Topics

• future topic: keyed message authentication code

News and Errata

• Quicktime 7.6 Update for both Mac and Windows, critical, 7 exploits patched
• illegal iWork ’09 with a trojan that will deeply infect your Mac with a bot net
• you have options for your windows automatic update, choose the one right for you, make sure you are patched
• Yubikey, limited size of password discussed last show, someone wrote in to say longer password is possible
• http://cryptolink.com trademark is in place now
• http://My.BarackObama.com forum, people were putting up trojans

Crypto Recap

3.5 year review of all the security pieces that have been talked about

threat model – what is it we can do? what are we trying to do?

for example, we assume the endpoints are secure while we try to secure the communication between the two endpoints – keystroke logger, for example, we can’t secure against – if someone gets physical access, we’re insecure

we assume non-infinite computational power because all of the crypto is subject to brute force attack, no matter how long the key is

“perfect” security? yes, one-time pad – still isn’t secure if someone has physical access

much crypto depends on this fact: it is very easy to multiply two big prime numbers together, not easy to factor the result into those two original primes

taking something to a power is easy, taking the log is hard – also a fundamental assumption of security at present

you want there not to be a single point of failure, even if single communications is cracked, all the rest of the communications should still be secure – a single shared key is a bad idea for this reason

assume endpoints secure, path inbetween (the internet) totally insecure

what do we mean by security? in this context where we’re protecting traffic between two endpoints, we want 3 things:

1. confidentiality, interceptor in the middle cannot read the messages
2. integrity of message, guard against message being modified
3. authenticate the endpoints, are we really talking who we think we are?

encryption gives confidentiality, symmetric (same key at both ends used to encrypt and decrypt), asymmetric (two different keys used, one to encrypt a random symmetric key that’s used to encrypt the message, the other to decrypt that symmetric key), key agreement

message integrity, using hashes to create a signature (md5, sha1, etc), a hash is a digest of a much-larger communication, a fingerprint – any change to the original message will change that fingerprint – not computationally feasible to make a change to the original message and deliberately produce the same signature – md5 has been broken in this respect

in a couple of weeks we’ll talk about keyed digest, giving an authenticated signature, which we don’t have now

endpoint authentication, certificates and chain of trust anchored to a root authority

get yours here.

iron wil

So, I have been thinking about this and pondering what Apple may be doing in the next 3 to 5 years. I mean we have iTunes and Quicktime for Windows; and earlier this year they released Safari for Windows [much to the chagrin of the Firefox community - speaking of the keynote]. I think that we are going to see three things happen, all of the ⁽¹⁾iLife and ⁽²⁾iWork Suites will be released for 79$ to Windows users. Then finally Apple will release ⁽³⁾OX for beige box hardware. Now you are thinking what’s the catch? Well, the way I see it, they would provide a list of hardware that they have written drivers for or they will form partnerships and “encourage” the vendors to write drivers according to their specs.

Okay, breathe now, get out your paper bag. If they are a software company as Steve & Co. claim it would only make sense to offer their software to every computer user no matter what hardware they are using. I will have to admit that would really change the dynamics of the “PC” market. Just think HP, Dell, Alienware, all offering Windows, Linux, and OS X! Really think about it, cheaper pc hardware and one of the safest operating systems in the world for 129$.

Think of the OS X on x86 team, proving that Tiger for Intel can run on a WinBox pc. Yes, it totally voids the warranty and is totally illegal according to Apple Legal. However, it is being done. Now Apple just has to make it official. I would love to get a cheap Dell laptop for 1000$ and be able to run OS X on it; however, it is more likely that I will be getting a cheap Dell with XP and then dual boot Ubuntu [fav Linux distro]. After, I have saved up enough $$ for that fully loaded 17″ MacBook Pro [can you say triple boot!!!] I will be happy to purchase my dream laptop, but for now . . ..

I don’t know if these ideas are out of the question, yet it seems to be a logical progression to me. It could very well never happen or it could happen in a year from now. We don’t really know what Apple Computer Inc. is doing until leaks find their way out of Apple’s InfoDam.

Personally, I am excited to see what they are up to, their products turn heads. Their hardware is cutting edge design, and they prove time and time again that Apple knows how to create a product frenzy [can you say iPod or iPhone?].

iron wil

Notes:

1) Ars Technica, Ars Technica Article on OX on Intel/AMD.