Cryptosmith

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It’s the same thing. Ristenpart et al pick up some of the threads (like noninterference) though their paper doesn’t point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Continue Reading »

Posted under History of Technology & Security | No Comments »

Troy Davis posted info about a malware ad encountered on NYTimes.com. I always enjoy a good, basic forensic analysis. The location of the ad is disturbing, to say the least, though it reflects a problem with today’s on-line commercial culture.

It’s so easy to do on-line transactions (you send money, I do an on-line service) that vendors aren’t inclined to vet their customers. Vetting costs money: it takes time and it puts the vendor in the position of turning down potential sales. Companies make more money by playing ignorant.

On the other hand, we like to think that a respectable organization, like the New York Times, takes some responsibility for the ads it hosts.

From the consumer/victim point of view, though, it’s probably hard to prove that a particular site hosted a particular ad, unless you can get a team of individuals to document it, too.

Posted under Security | No Comments »

A reader, GregoryF, has proposed a solution to Boak’s puzzle. Many years ago, David G. Boak of the NSA gave lectures to train employees on communications security matters. In one case he presented a written story about insufficiently burned crypto materials (keys, etc.), several tons’ worth, that needed disposal.

Boak didn’t quite explain how they disposed of the waste. Instead, he coded the answer using an innocent text system and challenged the readers to solve it.

GregoryF’s solution is posted as a comment to the earlier article. He actually came up with two different solutions. The “system” behind the second solution gets somewhat complicated, which casts some doubt on its correctness. Also, I haven’t quite recovered the same results.

Spoilers ahead!

Continue Reading »

Posted under History of Technology & Security | 4 Comments »

Gilbert Vernam was a digital systems designer from the early 20th century. He invented the stream cipher, what browsers often use today to encrypt messages exchanged with protected web sites. In his days, however, the mechanism of choice was the relay: an electromagnetic switch. Vernam also described the one-time pad, and noted the danger in reusing the key stream.

What, then is a Vernam cipher? Is it a stream cipher or a one-time pad? I’ve seen the term used both ways.

Now we can check the source. Steve Bellovin recently blogged on Vernam’s work, and posted a PDF of Vernam’s original  paper. Vernam wrote the paper for an AIEE conference (that’s one of the precursors of today’s IEEE – Bellovin negotiated permission to post the historic paper).

If we look at the historical description, Vernam does not restrict his cipher to the one-time pad case. Thus, a Vernam cipher in practice might – or might not – be a one-time pad. [revised 9/7/09]

Continue Reading »

Posted under History of Technology & Security | No Comments »