GOST RFCs 5830, 5831, 5832

2010-03-17 Thread Anne Lynn Wheeler

welcome back

announcement of RFC 5830, 5831,  5832 in today's RFC distribution

abstract for 5830:

This document is intended to be a source of information about the
Russian Federal standard for electronic encryption, decryption, and
message authentication algorithms (GOST 28147-89), which is one of the
Russian cryptographic standard algorithms called GOST algorithms).
Recently, Russian cryptography is being used in Internet applications,
and this document has been created as information for developers and
users of GOST 28147-89 for encryption, decryption, and message
authentication.  This document is not an Internet Standards Track
specification; it is published for informational purposes.

--
42yrs virtualization experience (since Jan68), online at home since Mar1970

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: 1024 bit RSA cracked?

2010-03-17 Thread James Muir
 The RSA algorithm gives security under the assumption that as long as
 the private key is private, you can't break in unless you guess it.
 We've shown that that's not true, said Valeria Bertacco, an associate
 professor in the Department of Electrical Engineering and Computer
 Science, in a statement.
 
 They're not the first ones to show that!  Side-channel attacks have been
 around for a while now.  It's not just the algorithms, but the machine
 executing them and its physical characteristics that matter.

I agree. I think the paper overstates its novelty and implications.  It
seems to be an experimental implementation of a fault attack presented
by Boneh, DeMillo and Lipton (i.e. where it is assumed that single bit
errors affect the private exponent).  They target _some_ crypto
application** that uses the openssl library running on an fpga board.
Getting the attack to work in real life is no small feat, so they
deserve props for that, but they make a few questionable claims -- e.g.
they seem to state that the left-to-right fixed-window exponentiation
algorithm was thought to be immune to fault attacks.  In fact, adapting
the BDL attack, which was presented against a right-to-left algorithm,
to work against a left-to-right algorithm is straightforward, and so the
susceptibility of the left-to-right FWE algorithm has been known for
some time.

What I find much more strange about the paper is that the authors make
no mention of message blinding.  I could be wrong, but message blinding
would defeat their attack.  By default, an openssl server utilizes
message blinding in its private key operations, so there attack wouldn't
apply...

** I just had the following realization:  I had assumed that the authors
were attacking an openssl *server* running on the fpga board, but
perhaps that is not so.  They don't seem to make that specific claim.
They claim only to be attacking an unmodi´Čüed version of the OpenSSL
library.  It is possible that they only created a toy RSA application
that generates signatures using the openssl library (i.e. by making
calls to specific openssl functions).  This would explain why they don't
discuss message blinding -- because they didn't enable it in their toy
application!  I suspect that's what they did.  In that case, their
experimental results say very little about the susceptibility of an
openssl server to fault attacks.  Wow... if I'm correct, then the
authors really need to be more clear about exactly what they did.

-James



signature.asc
Description: OpenPGP digital signature


Re: 1024 bit RSA cracked?

2010-03-17 Thread netsecurity
On Wed, 10 Mar 2010 21:27:06 +0530, Udhay Shankar N ud...@pobox.com
wrote:
 Anyone know more?
 

http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/
 
 RSA 1024-bit private key encryption cracked
 Researchers find weakness in security system
 
 By Network World Staff | Network World US
 Published: 13:26 GMT, 05 March 10
 
 Three University of Michigan computer scientists say they have found a
 way to exploit a weakness in RSA security technology used to protect
 everything from media players to smartphones and ecommerce servers.
 
 RSA authentication is susceptible, they say, to changes in the voltage
 supply to a private key holder. The researchers   Andrea Pellegrini,
 Valeria Bertacco and Todd Austin - outline their findings in a paper
 titled  Fault-based attack of RSA authentication   to be presented 10
 March at the Design, Automation and Test in Europe conference.
 
 The RSA algorithm gives security under the assumption that as long as
 the private key is private, you can't break in unless you guess it.
 We've shown that that's not true, said Valeria Bertacco, an associate
 professor in the Department of Electrical Engineering and Computer
 Science, in a statement.
 
 The RSA algorithm was introduced in a 1978 paper outlining the
 public-key cryptosystem. The annual RSA security conference is being
 held this week in San Francisco.
 
 While guessing the 1,000-plus digits of binary code in a private key
 would take unfathomable hours, the researchers say that by varying
 electric current to a secured computer using an inexpensive
 purpose-built device they were able to stress out the computer and
 figure out the 1,024-bit private key in about 100 hours   all without
 leaving a trace.
 
 The researchers in their paper outline how they made the attack on a
 SPARC system running Linux. They also say they have come up with a
 solution, which involves a cryptographic technique called salting that
 involves randomly juggling a private key's digits.
 
 The research is funded by the National Science Foundation and the
 Gigascale Systems Research Center.

Interesting, especially since I recently did a security assessment at a
power company. From what I saw I suspect that one might be able to get to
some of their servers in outlying areas that handle smart meters and apply
techniques like this.

Given that they were able to do 1024 in 100 hours, what might it take them
to crack 2048 or 4096?

Regards,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com