
February 28, 2007

Do as I say, not as I do

So we managed to make it past the RSA conference without a new break on a major algorithm. Some people had been expecting that this would be the year that someone finally broke SHA-1, at least at the level of the compression function.

One of the more worrying issues of the debate though is when people say things like 'well you are still using SHA-1 so why the concern?' This is to miss the point.

One of the reasons that commercial cryptographic systems have proved so durable is precisely because we are so conservative in choice of algorithms. Changing a cryptographic algorithm is expensive and takes many years. So we look to deploy systems with an expected lifetime of decades.

I am certainly not going to design a new cryptographic security protocol using SHA-1 today. I would look to use SHA-256 or SHA-512. But that does not mean that we should abandon all our existing SHA-1 based applications immediately because we would no longer sanction a new system using that design.

What we do instead is to look at each application in turn and decide whether the known algorithm compromise is significant in the context in which the algorithm is used. This is tedious, time-consuming work but necessary. It is not work that I would care to do for a new protocol; I am certainly not going to spend my time asking 'must we use SHA-256 here or is SHA-1 sufficient?' when building from scratch - just use the stronger algorithm and be done.

When you have a legacy base to support it is essential to know whether a new algorithm is a choice or a requirement. Fortunately for Certificate Authorities the practice of a CA is not critically dependent on the particular cryptographic properties of SHA-1 (or MD5 for that matter) that have been compromised. It is still necessary to plan for SHA-256 support so that future applications can be supported, but we don't need to withdraw support for existing, deployed product.

So if you are designing a new system use the algorithm we recommend, not the one we support in legacy products with a billion users.
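The practical consequence of the argument above is algorithm agility: a deployed protocol should label which hash it used so that verifiers can keep accepting legacy SHA-1 output while every new producer emits SHA-256, and so that operators can measure when SHA-1 can finally be retired. The following is an added example, not code from the post; the `<alg>:<hex>` tag format, the key and the messages are constructed for illustration. It uses HMAC, where continued SHA-1 verification is defensible because HMAC does not depend on the collision resistance that the SHA-1 attacks weaken.

```python
import hmac
from collections import Counter

# Constructed tag format for this example: "<hash name>:<hex HMAC>".
PREFERRED = "sha256"                       # what a design started today emits
VERIFIABLE = {"sha1", "sha256", "sha512"}  # still verified from deployed peers


def make_tag(key: bytes, msg: bytes, alg: str = PREFERRED,
             new_system: bool = True) -> str:
    """Emit a labelled HMAC tag.

    new_system=True applies the post's rule for fresh designs: SHA-1 is
    never emitted. new_system=False models a legacy producer that may
    still emit SHA-1 tags while it is being migrated."""
    if alg not in VERIFIABLE:
        raise ValueError(f"unsupported hash: {alg}")
    if new_system and alg == "sha1":
        raise ValueError("SHA-1 is not sanctioned for new designs")
    return f"{alg}:{hmac.new(key, msg, alg).hexdigest()}"


def verify_tag(key: bytes, msg: bytes, tag: str) -> bool:
    """Accept a tag under any verifiable algorithm, compared in constant time.

    HMAC-SHA-1 is still accepted from legacy peers: the per-application
    review the post describes finds that HMAC does not rely on the
    collision resistance the SHA-1 attacks weaken."""
    alg, sep, hexdigest = tag.partition(":")
    if not sep or alg not in VERIFIABLE:
        return False
    expected = hmac.new(key, msg, alg).hexdigest()
    return hmac.compare_digest(expected, hexdigest)


def legacy_share(tags: list) -> float:
    """Fraction of observed tags still using SHA-1: the number that tells
    an operator whether dropping SHA-1 support is a choice or a requirement."""
    if not tags:
        return 0.0
    counts = Counter(t.partition(":")[0] for t in tags)
    return counts["sha1"] / len(tags)
```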

February 24, 2007

Parking Virus

Eric Rescorla has discovered a virus in the parking lot computer system at SFO.

Trojans and malware can infect any system with a microprocessor configured to execute unrestricted code, so taking measures to stop viruses makes sense. Loading commercial AV software to address the problem does not.

In the first place the chance that anyone would update the virus signatures on an embedded device is negligible. When was the last time you updated the virus checking on your coffee pot? Running AV software without up to date signatures does no good at all.

The more important reason AV is the wrong technology here is because it is software designed to deal with a very difficult problem applied to a problem where the constraint that makes it so difficult is absent. The difficulty with AV software is caused by the fact that we like to run lots of different programs on our computers. The embedded system is designed to only run one program during its entire life. A code signing/verification strategy is much more appropriate.
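The contrast the post draws, as an added example that is not part of the original: a loader for a single-program device that executes only an image whose digest appears in a manifest verified against a key fixed at manufacture. Nothing here needs a signature database to be kept current; a modified image or a manifest from anyone without the key is simply refused. The key, firmware bytes and manifest format are constructed for illustration, and HMAC under a symmetric key is an assumption standing in for the asymmetric signature a real code-signing scheme would use.

```python
import hashlib
import hmac

ROM_KEY = b"constructed-manufacturer-key"  # constructed; stands in for a signing key


def image_digest(image: bytes) -> str:
    """SHA-256 of a firmware image, as the loader measures it before running it."""
    return hashlib.sha256(image).hexdigest()


def sign_manifest(key: bytes, digests: list) -> bytes:
    """Manifest = one hex digest per line, followed by a 64-char hex HMAC over
    those lines. Only the key holder can produce a manifest that verifies."""
    body = "".join(d + "\n" for d in digests).encode()
    return body + hmac.new(key, body, "sha256").hexdigest().encode()


def allowed_digests(key: bytes, manifest: bytes) -> set:
    """Digests a manifest authorises, or an empty set if it is forged,
    truncated or altered. The trailing 64 bytes are the hex HMAC."""
    body, mac = manifest[:-64], manifest[-64:]
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return set()
    return {line for line in body.decode(errors="replace").split("\n") if line}


def may_execute(image: bytes, manifest: bytes, key: bytes = ROM_KEY) -> bool:
    """The bootloader's only decision: run the image if, and only if, its
    measured digest is listed in a manifest that verifies under the ROM key."""
    return image_digest(image) in allowed_digests(key, manifest)
```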

February 06, 2007

Microsoft embraces OpenID

Once upon a time there were three knights who, as is fitting and proper for knights, decided to fight a dragon that was doing the stomping, terrorizing and eating of young maidens that is fitting and proper for dragons to do.


The road to the dragon was long and on the way the knights argued amongst themselves as to who would be the one to slay the dragon. One said that he would do the deed because he was the largest, another said he would do the deed because he was the smallest and nimblest, the third said that he would be the one as he had been in the dragon killing game for many years and knew a thing or two.


So anyway to cut to the chase when they arrive at the cave and see that the dragon is a really really big one the large knight and the small knight realize that it is going to be a pretty big task even if all three of them work together.


Which is a long way of saying that Bill Gates just announced that Microsoft CardSpace will be supporting OpenID.

This makes a great deal of sense; none of the Identity 2.0 schemes has the full story. All the schemes already recognize the fact that SAML is the only standards-based, authentication-technology-neutral format for issuing third party accredited attribute assertions.


CardSpace has a compelling user interface which, as Mike Jones of Microsoft just reminded me, provides an initial experience that is not under the control of the relying party. If we are to defeat phishing-type attacks we have to move to this type of interface built deep into the core of the operating system.


OpenID 2.0 has netroots reach, the ability to engage the blogs and the ability to support the legacy infrastructure. It is also potentially a compelling brand.


In ten years' time I expect that elements of all three infrastructures will be in ubiquitous use. I don't think we will ever get to the point where the authentication requirements for banks and blogs are equal, but there is no reason why a single technology platform cannot meet both sets of requirements.

How US cryptanalysts won WW II

Last night the Microsoft CTO office invited me to a private dinner party with 20 or so other security principals.


The speaker is from the NSA; the subtext is that they are looking for contributions for the new National Cryptologic Museum. As sometimes happens at these events, they throw out an interesting titbit to grab attention.


This time it's a huge one.


It concerns the reason that the Allies chose Normandy for the D-Day landings and the reason they were able to fool the Nazis into thinking that the attack would come at Calais. Critical to the deception was the ability to invade without performing reconnaissance.


The reason the Allies could do this was that earlier the Japanese had become worried about the threat of an invasion and the Nazis had taken a senior Japanese general on a tour of the Normandy defences. On completion of the tour he sends a 12-page report on what he has seen, including the placement of every gun emplacement, pill box, etc.


The message is encrypted in the MAGIC cipher that the Allies have already broken. The Allies know everything they need to invade in Normandy and can thus engage in the critical deception designed to persuade the Nazis that the invasion will come in Calais. All the reconnaissance is directed at Calais.


The deception succeeded and this success was critical in allowing the Allies to establish a beachhead in Normandy.


The role of the British cryptanalysts at Bletchley Park has been recognized for many years now. Until yesterday it had not been acknowledged that the US cryptanalysts had played such a decisive role in the European theatre.

February 05, 2007

EV Certificates at RSA

In case you are wondering why the frequency of blogging has dropped off lately, the reason is that I am working to finish the manuscript of my book The dotCrime Manifesto, which should be published later this year. Technical blogging focusing on small, easily digested chunks does not mix well with writing a first draft of a chapter on Secure Identity or Secure Networks.


I will be speaking at the RSA conference twice this week. On Wednesday I will be speaking on Extended Validation certificates and on Friday I will be presenting a new scheme designed to provide unlinkable identity without the expense and inflexibility incurred in traditional schemes.


And speaking of Extended Validation certificates, I have just become one of the first bloggers in the world to have an EV certificate on their blog. To see The Accountable Web with an EV green address bar simply visit the SSL secured version.