SHA-1 collisions now 2^52

2009-04-30 Thread Dustin D. Trammell
Until now, the best complete differential path (to our knowledge)
has complexity 2^63.

The new path presented has complexity 2^52, a significant reduction.

Practical collisions are within resources of a well funded organisation.

We are continuing our search for differential paths where the
boomerang attack can be used with maximum effect.

Paper will appear on eprint soon.

http://ping.fm/uCVUM

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.


signature.asc
Description: This is a digitally signed message part


Microsoft Windows Cryptographic Next Generation SDK 2.0 Released

2009-04-30 Thread Dustin D. Trammell
The CNG SDK contains documentation, code, and tools designed to help
you develop cryptographic applications and libraries targeting the
Windows Vista SP1, Windows Server 2008 R2, and Windows 7 Operating
Systems.

http://www.microsoft.com/downloads/details.aspx?FamilyId=1EF399E9-B018-49DB-A98B-0CED7CB8FF6F

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-09 Thread Dustin D. Trammell
On Tue, 2008-12-30 at 11:51 -0800, Hal Finney wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being published, the danger will have been averted.
> This, I think, is the main message that should be communicated from this
> important result.

Nearly everything I've seen regarding the proposed solutions to this
attack has involved migration to SHA-1.  SHA-1 is scheduled to be
decertified by NIST in 2010, and NIST has already recommended[1] moving
away from SHA-1 to SHA-2 (256, 512, etc.).  Collision attacks have
already been demonstrated[2] against SHA-1 back in 2005, and if history
tells us anything then things will only get worse for SHA-1 from here.
By not moving directly to at least SHA-2 (until the winner of the NIST
hash competition is known), these vendors are likely setting themselves
up for similar attacks in the (relatively) near future.

[1] http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
[2] http://www.cryptography.com/cnews/hash.html

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



Re: road toll transponder hacked

2008-08-26 Thread Dustin D. Trammell
On Tue, 2008-08-26 at 10:52 -0400, Matt Blaze wrote:
> On Aug 26, 2008, at 10:15, [EMAIL PROTECTED] wrote:
>> So, I believe, at least for E-Z Pass, the attack would have to include
>> cloning the license plate and pictures may still be available whenever
>> a victim realizes they have been charged for trips they did not take.
>
> I believe that's correct.  In fact, the plate recognition technology
> they use seems to be good enough to make the transponder itself
> redundant.  I know several people with E-Z Pass who disconnected the
> internal battery of their transponder (out of concern that there might
> be hidden readers around town that track vehicles at places other than
> toll gates).  Even with dead transponders, their accounts are still
> charged accurately when they pass toll gates.  (The sign displays EZ
> Pass not read or some such thing, but the account is debited within a
> day or two anyway).

This is the same for the state-wide Texas tag, TxTag[1].  If your tag
doesn't register, or you disable or remove it, the toll system can still
accurately bill you based on your license plate and vehicle
registration.  If you're not in the TxTag system at all, they simply
mail you a bill.

[1] http://www.txtag.org/

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



Re: road toll transponder hacked

2008-08-26 Thread Dustin D. Trammell
On Tue, 2008-08-26 at 13:22 -0400, Ken Buchanan wrote:
> On Tue, Aug 26, 2008 at 11:56 AM, Dustin D. Trammell
> [EMAIL PROTECTED] wrote:
>> This is the same for the state-wide Texas tag, TxTag[1].  If your tag
>> doesn't register, or you disable or remove it, the toll system can still
>> accurately bill you based on your license plate and vehicle
>> registration.  If you're not in the TxTag system at all, they simply
>> mail you a bill.
>
> I think this is a bit different than what Michael Heyman said.  TxTag,
> IIRC, was implemented by the same company (Raytheon) that implemented
> the 407 ETR toll system in Toronto.  In the case of the 407, there is
> no image recognition done if the car has a valid transponder.  Only in
> the case of a missing or invalid transponder is the plate imagery
> used.  Supposedly the OCR has a high enough error rate that there is
> still manual verification of plates before sending a bill, and
> accordingly a $3.60 additional charge is applied per trip.
>
> If the images are used even when the vehicle has a valid transponder
> -- as Michael Heyman suggests is happening with E-ZPass -- then it
> might be feasible to have back end defenses against cloning, though
> not without inconvenience to customers who borrow cars, buy new cars,
> or rent cars while their own is getting serviced.  Also as Matt Blaze
> pointed out this makes the transponder wholly redundant.

I can confirm that they definitely use imagery even when a valid
transponder is detected.  A couple of years or so ago I had to put my
vehicle in the shop and use the wife's for a few days.  I assumed that I
could use my TxTag in her vehicle, and it would simply bill my account;
however, a couple of weeks later I received a bill for the tolls, billed
to the owner of her vehicle at our address.  When I called to inquire,
they informed me that it did read the transponder, but it mismatched with
the plates.  There was a grace period during which I could update the
transponder to the new vehicle and avoid the fines, but as I would be
getting my vehicle back in a few days, I opted to just order a second
transponder for her car.  They were kind enough to transfer the tolls to
the new transponder and waive the fees.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



Re: The MD6 hash function (rough notes)

2008-08-22 Thread Dustin D. Trammell
On Thu, 2008-08-21 at 10:26 -0700, Hal Finney wrote:
> Ron Rivest presented his (along with a dozen other people's) new hash,
> MD6, yesterday at Crypto.

---8---(snip)---8---

> He also presented a number of cryptanalytic results. There is provable
> security against differential cryptanalysis, by virtue of the large number
> of rounds; also security against side channels. A SAT solver and another
> technique could only do something with about 11 rounds, versus the 100+
> rounds in the function. The tree structure is also shown to preserve
> strong properties of the compression function.
>
> Overall it seemed very impressive. The distinctive features are the tree
> structure, very wide input blocks, and the enormous number of rounds.
> The cryptanalysis results were favorable. However Adi Shamir stood up
> and expressed concern that his new Cube attack might apply. Rivest seemed
> confident that the degree of MD6 would be several thousand, which should
> be safe from Shamir's attack, but time will tell.

I came across this paper today while searching for more information:

http://groups.csail.mit.edu/cis/theses/crutchfield-masters-thesis.pdf

It's titled 'Security Proofs for the MD6 Hash Function Mode of
Operation' by Christopher Yale Crutchfield (certified by Ronald L.
Rivest).  I thought it might be of interest to the followers of this
thread.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



Re: The MD6 hash function (rough notes)

2008-08-22 Thread Dustin D. Trammell
On Thu, 2008-08-21 at 10:26 -0700, Hal Finney wrote:
> Ron Rivest presented his (along with a dozen other people's) new hash,
> MD6, yesterday at Crypto.

The slides for this presentation are available from Ronald's website:

http://people.csail.mit.edu/rivest/Rivest-TheMD6HashFunction.ppt

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.



Demonstration of Shor’s quantum factoring algorithm using photonic qubits

2007-09-13 Thread Dustin D. Trammell
NewScientist's write-up (subscription required for full article):

http://technology.newscientist.com/article.ns?id=mg19526216.700

You can find the full paper here:

http://arxiv.org/pdf/0705.1684

-- 
Dustin D. Trammell
Product Security Analyst
TippingPoint, a division of 3Com



Experimental demonstration of Shor’s algorithm with quantum entanglement

2007-09-13 Thread Dustin D. Trammell
Also from the NewScientist article that I just posted, another paper
from completely different researchers arriving at the same result:

http://arxiv.org/pdf/0705.1398

-- 
Dustin D. Trammell
Product Security Analyst
TippingPoint, a division of 3Com
