CRYPTO-GRAM September 15, 2010 by Bruce Schneier Chief Security Technology Officer, BT schneier@schneier.com http://www.schneier.com A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>. You can read this issue on the web at <http://www.schneier.com/crypto-gram-1009.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available. ** *** ***** ******* *********** ************* In this issue: Consumerization and Corporate IT Security News Schneier News More Skein News Wanted: Skein Hardware Help ** *** ***** ******* *********** ************* Consumerization and Corporate IT Security If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available. So why can't work keep up? Why are you forced to use an unfamiliar, and sometimes outdated, operating system? Why do you need a second laptop, maybe an older and clunkier one? Why do you need a second cell phone with a new interface, or a BlackBerry, when your phone already does e-mail? Or a second BlackBerry tied to corporate e-mail? Why can't you use the cool stuff you already have? More and more companies are letting you. They're giving you an allowance and allowing you to buy whatever laptop you want, and to connect into the corporate network with whatever device you choose. They're allowing you to use whatever cell phone you have, whatever portable e-mail device you have, whatever you personally need to get your job done. And the security office is freaking. You can't blame them, really. Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof. How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say "no." But security is on the losing end of this argument, and the sooner it realizes that, the better. The meta-trend here is consumerization: cool technologies show up for the consumer market before they're available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren't going to stand for using last year's stuff, and they're not going to carry around a second laptop. They're either going to figure out ways around the corporate security rules, or they're going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. It might even be the CEO, who wants to get to the company's databases from his brand new iPad, driving the change. Either way, it's going to be harder and harder to say no. At the same time, cloud computing makes this easier. More and more, employee computing devices are nothing more than dumb terminals with a browser interface. When corporate e-mail is all webmail, corporate documents are all on GoogleDocs, and when all the specialized applications have a web interface, it's easier to allow employees to use any up-to-date browser. It's what companies are already doing with their partners, suppliers, and customers. Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions. Like everything else, it's a mixed bag: some of them will work and some of them won't, most of them will need careful configuration to work well, and few of them will get it right. The result is that we'll muddle through, as usual. Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it. This essay first appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security Magazine. You can read Marcus's half there. http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci15196... or http://tinyurl.com/22qhrem ** *** ***** ******* *********** ************* News Breaking into a garage in seconds. Garage doors with automatic openers have always seemed like a lot of security theater to me: people regularly treat their garage door as if it had the same security as their front door. http://www.youtube.com/watch?v=CMz1tXBVT1s Hacking cars through wireless tire-pressure sensors. It's minor, but this kind of thing is only going to get worse. http://www.technologyreview.com/communications/25962/ http://arstechnica.com/security/news/2010/08/cars-hacked-through-wireless-ty... or http://tinyurl.com/29tdys8 http://www.h-online.com/security/news/item/Known-by-their-wheels-1058068.htm... or http://tinyurl.com/3yqbdlf http://www.winlab.rutgers.edu/~Gruteser/papers/xu_tpms10.pdf Earlier paper on automobile computer security: http://www.autosec.org/pubs/cars-oakland2010.pdf Good essay by Seth Godin on the "Fear Tax": http://sethgodin.typepad.com/seths_blog/2010/08/the-fear-tax.html Intel buying McAfee is another example of a large non-security company buying a security company. I've been talking about this sort of thing for two and a half years. http://www.schneier.com/blog/archives/2010/08/intel_buys_mcaf.html Malware might have been a contributory cause of an air crash. I say "might" because it's hard to get reliable information. http://www.schneier.com/blog/archives/2010/08/malware_contrib.html Skeletal identification: http://www.physorg.com/news201454875.html And you thought fingerprints were intrusive. danah boyd on social steganography: http://www.zephoria.org/thoughts/archives/2010/08/23/social-steganography-le... or http://tinyurl.com/33zrwyz Detecting deception in conference calls: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1572705 Their detection system is only slightly better than random, but this kind of thing will only get better. Full-body scanners in roving vans: http://www.schneier.com/blog/archives/2010/08/is_the_whole_co.html Since a fatal crash a few years ago, Boston T (their subway) operators have been forbidden from using -- or even having -- cell phones while on the job. Passengers are encouraged to report violators. But sometimes T operators need to use their official radios on the job, and passengers can't tell the difference. The solution: mark their official radios with orange tape. Of course, no T operator would ever think of putting bright orange tape on his cell phone. Because if he did that, the passengers would immediately know not to report him. http://www.boston.com/news/local/massachusetts/articles/2010/08/26/orange_ta... or http://tinyurl.com/32kzqqf Chilling interview about misidentification and the court system. http://www.schneier.com/blog/archives/2010/08/misidentificati.html In Australia, a high school teacher assigned a movie-plot threat contest problem to his students, and everyone went crazy. He sounds like me, really. http://www.schneier.com/blog/archives/2010/08/high_school_tea.html Australian police are claiming the assignment was illegal, so Australians who enter my movie-plot threat contests should think twice. Also anyone writing a thriller novel about terrorism, perhaps. Interesting research: eavesdropping on smart homes with distributed wireless sensors. http://www.cs.virginia.edu/~stankovic/psfiles/UbiComp192-srinivasan-1-1.pdf or http://tinyurl.com/295j586 This, about the Pentagon and cyber-offense, is beyond stupid. http://www.schneier.com/blog/archives/2010/09/cyber-offence_i.html Very clever attack against a quantum cryptography system. http://www.nature.com/news/2010/100829/full/news.2010.436.html http://dx.doi.org/10.1038/nphoton.2010.214 UAE man-in-the-middle attack against SSL. http://www.slate.com/id/2265204 http://www.eff.org/deeplinks/2010/08/open-letter-verizon Great article on terrorism entrapment: http://www.salon.com/news/opinion/feature/2010/07/06/fbi_foiled_terrorism_pl... or http://tinyurl.com/23nhkcy Parental fears vs. realities: http://www.npr.org/blogs/health/2010/08/30/129531631/5-worries-parents-should-drop-and-5-they-should?sc=fb&cc=fp or http://tinyurl.com/372dyj9 The new German ID card is hackable. No surprise there. http://www.thelocal.de/sci-tech/20100824-29359.html In Japan, paint-filled orange balls are an anti-robbery device. http://www.schneier.com/blog/archives/2010/09/orange_balls_as.html Problems with Twitter's OAuth authentication system. http://arstechnica.com/security/guides/2010/09/twitter-a-case-study-on-how-t... or http://tinyurl.com/2u8ofep http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/ or http://tinyurl.com/2cmgju9 http://blog.nelhage.com/2010/09/dear-twitter/ The Onion on national security: "Smart, Qualified People Behind the Scenes Keeping America Safe: 'We Don't Exist.'" http://www.theonion.com/articles/smart-qualified-people-behind-the-scenes-ke... or http://tinyurl.com/26jx93v Kenzero is a Japanese Trojan that collects and publishes users' porn surfing habits, and then blackmails them to remove the information. http://www.schneier.com/blog/archives/2010/09/kenzero.html Vulnerabilities in US-CERT network: http://www.wired.com/threatlevel/2010/09/us-cert/ http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf http://gcn.com/articles/2010/09/09/us-cert-riddled-with-security-holes.aspx?... or http://tinyurl.com/3a4xz56 Not answering questions at U.S. customs. http://knifetricks.blogspot.com/2010/04/i-am-detained-by-feds-for-not-answer... or http://tinyurl.com/264resf Police set up a highway sign warning motorists that there are random stops for narcotics checks ahead, but actually search people who take the next exit. http://420tribune.com/2010/03/narcotics-checkpoint/ Popular usernames and passwords, in graphical form. http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html ** *** ***** ******* *********** ************* Schneier News Back in May, I attended the EastWest Institute's First Worldwide Cybersecurity Summit in Dallas. I only had eight minutes to speak, and tried to turn the dialog to security, privacy, and the individual. http://www.youtube.com/watch?v=I6ZkU2fUM5w The conference: http://www.ewi.info/worldwide-cybersecurity-summit Commentary on my short talk: http://www.insidehighered.com/blogs/law_policy_and_it/watch_this_video On September 16, I'll be a keynote speaker at IDC's IT Security Conference 2010 in London. http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=4cc6aaee-f08f-493b-8090-d6... or http://tinyurl.com/2aok7d2 On September 18, I'll be a keynote speaker at Hacktivity in Budapest. http://hacktivity.hu/ On October 1, I'll be a keynote speaker at CELAES 2010: XXV FELABAN Conference on Bank Security in Miami. http://www.felaban-seguridadbancaria.com/index.php On October 8, I'll be giving a luncheon keynote speech at the Minnesota Library Association Conference in Rochester, MN. http://mnlibraryassociation.org/mlaconference10/ On October 12, I'll be a keynote speaker at RSA Europe in London. http://www.emc.com/microsites/rsa-conference/2010/europe/index.htm ** *** ***** ******* *********** ************* More Skein News Skein is my new hash function. Well, "my" is an overstatement; I'm one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Last week was the Second SHA-3 Candidate Conference. Lots of people presented papers on the candidates: cryptanalysis papers, implementation papers, performance comparisons, etc. There were two cryptanalysis papers on Skein. The first was by Kerry McKay and Poorvi L. Vora. They tried to extend linear cryptanalysis to groups of bits to attack Threefish (the block cipher inside Skein). It was a nice analysis, but it didn't get very far at all. The second was a fantastic piece of cryptanalysis by Dmitry Khovratovich, Ivica Nikolie, and Christian Rechberger. They used a rotational rebound attack to mount a "known-key distinguisher attack" on 57 out of 72 Threefish rounds faster than brute force. It's a new type of attack -- some go so far as to call it an "observation" -- and the community is still trying to figure out what it means. It only works if the attacker can manipulate both the plaintexts and the keys in a structured way. Against 57-round Threefish, it requires 2**503 work -- barely better than brute force. And it only distinguishes reduced-round Threefish from a random permutation; it doesn't actually recover any key bits. Even with the attack, Threefish has a good security margin. Also, the attack doesn't affect Skein. But changing one constant in the algorithm's key schedule makes the attack impossible. NIST has said they're allowing second-round tweaks, so we're going to make the change. It won't affect any performance numbers or obviate any other cryptanalytic results -- but the best attack would be 33 out of 72 rounds. The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grostl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, at the SHA-2 Zoo site. NIST will select approximately five algorithms to go on to the third round by the end of the year. In other news, we're once again making Skein polo shirts available to the public. Those of you who attended either of the two SHA-3 conferences might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. All orders must be received before October 1, and we'll have all the shirts made in one batch. http://www.schneier.com/skein-shirts.html The Second SHA-3 Candidate Conference: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/index.html Conference program: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/Program_S... or http://tinyurl.com/2g24ybz Kerry McKay and Poorvi L. Vora's presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/2cj5swk http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MC... or http://tinyurl.com/282kv6h Dmitry Khovratovich, Ivica Nikolie, and Christian Rechberger's presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/28uulbg http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/RE... or http://tinyurl.com/2b2ltnu Known-key distinguisher: http://www.springerlink.com/content/y2437717g1630plp/ https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=31551 or http://tinyurl.com/2fvjare Our Skein update from the SHA-3 conference: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/242x77w Skein website: http://www.skein-hash.info/ Skein paper: http://www.schneier.com/skein.pdf Skein source code: http://www.schneier.com/code/skein.zip My previous essays on Skein: http://www.schneier.com/essay-249.html http://www.schneier.com/blog/archives/2009/09/skein_news.html SHA-3 website: http://csrc.nist.gov/groups/ST/hash/sha-3/index.html SHA-3 Zoo: http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo ** *** ***** ******* *********** ************* Wanted: Skein Hardware Help As part of NIST's SHA-3 selection process, people have been implementing the candidate hash functions on a variety of hardware and software platforms. Our team has implemented Skein in Intel's 32 nm ASIC process, and got some impressive performance results. Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance. We need help understanding why. For example, a group led by Brian Baldwin at the Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography implemented all the second-round candidates in FPGA. Skein performance was terrible, but when they checked their code, they found an error. Their corrected performance comparison has Skein performing much better and in the top ten. We suspect that the adders in all the designs may not be properly optimized, although there may be other performance issues. If we can at least identify (or possibly even fix) the slowdowns in the design, it would be very helpful, both for our understanding and for Skein's hardware profile. Even if we find that the designs are properly optimized, that would also be good to know. A group at George Mason University led by Kris Gaj implemented all the second-round candidates in FPGA. Skein had the worst performance of any of the implementations. We're looking for someone who can help us understand the design, and determine if it can be improved. Another group, led by Stefan Tillich at University of Bristol, implemented all the candidates in 180 nm custom ASIC. Here, Skein is one of the worst performers. We're looking for someone who can help us understand what this group did. Three other groups -- one led by Patrick Schaumont of Virginia Tech, another led by Shin'ichiro Matsuo at National Institute of Information and Communications Technology in Japan, and a third led by Luca Henzen at ETH Zurich -- implemented the SHA-3 candidates. Again, we need help understanding how their Skein performance numbers are so different from ours. We're looking for people with FPGA and ASIC skills to work with the Skein team. We don't have money to pay anyone; co-authorship on a paper -- and an Erdos number of 4 -- is our primary reward. (Also, a Skein polo shirt.) Please send me e-mail if you're interested. Our presentation and paper on Skein in a custom ASIC: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/25keymm http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WA... or http://tinyurl.com/2bddhn7 Brian Baldwin's original presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/2dz4q2l http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BA... or http://tinyurl.com/2653k99 Brian Baldwin's corrected presentation and paper: http://www.ucc.ie/en/crypto/SHA-3Hardware/NISTSHA-3/Baldwin-SHA-3-Presentati... or http://tinyurl.com/2c55hb2 http://www.ucc.ie/en/crypto/SHA-3Hardware/NISTSHA-3/Baldwin-SHA-3-Paper-Aug-... or http://tinyurl.com/29qbrud Kris Gaj's presentation and papers: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/26qatdx http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/GA... or http://tinyurl.com/27lkjhw http://eprint.iacr.org/2010/445.pdf Stefan Tillich's presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/27cpqom http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TI... or http://tinyurl.com/2d5p9p7 Patrick Schaumont's presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/28t9qxc http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SC... or http://tinyurl.com/2dju4rn Shin'ichiro Matsuo's presentation and paper: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentat... or http://tinyurl.com/2byyycq http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MA... or http://tinyurl.com/24qxhdo Luca Henzen's papers: http://www.vlsi.uwaterloo.ca/~ahasan/web_papers/technical_reports/web_five_S... or http://tinyurl.com/2be9nj8 http://www.vlsi.uwaterloo.ca/~ahasan/web_papers/technical_reports/web_five_S... or http://tinyurl.com/2g4u2dj http://www.springerlink.com/content/g0115v3272156r06/ ** *** ***** ******* *********** ************* Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL. Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety. CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>. Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT. Copyright (c) 2010 by Bruce Schneier. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE