Slashdot Mirror


User: Ararat

Ararat's activity in the archive.

Stories: 0
Comments: 20

Comments · 20

  1. Re:Not "remedies". on McAfee CSO Issues Warning On the 'New Cold War' · · Score: 1

    Ambitious. I don't know if this is technically feasible -- since Win7 and all other MS OSes seem to inevitably be dynamic (i.e. big, imperfect, and thus updated with frequent patches) -- but if you build it or find it, please report back here.

    I, for one, would probably buy it.

    PS: McAfee, btw, bought Secure Computing, another OTP vendor and a major competitor to RSA, in 2008.

  2. Re:The sky is not falling. on CCC Create a Rogue CA Certificate · · Score: 1

    "And Jesus H. Tap Dancing Christ, what
    the F is RSA doing on that list?

    Getting smeared! (sigh)

    The CA identified by Sotirov et al. as owned by "RSA Data Security" was actually RSA's original "Secure Server Certification Authority." It was legally transferred from RSADSI to VeriSign back in 1995, when RSA spun off VeriSign as an independent entity. (Apparently the designated names of root CAs can't be changed while they are operational.)

    RSA, now part of EMC, still runs two root CAs, both of which use SHA1 digests.

    This is an all-VeriSign show. All the CAs listed as potentially vulnerable to a MD5 collision attack are owned or controlled by VeriSign.
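
Added example, not from the thread and not from any CA: the check a practitioner would run on a certificate chain after reading the above, reading each certificate's outer signatureAlgorithm OID and flagging MD5 (collision-weak) or SHA-1 (deprecated) signatures. The DER reader handles only what this check needs, and the sample "certificates" are constructed blobs with the three-field Certificate shape and a stub TBS, not real certificates; only the signature-algorithm field is realistic.

```python
# Added example: minimal DER walk to read a certificate's signatureAlgorithm.
# Sample certificates below are constructed, not real.
COLLISION_WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                  "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
DEPRECATED = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
              "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
MODERN = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
          "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}


def der_read(data, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_write(tag, value):
    """Encode one DER TLV (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def oid_decode(body):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def oid_encode(dotted):
    """Dotted string -> full OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_write(0x06, bytes(out))


def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the TBS, then pull the OID out of the AlgorithmIdentifier."""
    tag, body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _tbs, pos = der_read(body)           # tbsCertificate, not needed here
    _, alg_id, _ = der_read(body, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = der_read(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid_decode(oid_body)


def assess_chain(chain_der):
    """Per certificate (index 0 = leaf): (index, OID, algorithm name, verdict)."""
    report = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm(cert)
        if oid in COLLISION_WEAK:
            report.append((i, oid, COLLISION_WEAK[oid], "collision-weak"))
        elif oid in DEPRECATED:
            report.append((i, oid, DEPRECATED[oid], "deprecated"))
        elif oid in MODERN:
            report.append((i, oid, MODERN[oid], "ok"))
        else:
            report.append((i, oid, "unknown", "review"))
    return report


def constructed_cert(sig_oid):
    """Constructed sample: three-field Certificate shape with a stub TBS and signature."""
    tbs = der_write(0x30, der_write(0x02, b"\x01"))               # stands in for TBSCertificate
    alg_id = der_write(0x30, oid_encode(sig_oid) + b"\x05\x00")   # OID + NULL parameters
    sig = der_write(0x03, b"\x00" + b"\xaa" * 128)                # BIT STRING stub (forces long-form length)
    return der_write(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    chain = [constructed_cert("1.2.840.113549.1.1.11"),   # leaf, SHA-256
             constructed_cert("1.2.840.113549.1.1.4"),    # intermediate signed with MD5
             constructed_cert("1.2.840.113549.1.1.5")]    # root, SHA-1 self-signature
    for row in assess_chain(chain):
        print(row)
```

For a root CA, what matters for the rogue-certificate attack is the digest the CA uses when signing subordinate certificates, not its own self-signature, so the rows to act on are the intermediates and the leaf. On real certificates `openssl x509 -noout -text` prints the same field.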

  3. Re: Peter Gutmann on the Seifert Paper on A New Vulnerability In RSA Cryptography · · Score: 1

    Oops. My apologies. Peter Gutmann is a New Zealander, not an Australian. Again, humble apologies.

  4. Peter Gutmann on the Seifert Paper on A New Vulnerability In RSA Cryptography · · Score: 1

    Widely-respected Australian cryptographer Peter Gutmann offered a concise analysis of Seifert's achievement on the Cryptography Mailing List yesterday. It offers both detail and useful perspective.

    Udhay Shankar N had just summarized the scary rumors about Seifert's attack:

    "... German cryptographer Jean-Pierre Seifert has announced [1]a new method called Simple Branch Prediction Analysis that is at the same time much more efficient that the previous ones, only needs a single attempt, successfully bypasses the OpenSSL protections, and should prove harder to avoid without a very large execution penalty."

    Gutmann replied with a magisterial air:

    "That's not quite accurate. What it did was succeed against a an old version of OpenSSL that (a) didn't have the protections present yet and (b) had been specially modified to make it vulnerable to the attack. It's a nice attack, but based on what's been published so far the claims of RSA's demise are considerably exaggerated.

    "What it does is rely on the fact that on a HT P4, if you saturate the branch target buffer (BTB) from a second thread running in the same pipeline (i.e. on the same HT CPU), you can see when BTB misses occur in the RSA thread and therefore observe whether it's branching on a one or zero bit.

    "To do this, they had to use (as mentioned above) a rather old version of OpenSSL that doesn't employ any protection against this type of attack. In addition they reduced the modexp window size from 5 to 1 (to make sure you get a branch for each bit, with the standard window size 5 the branches are replaced by a table lookup), and they disabled the CRT code (to force use of the textbook-mode RSA operation that, in practice, no software implementation ever uses).

    "This isn't to say that the paper doesn't point out a potential vulnerability. However, saying "we broke RSA" or "we broke OpenSSL" is pushing things a bit."

    Peter.

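
An added illustration of the three code paths Gutmann refers to above (window size 1 versus window size 5, and the CRT path), written for this page and not taken from OpenSSL or from the Seifert paper. The toy key (p=61, q=53, e=17, d=2753, the usual textbook values) and the `trace` bookkeeping are choices made here; Python integers are not constant-time, so this models control flow, not a side-channel-safe implementation.

```python
# Added example: modexp with a per-bit branch, modexp with a fixed window,
# and CRT decryption, on a toy RSA key. Not OpenSSL code.

def modexp_binary(base, exp, mod, trace=None):
    """Window size 1 (textbook left-to-right square-and-multiply).
    Every set bit of the secret exponent takes the multiply branch, so an
    observer who can see taken/not-taken branches reads the exponent."""
    r = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        r = r * r % mod
        if (exp >> i) & 1:                  # secret-dependent branch
            r = r * base % mod
            if trace is not None:
                trace.append(i)             # record which bit positions branched
    return r


def modexp_fixed_window(base, exp, mod, w=5):
    """Window size w: the per-bit branch is replaced by a table lookup.
    Each w-bit digit selects a precomputed power and the multiply happens
    unconditionally (digit 0 multiplies by table[0] == 1)."""
    table = [1]
    for _ in range(1, 1 << w):
        table.append(table[-1] * base % mod)
    mask = (1 << w) - 1
    r = 1
    for j in range((exp.bit_length() + w - 1) // w - 1, -1, -1):
        for _ in range(w):
            r = r * r % mod
        r = r * table[(exp >> (j * w)) & mask] % mod   # lookup, no branch on bit values
    return r


def rsa_crt_decrypt(c, d, p, q, modexp=modexp_fixed_window):
    """CRT path: two half-size exponentiations (mod p, mod q) recombined with
    Garner's formula. Disabling it, as the attack did, forces one full-size
    exponentiation with d."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = pow(q, -1, p)
    m1 = modexp(c % p, dp, p)
    m2 = modexp(c % q, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q


P, Q, E, D = 61, 53, 17, 2753     # toy key: phi = 3120, 17 * 2753 = 1 (mod 3120)
N = P * Q


def secret_dependent_branches(exp):
    """How many multiply branches the window-1 loop takes for this exponent:
    its Hamming weight, which is what a branch-predictor observer sees."""
    trace = []
    modexp_binary(2, exp, N, trace)
    return len(trace)


if __name__ == "__main__":
    m = 65
    c = modexp_fixed_window(m, E, N)
    print("ciphertext", c)
    print("window-1 ", modexp_binary(c, D, N))
    print("window-5 ", modexp_fixed_window(c, D, N))
    print("CRT      ", rsa_crt_decrypt(c, D, P, Q))
    print("branches taken for d:", secret_dependent_branches(D), "of", D.bit_length(), "bits")
```

All three paths decrypt to the same plaintext; the difference is what leaks. The window-1 loop branches exactly once per set bit of d, the window-5 version replaces that branch with an unconditional multiply by a table entry (which moves the leak from the branch predictor to the table access pattern, something later OpenSSL releases mask with constant-time table reads), and the CRT path works with exponents half the size of d.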
  5. Re:Why it doesn't work that well today on The Letter That Won US Internet Control · · Score: 1
    This is a thoughtful and thought-provoking post, and I hope the mods reflect that. It offers a point of view that we Americans can constructively engage and benefit from -- the Web, after all, came from CERN! -- but surely most of the flaws and frailties of the Net listed by ABG are not, per se, issues of Governance?

    Some are issues in international law enforcement, but most seem to be questions of protocol design or issues about how to manage huge protocol transitions across the Net. And, to be blunt, isn't there a lot of unfair hindsight in this list of complaints?

    I too wish the early protocol designers were more cynical about how people in the future might abuse each other on the Net, but surely the optimism of the early Internet designers was a lot more constructive than, say, the gross malevolence of the European bureaucrats who corrupted the crypto functions in the GSM cellular protocols? European spooks are as bad as our spooks, and closed transnational regulatory forums are a favorite playground for both.

    I'm surprised, btw, that someone like ABG, who has such a grasp of technical issues in the Internet culture, does not seem aware that Internet engineering issues are handled by the Internet Society and its all-volunteer IETF.

    (I suspect both the corporate engineers and the largely libertarian geeks who man the IETF's working groups are pretty open to international influence from anyone willing to invest and share the burden. And the IETF, whatever its failings, is certainly vastly more transparent than the cloistered ITU bureaucrats who expect to rule the Internet in five years if the Americans can be displaced.)

    The only complaint ABG listed against US "governance" which may be valid, by my lights, is the claim that the conservative leanings of the Bush administration made its representatives unwilling to endorse an xxx domain as a virtual "red light" district on the Net. The xxx domain seems to have pros and cons -- but it seems rash to presume that this American government is any more self-righteous about such social questions than, say, the Indian government, or even the majority of UN nations, would be.

    Most nations -- indeed, most people everywhere, Christian or not -- are conservative on this type of social issue, something European progressives like ABG understand quite well.

    On the other hand, we Yanks are no less nationalist than other nations, so it would probably do us good -- and be good politics -- if the US were to make a serious commitment to Internet design initiatives that would allow non-Americans to be more certain that the Net will remain accessible to all, no matter who comes into power in the US in the future. All who rely on the Net would benefit if that assurance was universally accepted.

    I suspect, of course, that guaranteed access and guaranteed availability are not the goals of all those who want the ITU or some other international regulators to implement new "controls" on the Net through governance "reform" -- but a smart US administration could make common cause with those who do want that assurance.

    It's a rare European who would trust the PTTs of the ITU to lead the world into a future full of economic growth, exciting innovation, and disruptive change.

  6. Re:The most ridiculous part of the letter on The Letter That Won US Internet Control · · Score: 1
    If Br00tus's confusing post is an example of what passes for "informative" historical comment on /., this is a sad state of affairs.

    Hey, truth be told, the US government -- and specifically, US intelligence agencies interested in cryptanalysis and signals analysis -- almost exclusively funded the first 10-15 years of the development of the modern computer industry, in both hardware and software. So what? That didn't make symbol manipulation, the essential technology of computing, any less adaptable to business functions, technical design, huge math computations, "what if" modelling, networking, or simple play, when the early commercial computer firms were given free access to the results of that government-funded R&D.

    With massive amounts of subsequent investment, those (largely American) commercial developers laid the foundation for today's wondrous display of technical innovation in IT, both commercial and open source, and its widespread adoption and use around the world.

    Today, few even bother to acknowledge the initial investments by the US spooks. Yet, obviously, the scale and breadth of the subsequent private-sector investment, and the evolution of the information culture it spawned, has so overwhelmed the initial government investment that it seems proportionally tiny, if prescient. Important -- but not in the sense that it defined either the technology or the Information Age that has subsequently evolved.

    Similarly, while no one should deny or minimize the vision and creativity of the government-funded innovators who gave us the early Internet infrastructure, the scale and breadth of the private-sector investment -- just since the early 1990s -- more than justifies the claim that it was private-sector vision, ingenuity, and funding, which has given us the Internet culture we know today.

    Anyone want to guess what portion of the current investment in the Internet -- both its infrastructure and its technology -- has occurred subsequent to the explosion of the Web in the mid-1990s?

    Sheeesh! Rice's letter, per se, is not nearly as ridiculous as much of the comment it has engendered. If Br00tus' post represents the standard for informed comment, of course, little else could be expected.

    Gawd help us all, if this pre-digested and biased children's history is an example of what "everybody on Slashdot knows!" Talk about a herd mentality!

    Folks, you gotta think a bit in order to keep isolated historical facts in some perspective. ;-)

  7. Question: Did the US Save the Net from the ITU? on The Letter That Won US Internet Control · · Score: 5, Interesting
    Is K-boy online here?

    The Register is a very opinionated publication, and this article, like most, is heavily laden with emotional bias and innuendo. I have no problem with that, per se, but I am confused because K-boy's articles from the Tunis conference seemed to be contradictory.

    I recall one article which quoted the head of the ITU bragging that -- because of EC support? -- the ITU (the international consortium of telephone companies and nationalized telephone utilities) would control the Internet within five years. K-boy, the Register reporter, was appropriately horrified at that prospect, and pointed out that ITU controls in the past would have quashed the Internet, simply never let it be born.

    Now, however, in his article about Rice's forceful US defense of the status quo, the same reporter seems again disturbed (if perhaps less than horrified) that the US is not more open to international governmental influences, and is not more willing to adapt Internet control to the likes of the ITU.

    So where *do* you stand, K-boy?

    Many of us Netcitizens are willing to put up with the imperfections of the current Internet governance -- hoping that strong contractual obligations on an independent administrator will, minimally, guarantee the ongoing availability of connections -- rather than see control of the Net slide into the hands of greedy, lowest-common-denominator, trans-national bureaucrats, of which the ITU is a preeminent example.

    Didn't Condi's letter and the US lobbying campaign save us from the ITU, a fate worse than (or perhaps equivalent to) death for the Internet as we know it?

    One thing Rice's letter suggested to me was the advantage of the home-town team, the established owner and manager, over uppity rebels with independent ideas. The same thing, I fear, would be true of the advantage the ITU regulators would have over disorganized international libertarians, if the US were to declare the Net's infrastructure to be up for grabs. If Internet governance -- which may only today be an oxymoron -- were to slide into the international political arena, wouldn't it only be a matter of time before Real Control would be seized by the organization with the best financing, technical savvy, and skills at political infighting?

    The current ITU president obviously thinks that it is a foregone conclusion that the ITU would be that organization. Anyone want to predict the future of the Net that would follow?

    What does the history of the ITU tell us about the prospects for future innovation and disruptive change in an Internet controlled by the ITU?

    Just because the US government is a proponent of a position does not mean that it is wrong.

  8. Re:On the flip side on Two Factor Authentication Systems? · · Score: 1
    I think the poor user gets a bum rap on this, and on many other aspects of the technology that gets laid upon them. It wasn't the users who stuck themselves with multiple passwords, of limited length, each of which can be typically cracked with a moderate amount of time on a password cracker.

    It wasn't the users who, as passwords became more vulnerable, laid upon them these Draconian rules which mandate routine changes in all passwords, each to conform to some standard of sufficient complexity that guarantees that they can't be remembered by mortal men. And it was us techies who, for a decade or so, piously lectured them that they shouldn't write down their passwords -- long after the number of passwords the typical user was expected to memorize had exceeded the number of phone numbers he knew by heart.

    Pity the poor user! We gave him a Web browser that can't offer anything like the overt indicators of high risk or pending fraud that he uses to survive in the brick 'n mortar world. We gave him email encryption that you need a PhD to understand, and an MS to use -- and the paranoid government kept insisting that he should only authenticate, never encrypt, and continually monkeyed with the standards to leave him unprotected. And this is not even to mention the blizzard of belittling comments from our self-righteous vendors, with their software products for which they disclaim all responsibility yet are forced to provide daily patches.

    Pity the poor user! He has to put up with management bean-counters too cheap to spring for an OTP token, typically the price of a modem, or even a scratch card of OTPs. Worse, he has had to put up with us security types mouthing cant about "user education" for years -- as if the victim is to blame for the poor tools and insecure protocols we created for his exploitation.

    Consider the number of enterprises which still refuse to authorize the storage of personal passwords in a cryptographically secure vault for their PCs or PDAs. And those which still lecture him that he should not write down his 15, or 30, or 50 passwords on paper. Pity the poor user! He has to deal in reality, while all too many of the techie elite wander around with our heads in the clouds!

  9. Re:Couple of choices that I remember on Two Factor Authentication Systems? · · Score: 2, Insightful
    1. If your network runs in the clear, with no network crypto protecting your connection, you've always got a potential risk of session hijacking, let alone more elaborate schemes to subvert an array of networked authentication servers. The connection between an RSA Authentication Server and its various application-based ACE Authentication Agents that report to it is encrypted, but that doesn't protect other network links, nor the integrity of the TCP/IP session itself.

    2. Neither CryptoCard, nor any other OTP vendor, can "emulate" the RSA SecurID's time-synchronized OTP generation, which continually generates a new OTP -- valid for only a minute or two -- every 60 seconds. RSA still has patent protection on this mechanism.

    3. I don't know how dated your information about a vulnerability in a domain of multiple authentication servers is, but it seems likely that it dates from the ACE/Server 5.X family, back when RSA used a master/slave architecture. The crux of the problem -- which, to a lesser degree, still exists in RSA 6.x Authentication Managers -- lies in the definition of simultaneity, and the inevitable impact of latency on even "real time" network connections. Typically any effective attack -- which would ring alarms and be logged as a dangerous event as soon as the network was live -- would entail breaking at least two network connections, to isolate one of perhaps several networked authentication servers.

    Bringing down multiple network links is no trivial task. There are also additional defenses available within most RSA Authentication Managers (aka ACE/Servers) which can be turned on to make it more difficult to exploit a short-term network disruption with this sort of attack.

    4. RSA Authentication Managers have two standard defense mechanisms which make this sort of race attack difficult without an attack that breaks both the primary and secondary network links between the servers. The first lies in the ACE Lock Manager (LM), a mechanism which effectively claims an account when an initial authentication call comes in.

    If two authentication calls with identical credentials are received by an authentication manager within a very short period of time -- the default is 2 seconds, but it can be increased by the local ACE admin -- the authentication server will reject both authentication requests and request a new SecurID passcode from each user. In this, the LMs rely upon the ongoing distribution of database changes, which upgrades all the networked authentication servers every 100 seconds.

    5. In addition, the Lock Manager, when it first receives a new authentication call, fires off a "real-time" message -- to each of its remote replicas -- which identifies the SecurID, by serial number, and notes how many token-codes it has generated since it was initialized at the RSA factory. (Using this metric avoids any server time-skew issues.) Each LM "remembers" all the token-specific metrics it has received for about ten minutes.

    A new authentication call, from that token, will be accepted by one of the replica authentication servers only if the number of SecurID OTP cycles used to generate a specific token-code is greater than the count previously noted in the ongoing message traffic among the LMs. In this, the LMs act like a "pre-replication" system, distributing an exclusive claim on a specific token-code, from a specific SecurID, well ahead of the routine database replication.

    6. The LMs use a "full-meshed" network topology. Each primary/replica transmits its token-specific lock-down messages to every other RSA authentication server in "real time" -- or at least as close to real-time as possible.
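
A small simulation of the lock-manager behaviour described in points 4 to 6 above, added here as an illustration. It is not RSA's code: the server names, the tokencode count values, the shape of the lock message and the decision to hold a request until the duplicate window has elapsed are assumptions made for the model.

```python
# Added example (not RSA's code): model of the Lock Manager race defenses.
import collections

DUP_WINDOW = 2.0      # seconds: identical credentials inside this window reject both
LOCK_MEMORY = 600.0   # seconds: how long a lock manager remembers a token's high-water mark


class LockManager:
    """One authentication server's lock manager (assumed model)."""

    def __init__(self, name):
        self.name = name
        self.peers = []                                  # the other servers in the full mesh
        self.high_water = {}                             # serial -> (highest count seen, time noted)
        self.pending = collections.defaultdict(list)     # (serial, count) -> arrival times
        self.decisions = {}                              # (serial, count) -> final verdict

    def _expire(self, now):
        for serial, (_, noted) in list(self.high_water.items()):
            if now - noted > LOCK_MEMORY:
                del self.high_water[serial]

    def receive_lock(self, serial, count, now):
        """Real-time claim from a peer (or from this server itself)."""
        self._expire(now)
        cur = self.high_water.get(serial)
        if cur is None or count > cur[0]:
            self.high_water[serial] = (count, now)

    def request(self, serial, count, now):
        """Authentication call: claim the tokencode, hold it for the duplicate window."""
        self._expire(now)
        key = (serial, count)
        if key in self.pending:                 # identical credentials inside the window
            self.pending[key].append(now)
            return "held"
        cur = self.high_water.get(serial)
        if cur is not None and count <= cur[0]:  # already claimed here or by a peer
            return "reject-replay"
        self.pending[key].append(now)
        self.receive_lock(serial, count, now)   # claim locally ...
        for peer in self.peers:                 # ... and across the mesh, ahead of replication
            peer.receive_lock(serial, count, now)
        return "held"

    def resolve(self, now):
        """Once the duplicate window has elapsed, decide every held request."""
        for key, arrivals in list(self.pending.items()):
            if now - arrivals[0] >= DUP_WINDOW:
                self.decisions[key] = "accept" if len(arrivals) == 1 else "reject-duplicate"
                del self.pending[key]
        return self.decisions


def build_cluster(partition_replica2):
    """Primary plus two replicas; optionally cut replica-2 off from the other two."""
    primary, rep1, rep2 = LockManager("primary"), LockManager("replica-1"), LockManager("replica-2")
    groups = [[primary, rep1], [rep2]] if partition_replica2 else [[primary, rep1, rep2]]
    for group in groups:
        for lm in group:
            lm.peers = [p for p in group if p is not lm]
    return primary, rep1, rep2


SERIAL = "000123456789"   # constructed token serial number


def simulate_replay(partition_replica2):
    """Legit login at the primary; 0.5 s later the same credentials hit replica-2."""
    primary, rep1, rep2 = build_cluster(partition_replica2)
    primary.request(SERIAL, 41000, now=0.0)
    at_rep2 = rep2.request(SERIAL, 41000, now=0.5)
    for lm in (primary, rep1, rep2):
        lm.resolve(now=3.0)
    later = rep1.request(SERIAL, 41000, now=4.0)        # replay against a third server
    fresh = primary.request(SERIAL, 41001, now=60.0)    # next tokencode, higher count
    return {"primary": primary.decisions.get((SERIAL, 41000)),
            "replica2_immediate": at_rep2,
            "replica2_final": rep2.decisions.get((SERIAL, 41000)),
            "replica1_later": later,
            "next_code": fresh}


def simulate_duplicate():
    """Two identical calls at the same server inside the 2-second window: both rejected."""
    primary, _, _ = build_cluster(False)
    primary.request(SERIAL, 42000, now=10.0)
    primary.request(SERIAL, 42000, now=11.0)
    return primary.resolve(now=13.0)[(SERIAL, 42000)]


if __name__ == "__main__":
    print("connected  :", simulate_replay(False))
    print("partitioned:", simulate_replay(True))
    print("duplicate  :", simulate_duplicate())
```

With the mesh intact, the primary's real-time lock reaches replica-2 before the replayed credentials do, so the second use is refused even though database replication has not run yet. With replica-2 cut off, the same replay is accepted there and one tokencode yields two sessions, which is why the post says the attack needs network links broken.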

  10. Not All Tokens Are Equal on Two Factor Authentication Systems? · · Score: 1
    Not all One-time Password tokens are created equal.

    Not even all OTP tokens from, say, RSA Security -- the vendor I know best -- are created equal.

    Specific mechanisms for "strong authentication" -- since the 1970s, by classical definition, an app which relies on at least two of the three factors (something known, something held, something one is) by which a computer can validate the identity of a pre-registered human user -- are designed for a particular threat environment.

    Typically, in a variety of form-factors, OTP generators offer greater or lesser security on a spectrum -- greater or lesser resistance to various potential threats -- in a variety of pricing schemes. Among the competitive vendors, some support systems -- the authentication servers and agents -- are better adapted to a large volume of authentication calls, or a multi-server geographically-dispersed user base. In small tech-savvy environments, public domain OTP options will always have their place, although commercial enterprises typically want some solvent external entity to accept the risk and track the evolving threats.

    RSA, as several posters have noted, has a unique "time-synch" OTP technology. An RSA SecurID continuously generates and displays a new 6-8 digit (or alphanumeric) pseudo-random "token code" every 60 seconds -- an OTP that is valid for no more than a minute or two. In RSA's security paradigm, a SecurID "token holder" is always required to supply a user-memorized password or PIN for two-factor authentication (2FA).

    In the enterprise OTP token market it has dominated for nearly 20 years, RSA still closes about seven of every ten sales. In the nascent consumer market for strong authentication -- where the scale and complexity of the implementations could be unprecedented -- all bets are off and a billion-dollar free-for-all looms.

    Most of RSA's leading challengers -- Vasco, ActivCard, Secure Computing, CryptoCard, VeriSign -- have been mentioned, but no one has pointed out how many new vendors are rushing into this market, offering both new and old technologies. Some are big companies; others are tiny. Even low-tech options like TAM cards -- pre-printed lists of OTPs, now indexed, available on wallet-sized "scratch-cards" -- have become quite popular, particularly in Europe.

    You'll find the classic OTP tokens for two-factor authentication (2FA) with a variety of form-factors and cryptographic models: time-synch from RSA; mostly Challenge/Response and "event synch" -- click for an OTP -- from the others. One thing you won't find, despite some claims in this thread, are OTP tokens from anyone but RSA which offer RSA's "time-synch" short-term OTPs. None of the challengers, new or traditional, can yet mimic SecurID's patented functionality.

    As you survey your options, it's important to keep your eye on the prize here. 2FA protocols are used to validate -- to a relatively high degree of certainty -- a claim that a "token-holder" is entitled to resources and account privileges on a (usually remote) computer or network, on which he has been pre-registered by an authorized party.

    With more trustworthy authentication, your managers and security architects can enforce more rigorous accountability. (The gentleman who lamented his company's adoption of user-based strong authentication, on top of the client-based VPN authentication he thought was "more secure," doesn't get it.) Accountability is the goal.

    Accountability is the ability to associate a consequence with a past action of an individual. To hold individuals accountable, it must be possible retrospectively to tie them with actions or events for which accountability is desired, or to be able to independently detect and respond to inappropriate behavior. Authentication can never be viewed in isolation. It is obviously dependent upon other critical elements in the security paradigm -- authorization and audit mechanisms, to be sure; but also network integrity and local PC and end-point host security as

  11. SecurIDs for 2FA; Phone of 5 Senses on Cell phones as Credit Cards · · Score: 1

    I wonder what proportion of /. readers are carrying SecurIDs or some other OTP token for two-factor authentication (2FA) at work? At least in Japan, NTT DoCoMo i-appli phones have had SecurID token-emulation software available for a couple of years. (This is the same one-time password (OTP) app that RSA offers in the US and elsewhere for PDAs, Blackberries, and various Ericsson and Nokia mobile phones.)

    2FA, like everything else, comes packaged in incrementally stronger or weaker form-factors. "Soft-tokens" are at one end of the 2FA spectrum, since they rely upon the token-holder for physical and virtual security, while sealed tamper-resistant hardware tokens are at the other. It seems entirely possible to more securely engineer the 2FA code into the phone's internal (GSM?) chip, merging the convenience of phone-based 2FA with the security of tamper-resistant hardware. (I noticed that the guys at the DoCoMo US Labs carry SecurID hardware fobs -- which is probably appropriate, given the resources they protect -- but many of us could safely switch to phone-hosted OTP tokens, even now.)

    One of the FAQs on the DoCoMo Labs website offered an extraordinary vision in its description of the company's R&D: "DoCoMo aims to strengthen people's five physical senses and expand their activities by coordinating data that is collected from information sources located everywhere, including a person's own body, and connected 24 hours a day to a network. DoCoMo R&D goes beyond the boundaries of a mobile operator to include such areas as multi-sensory communications, alter-ego interface technology, bio authentication technology, agent technology, super reality communications technology, and sensor network technology. By the acquisition of limitless knowledge, DoCoMo aims to lay a path for realizing a prosperous world."

    A phone for five senses?! Now that's an expansive baseline! For those enchanted by the vision, Wiley just published the DoCoMo US Labs's first book. For $120, you can plumb the depths of DoCoMo's R&D in "Next Generation Mobile Systems: 3G & Beyond," edited by Minoru Etoh.

  12. Re:indows Mobile could include token software bund on MS to Trade Passwords for 2-Factor Authentication · · Score: 1

    If not bundled, it's always been readily available for free download from the RSA website, and probably from other vendors too.

    RSA's One-Time Password (OTP) apps allow any Windows Mobile device to emulate a SecurID (pinpad) token, accept the tapped input of a user-memorized PIN, and then generate the appropriate series of 6-8 digit SecurID passcodes. (Also available for free download from RSA are similar "soft token" apps for the Palm OS, Blackberry, Windows desktops, or any one of several mobile phones.)

    Of course, to actually register one of these devices with an RSA authentication server, someone will have to buy an RSA-signed "seed" that the RSA server will recognize, associate with a registered SecurID token-holder, and subsequently provide authentication support services for.

    These "soft-tokens" -- from RSA or one of its competitors -- are a funny breed of OTP authenticators. They offer something more than "something known," but something less than the full dimension of "something held" that is exemplified by a hand-held token, a sealed dedicated authentication device designed as a personal authenticator.

    A personalized physical "token," by its very nature, makes illicit delegation very difficult. A physical token can only be in one place at a time. OTOH, the integrity of a "soft-token" can only be assured if the token-holder can prove physical security and responsible handling -- again, a degree of oversight much higher than that required from someone who carries a sealed hand-held personal authentication token.

    Like any RSA SecurID, one of these "soft tokens" generates a two-factor time-based 6-8 digit token-code every 60 seconds. Each one of these token-codes can only be used "now," and can only be used once, to authenticate a token-holder to an RSA authentication server (where some responsible party has already registered this user's ID and privileges, and associated that user ID with the seed that personalized that SecurID application.)

  13. Re:This is the reason on Are Often-Changed Long Passwords Really Secure? · · Score: 2, Informative
    RSA provides a free download of the RSA SecurID Token for Mobile Phones here http://tinyurl.com/5z7rs. Supported platforms include the Ericsson R380 smart phone, Nokia 9210 Communicator, and the NTT DoCoMo i-appli compatible phones (all 503i, 504i, and some FOMA series mobile phones.)

    These are fine for many environments, but it is worth remembering that a software app is always going to be less secure, and more dependent on the user for its physical and logical integrity, than a sealed hardware fob or card, the classic SecurID.

    To actually use phones or PDAs or pagers with this token-emulation code to authenticate against an RSA Authentication Manager (RAM, aka ACE/Server), you will need to buy the 128-bit seed from RSA. The RAM will only accept "seeds" digitally signed by RSA.

  14. Re:This is the reason on Are Often-Changed Long Passwords Really Secure? · · Score: 5, Interesting

    Well, one of the reasons. Two-factor authentication was defined (as I recall, by the US Bureau of Standards in the mid-70s) as any AAA system that requires presentation of two of the three factors (something held, something known, something one is), but there was originally an additional requirement: one of those factors must be resistant to replay, dynamic.

    Sniff and replay were then, and in many places still are today, a prominent security threat -- and that threat grew exponentially with the evolution of local nets, and then exploded in scale and volume with the Internet.
    The SecurID, or any One-time Password (OTP) used to provide "strong authentication," does indeed obviate the need for all the Draconian rules now used to buttress the static reusable password or passphrase. In '87, however, as the SecurID was first brought to market, we never thought the static password would survive, no matter how complex it became, because it had none of the inherent resistance to eavesdroppers provided by a dynamic password.

    We never dreamed that -- to save, per user, the price of a keyboard -- the corporate bean counters would stay committed to static reusable passwords for another 20 years, using these increasingly painful routines to make those passwords more resistant to guessing, dictionary, and now pre-computed hash attacks. Nor did we expect that the market would consistently undervalue one of the token's core virtues: its resistance to sniff and replay.

    We thought it was obvious that a password, however strong, could never be enough.
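
Added example of a time-synchronized OTP with a PIN, in the style of RFC 6238 rather than RSA's proprietary SecurID algorithm; it is not RSA's code. The 128-bit seed, user name, PIN and timestamps are constructed; the 60-second step, the one-step validity window ("a minute or two") and the once-only acceptance of each tokencode follow comments 10, 12 and 14 above, and the server-side replay check is the "dynamic factor" comment 14 describes.

```python
# Added example: RFC 6238-style time-synchronized OTP plus PIN, with a
# validity window and once-only acceptance. Seed, user and PIN are constructed.
import hashlib
import hmac
import struct

STEP = 60        # a new tokencode every 60 seconds
DIGITS = 6
WINDOW = 1       # also accept the previous and next step, to absorb clock skew

SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed 128-bit seed


def tokencode(seed, counter):
    """HOTP (RFC 4226) over a counter: HMAC-SHA1, dynamic truncation, DIGITS digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def current_code(seed, now):
    """What the token displays at Unix time `now`: HOTP over the time step (RFC 6238)."""
    return tokencode(seed, int(now) // STEP)


class OtpServer:
    """Authentication server: seed per user, PIN hash, and the last step accepted."""

    def __init__(self):
        self.users = {}

    def register(self, user, seed, pin):
        self.users[user] = {"seed": seed,
                            "pin_hash": hashlib.sha256(pin.encode()).digest(),
                            "last_step": -1}

    def verify(self, user, passcode, now):
        """passcode = PIN + tokencode. Returns a reason string (see note below)."""
        rec = self.users.get(user)
        if rec is None:
            return "no-such-user"
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not (len(code) == DIGITS and code.isdigit()):
            return "bad-code"
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), rec["pin_hash"])
        step = int(now) // STEP
        matched = None
        for cand in range(step - WINDOW, step + WINDOW + 1):   # no early exit: uniform timing
            if hmac.compare_digest(tokencode(rec["seed"], cand), code):
                matched = cand
        if not pin_ok:
            return "bad-pin"
        if matched is None:
            return "bad-code"
        if matched <= rec["last_step"]:          # this tokencode (or an older one) was already used
            return "replay"
        rec["last_step"] = matched
        return "ok"


if __name__ == "__main__":
    srv = OtpServer()
    srv.register("alice", SEED, "1234")
    t = 1_000_000                                 # constructed timestamp
    code = current_code(SEED, t)
    print("first use :", srv.verify("alice", "1234" + code, t))
    print("replayed  :", srv.verify("alice", "1234" + code, t + 20))
    print("next code :", srv.verify("alice", "1234" + current_code(SEED, t + STEP), t + STEP))
```

A passcode is accepted only if its tokencode matches one of three steps (previous, current, next) and that step is later than the last step accepted for the user, so a sniffed passcode replayed inside the validity window fails with "replay" and a code from before the user's last login fails the same way. The distinct reasons are for the demonstration; a production server would log them and return a single generic failure to the client.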

  15. Re:This is the reason on Are Often-Changed Long Passwords Really Secure? · · Score: 1

    You might want to check out RSA's Sign-On Manager (SOM), which is their SSO vehicle for environments that require multiple authentications. Last year, SOM began shipping with the option of using a fingerprint biometric -- from Precise Biometrics -- as an optional layer, but only to enhance an already two-factor authentication.

  16. Re:ugh... 4.5 months - for this? on RSA-576 Factorization Officially Announced · · Score: 1

    "I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem," sez TB.

    I sympathize with your interest in some straightforward measure that would allow you to compare one factoring project with some previous project. I really do.

    Unfortunately, I think you are confusing your irritation with the tardy "formal announcement" of the joint project's success -- the basis for the /. "article" -- with your frustration that the prime researchers (Jens Franke and Thorsten Kleinjung at Bonn University) haven't seen fit to write a report on the labor, work, hardware, and/or software innovations involved in this project -- any report, let alone a paper that would allow you to compare their achievement with other factoring efforts to determine what progress has been made in the state of the art.

    Instead, it seems that they, along with a handful of others, just are the state of the art. ;-)

    (From what I'm told by folks who participated in the RSA576 factoring effort, btw, the primary researchers haven't yet even collected the stats that would be required for a formal paper on the project, so I don't think you will see an academic paper on RSA576 anytime soon.)

    I really don't know what to make of that, other than to repeat what I said earlier: while there has been a lot of standardization in the software typically used in these big NFS projects, much of the progress in this field seems to still be tied to the continuous and gradual improvement in the software and the hardware, and the way the two interact. What stays stable? Anyone who tried to offer comparisons between these factoring projects would probably have to develop some new team-independent "work-unit" metric. (And developing metrics is always a fairly political process too, for good or ill.)

    Have you noticed how these guys always look ahead to the next number they want to factor and guesstimate that their next project will be, say, somewhere between 50 and 100 percent more difficult, more demanding? Nothing precise in those projections either, is there?

    It seems to me that, in at least one stage, these projects typically involve the search for a solution that is pseudo-randomly located somewhere in a search-space of tens of millions -- so they are always burdened with the role that luck inevitably plays in whether they stumble upon the solution early or late in their search.

    When luck can maybe double your work-load -- whatever the statistical probabilities are supposed to be -- it becomes difficult to give a lot of weight to any metric that measures (in machines, hours, cycles, "work units") the actual work involved in factoring one number -- and harder still to use that result as a gauge of how much work will actually be required in the next project.

    I too would like to be able to get a handle on the state of the art, I suppose, but I fear that the only people able to really discuss it would be talking about technical advances -- details down in the applied theory, if not the theory, per se -- that I suspect neither you nor I could really comprehend or appreciate.

    This thread has been passed by, but I didn't want to leave you without a response, since I had sort of growled at you earlier. I know /. will at least drop you a note that a response has been posted here.

    _Ararat

  17. Re:Fantastic. on iTunes 4.5 Authentication Cracked · · Score: 2, Interesting

    I think your vision of civilization is seriously warped, and your grasp of Japanese history is terribly flawed. While Tokugawa exhibited genius in uniting Japan into a single nation under the Shogunate, the culture that evolved from his social theories trapped Japan, for centuries, into a static class-ridden state that rejected change, both social and technological innovation, and was very much the equivalent of the European Dark Ages.

    The elevation of the samurai to a ruling class, and the rigid caste system that they enforced, froze Japan's cultural development and reduced what had been a vital nation into a backward and primitive country that was fragile and all but helpless when it confronted aggressive US and Western neo-colonialism in the mid-1900s.

    (It remains to be seen if such a model, a culture largely shaped by fear of change and innovation -- and a desperate effort to freeze an economic elite in power by oppressive laws -- will prove irresistible to the RIAA and the US Congress;-)

    For the vast majority of Japanese subjects, the experience of the Shogunate -- despite the peace that it brought to their nation -- must have been excruciatingly terrible. You were what you were born to be, period. Social mobility disappeared. Economic development, technical development, social development, and political development were all but brought to a grinding halt. Even the damn wheel seems to have been forbidden on carriages. Women (even samurai women) were, for the first time, forced into a state of utter dependence on males.

    Rule by oppressive soldiers -- soldiers, mind you, in a centuries-long interregnum in which there was no war -- made for a sad, damaged, pitiful, feudal society that is only retroactively redeemed in its ruling class poetry and Bushido myths.

    By the mid-19th Century, culminating in the Imperial Restoration, the social structure had become so corrupt and self-destructive that -- when it briefly confronted the West -- it collapsed into a fascist monarchist revolution that set the stage for the aggressive Japanese militarism and imperialism that roiled Asia and the world for 50 years, until the WWII surrender placed them in MacArthur's thrall.

    Step cautiously when you recommend Tokugawa's social vision. The new millennium already has an overabundance of fearful powerful folk and "leaders" who dream of extending the status quo indefinitely.

    _Ararat

  18. Re:ugh... 4.5 months - for this? on RSA-576 Factorization Officially Announced · · Score: 1

    Jeeze, what planet (or university) are you from? Someplace where Google or Copernic is outlawed?

    Mind you, this is a formal announcement, not an article. The technical details are for the researchers to announce; that's not RSA's responsibility. And while the initial report of a factoring success -- and mention of any new technique -- usually spreads quickly over the Net (watch the Yahoo Prime Numbers group), academic papers take longer. And when you're dealing with experts at this level, they'll take their own bloody sweet time -- because they will have already chatted with the handful of peers who can appreciate what they did differently this time.

    (Even coordinating a "joint announcement" among an international group of top academicians, and their respective corporations and universities, typically takes -- trust me -- the patience of Job;-)

    And what are you demanding, anyway: a detailed explanation of how Franke et al tweaked their algorithm for lattice sieving? A report on their new implementation of the block Lanczos algorithm for sparse matrices over F2? You say you want an estimate of how your individual efforts might be compared to (sic) theirs? Pleeeeeeese!

    (You are also wrong to declare that the "last stage" -- the post-processing of the siever output -- hasn't been implemented in a distributed fashion. Franke and friends wrote parallel implementations for both the filtering and the Lanczos step, and they had them running on a Linux cluster at IAM in Bonn a couple of years ago.)

    This is not really a hardware game yet. The difference between my LAN and the 100 workstations they used to crack RSA174 is neither the number nor speed of the CPUs they used -- rather, it's the touch of obsessive genius involved in constantly refining their algorithms, and adapting them to more distributed computing efforts. There's a reason that all these record-breaking factoring efforts involve the same dozen or so famous gentlemen!! Not even the NSA bothers to compete with them in basic research on factoring!

    For a little perspective, visit NSFnet to study up on their G(S)NFS implementation, which was built, at least in part, around the effort to factor this RSA Challenge number.

    There still isn't any efficient G(S)NFS implementation that an individual can use on his own computers to factor numbers over 100 digits.

    Below 100 digits, however, there is Satoshi Tomabechi's PPSIQS.

    See also Chris Monico's GGNFS, which has reportedly been used to successfully factor numbers up to 50 digits or so.

    Please put a leash on your hubris. Demanding that genius be translated into vernacular (and quickly!) is unreasonable, as well as futile.

    _Ararat

  19. These Contests Shape Standards on RSA-576 Factorization Officially Announced · · Score: 1

    ANSI X9F1 -- the influential working group that develops US standards for the financial services industry on data security -- has reportedly decided, at least informally, that 2010 will be the year in which they will require an upgrade from 80-bit to 112-bit crypto security.

    NIST generally follows the lead of X9 in these matters.

    80-bit ciphers are generally understood, on the basis of equivalent resistance to brute force attacks -- the state of the art, as measured by the results in RSA Security's industry-defining crypto contests for both symmetric and RSA public key cryptosystems, and Certicom's ECC equivalents -- to encompass 1024-bit RSA (and DSA), as well as SHA1, Skipjack, and 160-bit ECC.

    112-bit crypto strength is understood to be found in three-key triple-DES, SHA-224, RSA-2048, 224-bit ECC, and other standard cryptosystems with even longer keys.

    This means that any data encrypted today, which must remain secure beyond 2010, should be using at least 112-bit crypto.

    (While there are obviously levels of cryptographic security that lie between these 80-bit and 112-bit ciphers, ANSI X9 and NIST are trying to structure the technical debate in order to simplify their ultimate recommendations on effective security measures.)

    _Ararat
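
    As an added example, not part of Ararat's comment or of any ANSI/NIST text: a small Python checker that encodes the 80-bit and 112-bit equivalence classes the comment lists (1024-bit RSA/DSA, SHA1 and 160-bit ECC at 80 bits; three-key triple-DES, SHA-224, RSA-2048 and 224-bit ECC at 112 bits) and applies the comment's rule that data which must remain secure beyond 2010 needs at least 112-bit strength. The halving rules for hashes and ECC and the meet-in-the-middle figure for three-key triple-DES are standard rules of thumb assumed here, not stated in the post.

```python
# Added example: security-strength classifier built from the equivalences in
# the comment above. RSA/DSA have no simple formula, so they are tabulated;
# the other families use standard rules of thumb (assumptions, see lead-in).
RSA_STRENGTH = {1024: 80, 2048: 112}   # modulus bits -> symmetric-equivalent bits
TRANSITION_YEAR = 2010                   # X9F1's informal 80 -> 112 bit cut-over

def security_bits(family: str, bits: int) -> int:
    """Estimate the symmetric-equivalent security strength of one primitive."""
    family = family.upper()
    if family in ("RSA", "DSA"):
        # Use the largest tabulated modulus size not exceeding the given one.
        known = [k for k in sorted(RSA_STRENGTH) if k <= bits]
        if not known:
            raise ValueError(f"no equivalence tabulated for {family}-{bits}")
        return RSA_STRENGTH[known[-1]]
    if family == "ECC":
        # Generic discrete-log attacks on an n-bit curve cost about 2^(n/2).
        return bits // 2
    if family in ("SHA", "HASH"):
        # Collision resistance of an n-bit digest is about 2^(n/2) (birthday bound).
        return bits // 2
    if family == "3DES":
        # Three-key triple-DES has 168 key bits, but meet-in-the-middle attacks
        # reduce its effective strength to roughly 112 bits.
        return 112 if bits == 168 else 80
    if family in ("AES", "SKIPJACK", "SYMMETRIC"):
        # A well-designed block cipher is credited with its full key length.
        return bits
    raise ValueError(f"unknown family {family}")

def required_strength(secure_until_year: int) -> int:
    """Minimum strength for data that must stay confidential until the given year."""
    return 112 if secure_until_year > TRANSITION_YEAR else 80

def meets_policy(family: str, bits: int, secure_until_year: int) -> bool:
    """True if the primitive satisfies the 80/112-bit rule for that horizon."""
    return security_bits(family, bits) >= required_strength(secure_until_year)

if __name__ == "__main__":
    for fam, n in [("RSA", 1024), ("RSA", 2048), ("ECC", 160), ("SHA", 224)]:
        print(f"{fam}-{n}: {security_bits(fam, n)} bits, "
              f"ok past 2010: {meets_policy(fam, n, 2015)}")
```
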
  20. Re:snake oil on First Bank Transfer via Quantum Cryptography · · Score: 1

    Doesn't it, like most classical security decisions, depend on the value of what is being transmitted and your threat environment? If the Allies had not cracked the German and Japanese codes in WWII, /. would probably be a German-language forum.

    The Nazis, apparently unable to conceive of a technology 2,000 times faster than their electro-mechanical calculators, were probably no less confident of the security of their Ultra channel than we are today in RSApkc. (And no less susceptible to human flaws in implementation and execution, basic science be damned;-)

    QC is interesting because it might become critical for crypto key distribution if the math paradigms behind today's public key cryptosystems crumble before known or unknown threats, technical or mathematical (quantum computing among them). Unlikely in the near term, of course, but not at all impossible.

    The decade-long furor over the NSA's long reach through Echelon, which methodically vacuums the ether and sundry other transport mediums, highlights the fact that only a small fraction of the world's communication is encrypted today, for reasons social, economic, and political. Which is not to say that the NSA, GCHQ, and all their sibling spook shops around the globe did not -- when confronted with the growth of serious crypto users -- reorient the bulk of their research budgets to focus on techniques to subvert the transmission end points, where resistance, if not futile, is rarely rigorous or consistent.

    Sure, few today are likely to jump to QC except as a curiosity -- but, ten years hence, who knows what need will exist in the hearts of men?

    OTOH, it could also become something like Tempest, where a real risk of eavesdropping through emanations was exploded all out of proportion to the real-world threat, swallowing billions of dollars desperately needed elsewhere in the security mix.