Re: AES cache timing attack

2005-06-20 Thread D. J. Bernstein
http://cr.yp.to/talks.html#2005.06.01 has slides that people might find useful as an overview of what's going on. In particular, there's a list of six obstacles to performing array lookups in constant time. People who mention just one of the obstacles are oversimplifying the problem. Hal Finney

massive data theft at MasterCard processor

2005-06-20 Thread Steven M. Bellovin
MasterCard reported the exposure of up to 40,000,000 credit card numbers at CardSystems Solutions, a third-party processor of credit card data. CardSystems was infected with a script that targeted specific data. In other words, this wasn't the usual carelessness, this was enemy action, and

Re: AES cache timing attack

2005-06-20 Thread Perry E. Metzger
Peter Gutmann writes: Hal Finney writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is? Recovering a key from a

Re: AES cache timing attack

2005-06-20 Thread Stephan Neuhaus
Peter Gutmann wrote: Stephan Neuhaus writes: Concerning the practical use of AES, you may be right (even though it would be nice to have some advice on what one *should* do instead). Definitely. Maybe time for a BCP, not just for AES but for general block ciphers? I

Re: AES cache timing attack

2005-06-20 Thread Peter Gutmann
Stephan Neuhaus writes: Concerning the practical use of AES, you may be right (even though it would be nice to have some advice on what one *should* do instead). Definitely. Maybe time for a BCP, not just for AES but for general block ciphers? But as far as I know, resistance

RSA signatures without padding

2005-06-20 Thread Florian Weimer
I came across an application which uses RSA signatures on plain MD5 hashes, without padding (the more significant bits are all zero). Even worse, the application doesn't check if the padding bits are actually zero during signature verification. The downside is that the encryption exponent is

Re: AES cache timing attack

2005-06-20 Thread Victor Duchovni
On Mon, Jun 20, 2005 at 01:54:46AM -, D. J. Bernstein wrote: One can carry out the final search with nothing more than known ciphertext: try decrypting the ciphertext with each key and see which result looks most plausible. It should even be possible to carry out a timing attack with

Re: massive data theft at MasterCard processor

2005-06-20 Thread Ka-Ping Yee
On Fri, 17 Jun 2005, Steven M. Bellovin wrote: Designing a system that deflects this sort of attack is challenging. The right answer is smart cards that can digitally sign transactions, but that would require rolling out new readers to all the merchants. I was amazed to hear of the UK's fast

Re: RSA signatures without padding

2005-06-20 Thread James Muir
There is an attack against this type of RSA signature scheme, although I cannot remember just now if it requires that the verification exponent be small (i.e. e=3). The attack I am trying to recall is a chosen-message attack and its efficiency is related to the probability that a random 128-bit

Re: massive data theft at MasterCard processor

2005-06-20 Thread Peter Fairbrother
Steven M. Bellovin wrote: Designing a system that deflects this sort of attack is challenging. The right answer is smart cards that can digitally sign transactions No, it isn't! A handwritten signature is far better, it gives post-facto evidence about who authorised the transaction - it is

Re: RSA signatures without padding

2005-06-20 Thread Taral
On 6/20/05, James Muir wrote: The attack I am trying to recall is a chosen-message attack and its efficiency is related to the probability that a random 128-bit integer can be factorized over a small set of primes (i.e. the prob that a uniformly selected 128-bit integer is

Re: RSA signatures without padding

2005-06-20 Thread James Muir
Taral wrote: On 6/20/05, James Muir wrote: The attack I am trying to recall is a chosen-message attack and its efficiency is related to the probability that a random 128-bit integer can be factorized over a small set of primes (i.e. the prob that a uniformly selected 128-bit

Re: massive data theft at MasterCard processor

2005-06-20 Thread Anne Lynn Wheeler
Steven M. Bellovin wrote: MasterCard reported the exposure of up to 40,000,000 credit card numbers at CardSystems Solutions, a third-party processor of credit card data. CardSystems was infected with a script that targeted specific data. In other words, this wasn't the usual carelessness,