<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sat, 09 Sep 2006 17:00:21 -0000</lastBuildDate><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320470</link><description>This reminds me a bit of Ross Anderson's Guy Fawkes protocol. Of course the point there was to remain anonymous and yet prove that one had predicted something. &lt;br&gt;&lt;br&gt;&lt;a href="http://www.cl.cam.ac.uk/%7Erja14/Papers/fawkes.pdf" rel="nofollow"&gt;http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lucas Nelson</dc:creator><pubDate>Sat, 09 Sep 2006 17:00:21 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320469</link><description>The idea was discussed in a class by Claude Crépeau back in 1994, at least. 
&lt;br&gt;Definitely not a new idea, but still interesting.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anton Stiglic</dc:creator><pubDate>Sat, 09 Sep 2006 10:06:00 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320468</link><description>Peter Honeyman, as usual, rules.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 08 Sep 2006 01:04:14 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320467</link><description>peter honeyman did this almost a decade ago with the publication of some vulnerabilities in Schlumberger's Java smartcard - he mailed them a copy of the Michigan Daily's classified section, where he'd taken out an ad containing the MD5 hash of his advisory (which i can't find anymore, but some photographic evidence still exists :-)&lt;br&gt;&lt;br&gt;&lt;a href="http://www.citi.umich.edu/projects/smartcard/leon.html" rel="nofollow"&gt;http://www.citi.umich.edu/projects/smartcard/le...&lt;/a&gt;&lt;br&gt;&lt;a href="http://www.citi.umich.edu/projects/smartcard/smartcard-testbed.html" rel="nofollow"&gt;http://www.citi.umich.edu/projects/smartcard/sm...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dugsong</dc:creator><pubDate>Fri, 08 Sep 2006 00:40:23 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320466</link><description>Well, right, or in that this still requires 
infrastructure (i.e. public mailing lists whose operators are unlikely to collude with you) but infrastructure we already have and rely on, at least to a degree.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Moniz</dc:creator><pubDate>Thu, 07 Sep 2006 17:12:58 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320465</link><description>That suggestion seems sound, but it's not in the spirit of the original proposal. If we had an actual online notary for our advisories then, like Ryan suggested, we could simply encrypt them and file them.&lt;br&gt;&lt;br&gt;This proposal works in the absence of any infrastructure. Unless someone tells me "you idiot, this won't work because...", we'll probably publish most of our advisory backlog this weekend using it.&lt;br&gt;&lt;br&gt;One extension I came up with since last night: tack a key to the end of your advisory before you notarize it (head /dev/urandom | openssl sha1). 
This gives you the option, though you probably won't take it, of publishing an advisory later WITHOUT disclosing how long the vendor took (just change the key).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 17:06:05 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320463</link><description>Heck, I'm a little bored too.&lt;br&gt;&lt;br&gt;I haven't looked at Tom's idea above more than just the initial glance to read the post (i.e., I haven't read it in detail yet), but to point out other potential ways you could extend this or augment it, here are some ideas.&lt;br&gt;&lt;br&gt;Add blinding, and a third party to be the notary. The canonical (Applied Crypto, 2nd Ed.) simple example is something like (from memory):&lt;br&gt;&lt;br&gt;1. Peter Pwnerson takes his exploit (code and notes, or whatever) and multiplies it by a random value. Peter now has a blinded exploit and the random value is a blinding factor.&lt;br&gt;&lt;br&gt;2. Peter sends the blinded exploit to Nancy Notary.&lt;br&gt;&lt;br&gt;3. Nancy signs the blinded document.&lt;br&gt;&lt;br&gt;4. Peter divides the blinded exploit by the blinding factor, leaving the original exploit, signed by Nancy.&lt;br&gt;&lt;br&gt;There are, of course, a whole bunch of caveats regarding randomness, etc. Mostly this helps Tom's protocol, which relies on Peter to create the timestamp and can be subverted. Nothing stops me from backdating a bunch of stuff, except maybe that no one saw me "publish" the hash when I claim I did. 
Still.&lt;br&gt;&lt;br&gt;One other somewhat related thing I've been idly thinking about this week has been what kind of real-world zero-knowledge protocol could be implemented to address the issue that David Maynor and Jon Ellch have been dealing with.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Moniz</dc:creator><pubDate>Thu, 07 Sep 2006 16:47:27 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320462</link><description>While I agree with Dan, it's worth noting that if I was pen-testing this system, I wouldn't aim at the hash function first. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 16:36:45 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320461</link><description>If you care about the integrity of hashes for potentially years and decades into the future, as Tom's use proposes, *right now*, you shouldn't be using MD5 or SHA1, you should be using SHA-256 or SHA-512 (skip SHA-384), and you should be looking to move to something better in a few years as SHA in general looks worse with each year's Crypto conference.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Moniz</dc:creator><pubDate>Thu, 07 Sep 2006 16:28:59 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320460</link><description>Right this very second, as far as those of us in the general populace can 
tell, SHA1 is WAY better than MD5.  As in, SHA1 is only (publicly) broken for reduced-round attacks, for (I think) two chosen plaintexts.  I haven't been able to find yet what "broken" is either, in terms of how many bits do I have to brute force?  Is it 64 bits, or what?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Thu, 07 Sep 2006 14:44:04 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320459</link><description>Raymond Chen had a similar idea:&lt;br&gt;&lt;a href="http://blogs.msdn.com/oldnewthing/archive/2006/05/23/604743.aspx" rel="nofollow"&gt;http://blogs.msdn.com/oldnewthing/archive/2006/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;(It provoked a really interesting response: people thought it was a challenge to decode his prediction!)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark</dc:creator><pubDate>Thu, 07 Sep 2006 14:24:15 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320458</link><description>Did I slip up and say MD5 somewhere?&lt;br&gt;&lt;br&gt;How much better is SHA1 at this point anyways?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 13:57:44 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320457</link><description>MD5 is completely insecure against collisions.  May I never hear it mentioned by you or Josh again.  
Just in case you forgot, you're a SECURITY consultant.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nate</dc:creator><pubDate>Thu, 07 Sep 2006 13:38:56 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320456</link><description>A number of years ago, about when I started the vuln-dev list, I wanted to start a second mailing list.  The purpose of the list would be to post encrypted emails.  Such emails could include things like PGP passphrase-encrypted notes.  The assumption is that the list would be mirrored in enough places so that there would be little chance of archive tampering.&lt;br&gt;&lt;br&gt;One of the purposes of such a list was for people to post their encrypted exploits.  That way, they could just post the key at a later date, and prove that they had something at a particular time.&lt;br&gt;&lt;br&gt;The hash version is perhaps a little more elegant.  Though, the hash algorithms need to quit failing so fast.&lt;br&gt;&lt;br&gt;For some reason, SecurityFocus wasn't interested in hosting such a list, go figure.  So I never started it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Thu, 07 Sep 2006 10:58:51 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320455</link><description>You could scan the printed docs and the certified mail label and post those.  
But yeah, for the internet a *published* signed md5 is probably better</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josh Daymont</dc:creator><pubDate>Thu, 07 Sep 2006 10:49:43 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320454</link><description>Yeah, but you can't post the certified mail on your web site to take credit. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 10:15:49 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320453</link><description>reminds me of vulnerability escrow except it doesn't require a trusted 3rd party... i think the trusted 3rd party would solve the trusted timestamp problem though...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Thu, 07 Sep 2006 09:08:41 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320452</link><description>Or, you could go Old Skool: type up the details and send them to yourself via certified mail.  
Then, when you're running low on ego, control, or competition, you unseal the envelope and prove you were there first.&lt;br&gt;&lt;br&gt;This mechanism may also have the added value of being one that courts are familiar with.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris</dc:creator><pubDate>Thu, 07 Sep 2006 09:00:19 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320451</link><description>Also, I'm guessing the utility of this is less obvious if you're not even telling the vendor before you post vulnerabilities, let alone waiting for a patch. ;)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 08:12:22 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320450</link><description>No, just frustrated that we can't get stuff published.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 07 Sep 2006 07:43:38 -0000</pubDate></item><item><title>Re: Notarized Advisories: Prove You Found Something Without Giving Up Secrets</title><link>http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/#comment-2320449</link><description>hahhaha you must be bored. :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tom ferris</dc:creator><pubDate>Thu, 07 Sep 2006 01:01:21 -0000</pubDate></item></channel></rss>