| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 05 Jul 2010 21:48:53 -0400 From: Mary and Glenn Everhart <Everhart@....com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Full-Disclosure Digest, Vol 65, Issue 7 Might I suggest that in addition to discussing how to defend against software attacks, that it is also useful to devise methods and protocols that will function even where the systems being used to communicate are infected with malware? I have wondered whether such tricks as oblivious transfer might be used in such connection, but thus far nothing has occurred at least to me. However, it is possible to build systems that are pure software and which can resist a few attacks. Repeated uses can of course enable an attacker to deduce what is going on. However, if the systems may have hardware components, it is possible to do very much better. Bidirectional authentication and transaction signing (which I fear are elements that are all needed) can be achieved. Perhaps others will be able to find resistant systems that might (also) use the human mind as part of the protocols and which might provide the elements for supporting transactions whether the systems used are attacked or not, provided only that the transaction information can get back and forth. (Attacks that simple in effect cut the wire should be noticeable as producing a failed transaction, but cannot very well allow one to succeed whatever one does.) Glenn Everhart _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists