CyptoBlog

Encryption, Information Theory and Codes

Another review for the AMS

Posted by Mario on May 23, 2008

Here is my review of an article on a new zero knowledge identification protocol.

Posted in AMS, Authentication, Mathematical Reviews | No Comments »

Attacks on Quantum Cryptography

Posted by Mario on May 8, 2008

As recently reported in an IEEE On-line magazine, practical implementations of quantum cryptographic systems are exposed to attack. The weakness arises from the need to authenticate the communicating parties. The laws of physics determine that the proverbial eavesdropper Eve will reveal her presence when snooping on a quantum channel.
However, to avoid a trivial man-in-the-middle attack, quantum encryption protocols need to exchange information over a classical channel for authentication purposes. Authentication over a classical channel is subject to classical attacks targeting the weaknesses of the underlying protocol.
My two comments on this:
Authentication is still ‘the’ problem for many cryptographic systems; and
Prof. Lomonaco’s dictum* is also applicable to quantum encryption.

[*] To be able to communicate in secret one must first communicate in secret

related post

Posted in Authentication, Quantum Cryptography, Technology, in the News | 3 Comments »

Technology security firm sounds alarm over VoIP phone vulnerabilities

Posted by Mario on April 10, 2008

Is this the next thing to worry about?


Technology security firm sounds alarm over VoIP phone vulnerabilities

National Post
08 Apr 2008

The latest telephone systems that rely on the Internet to make calls are easily breached by hackers and the bad guys are just beginning to attack, an Ottawa technology security firm says. More than 100 vulnerabilities have been found in VoIP (voice…

Posted in Security, Technology, in the News | No Comments »

Information theory goes to Hollywood.

Posted by Mario on April 5, 2008

My colleague Aiden Bruen sent me an e-mail comment on a recent news article (“Burning down the house” Globe and Mail, March 8, 08) concerning the newly released movie 21.
He says:

[the article] is somewhat misleading, as is the plot of the movie.
Counting cards in blackjack goes way back to a paper entitled “Fortune’s Formula: a winning strategy for blackjack” presented by mathematician Ed Thorp in January 1961. The paper explained how card-counting improves the odds and how much should be bet. Many backers offered to finance Thorp who went to Reno to try out the system during Spring Break at MIT in 1961. The system worked perfectly. Eventually however, Thorp and his associates would be asked to leave. Most casinos then also adopted the “professor stopper” which allowed dealers to shuffle multiple decks together, thereby sharply reducing the edge afforded by “card counting”. Details are nicely described in the book by W. Poundstone.
The mathematics is based on the work of the great Claude Shannon on information theory [see our book]. The ideas, fundamental in communications, are still used prominently in finance and gambling using the so-called Kelly formula.

A quick search on the internet turned up this other article (“Getting a hand”) and many references to the Four Horsemen, who were pioneers in devising an optimal strategy for beating Blackjack. Their insights were later formalized and corrected by Edward Thorp in his book “Beat the Dealer”. John Kelly made an important contribution to the information-theoretical aspects of the optimal betting strategy problem.

Posted in Information Theory, in the News | 1 Comment »

2007, good year for Moore’s Law

Posted by Mario on March 27, 2008

IBM ended a brilliant 2007 with the news about a silicon Mach-Zehnder electro-optic modulator, the smallest electro-optic modulator yet, that will allow the connection of multiple processing cores inside a chip by using beams of light instead of wires. This will certainly help to extend the longevity of Moore’s Law, and IBM knows it:

IBM’s pioneering work to move the industry from aluminum to copper wiring, unveiled in 1997, gave the industry an immediate 35 percent reduction in electron flow resistance and a 15 percent boost in chip performance.

Since then, IBM scientists have continued to drive performance improvements to continue the path of Moore’s Law. And in 2007 alone, IBM announced:

High-k metal gates (January 2007): a solution to one of the industry’s most vexing problems — transistors that leak current. By using new materials IBM will create chips with “high-k metal gates” that will enable products with better performance that are both smaller and more power efficient.

eDRAM (February 2007) - By replacing SRAM with an innovative new type of speedy DRAM on a microprocessor chip, IBM will be able to more than triple the amount of embedded memory and boost performance significantly.

3-D Chip Stacking (April 2007) - IBM announces the creation of three-dimensional chips using “through-silicon vias,” allowing semiconductors to be stacked vertically instead of being placed near each other horizontally. This cuts the length of critical circuit pathways by up to 1,000 times.

Airgap (May 2007) - Using a “self assembly” nanotechnology IBM has created a vacuum between the miles of wire inside a Power Architecture microprocessor reducing unwanted capacitance and improving both performance and power efficiency.

Ditto

Posted in Technology | No Comments »

One Time Pads

Posted by Mario on March 7, 2008

There is a certain fascination with the One Time Pad (or Vernam cipher) among people interested in cryptography.
One of the reasons is the famous fact that it is the only provably secure cipher. Shannon’s theoretical insight cemented the fame of the OTP as the only truly unbreakable cipher. For those who don’t already know how it works and why it is unbreakable, the following links will give a very good intro:

Dirk Rijmenants’ website, “A one-time pad isn’t a cryptosystem: it’s a state of mind” and, of course, the entry at Wikipedia.

Another reason is the spy-vs-spy aspect of the OTP. The NSA’s VENONA pages abound in details about the successful deciphering of many KGB documents enciphered with OTPs between 1942 and 1980. The KGB’s cryptographic material manufacturing center apparently reused some of the pages from one-time pads, breaking one of the fundamental rules of the OTP: use the random material only once.
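Why the "use it only once" rule matters, as an added example that is not part of the original post: when one pad page encrypts two messages the page cancels out of the XOR of the two ciphertexts, whereas a single-use page leaves every same-length plaintext equally possible. The messages, the `PadBook` class and all function names are constructed for this illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (Vernam encrypt/decrypt)."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

class PadBook:
    """Hypothetical pad book: each page is handed out once, then destroyed."""
    def __init__(self, pages: int, page_len: int):
        self._pages = {i: secrets.token_bytes(page_len) for i in range(pages)}

    def take(self, page_no: int) -> bytes:
        # pop() removes the page, so a second request for it fails loudly
        try:
            return self._pages.pop(page_no)
        except KeyError:
            raise RuntimeError(f"pad page {page_no} already used") from None

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """(p1 ^ k) ^ (p2 ^ k) = p1 ^ p2: a reused page cancels out entirely."""
    return xor_bytes(c1, c2)

def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """For a single-use page, every same-length candidate plaintext has a
    pad that explains the ciphertext, so the ciphertext rules nothing out."""
    return xor_bytes(ciphertext, candidate)

# Constructed sample messages of equal length (not taken from the post)
P1 = b"MEET AT DAWN"
P2 = b"HOLD AT DUSK"

def demo():
    page = secrets.token_bytes(len(P1))        # one page, wrongly used twice
    c1, c2 = xor_bytes(P1, page), xor_bytes(P2, page)
    leaked = reuse_leak(c1, c2)                # equals P1 ^ P2, no key needed
    recovered = xor_bytes(leaked, P1)          # knowing P1 then reveals P2
    alt_pad = pad_consistent_with(c1, P2)      # c1 alone could "be" P2 too
    return leaked, recovered, xor_bytes(c1, alt_pad)

if __name__ == "__main__":
    leaked, recovered, alt = demo()
    print(leaked == xor_bytes(P1, P2), recovered, alt)
```
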

Posted in Information Theory | No Comments »

The “Evolution” of Security

Posted by Mario on February 10, 2008

The great mathematician Stanislaw Ulam once said that the question was not what mathematics can do for biology, but what biology can do for mathematics.
Reading an article about Digital Evolution[1], I became curious about how far the link between evolutionary computer software and the field of computer security has progressed. It seems obvious to think in terms of biological concepts such as immune systems and mutating entities when you think about viruses, trojans and other current and future threats to security.
It looks like there is a wealth of research already conducted on this connection. A good starting point is the work of Prof. Forrest[2] from the University of New Mexico. There also seem to be some attempts at using genetic algorithms for intruder detection, such as [3].
Without doubt this is a promising area. The traditional approach of trying to guess and hard code against external attackers is not going to work as the complexity of systems and applications grows, seemingly without bound.
I am planning to start doing more research about this, as this touches many fields in which I have worked in the past. Any insight or advice is going to be welcome and greatly appreciated!

[1] Harnessing Digital Evolution, P. McKinley, B. Cheng, C. Ofria, D. Knoester, B. Beckmann and H. Goldstein, Computer Jan 2008.

[2] Principles of a Computer Immune System, A. Somayaji, S. Hofmeyr and S. Forrest.

[3] Using Genetic Algorithm for Network Intrusion Detection, W. Li.

Posted in Math & Computers, Security, Technology | No Comments »

Cryptool, a cool site to learn about Crypto

Posted by Mario on February 2, 2008

The Cryptool website has a wealth of information on how past, present and future crypto-algorithms work. Downloading and installing the freeware (Cryptool 1.4.10 is the current version) is an easy and fun way to explore the inner workings of the algorithms even further.
There is also a very good overview of Cryptology in this document.
The site is well done, clear and easy to navigate. Excellent work!

Posted in Blogroll, Encryption | No Comments »

This is the captain speaking, the Plane has been Hacked!

Posted by Mario on January 9, 2008

As proof of how pervasive the issue of security is in modern life, a recent Federal Aviation Administration report (mirrored at cryptome.org) warns of the possibility that data on the flight computer of the new Boeing 787 Dreamliner could be compromised.

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized access to aircraft data buses and servers. Therefore, special conditions are imposed to ensure that security, integrity, and availability of the aircraft systems and data networks are not compromised by certain wired or wireless electronic connections between airplane data buses and networks.

Wired magazine also reports the comments of Boeing spokeswoman Lori Gunter and Mark Loveless, a network security analyst with Autonomic Networks.

Gunter said the FAA and Boeing have already agreed on the tests that the plane manufacturer will have to do to demonstrate that it has addressed the FAA’s security concerns.

“It will all be done before the first airplane is delivered,” she said.

Loveless said he’s glad the FAA and Boeing are addressing the issue, but without knowing specifically what Boeing is doing, it is impossible to say whether the proposed solution will work as intended. Loveless said software firewalls offer some protection, but are not bulletproof, and he noted that the FAA has previously overlooked serious onboard-security issues.

What would airport security do after the first successful hack attack?

Posted in InSecurity, in the News | No Comments »

Tipping Point reached on DRM-free music content

Posted by Mario on December 28, 2007

In a previous post I speculated about the need for a business model shift on the distribution of digital content. It looks like the industry is recognizing the obvious, at least with respect to music content.
TopTech News reports that:

Warner Music Group, a major holdout on selling music online without copy protection, caved in to the growing trend Thursday and agreed to sell its tunes on Amazon.com Inc.’s digital music store.

Until now, Warner Music had resisted offering songs by its artists in the MP3 format, which can be copied to multiple computers and burned onto CDs without restriction and played on most PCs and digital media players, including Apple Inc.’s iPod and Microsoft Corp.’s Zune.

The deal raises the total number of MP3s for sale through Amazon’s music download store to more than 2.9 million. Warner Music’s entire catalog, including work by artists Led Zeppelin, Aretha Franklin and Sean Paul, will be added to the site throughout the week. The Amazon store launched with nearly 2.3 million songs in September.

This is an interesting development because it seems to represent an attitude shift by the industry that spent billions on useless technologies and gave us the rootkit scandal in the process of trying to prevent the unavoidable.

Posted in DRM, in the News | No Comments »