Re: IGE mode is broken (Re: IGE mode in OpenSSL)

2006-09-11 Thread James A. Donald

Typo:

James A. Donald wrote:

Let P(k) be the kth block of plain text.  We prepend a
random block, P(0) to the text, and append a fixed block
to the end.  If anything is altered, the fixed block at
the end will not contain the expected data, but will be
gibberish.

The adversary knows every block in the plain text
message except our P(0).  He can intercept and change
the encrypted message.  He wishes to modify the message
so that the intended recipient receives something
different from the message that the adversary knows he
should receive without the intended recipient realizing
something is wrong.

Let W(k) = P(k) + W(k-1) + W(k-1)&{W(k-1)}

Where & means bitwise and, and + means addition modulo 2
to the block size.

W(0) = P(0) (our random block, unknown to the adversary
or the recipient, and changing with every message.)

{} means encryption, {W(k-1)} is the block we get by
encrypting W(k-1)

We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
means bitwise or, curly brace means encryption.


Should read:

We transmit T(k) = {W(k)} + ((~W(k-1))|{W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means encryption.


W(-1) is zero.

The adversary knows P(k), except for P(0), and can
intercept all transmitted values T(k).

Because the combination of addition and bitwise logical
operations is non linear, this method gets through a
loophole in Jutla's proof in
http://eprint.iacr.org/2000/039



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Raw RSA

2006-09-11 Thread Alexander Klimov
On Sun, 10 Sep 2006, James A. Donald wrote:
 Could you describe this attack in more detail.  I do not see a
 scenario where it would be useful.

Suppose that an attacker runs an activex control on the user's
computer and the control is able to ask a smart card connected to the
computer to perform raw RSA operations with user's private key. The
goal of the attacker is to be able to sign some useful messages with
the user's private key *after* the user disconnects his smart card.

 The attacker can encrypt a subset of numbers - those that encrypt to
 a B-smooth number, but for this to be useful to him, he has to find
 a number in the subset that corresponds to what he desires to
 encrypt, which looks like a very long brute force search.

If the attacker needs to sign a message x, he needs to find a smooth
number y = x + k n, where n is the RSA modulus and k is some arbitrary
number. I forgot what the algorithm to find such y was (I am not even
sure that it exists); IIRC, it was based on LLL.

-- 
Regards,
ASK



Re: Exponent 3 damage spreads...

2006-09-11 Thread Peter Gutmann
Ben Laurie [EMAIL PROTECTED] quotes:

Since I've been told often that most of the world won't upgrade resolvers,
presumably most of the world will be vulnerable to this problem for a long
time.

What you really meant to say was most of the vanishingly small proportion of
the world that bothers with DNSSEC, right?  So the real vulnerability level
is down somewhere lost in the noise level.

Peter.



Re: Exponent 3 damage spreads...

2006-09-11 Thread Ben Laurie
James A. Donald wrote:
 --
 James A. Donald wrote:
  What is the penetration of Secure DNS?
 
 Ben Laurie wrote:
 Anyone who is running any vaguely recent version of
 BIND is DNSSEC enabled, whether they are using it now
 or not.
 
 I am not well informed about DNSSEC, but I am under the
 impression that:
 
 1.  Actually using DNSSEC is a major performance hit.

No more than using SSL. Well, not much more :-)

 2.  Actually using DNSSEC requires manual secure master
 public key distribution, which  people are disinclined
 to do, and which may not scale very well, unless
 unspecified institutions and arrangements are put in
 place.

Key distribution is, indeed, an open question. Certainly manual key
distribution is not a solution.

 3.  No one actually uses DNSSEC in the wild.

I don't know whether this is true or not. Finding out what people do and
don't do with DNS is hard.

 Please advise me if these impressions are wrong, or have
 become outdated.
 
 I realize that I sound like a cold wet sponge with a non
 stop stream of unpleasantly negative posts, but one of
 the reasons that cryptography is not widely used is that
 the various standards, processes, and tools are not in
 fact very usable.

Doesn't bother me any, it's just that I happen to have done work on
DNSSEC, so I figured I should alert those who care to the problem.

 Implementing protocols requires widespread consensus,
 but when too many people show at a meeting then either
 nothing gets done, or the outcome is extremely stupid,
 or both, and anyone who points to big problems in what
 is being done is dismissed as out of order or off topic
 in order to create the semblance of progress, with the
 result that what little progress occurs is usually in
 the wrong direction.

That seems a rather harsh judgement of a working group you say you're
not informed about.

Not that I totally disagree: the work I did on DNSSEC was initially
dismissed as out of order and off topic, and it took a lot of effort to
get people to accept that the problem was genuine. :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: Exponent 3 damage spreads...

2006-09-11 Thread Jostein Tveit
Ben Laurie [EMAIL PROTECTED] writes:

 ...thought this might interest people here.

Anyone got a test key with a real and a forged signature to test
other implementations than OpenSSL?

Thanks in advance.

Regards,
-- 
Jostein Tveit [EMAIL PROTECTED]



Re: secure key storage APIs

2006-09-11 Thread Ivan Krstić
Perry,

please merge with my previous message; I hit 'send' by mistake.


Also, the following are of general interest:

Henson S., `Netscape certificate database info`:
 http://www.drh-consultancy.demon.co.uk/cert7.html

Henson S., `Netscape key database format`:
 http://www.drh-consultancy.demon.co.uk/key3.html


Cheers,

-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



Re: secure key storage APIs

2006-09-11 Thread Ivan Krstić
Travis H. wrote:
 Does anyone know of any OSS OS facilities for managing keys?

Take a look at the GNOME Keyring:

 http://en.wikipedia.org/wiki/GNOME_Keyring
 http://cvs.gnome.org/viewcvs/gnome-keyring/

In addition, various frontends exist to GnuPG, e.g. KGPG. It's not yet
clear, but I might have to write something from scratch to satisfy our
needs at OLPC (http://laptop.org).

-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



Re: Exponent 3 damage spreads...

2006-09-11 Thread Thierry Moreau
Jostein Tveit wrote:

 Ben Laurie [EMAIL PROTECTED] writes:

  ...thought this might interest people here.

 Anyone got a test key with a real and a forged signature to test
 other implementations than OpenSSL?

If I understand the attack mathematics correctly, the following 
algorithm should give you an alleged signature value that would be 
mistakenly accepted by a flawed RSA implementation. I didn't implement 
the algorithm, and I will not make suggestions as a convenient big 
number arithmetic tool to implement it.


Note: The algorithm output value is NOT A FORGED SIGNATURE, since a 
non-flawed RSA signature verification implementation will correctly 
reject it. Nonetheless, using public exponent 3 with any use of RSA 
should be deprecated.


For the record, I am referring to
Hal Finney, "Bleichenbacher's RSA signature forgery based on
implementation error", Wed, 30 Aug 2006

http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html

Input:

N, large public modulus (of unknown factorization)
h, hash value

Constant:

p: hex 01 FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14

A random binary source (e.g. large enough PRNG output)

Algorithm:

(A) find the largest value of r such that b=(p*2^20+h)*2^(8r) satisfies 
b+2^(8r)-1 < N


(B) select random a, 0 < a < N^2, then set c=a*N^2+b+2^(8r)-1

(C) using a simple binary search, find the d = integer cubic root of c

(D) if d^3 < a*N^2+b, go back to step (B) -- if it occurs with a high 
probability, that's a failure of the approach proposed here; intuition 
suggests that the probability is either very close to zero, or very 
close to one


(E) set alleged signature s=d mod N (indeed, d < N, so s=d) and validate 
(merely as a software self-check) that (s^3 mod N) div 2^(8r) equals 
(p*2^20+h)


(F) output alleged signature s

Regards,

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
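As an added illustration, not code from the thread or from any of its authors: a Python comparison of the verification check described in step (E) above, which looks only at the high-order bytes of s^3 mod N and ignores the low 8r bits, against a strict verifier that rebuilds the whole PKCS#1 v1.5 encoded block and compares it in full. The modulus size (128 bytes), the sample message and the trailing garbage bytes are constructed for the demo.

```python
import hashlib
import hmac

# SHA-1 DigestInfo prefix from PKCS#1 v1.5 (the post's constant p minus the
# leading 01 FF 00 padding bytes).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed verifier: skip 00 01 FF..FF 00, compare DigestInfo||hash, and
    never look at what follows (the post's step (E) check)."""
    if len(em) < 2 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t   # trailing bytes ignored: the bug

def strict_check(em: bytes, msg: bytes, k: int) -> bool:
    """Correct verifier: rebuild the whole k-byte encoding and compare it in
    full, so extra trailing bytes or short padding are rejected."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    if len(em) != k or k < len(t) + 11:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def encode_good(msg: bytes, k: int) -> bytes:
    """Proper EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo hash."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def encode_forged_shape(msg: bytes, k: int) -> bytes:
    """Shape of s^3 mod N in the post: minimal padding, DigestInfo hash, then
    8r bits of garbage the lax verifier never inspects (constructed bytes)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    garbage = bytes((i * 37 + 11) & 0xFF for i in range(k - len(t) - 4))
    return b"\x00\x01\xff\x00" + t + garbage

def demo(msg: bytes = b"constructed sample message", k: int = 128):
    """Returns (lax, strict) results on a proper encoding, then on the forged shape."""
    good, bad = encode_good(msg, k), encode_forged_shape(msg, k)
    return (lax_check(good, msg), strict_check(good, msg, k),
            lax_check(bad, msg), strict_check(bad, msg, k))
```

Both verifiers accept the proper encoding; only the strict one rejects the block with trailing garbage, which is the behaviour a fixed implementation must have.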

