realize. The
> way Congress beat up on us, post-Nixon, put us on a path toward the
> practical respect of private citizen data a very long time ago; today,
> we view being put on that path so early as a blessing.
>
> From a technical perspective, a number of practical procedural and
> technical solutions are in place. All laptops (technically, all
> computers that leave IRS-controlled space) are encrypted unless they are
> going to a jurisdiction where importing encryption is illegal. All
> removable media (CDs, USB keys, even floppies) are encrypted for people
> in identified user groups; that will apply to everyone, by default, in
> the near future. All desktop workstations will be fully encrypted by
> this summer. Data on paper is kept very secure. There is a culture of
> data protection here that leads people to, for example, automatically
> turn documents face down when you walk up to their desk. Nobody makes a
> big deal about it; it's just the way we work.
>
> Of course we're not perfect. We've hired extensively over the last few
> years and some of the kids we've hired didn't "get it" quite quickly
> enough. Some unauthorized accesses have happened and there's been an
> uptick in people fired for that reason. That doesn't concern me; it
> actually means we're finding the people who screw up.
>
> Over the course of my career, I've seen about a person a decade
> perp-walked out of a building in handcuffs for selling data. It's rare
> enough that it sticks in the memory. It's certainly not common.
>
> So, to address your specific question (and I'm not perfectly sure I
> understood the question, so I apologize in advance if I've
> misinterpreted) – No, I don't think what I said is fodder for any
> rumors. I don't accept that it qualifies as disinformation because we
> certainly don't expect our people to hold their passwords secure in the
> face of torture. We do expect them to be ethical enough to protect
> sensitive data adequately and consistently in accordance with policy;
> that expectation is rarely wrong. When it is, harsh penalties are
> imposed and everything that contributed to the lapse (training,
> technology, procedures, everything) is examined under a microscope and
> changes, if needed, are made.
>
> Actually, I'm pretty proud of our record and our dedication to data
> security.
>
> Is the frog dead yet?
>
> Bernard Owens
> USTreas/IRS
>
> _______________________________________________
> FDE mailing list
> FDE@www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde
>

Written by Saqib Ali

March 29, 2008 at 7:03 pm

Re: [FDE] Paula Parker’s, Detective Inspector of Merseyside

— Allen <netsecurity@sound-by-design.com> wrote:

> Hi Bernard,
>
> Based on your posts I'm sure that you are an honorable person;
> however, it concerns me when you say, "They don't care enough to be
> torture-proof."
>
> To me this could result in events like are occurring at the US State
> Department Passport office where people are pawing through files and
> records they have no legitimate business reading.
>
> I'm not in favor of excessive secrecy as that is to the detriment of
> society as a whole, I think. I do think that people will take and blow
> rumors up all out of proportion to the reality behind them and that
> correcting the record can be real tough to almost impossible.
>
> My question to you is, are these agents ethical enough to prevent this
> kind of disinformation from damaging the citizenry?

Interesting. The line in question was, essentially, tossed off as a
humorous observation on our privacy priorities. I need to be careful
about that considering how easily such statements can be misinterpreted.

I don't know who said that analyzing humor was like dissecting a frog
(no one enjoys it and the frog dies) but I guess it's time for me to
break out the scalpel.

Our Agents, Officers, Special Agents and others who do field work or are
trusted with sensitive data are taught certain priorities within an
ethical framework. The notion that someone would torture one of our
people to get at the information on their laptop is mostly ridiculous
but if it did happen, I would expect them to immediately reveal their
passwords. Our Officers endure the highest level of day-to-day danger;
when I did that job, I was attacked more than once. They are taught
that their life is worth more than their "stuff." An Officer's
Commission (their ID), for example, is a powerful little thing in many
circumstances. Yet if we get mugged while in the field, we are to give
it up with no hesitation. Our ethics, as reinforced in extensive
training, hold that the life or safety of an employee is worth far more
than their ID, their equipment, or even the information on their
computer. If it's a choice between being tortured or giving up their
passwords, we expect them to start talking. Many resources will
subsequently be devoted to finding and prosecuting the perpetrators.

So, as a matter of policy, our employees are not *supposed* to care
enough to be torture proof. Our employees are more important than our
information.

Now, moving from the nearly-unthinkably silly (I say "nearly" because we
do have some on-point training and policies for employees who travel to
certain parts of the world) to the day-to-day, I want to make it clear
that the "not caring enough" attitude that is appropriate when faced
with torture does not apply when it comes to day-to-day data security.

In fact, our people are held to very high standards. The case you cite
of pawing through passport records is a great example. That sort of
thing is very unlikely at the IRS. We do ongoing data matching on our
people and their accesses to computerized records. Any access to an
IDRS (Integrated Data Retrieval System) record is run across the
personal profile of the employee to find matches or patterns of unusual
accesses. If an employee, for example, accesses the files of a neighbor
(even someone they don't know in any way), an investigation is
automatically triggered. Geographic data is part of the data matching
used to make sure unauthorized accesses do not happen. Additional
matching, against things like family members, assigned casework, etc.,
is also done. Employees just don't look at tax records unless they need
them to do a job.

As the prominence of customers goes up, so do the precautions. The
files of famous people are flagged and accesses are not just screened
but reviewed by a case worker. At the very top, if, pursuant to an
audit, you have occasion to handle the tax returns of a President, past
or present, you can expect to have a very intimidating Special Agent
with the Secret Service standing next to you the whole time. There will
also be a Special Agent with the IRS next to you (and probably a small
squad of others somewhere nearby, drinking coffee and waiting to move on
to the next processing point.) Literally, if you turn a page and read
something you don't need to do your job, you'll be instantly arrested.

Yes, I know this from first-hand experience.

Our track record for ethical treatment of taxpayer records was,
admittedly, forced on us. Without going into too much detail, President
Nixon severely misused the agency for nefarious purposes. As a result,
Congress passed a number of oversight measures. Our data security is
certainly not perfect but considering our size and the sensitivity of
our data, we are well out in front on these issues. We had about a
20-year head start compared to most organizations and are *far* more
sensitive to privacy and security issues than most people realize. The
way Congress beat up on us, post-Nixon, put us on a path toward the
practical respect of private citizen data a very long time ago; today,
we view being put on that path so early as a blessing.

From a technical perspective, a number of practical procedural and
technical solutions are in place. All laptops (technically, all
computers that leave IRS-controlled space) are encrypted unless they are
going to a jurisdiction where importing encryption is illegal. All
removable media (CDs, USB keys, even floppies) are encrypted for people
in identified user groups; that will apply to everyone, by default, in
the near future. All desktop workstations will be fully encrypted by
this summer. Data on paper is kept very secure. There is a culture of
data protection here that leads people to, for example, automatically
turn documents face down when you walk up to their desk. Nobody makes a
big deal about it; it's just the way we work.

Of course we're not perfect. We've hired extensively over the last few
years and some of the kids we've hired didn't "get it" quite quickly
enough. Some unauthorized accesses have happened and there's been an
uptick in people fired for that reason. That doesn't concern me; it
actually means we're finding the people who screw up.

Over the course of my career, I've seen about a person a decade
perp-walked out of a building in handcuffs for selling data. It's rare
enough that it sticks in the memory. It's certainly not common.

So, to address your specific question (and I'm not perfectly sure I
understood the question, so I apologize in advance if I've
misinterpreted) – No, I don't think what I said is fodder for any
rumors. I don't accept that it qualifies as disinformation because we
certainly don't expect our people to hold their passwords secure in the
face of torture. We do expect them to be ethical enough to protect
sensitive data adequately and consistently in accordance with policy;
that expectation is rarely wrong. When it is, harsh penalties are
imposed and everything that contributed to the lapse (training,
technology, procedures, everything) is examined under a microscope and
changes, if needed, are made.

Actually, I'm pretty proud of our record and our dedication to data
security.

Is the frog dead yet?

Bernard Owens
USTreas/IRS

Written by Saqib Ali

March 29, 2008 at 4:49 pm

NSA declassified histories, cryptographic quarterly articles, online

The NSA has been declassifying some interesting material of late:

http://www.nsa.gov/public/cryptologic_histories.cfm

http://www.nsa.gov/public/cryptologicquarterly.cfm


Perry E. Metzger perry@piermont.com

Written by Saqib Ali

March 29, 2008 at 4:40 pm

Re: [FDE] Wells Fargo to Personal Online Safe

I’m sorry, I somehow missed this email earlier (and it’s taken me a few tries to get subscribed to the mailing list).

If you’re interested in Host-Proof Hosting, we recently published a (simplistic) primer on our blog here: http://passpack.wordpress.com/2008/03/10/host-proof-hosting/

In a nutshell – the pass phrase should never be sent to the server, and all data should be encrypted on the client before ever going over the wire.

On certified Host-Proof Hosting… I don’t think that exists actually. It’s only been since late 2006 that the pattern was made practical (though theorized much earlier). There are very few companies that have begun to use it yet. That said – can you think of any companies that you would trust to implement such a certification?

Tara Kelly

Ali, Saqib wrote:

> > * even though you sent them the pass phrase
>
> That is the key thing. With host-proof hosting, you never send the pass phrase to the hosting server. Your pass phrase remains on your client computer.
>
> Maybe Ms. Kelly (whom I have copied on this email) can elaborate more on the topic of host-proof hosting pattern. Her company (www.passpack.com) has successfully implemented this pattern.
>
> On 3/20/08, Crispin Cowan <crispin@crispincowan.com> wrote:
> > Ali, Saqib wrote:
> > > Wells Fargo to Personal Online Safe for storing electronic copies of
> > > important materials, such as financial statements, loan and tax
> > > documents, wills, passports, and birth, marriage and death
> > > certificates:
> > > https://www.wellsfargo.com/press/2008/20080319_Online_Safe
> >
> > Ok, that sounds like a bad idea.
> >
> > > Note: The only way I will feel safe about this service is that Wells
> > > Fargo uses Host-Proof Hosting patterns[1], and PROVE (i.e. get
> > > certified) that host-proof hosting pattern is implemented properly and
> > > securely. Until then I will store these documents on an encrypted drive
> > > that I have control over.
> > >
> > > 1. http://en.wikipedia.org/wiki/Host-proof_hosting
> >
> > This *also* sounds like a really bad idea. You trust the host to:
> >
> >     * not persist the clear text data
> >     * not persist the passphrase
> >     * not persist the decryption key
> >     * even though you sent them the pass phrase
> >
> > Never mind that lots of web sites have been caught trousers down
> > retaining the extra 3-digit security codes from credit cards, never mind
> > that they aren't supposed to retain that either.
> >
> > Crispin

Written by Saqib Ali

March 29, 2008 at 2:53 pm

Re: [FDE] USB device that can send keystrokes?

> So you need a device that registers as a HID (keyboard) and
> automatically starts sending keystrokes (any key or special key
> sequences?) without running any app on the "guest" system?!

yup exactly.

i wonder why no one has created such a device. it should be fairly
easy to create something like this. The keyboard is recognized at the
boot time (BIOS and boot-loader level), so no additional keyboard
drivers are required to be loaded.

Written by Saqib Ali

March 28, 2008 at 11:45 pm

presentations about encrypted storage

I've got two presentations I've given on encrypted storage technologies here:

http://www.subspacefield.org/security/

There's also a book I'm writing, if anyone is interested.

https://www.subspacefield.org/~travis/
I need a better strategy for being less analytical.
For a good time on my email blacklist, email john@subspacefield.org.

Written by Saqib Ali

March 28, 2008 at 9:48 pm
