News in the Category "Type"
Page 94 of 97
Crypto Guru Bruce Schneier Answers
Most of the questions we got for crypto guru Bruce Schneier earlier this week were pretty deep, and so are his answers. But even if you’re not a crypto expert, you’ll find them easy to understand, and many of Bruce’s thoughts (especially on privacy and the increasing lack thereof) make interesting reading even for those of you who have no interest in crypto because you believe you have “nothing to hide.” This is a *long and strong* Q&A session.
First Bruce says, by way of introduction…
“I’d like to start by thanking people for sending in questions. I enjoyed answering all of them…
Editors' Choice: Security Suites
Excerpt
The Internet is not a danger zone, but you do need to take steps to safeguard your PC and your privacy. Of the products we tested, these four tools offer the best personal protection.
…
Password Safe 1.7
Counterpane Systems’ Password Safe is an easy, secure, and free solution to the password problem. Password Safe locks all of your user names and passwords in a vault and encrypts them using the strong Blowfish algorithm for maximum protection.
Windows-Based VPNs Not "Industrial Strength"?
In a paper released last week, computer security specialists from Counterpane Security and L0pht Heavy Industries went over with a fine-tooth comb Microsoft Corp.’s built-in Windows virtual private network (VPN) support.
Their target: Microsoft Point-to-Point Tunneling Protocol (PPTP) version 2. Their conclusions? While better than version 1, MS PPTP still leaves VPNs open to attack.
PPTP is a generic protocol that allows Point-to-Point Protocol (PPP) connections to pass through firewalls. The resulting connection is treated as if it had originated behind the firewall, creating a VPN. MS PPTP is Microsoft’s implementation of the PPTP, and is built into the Windows 95, 98, and NT operating systems. While VPN vendors are increasingly moving towards IPSec, PPTP remains important because of its wide distribution on Windows platforms…
Applied Cryptography / Bruce Schneier
This review also appeared in Slashdot.
More than any other field in computer science, cryptography is associated with computer warfare. Recent international treaties define cryptographic algorithms as weapons, and the laws of many countries prohibit either the development, the usage, or the export of cryptographic algorithms. Yet while feared by governments, cryptography is one of the most fascinating—and useful—fields of algorithmics.
The whole point of cryptography is to solve problems. (Actually, that’s the whole point of computers—something many people tend to forget.) Cryptography solves problems that involve secrecy, authentication, integrity, and dishonest people. You can learn all about cryptographic algorithms and techniques, but these are academic unless they can solve a problem…
Random Acts of Cryptography
For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.
PRNGs generate numbers based on a variety of factors, such as a user’s mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key. PRNGs fail, insists Schneier, because hackers can intercept the entropy source and thus predict the output. His response is Yarrow, a new PRNG with an expanded source that creates a larger, less predictable pool. “We’ve added new randomness,” says Schneier of Yarrow’s unique entropy pool, “like radio noise, arrival times of network packets, and disk-drive latency. Even if the source is turned off,” he says, “it still works.”…
Cryptographers Seek DES Successor
The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world’s top cryptographers convene to review proposals for a new, advanced encryption standard.
Officials at the National Institute for Standards and Technology (NIST) will kick off the first round of “evaluation and analysis” of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.
“This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work,” said Miles Smid, manager of NIST’s security technology group…
Strong Cryptography Can't Protect a Weak System
Despite oven-hot July heat, a recent trip to Las Vegas to hear Bruce Schneier speak to IT security pros and customers at the second annual Black Hat Briefings (www.blackhat.com) was well worthwhile.
In remarks titled “A Hacker Looks at Cryptography,” Schneier punctured the hype that often surrounds his own area of expertise. You might not expect to hear Schneier, author of the widely praised book “Applied Cryptography,” reminding an audience of a comment that’s often quoted, but that neither of the suspected sources will admit to having made: “If you think cryptography can solve your problem, then you don’t understand your problem and you don’t understand cryptography.”…
Twofish Heads to Washington
A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.
Twofish, the sequel to Schneier’s 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.
Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a “secret key” and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware…
Firm Finds Big Security Holes in Windows NT
Flaws in Microsoft Corp.’s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday. “We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis,” said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. “Any Microsoft NT server on the Internet is insecure.”
Counterpane discovered the problems while doing a security analysis on a Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft confirmed the security problems later the same day…
Cryptographer Slams NT Security
A top cryptographer said Microsoft’s version of a key protocol in Windows NT is so flawed that users should avoid using virtual private network software based on Microsoft’s Point to Point Tunneling Protocol.
Bruce Schneier, a noted cryptographer, said the PPTP in Windows NT 4.0 is so broken it can’t be fixed with patches—a position that Microsoft disputes.
“I believe it’s fundamentally broken,” said Schneier, who authored a widely used cryptography textbook. “What we’re seeing is the basic problem of proprietary security standards. These are really dumb mistakes, kindergarten crypto.”…
Sidebar photo of Bruce Schneier by Joe MacInnis.