copy of On the generation of DSS one-time keys?

2010-03-25 Thread James Muir
Daniel Bleichenbacher presented an implementation attack against DSA in
2001 titled On the generation of DSS one-time keys.  I think it made
the rounds as a preprint, but I don't know if it was ever officially
published.  It's cited frequently (e.g. in the SEC1 doc
http://www.secg.org/download/aid-780/sec1-v2.pdf), but I cannot seem to
locate a copy.

Can anyone point me to a copy of this preprint?

-James



signature.asc
Description: OpenPGP digital signature


Re: 1024 bit RSA cracked?

2010-03-17 Thread James Muir
 The RSA algorithm gives security under the assumption that as long as
 the private key is private, you can't break in unless you guess it.
 We've shown that that's not true, said Valeria Bertacco, an associate
 professor in the Department of Electrical Engineering and Computer
 Science, in a statement.
 
 They're not the first ones to show that!  Side-channel attacks have been
 around for a while now.  It's not just the algorithms, but the machine
 executing them and its physical characteristics that matter.

I agree. I think the paper overstates its novelty and implications.  It
seems to be an experimental implementation of a fault attack presented
by Boneh, DeMillo and Lipton (i.e. where it is assumed that single bit
errors affect the private exponent).  They target _some_ crypto
application** that uses the openssl library running on an fpga board.
Getting the attack to work in real life is no small feat, so they
deserve props for that, but they make a few questionable claims -- e.g.
they seem to state that the left-to-right fixed-window exponentiation
algorithm was thought to be immune to fault attacks.  In fact, adapting
the BDL attack, which was presented against a right-to-left algorithm,
to work against a left-to-right algorithm is straightforward, and so the
susceptibility of the left-to-right FWE algorithm has been known for
some time.

What I find much more strange about the paper is that the authors make
no mention of message blinding.  I could be wrong, but message blinding
would defeat their attack.  By default, an openssl server utilizes
message blinding in its private key operations, so there attack wouldn't
apply...

** I just had the following realization:  I had assumed that the authors
were attacking an openssl *server* running on the fpga board, but
perhaps that is not so.  They don't seem to make that specific claim.
They claim only to be attacking an unmodi´Čüed version of the OpenSSL
library.  It is possible that they only created a toy RSA application
that generates signatures using the openssl library (i.e. by making
calls to specific openssl functions).  This would explain why they don't
discuss message blinding -- because they didn't enable it in their toy
application!  I suspect that's what they did.  In that case, their
experimental results say very little about the susceptibility of an
openssl server to fault attacks.  Wow... if I'm correct, then the
authors really need to be more clear about exactly what they did.

-James



signature.asc
Description: OpenPGP digital signature


Re: padding attack vs. PKCS7

2009-06-14 Thread James Muir
travis+ml-cryptogra...@subspacefield.org wrote:
 http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
 
 Towards the end of this rather offbeat blog post they describe a
 rather clever attack which is possible when the application provides
 error messages (i.e. is an error oracle) for PKCS7 padding in e.g. AES
 CBC-encrypted web authenticators that allows an adversary to attack
 the crypto one octet at a time.

I think this attack can be attributed to Klima and Rosa:

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format.
V. Klima and T. Rosa.
http://eprint.iacr.org/2003/098.pdf

-James



signature.asc
Description: OpenPGP digital signature


Re: white-box crypto Was: consulting question....

2009-05-29 Thread James Muir
Alexander Klimov wrote:
 On Tue, 26 May 2009, James Muir wrote:
 There is some academic work on how to protect crypto in software from
 reverse engineering.  Look-up white-box cryptography.

 Disclosure:  the company I work for does white-box crypto.
 
 Could you explain what is the point of white-box cryptography (even
 if it were possible)?

The introduction to the following paper (from SAC 2002) gives a very
good overview of white-box crypto:

http://www.scs.carleton.ca/%7Epaulv/papers/whiteaes.lncs.ps

 If I understand correctly, the only plausible result is to be able to
 use the secret key cryptography as if it were the public-key one, for
 example, to have a program that can do (very slow, btw) AES
 encryption, but be unable to deduce the key (unable to decrypt). If
 this is the case, then why not use normal public-key crypto (baksheesh
 aside)?

You're right -- a white-box implementation of a symmetric cipher
essentially creates an asymmetric cipher.  Despite this, there are still
situations where you might want a whitebox AES implementation running on
a client.  Consider a server that sends out updates to several hundred
clients (each client has its own key).  The clients are subject to
whitebox attacks but the server is not.  Rather than force the server to
do several hundred public-key operations when it needs to push out an
update, we might be able to save the server some work if use a symmetric
cipher.

-James




signature.asc
Description: OpenPGP digital signature


Re: consulting question....

2009-05-27 Thread James Muir
Ray Dillinger wrote:
 Does anyone feel that I have said anything untrue?

 Can anyone point me at good information uses I can use to help prove
 the case to a bunch of skeptics who are considering throwing away
 their hard-earned money on a scheme that, in light of security
 experience, seems foolish?

Security is relative -- you need to evaluate it against a threat model
and consider what goals you are trying to achieve.  A software solution
may succeed in deterring attackers from developing a way to strip the
DRM from a $0.99 mp3; if the mp3 only costs $0.99, then may be it isn't
worth the trouble of reverse engineering the software.

There is some academic work on how to protect crypto in software from
reverse engineering.  Look-up white-box cryptography.

Disclosure:  the company I work for does white-box crypto.

-James




signature.asc
Description: OpenPGP digital signature


no warrant required

2009-02-13 Thread James Muir
From today's (13 Feb 2009) National Post:

http://www.nationalpost.com/news/story.html?id=1283120

excerpt:

 An Ontario Superior Court ruling could open the door to police
 routinely using Internet Protocol addresses to find out the names of
 people online, without any need for a search warrant.
 
 Justice Lynne Leitch found that there is no reasonable expectation
 of privacy in subscriber information kept by Internet service
 providers (ISPs), in a decision issued earlier this week.

-James





signature.asc
Description: OpenPGP digital signature


Re: Cube cryptanalysis?

2008-10-25 Thread James Muir
Paul Hoffman wrote:
 At 11:08 AM -0700 8/21/08, Greg Rose wrote:
 Adi mentioned that the slides and paper will go online around the
 deadline for Eurocrypt submission; it will all become much clearer
 than my wounded explanations then.

 There now: http://eprint.iacr.org/2008/385


Given all the excitement over the Cube attack, readers may be interested
to have a closer look at an earlier paper by Vielhaber:

Breaking ONE.FIVIUM by AIDA (an Algebraic IV Differential Attack)
Michael Vielhaber
http://eprint.iacr.org/2007/413

Vielhaber claims that AIDA anticipates the Cube attack; see his post on
the iacr eprint forum:

http://eprint.iacr.org/forum/read.php?8,59

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Cube cryptanalysis?

2008-10-24 Thread James Muir

Paul Hoffman wrote:

At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the 
deadline for Eurocrypt submission; it will all become much clearer 
than my wounded explanations then.


There now: http://eprint.iacr.org/2008/385



Given all the excitement over the Cube attack, readers may be interested 
to have a closer look at an earlier paper by Vielhaber:


Breaking ONE.FIVIUM by AIDA (an Algebraic IV Differential Attack)
Michael Vielhaber
http://eprint.iacr.org/2007/413

Vielhaber claims that AIDA anticipates the Cube attack; see his post on 
the iacr eprint forum:


http://eprint.iacr.org/forum/read.php?8,59

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Cube cryptanalysis?

2008-09-22 Thread James Muir

Paul Hoffman wrote:

At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the 
deadline for Eurocrypt submission; it will all become much clearer 
than my wounded explanations then.


There now: http://eprint.iacr.org/2008/385



I just noticed the following comment from Michael Vielhaber on the iacr 
eprint discussion forum:


http://eprint.iacr.org/forum/read.php?8,59

Vielhaber states that the cube attack is anticipated by his 2007 paper:

Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack
Michael Vielhaber
http://eprint.iacr.org/2007/413

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Ransomware

2008-06-12 Thread James Muir

Marcos el Ruptor wrote:

I've just looked at the virus.


Just curious -- where were you able to download the virus from?

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: A call for aid in cracking a 1024-bit malware key

2008-06-09 Thread James Muir

Steven M. Bellovin wrote:

According to
http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818intsrc=hm_list%3E%20articleId=9094818intsrc=hm_list
some new malware is encrypting files with a 1024-bit RSA key.  Victims
are asked to pay a random to get their files decrypted.  So -- can
the key be factored?


I saw a similar story reported on Slashdot a few days ago.  I wonder if 
the malware authors cited Adam Young and Moti Yung?  They hypothesized 
about such malware a few years ago:


http://en.wikipedia.org/wiki/Cryptovirology

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Estimated 10 million dollars lost in parking meter fraud

2008-04-22 Thread James Muir

michael taylor wrote:

http://www.torontosun.com/News/TorontoAndGTA/2008/04/18/5320936-sun.html

The city is playing a $10M game of catchup to stymie thieves using
bogus credit cards to get free parking


An assuming read. The article mentions the Europark Card; you buy it 
online for $15 (the web site is still up) and it gets you free parking 
in various cities in Australia, US, and Canada.  Here is a link to a 
demo video on YouTube:


http://www.youtube.com/watch?v=WfoWDQUR4sk

Unlike the recent Oyster Card crack (London, UK), Toronto's free 
parking problem does not seem to have been caused by bad cryptography -- 
at least, there is no mention of cryptography in the article.  It goes 
to show that there's more to systems security than just crypto.


-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: Adi Shamir's microprocessor bug attack

2007-11-28 Thread James Muir

James A. Donald wrote:

James Muir wrote:
  Can anyone think of a deployed implementation of RSA
  signatures that would be vulnerable to the attack
  Shamir mentions?  Hashing and message blinding would
  seem to thwart it.

As I said, public key encryption has long been known to
be weak against chosen plaintext and chosen cryptotext -
so protocols have long been designed to prevent this
sort of attack.  If they are not so designed, they were
known to be weak before this attack was discovered.


I completely agree with you.  Good public key cryptography should be
designed to resist chosen message attacks.  This has been a standard
part of cryptographic theory since the 80s.  But this is an
implementation attack, and real world implementations don't necessarily
follow all the rules of cryptographic theory.

If you or anyone else happened to know of a single real-world
implementation of RSA signatures that is vulnerable to this fault
attack, then that might give some justification for the incredible media
coverage it has received.  I can't think of any, and my feeling is that
this announcement has been over-hyped (and presented without proper
perspective).

-James


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: Adi Shamir's microprocessor bug attack

2007-11-21 Thread James Muir

' =JeffH ' wrote:

From: John Young [EMAIL PROTECTED]
Subject: Adi Shamir's microprocessor bug attack
To: [EMAIL PROTECTED]
Date: Sat, 17 Nov 2007 09:50:31 -0500 (GMT-05:00)


Adi Shamir's note on a microprocessor bug attack on public key cryptography 
featured in the NY Times today:


http://cryptome.org/bug-attack.htm

The NYT report:

http://www.nytimes.com/2007/11/17/technology/17code.html



Can anyone think of a deployed implementation of RSA signatures that 
would be vulnerable to the attack Shamir mentions?  Hashing and message 
blinding would seem to thwart it.


Incidentally, in the 2001 Boneh-DeMillo-Lipton paper they do mention the 
Intel floating point division bug.


-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


stickers can deter car theft

2007-05-26 Thread James Muir

I thought this was an interesting security-related story:

http://www.cbc.ca/canada/nova-scotia/story/2007/05/25/decal-car.html

quoting from the article:


The black-and-yellow sticker, which only costs a loonie, is an
invitation for police to pull over your vehicle if it's on the road
after 1 a.m.

The problem with car theft is actually bigger than any of us
realize, said Staff Sgt. Peter MacIsaac, with Cape Breton Regional
Police.

Nearly 400 cars were stolen in the Sydney area last year, he said,
and statistics show that most disappear between 1 a.m. and 5 a.m.

MacIsaac said people have been calling the police station to ask
about the Combat Auto Theft (CAT) program, which he says has been a
success in the United States.


Anyone heard of this before?  Is there a reason why a car theft can't 
simply remove or cover up these stickers?


-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Selective disclosure

2007-05-07 Thread James Muir

I think the first people to consider i can find Waldo proofs were
Naor, Naor  Reingold.  You might want to add a reference to their paper 
Applied Kid Cryptography in your write-up:


http://www.wisdom.weizmann.ac.il/~naor/PAPERS/waldo_abs.html

-James


Ben Laurie wrote:

I recently wrote a layman's introduction to selective disclosure which
I thought might interest members of this list:
http://www.links.org/files/selective-disclosure.pdf

Cheers,

Ben.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-15 Thread James Muir

Travis H. wrote:

- Stream ciphers (additive)


This reminds me, when people talk about linearity with regard to a
function, for example CRCs, exactly what sense of the word do they
mean?  I can understand f(x) = ax + b being linear, but how exactly
does XOR get involved, and are there +-linear functions and xor-linear
functions?  Are they disjoint?  etc.


If you have a linear algebra book handy, look up linear transformation.

Briefly, a function T from a vector space V to another vector space W 
(where V and W are defined over the same field) is called a

linear transformation if it satisfies

i) T(u +_V v) = T(u) +_W T(v)
ii) T(c *_V u) = c *_V T(u)
iii) T(0_V) = 0_W

CRC is a linear transformation because

CRC(u + v) = CRC(u)+CRC(v).

-James

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: webcam encryption beats quasar encryption

2006-03-30 Thread James Muir

Heyman, Michael wrote:
Internet webcam signals from webcams could emerge as an 
exotic but effective new tool for securing terrestrial 
communications against eavesdropping.


 snip

Kidding aside, there are some interesting theoretical results about 
ciphers that utilize a plentiful, publicly available source of random 
bits.  See:


http://citeseer.ist.psu.edu/context/238746/0

I think the Rip Van Winkle cipher was mentioned in Schneier's Applied 
Cryptography.  Also, I vaguely recall another news story (1999?) that 
reported on an encryption technique that hypothesized a stream of random 
bits generated by an orbiting satellite.


Quasar encryption is likely impractical, but there could be more to it 
than you think.  However, I did think web cam encryption was funny. :-)


-James

--
James Muir, [EMAIL PROTECTED]
School of Computer Science, Carleton University
http://www.ccsl.carleton.ca/~jamuir

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Symmetric ciphers as hash functions

2005-10-31 Thread James Muir
Tom Shrimpton (http://www.cs.pdx.edu/~teshrim/) does research in this 
area (ie. using block ciphers to build hash functions).  See the papers 
on his web site; in particular:


Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions 
from PGV [pdf] [ps]

John Black, Phillip Rogaway, and Thomas Shrimpton

-James

Arash Partow wrote:

Hi all,

How does one properly use a symmetric cipher as a cryptographic hash
function? I seem to be going around in circles.

Initially I thought you choose some known key and encrypt the data
with the key, using either the encrypted text or the internal state of
the cipher as the hash value, turns out all one needs to do to break
it, is decrypt the hash value with the known key and you get a value
which will produce the same hash value.

Reversing the situation (using the data as the key and a known plain-
text) makes a plaintext attack seem like a joy etc..

Are there any papers/books/etc that explain the implementation/use of
symmetric ciphers (particularly AES) as cryptographic hash functions?

btw I know that hash functions and symmetric ciphers share the same
structural heritage (feistel rounds etc...), I just don't seem to be
making the usage link at this point in time... :D

Any help would be very much appreciated.



Kind regards


Arash Partow

Be one who knows what they don't know,
Instead of being one who knows not what they don't know,
Thinking they know everything about all things.
http://www.partow.net


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: RSA signatures without padding

2005-06-20 Thread James Muir
There is an attack against this type of RSA signature scheme, although
cannot remember just now if it requires that the verfication exponent be
small (ie. e=3).

The attack I am trying to recall is a chosen-message attack and its
efficiency is related to the probability that a random 128-bit integer can
be factorized over a small set of primes (ie. the prob that a uniformily
selected 128-bit integer is B-smooth for a small integer B).  Basically,
you pick a message for which you'd like to forge a signature, find a variant
of the message that hashes to a B-smooth 128-bit integer, and then you
construct the forgery after solving a linear system modulo e (the linear
system incorporates the signatures on the chosen messages).

I can't think of a reference for this but I will post another message if I
find it.

-James

On Mon, 20 Jun 2005, Florian Weimer wrote:

 I came across an application which uses RSA signatures on plain MD5
 hashes, without padding (the more significant bits are all zero).
 Even worse, the application doesn't check if the padding bits are
 actually zero during signature verification.  The downside is that the
 encryption exponent is fairly large, compared to the modules (27 vs
 1024 bits). A few hundred signed messages have been published so far.

 What do you think?  Are attacks against this application feasible?
 (It should be corrected, of course, but it's not clear if a
 high-priority update is needed.)

 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: RSA signatures without padding

2005-06-20 Thread James Muir

Taral wrote:

On 6/20/05, James Muir [EMAIL PROTECTED] wrote:


The attack I am trying to recall is a chosen-message attack and its
efficiency is related to the probability that a random 128-bit integer can
be factorized over a small set of primes (ie. the prob that a uniformily
selected 128-bit integer is B-smooth for a small integer B).  Basically,
you pick a message for which you'd like to forge a signature, find a variant
of the message that hashes to a B-smooth 128-bit integer, and then you
construct the forgery after solving a linear system modulo e (the linear
system incorporates the signatures on the chosen messages).



I think you're referring to the Desmedt-Odlyzko selective forgery attack.

See http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1014_Menezes.sigs.pdf


Yes, that's it.  Thanks for the URL.

-James



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]