Message-ID: <4C328B85.7030005@gce.com>
Date: Mon, 05 Jul 2010 21:48:53 -0400
From: Mary and Glenn Everhart <Everhart@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 65, Issue 7

Might I suggest that, in addition to discussing how to defend against
software attacks, it is also useful to devise methods and protocols
that will function even where the systems being used to communicate are
infected with malware?

I have wondered whether such tricks as oblivious transfer might be used
in such connection, but thus far nothing has occurred at least to me.

However, it is possible to build systems that are pure software and
which can resist a few attacks. Repeated uses can of course enable an
attacker to deduce what is going on. However, if the systems may have
hardware components, it is possible to do very much better.
Bidirectional authentication and transaction signing (which I fear are
elements that are all needed) can be achieved.

Perhaps others will be able to find resistant systems that might (also)
use the human mind as part of the protocols and which might provide the
elements for supporting transactions whether the systems used are
attacked or not, provided only that the transaction information can get
back and forth. (Attacks that simply in effect cut the wire should be
noticeable as producing a failed transaction, but cannot very well allow
one to succeed whatever one does.)

Glenn Everhart
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/