Re: Exponent 3 damage spreads...

2006-09-11 Thread Thierry Moreau



Jostein Tveit wrote:

> Ben Laurie <[EMAIL PROTECTED]> writes:
>
> > ...thought this might interest people here.
>
> Anyone got a test key with a real and a forged signature to test
> other implementations than OpenSSL?

If I understand the attack mathematics correctly, the following 
algorithm should give you an alleged signature value that would be 
mistakenly accepted by a flawed RSA implementation. I didn't implement 
the algorithm, and I will not make suggestions as to a convenient big 
number arithmetic tool to implement it.


Note: The algorithm output value is NOT A FORGED SIGNATURE, since a 
non-flawed RSA signature verification implementation will correctly 
reject it. Nonetheless, using public exponent 3 with any use of RSA 
should be deprecated.


For the record, I am referring to
Hal Finney, "Bleichenbacher's RSA signature forgery based on 
implementation error" Wed, 30 Aug 2006

http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html

Input:

N, large public modulus (of unknown factorization)
h, hash value

Constant:

p: hex 01 FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14

A random binary source (e.g. large enough PRNG output)

Algorithm:

(A) find the largest value of r such that b=(p*2^20+h)*2^(8r) such that 
b+2^(8r)-1

(B) select random a, 0(D) if d^3probability, that's a failure of the approach proposed here, intuition 
suggests that the probability is either very close to zero, or very 
close to one


(E) set alleged signature s=d mod N (indeed, d(merely as a software self-check) that (s^3 mod N) div 2^(8r) equals 
(p*2^20+h)


(F) output alleged signature s

Regards,

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
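Added example, not code from the post above or from any implementation it mentions: the check a correct PKCS#1 v1.5 verifier has to make, using the SHA-1 DigestInfo bytes from the constant p in the post. verify_lax mirrors the flawed parsers Hal Finney's message describes, which stop examining the block once the hash has been read; verify_strict recomputes the whole encoded block and compares every byte, so a block shaped 00 01 FF 00 DigestInfo H garbage is rejected. The block length k = 128 and the message digested are constructed values.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-1: the "30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14" part of the post's constant p
SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")


def pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """Full EM = 00 01 FF..FF 00 || DigestInfo || digest, exactly k bytes (EMSA-PKCS1-v1_5)."""
    t = SHA1_DIGEST_INFO + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_lax(em: bytes, digest: bytes) -> bool:
    """Flawed check: walk the structure and stop after the hash; trailing bytes are never examined."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:   # no minimum padding length enforced either
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGEST_INFO + digest
    return em[i + 1:i + 1 + len(t)] == t


def verify_strict(em: bytes, digest: bytes, k: int) -> bool:
    """Correct check: rebuild the expected block and compare every byte, in constant time."""
    return hmac.compare_digest(em, pkcs1_v15_encode(digest, k))


def rsa_e3_verify(n: int, s: int, digest: bytes, strict: bool = True) -> bool:
    """Public-key step for e = 3: EM = s^3 mod N as a k-byte string, then the padding check."""
    k = (n.bit_length() + 7) // 8
    em = pow(s, 3, n).to_bytes(k, "big")
    return verify_strict(em, digest, k) if strict else verify_lax(em, digest)


def demo():
    """Returns (lax on good, strict on good, lax on forged-shape, strict on forged-shape)."""
    k = 128  # constructed: a 1024-bit modulus
    digest = hashlib.sha1(b"constructed message").digest()
    good = pkcs1_v15_encode(digest, k)
    t = SHA1_DIGEST_INFO + digest
    # Bleichenbacher-shaped block: minimal padding 01 FF 00, hash early, arbitrary bytes after it
    forged_shape = b"\x00\x01\xff\x00" + t + b"\x42" * (k - 4 - len(t))
    return (verify_lax(good, digest), verify_strict(good, digest, k),
            verify_lax(forged_shape, digest), verify_strict(forged_shape, digest, k))
```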


Re: secure key storage APIs

2006-09-11 Thread Ivan Krstić
Travis H. wrote:
> Does anyone know of any OSS OS facilities for managing keys?

Take a look at the GNOME Keyring:

 http://en.wikipedia.org/wiki/GNOME_Keyring
 http://cvs.gnome.org/viewcvs/gnome-keyring/

In addition, various frontends exist to GnuPG, e.g. KGPG. It's not yet
clear, but I might have to write something from scratch to satisfy our
needs at OLPC (http://laptop.org).

-- 
Ivan Krstić <[EMAIL PROTECTED]> | GPG: 0x147C722D



Re: secure key storage APIs

2006-09-11 Thread Ivan Krstić
Perry,

please merge with my previous message; I hit 'send' by mistake.


Also, the following are of general interest:

Henson S., `Netscape certificate database info`:
 http://www.drh-consultancy.demon.co.uk/cert7.html

Henson S., `Netscape key database format`:
 http://www.drh-consultancy.demon.co.uk/key3.html


Cheers,

-- 
Ivan Krstić <[EMAIL PROTECTED]> | GPG: 0x147C722D



Re: Exponent 3 damage spreads...

2006-09-11 Thread Jostein Tveit
Ben Laurie <[EMAIL PROTECTED]> writes:

> ...thought this might interest people here.

Anyone got a test key with a real and a forged signature to test
other implementations than OpenSSL?

Thanks in advance.

Regards,
-- 
Jostein Tveit <[EMAIL PROTECTED]>



Re: Exponent 3 damage spreads...

2006-09-11 Thread Ben Laurie
James A. Donald wrote:
> --
> James A. Donald wrote:
>> > What is the penetration of Secure DNS?
> 
> Ben Laurie wrote:
>> Anyone who is running any vaguely recent version of
>> BIND is DNSSEC enabled, whether they are using it now
>> or not.
> 
> I am not well informed about DNSSEC, but I am under the
> impression that:
> 
> 1.  Actually using DNSSEC is a major performance hit.

No more than using SSL. Well, not much more :-)

> 2.  Actually using DNSSEC requires manual secure master
> public key distribution, which people are disinclined
> to do, and which may not scale very well, unless
> unspecified institutions and arrangements are put in
> place.

Key distribution is, indeed, an open question. Certainly manual key
distribution is not a solution.

> 3.  No one actually uses DNSSEC in the wild.

I don't know whether this is true or not. Finding out what people do and
don't do with DNS is hard.

> Please advise me if these impressions are wrong, or have
> become outdated.
> 
> I realize that I sound like a cold wet sponge with a non
> stop stream of unpleasantly negative posts, but one of
> the reasons that cryptography is not widely used is that
> the various standards, processes, and tools are not in
> fact very usable.

Doesn't bother me any, it's just that I happen to have done work on
DNSSEC, so I figured I should alert those who care to the problem.

> Implementing protocols requires widespread consensus,
> but when too many people show at a meeting then either
> nothing gets done, or the outcome is extremely stupid,
> or both, and anyone who points to big problems in what
> is being done is dismissed as out of order or off topic
> in order to create the semblance of progress, with the
> result that what little progress occurs is usually in
> the wrong direction.

That seems a rather harsh judgement of a working group you say you're
not informed about.

Not that I totally disagree: the work I did on DNSSEC was initially
dismissed as out of order and off topic, and it took a lot of effort to
get people to accept that the problem was genuine. :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



Re: secure key storage APIs

2006-09-11 Thread Thomas

> Any considerations that I'm missing?

Something more general than *-agent but not part of the core OS
might be Novell's CASA. AFAICR it is open source and part of newer
SUSE Linux distributions...


Thomas

-- 
Tom <[EMAIL PROTECTED]>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF



Re: Exponent 3 damage spreads...

2006-09-11 Thread Peter Gutmann
Ben Laurie <[EMAIL PROTECTED]> quotes:

>Since I've been told often that most of the world won't upgrade resolvers,
>presumably most of the world will be vulnerable to this problem for a long
>time.

What you really meant to say was "most of the vanishingly small proportion of
the world that bothers with DNSSEC", right?  So the real vulnerability level
is down somewhere lost in the noise level.

Peter.



Re: Raw RSA

2006-09-11 Thread Alexander Klimov
On Sun, 10 Sep 2006, James A. Donald wrote:
> Could you describe this attack in more detail.  I do not see a
> scenario where it would be useful.

Suppose that an attacker runs an ActiveX control on the user's
computer and the control is able to ask a smart card connected to the
computer to perform raw RSA operations with the user's private key. The
goal of the attacker is to be able to sign some useful messages with
the user's private key *after* the user disconnects his smart card.

> The attacker can encrypt a subset of numbers - those that encrypt to
> a B smooth number, but for this to be useful to him, he has to find
> a number in the subset set that corresponds to what he desires to
> encrypt, which looks like a very long brute force search.

If the attacker needs to sign a message x, he needs to find a smooth
number y = x + k n, where n is the RSA modulus and k is some arbitrary
number. I forgot what the algorithm to find such y was (I am not even
sure that it exists); IIRC, it was based on LLL.

-- 
Regards,
ASK

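Added example, not code from the thread: the multiplicative property of raw RSA that the message above relies on, worked through on a textbook-sized key (p = 61, q = 53, e = 17; constructed, far too small for real use). The "card" is only ever asked to sign the primes 2, 3 and 5; a value that is not itself smooth, here 7, becomes signable once some y = 7 + k*N is smooth, which is why a raw signing interface is a signing oracle and why such an API should only exponentiate properly padded hashes.

```python
# Constructed toy RSA key: N = 61 * 53, e = 17, d = 17^-1 mod 3120.
N, E, D = 3233, 17, 2753


def raw_rsa_sign(m: int) -> int:
    """What the smart card in the post does: exponentiate whatever it is handed, no hash, no padding."""
    return pow(m, D, N)


def raw_rsa_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m


def smooth_exponents(y: int, primes):
    """Factor y over the given small primes; None if y is not smooth over them."""
    exps = {}
    for p in primes:
        while y % p == 0:
            y //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if y == 1 else None


def combine(prime_sigs: dict, x: int, max_k: int = 16):
    """Without the private key: find y = x + k*N that is smooth over the primes whose raw
    signatures are known, then multiply those signatures, since (a*b)^d = a^d * b^d mod N
    and y^d = x^d mod N because y = x mod N."""
    for k in range(max_k):
        exps = smooth_exponents(x + k * N, prime_sigs)
        if exps is not None:
            s = 1
            for p, e in exps.items():
                s = s * pow(prime_sigs[p], e, N) % N
            return s
    return None


def demo() -> bool:
    """True when the signature of 7 is obtained from the signatures of 2, 3 and 5 alone."""
    prime_sigs = {p: raw_rsa_sign(p) for p in (2, 3, 5)}   # the only values the card ever signed
    s = combine(prime_sigs, 7)   # 7 is not 5-smooth, but 7 + N = 3240 = 2^3 * 3^4 * 5 is
    return s is not None and raw_rsa_verify(7, s)
```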


Re: Exponent 3 damage spreads...

2006-09-11 Thread James A. Donald

--
James A. Donald wrote:
> > What is the penetration of Secure DNS?

Ben Laurie wrote:
> Anyone who is running any vaguely recent version of
> BIND is DNSSEC enabled, whether they are using it now
> or not.

I am not well informed about DNSSEC, but I am under the
impression that:

1.  Actually using DNSSEC is a major performance hit.

2.  Actually using DNSSEC requires manual secure master
public key distribution, which people are disinclined
to do, and which may not scale very well, unless
unspecified institutions and arrangements are put in
place.

3.  No one actually uses DNSSEC in the wild.

Please advise me if these impressions are wrong, or have
become outdated.

I realize that I sound like a cold wet sponge with a non
stop stream of unpleasantly negative posts, but one of
the reasons that cryptography is not widely used is that
the various standards, processes, and tools are not in
fact very usable.

Implementing protocols requires widespread consensus,
but when too many people show at a meeting then either
nothing gets done, or the outcome is extremely stupid,
or both, and anyone who points to big problems in what
is being done is dismissed as out of order or off topic
in order to create the semblance of progress, with the
result that what little progress occurs is usually in
the wrong direction.

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 GrAiqEAJZ+JTHX8XzGkkIqdEZiBNsCxO48sjUIrp
 4Z3Mnj015pjujvoBENQ/n6+j9Kb3Q0DMKqWI/eKJR



Re: IGE mode is broken (Re: IGE mode in OpenSSL)

2006-09-11 Thread James A. Donald

Typo:

James A. Donald wrote:

Let P(k) be the kth block of plain text.  We prepend a
random block, P(0) to the text, and append a fixed block
to the end.  If anything is altered, the fixed block at
the end will not contain the expected data, but will be
gibberish.

The adversary knows every block in the plain text
message except our P(0).  He can intercept and change
the encrypted message.  He wishes to modify the message
so that the intended recipient receives something
different from the message that the adversary knows he
should receive without the intended recipient realizing
something is wrong.

Let W(k) = P(k) + W(k-1) + W(k-1)&{W(k-1)}

Where & means bitwise and, and + means addition modulo 2
to the block size.

W(0) = P(0) (our random block, unknown to the adversary
or the recipient, and changing with every message.)

{} means encryption, {W(k-1)} is the block we get by
encrypting W(k-1)

We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
means bitwise or, curly brace means encryption.


Should read:

We transmit T(k) = {W(k)} + ((~W(k-1)) | {W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means encryption.


W(-1) is zero.

The adversary knows P(k), except for P(0), and can
intercept all transmitted values T(k).

Because the combination of addition and bitwise logical
operations is non linear, this method gets through a
loophole in Jutla's proof in
http://eprint.iacr.org/2000/039



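Added example, not code from the post or from OpenSSL's IGE implementation: the corrected mode written out as encrypt and decrypt routines, with a random leading block P(0), a fixed trailer block, and the trailer comparison on receipt. The block cipher {} is a constructed 4-round toy Feistel on 64-bit blocks (stand-in only, not a secure cipher); the key, the trailer constant and the message blocks are constructed.

```python
import hashlib
import os

BLOCK_BITS = 64
MASK = (1 << BLOCK_BITS) - 1
TRAILER = 0x4645454442454546  # constructed fixed final block (ASCII "FEEDBEEF")


def _round(key: bytes, rnd: int, half: int) -> int:
    return int.from_bytes(hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()[:4], "big")


def block_encrypt(key: bytes, x: int) -> int:
    """Toy Feistel cipher standing in for {}: NOT secure, just an invertible keyed permutation."""
    l, r = x >> 32, x & 0xFFFFFFFF
    for rnd in range(4):
        l, r = r, l ^ _round(key, rnd, r)
    return (l << 32) | r


def block_decrypt(key: bytes, x: int) -> int:
    l, r = x >> 32, x & 0xFFFFFFFF
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, rnd, l), l
    return (l << 32) | r


def mode_encrypt(key: bytes, blocks: list) -> list:
    """W(k) = P(k) + W(k-1) + (W(k-1) & {W(k-1)});  T(k) = {W(k)} + ((~W(k-1)) | {W(k-1)});  W(-1) = 0."""
    w_prev, out = 0, []
    for p in blocks:
        e_prev = block_encrypt(key, w_prev)
        w = (p + w_prev + (w_prev & e_prev)) & MASK
        out.append((block_encrypt(key, w) + ((~w_prev & MASK) | e_prev)) & MASK)
        w_prev = w
    return out


def mode_decrypt(key: bytes, blocks: list) -> list:
    """Inverse: strip the (~W(k-1)) | {W(k-1)} term, decrypt to W(k), then unwind to P(k)."""
    w_prev, out = 0, []
    for t in blocks:
        e_prev = block_encrypt(key, w_prev)
        w = block_decrypt(key, (t - ((~w_prev & MASK) | e_prev)) & MASK)
        out.append((w - w_prev - (w_prev & e_prev)) & MASK)
        w_prev = w
    return out


def seal(key: bytes, message: list) -> list:
    """Prepend the random block P(0) and append the fixed trailer, as the post describes."""
    p0 = int.from_bytes(os.urandom(8), "big")
    return mode_encrypt(key, [p0] + message + [TRAILER])


def open_(key: bytes, ciphertext: list):
    """Return (ok, message); ok is False when the trailer block decrypts to gibberish."""
    plain = mode_decrypt(key, ciphertext)
    return plain[-1] == TRAILER, plain[1:-1]
```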