Re: Exponent 3 damage spreads...

2006-09-28 Thread Erik Tews
On Monday, 25.09.2006, at 01:28 +0200, Philipp Gühring wrote: Hi, We have been researching which vendors were generating Exponent 3 keys, and we found the following until now: * Cisco 3000 VPN Concentrator * CSP11 * AN.ON / JAP (they told me they would change it on the next day)

Re: interesting HMAC attack results

2006-09-28 Thread Alexander Klimov
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, by Scott Contini and Yiqun Lisa Yin (*) On Mon, 25 Sep 2006, Anton Stiglic wrote: Very interesting, I wonder how this integrates with the following paper http://citeseer.ist.psu.edu/bellare06new.html (**)

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Richard Salz
From a security point of view, shar has obvious problems :-) Really, what? There are things it doesn't do, but since it's only a packaging format that's a good thing. /r$ -- STSM, Senior Security Architect SOA Appliances Application Integration Middleware

Re: fyi: On-card displays

2006-09-28 Thread Anne Lynn Wheeler
and for a whole lot of drift with respect to smartcards being pda/cellphone wannabes Storm building over RFID-enabled passports http://www.networkworld.com/news/2006/092106-rfid-passports.html from above: The chip, which is embedded inside the cover of the passport, contains only a duplicate

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Travis H.
On 9/26/06, Richard Salz [EMAIL PROTECTED] wrote: Really, what? There are things it doesn't do, but since it's only a packaging format that's a good thing. Though there are unshar tools, typically people run it as input to /bin/sh, usually without reading through it (and given the level of

National Security Agency ex-classified publication indexes now online

2006-09-28 Thread John Gilmore
[The Memory Hole also publishes an interesting list of FOIA logs, listing who asked NSA for what, across many years. I see a lot of friends in there. http://www.thememoryhole.org/foi/caselogs/ -- gnu] HUGE CACHE OF NATIONAL SECURITY AGENCY INDEXES PUBLISHED ONLINE By Michael Ravnitzky ,

Re: Exponent 3 damage spreads...

2006-09-28 Thread Ralf-Philipp Weinmann
On Sep 25, 2006, at 10:29 AM, Simon Josefsson wrote: Leichter, Jerry [EMAIL PROTECTED] writes: I agree that there are two issues, and they need to be treated properly. The first - including data after the ASN.1 blob in the signature computation but then ignoring it in determining the

RE: Exponent 3 damage spreads...

2006-09-28 Thread Kuehn, Ulrich
From: Ralf-Philipp Weinmann [...] Relevant files to this problem that were patched turned out to be security/nss/lib/cryptohi/secvfy.c and nss/lib/util/secdig.c. Have a look at the function DecryptSigBlock() in secdig.c, lines 92-95 /* make sure the parameters are not too

Interesting paper on PKI and TRUSTe

2006-09-28 Thread Aram Perez
Abstract Widely-used online trust authorities issue certifications without substantial verification of the actual trustworthiness of recipients. Their lax approach gives rise to adverse selection: The sites that seek and obtain trust certifications are actually significantly less

Re: fyi: On-card displays

2006-09-28 Thread Anne Lynn Wheeler
[EMAIL PROTECTED] wrote: From: Ian Brown [EMAIL PROTECTED] Subject: On-card displays To: [EMAIL PROTECTED] Date: Wed, 20 Sep 2006 07:29:13 +0100 Via Bruce Schneier's blog, flexible displays that can sit on smartcards. So we finally have an output mechanism that means you don't have to trust

Re: fyi: On-card displays

2006-09-28 Thread Anne Lynn Wheeler
Steve Schear wrote: I have a Mondex card from years ago that used a separate reader with LCD. we were asked to do the design/sizing/cost for mondex infrastructure in the us. one of the things that turned up was much of the mondex infrastructure was based on float (initially essentially all

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Leichter, Jerry
| *That* is the Right Way To Do It. If there are variable parts (like | hash OID, perhaps), parse them out, then regenerate the signature data | and compare it byte-for-byte with the decrypted signature. | | You know, this sort of reminds me of a problem with signatures on | tar.gz files.

Circle Bank plays with two-factor authentication

2006-09-28 Thread Ed Gerck
Circle Bank is using a coordinate matrix to let users pick three letters according to a grid, to be entered together with their username and password. The matrix is sent by email, with the user's account sign on ID in plaintext. Worse, the matrix is pretty useless for the majority of users,

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Greg Rose
At 14:33 -0400 2006/09/28, Leichter, Jerry wrote: | VMS has for years had a simple CHECKSUM command, which had a variant, CHECKSUM/IMAGE, applicable only to executable image files. It knew enough about the syntax of executables to skip over irrelevant metadata like link date and time. (The

Re: Circle Bank plays with two-factor authentication

2006-09-28 Thread Leichter, Jerry
| Circle Bank is using a coordinate matrix to let | users pick three letters according to a grid, to be | entered together with their username and password. | | The matrix is sent by email, with the user's account | sign on ID in plaintext. | | Worse, the matrix is pretty useless for the

Re: Circle Bank plays with two-factor authentication

2006-09-28 Thread pat hache
Here, (Mexico) BBVA / Bancomer uses 24 special three-digit numbers on a card you need to have at hand to access your account after login and username... the system asks you one of those 24 numbers to allow each session - entry. supposed to be effective. dunno if there is a similar system

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Greg Black
On 2006-09-28, Leichter, Jerry wrote: VMS has for years had a simple CHECKSUM command, which had a variant, CHECKSUM/IMAGE, applicable only to executable image files. It knew enough about the syntax of executables to skip over irrelevant metadata like link date and time. (The checksums