Lessons learned in implementing and deploying crypto software

Proceedings of the 11th USENIX Security Symposium

Volumn , Issue , 2002, Pages

  Gutmann, Peter ^a  

^a UNIVERSITY OF AUCKLAND   (New Zealand)

Author keywords

[No Author keywords available]

Indexed keywords

BASIC BUILDING BLOCK; PROBLEM AREAS; REAL-WORLD EXPERIENCE; SAFETY FEATURES; SECURITY PROPERTIES; SECURITY SOFTWARE;

CRYPTOGRAPHY;

EID: 85084163781     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (59)

1. “The Design of a Cryptographic Security Architecture”, Peter Gutmann, Proceedings of the 1999 Usenix Security Symposium, August 1999, p.153.
2. “cryptlib Security Toolkit”, http://www.cs.auckland.ac.nz/~pgut001/cryptlib/.
3. “Why Cryptosystems Fail”, Ross Anderson, Proceedings of the ACM Conference on Computer and Communications Security, 1993, p.215.
4. “Why Cryptosystems Fail”, Ross Anderson, Communications of the ACM, Vol.37, No.11 (November 1994), p.32.
5. “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0”, Alma Whitten and J.D.Tygar, Proceedings of the 1999 Usenix Security Symposium, August 1999, p.169.
6. “Secrets and Lies”, Bruce Schneier, John Wiley and Sons, 2000.
7. “Building Secure Software”, John Viega and Gary McGraw, Addison-Wesley, 2001.
8. “Security Engineering”, Ross Anderson, John Wiley and Sons, 2001.
9. “Writing Secure Code”, Michael Howard and David LeBlanc, Microsoft Press, 2001.
10. “Linux Security”, Ramón Hontañón, Sybex, 2001.
11. ”How to break Netscape’s server key encryption”, Peter Gutmann, posting to the cypherpunks mailing list, message-ID 84366802803808@-cs26.cs.auckland.ac.nz, 25 September 1996.
12. ”How to break Netscape’s server key encryption - Followup”, Peter Gutmann, posting to the cypherpunks mailing list, message-ID 84373168812186@cs26.cs.auckland.-ac.nz, 26 September 1996.
13. “PFX: Personal Information Exchange Syntax and Protocol Standard”, version 0.019, Microsoft Corporation, 1 September 1996.
14. “PFX: Personal Information Exchange APIs”, version 0.019, Microsoft Corporation, 1 September 1996.
15. ““PFX: Personal Information Exchange Syntax and Protocol Standard”, version 0.020, Microsoft Corporation, 27 January 1997.
16. “PFX — How Not to Design a Crypto Protocol/Standard”, Peter Gutmann, http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html.
17. “Personal Information Exchange Syntax Standard”, PKCS #12, RSA Laboratories, 24 June 1999.
18. “VeriSign Certification Practice Statement (CPS), Version 2.0”, Verisign, 31 August 2001.
19. “How to recover private keys for Microsoft Internet Explorer, Internet Information Server, Outlook Express, and many others — or — Where do your encryption keys want to go today?”, Peter Gutmann, http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt, 21 January 1998.
20. “How to recover private keys for various Microsoft products”, Peter Gutmann, posting to the cryptography@c2.net mailing list, message-ID 88531016604880@cs26.cs.auckland.-ac.nz, 21 January 1998.
21. “An update on MS private key (in)security issues”, Peter Gutmann, posting to the cryptography@c2.net mailing list, message-ID 88650938015887@cs26.cs.auckland.-ac.nz, 4 February 1998.
22. “PGP User’s Guide, Volume I: Essential Topics”, Philip Zimmermann, 11 October 1994.
23. “Re: Purpose of PEM string”, Doug Porter, posting to pem-dev@tis.com mailing list, message-ID 93Aug16.003350pdt.13997-2@well.sf.ca.us, 16 August 1993.
24. th Annual International Conference on Mobile Computing and Networking (Mobicom 2001), 2001.
25. th Systems Administration Conference (LISA’99), November 1999, p.1.
26. “A Security Risk of Depending on Synchronized Clocks”, Li Gong, Operating Systems Review, Vol.26, No.1 (January 1992), p.49.
27. “A Note on the Use of Timestamps as Nonces”, B.Clifford Neuman and Stuart Stubblebine, Operating Systems Review, Vol.27, No.2 (April 1993), p.10.
28. “Limitations of the Kerberos Authentication System”, Steven Bellovin and Michael Merritt, Proceedings of the Winter 1991 Usenix Conference, 1991, p.253.
29. “Systematic Design of Two-Party Authentication Protocols”, Ray Bird, Inder Gopal, Amir Herzberg, Philippe Janson, Shay Kutten, Refik Molva, and Moti Yung, Advances in Cryptology (Crypto’91), Springer-Verlag Lecture Notes in Computer Science No.576, August 1991, p.44.
30. “KryptoKnight Authentication and Key Distribution System”, Refik Molva, Gene Tsudik, Els Van Herreweghen and Stefano Zatti, Proceedings of the 1992 European Symposium on Research in Computer Security (ESORICS’92), Springer-Verlag Lecture Notes in Computer Science No.648, 1992, p.155.
31. “The KryptoKnight Family of Light-Weight Protocols for Authentication and Key Distribution”, Ray Bird, Inder Gopal, Amir Herzberg, Philippe Janson, Shay Kutten, Refik Molva, and Moti Yung, IEEE/ACM Transactions on Networking, Vol.3, No.1 (February 1995), p.31.
32. “Network Security”, Charlie Kaufman, Radia Perlman, and Mike Speciner, Prentice-Hall, 1996.
33. “Yaksha: Augmenting Kerberos with Public Key Cryptography”, Ravi Ganesan, Proceedings of the 1995 Symposium on Network and Distributed System Security (NDSS’95), February 1995, p.132.
34. “The Yaksha Security System”, Ravi Ganesan, Communications of the ACM, Vol.39, No.3 (March 1996), p.55.
35. “The Kerberos Network Authentication Service (V5)”, RFC 1510, John Kohl and B.Clifford Neuman, September 1993.
36. “Jonah: Experience Implementing PKIX Reference Freeware”, Mary Ellen Zurko, John Wray, Ian Morrison, Mike Shanzer, Mike Crane, Pat Booth, Ellen McDermott, Warren Marcek, Ann Graham, Jim Wade, and Tom Sandlin, Proceedings of the 1999 Usenix Security Symposium, 1999, p.185.
37. ”Phase II Bridge Certification Authority Interoperability Demonstration Final Report”, A&N Associates Inc, prepared for the Maryland Procurement Office, 9 November 2001.
38. “Internet X.509 Public Key Infrastructure: Time-Stamp Protocol (TSP)”, RFC 3161, Carlisle Adams, Pat Cain, Denis Pinkas, and Robert Zuccherato, August 2001.
39. “Re: A history of Netscape/MSIE problems”, Phillip Hallam-Baker, posting to the cypherpunks mailing list, message-ID 3238962F.1372@-ai.mit.edu, 12 September 1996.
40. “Re: Problem Compiling OpenSSL for RSA Support”, David Hesprich, posting to the openssl-dev mailing list, 5 March 2000.
41. “Re: “PRNG not seeded” in Window NT”, Pablo Royo, posting to the openssl-dev mailing list, 4 April 2000.
42. “Re: PRNG not seeded ERROR”, Carl Douglas, posting to the openssl-users mailing list, 6 April 2001.
43. “Bug in 0.9.5 + fix”, Elias Papavassilopoulos, posting to the openssl-dev mailing list, 10 March 2000.
44. “Re: setting random seed generator under Windows NT”, Amit Chopra, posting to the openssl-users mailing list, 10 May 2000.
45. “1 RAND question, and 1 crypto question”, Brian Snyder, posting to the openssl-users mailing list, 21 April 2000.
46. “Re: unable to load ‘random state’ (OpenSSL 0.9.5 on Solaris)”, Theodore Hope, posting to the openssl-users mailing list, 9 March 2000.
47. “RE: having trouble with RAND_egd()”, Miha Wang, posting to the openssl-users mailing list, 22 August 2000.
48. “Re: How to seed before generating key?”, ‘jas’, posting to the openssl-users mailing list, 19 April 2000.
49. “Re: “PRNG not seeded” in Windows NT”, Ng Pheng Siong, posting to the openssl-dev mailing list, 6 April 2000.
50. “Re: Bug relating to /dev/urandom and RAND_egd in libcrypto.a”, Louis LeBlanc, posting to the openssl-dev mailing list, 30 June 2000.
51. “Re: Bug relating to /dev/urandom and RAND_egd in libcrypto.a”, Louis LeBlanc, posting to the openssl-dev mailing list, 30 June 2000.
52. “Re: PRNG not seeded ERROR”, Carl Douglas, posting to the openssl-users mailing list, 6 April 2001.
53. “Error message: random number generator:SSLEAY_RAND_BYTES / possible solution”, Michael Hynds, posting to the openssl-dev mailing list, 7 May 2000.
54. “Re: Unable to load 'random state' when running CA.pl”, Corrado Derenale, posting to the openssl-users mailing list, 2 November 2000.
55. “OpenSSL Frequently Asked Questions”, http://www.openssl.org/support/faq.html.
56. “Re: Announcing Public Availability of NoHTML for Outlook 2000/2002”, Vesselin Bontchev, posting to the ntbugtraq@listserv.ntbugtraq.com mailing list, message-ID 5.1.0.14.0.20011217140633.-035a3a60@127.0.0.1, 17 December 2001.
57. “IIS 4.0 SSL ISAPI Filter Can Leak Single Buffer of Plaintext (Q244613)”, Microsoft Knowledge Base article Q244613, 17 April 2000.
58. “Patch Available for Windows Multithreaded SSL ISAPI Filter Vulnerability”, Microsoft Security Bulletin MS99-053, 2 December 1999.
59. “PKI: It’s Not Dead, Just Resting”, Peter Gutmann, to appear.