Archive for April, 2006

Of Alice and Bob…

Wednesday, April 19th, 2006

So my colleague Paul Madsen (ha ha — no, that’s not him, although he *is* a “Dr.” — this is him) has published a humorous blog posting about “Alice and Bob” w.r.t. how they are employed in examples in various (Liberty) specifications.

In fact, Alice and Bob have had a long relationship in the security/crypto world, going back into the 1970s it appears, and they have become part of “the tradition” therein.

Here’s an (old) overview of their doings, tying their escapades back into fundamental facets of computer security, cryptography, and information science…

The Story of Alice and Bob

On SAML and Liberty Adoption

Wednesday, April 19th, 2006

The SAMLv1 effort began in earnest in Jan-2001. The Liberty Alliance was kicked off by Sun Microsystems in late Summer 2001 and got rolling by Dec-2001. Official, “OASIS Standard” SAMLv1 specs were published in Nov-2002, and the initial Liberty ID-FFv1 (Identity Federation Framework) specs were published in summer 2001 (based on SAMLv1 drafts), with v1.1 in Jan 2003 (based on OASIS-Standard SAMLv1.0). Subsequently, ID-FFv1.x and SAMLv1.x were formally converged to become SAMLv2.0 — which was issued as an OASIS-Standard spec in March 2005.

It’s now April 2006. The above specs are implemented in various commercial and open-source products (e.g. SAMLv2.0 conformance-tested products). What’s up with deployment? Various people have claimed that “those specs are too complicated and aren’t user-centric, and there isn’t any wide deployment of them” (to sort of paraphrase, but nearly quote).

Well, the Liberty Alliance has done some navel-gazing about this, beginning in earnest last year, and we’ve now published both a “Market Adoption” page (to be periodically updated), and have launched a quarterly “Executive Newsletter” — this first issue of which focuses on adoption.

It looks like deployments are occurring and momentum is building (the term “billions” is used), and we’re proving the above quote wrong. Check it out.

Skype.exe innards revealed…

Thursday, April 6th, 2006

This slide deck, from the recent Black Hat Europe 2006 conference..

..provides an intriguing look inside the Skype executable, revealing the fairly great lengths its creators went to in attempting to obfuscate its code and workings. Also dissected are the ciphering techniques applied to Skype PDUs (protocol data units, aka packets). The deck illustrates creatively effective use of various debugging/disassembling tools. Icing on the proverbial cake are their some-assembly-required instructions for how to patch skype.exe for use in creating your own closed, private P2P network :)

This work adds to the body of openly disseminated information about this very closed P2P network and program. For reference, here are two earlier analyses..