Re: 50 attacks... [NOISE]
Boy, you people just don't appreciate anything that has a little bit of humor mixed with a little bit of reality.

1 - I can't believe that you failed to see any humor in the fifty ways to leave your Netscape posting. I would have thought some of you would have noticed that a substantial number of these methods would work with current W3 browsers! Do I really have to set up a URL to prove it to you? If I do, what good will it do me?

2 - I can't believe that you all think that applets (a.k.a. downloadable programs at the push of a button) will make you safe. The "we will only run trusted applets and they will all be secure" attitude is 180 degrees off base from my view.

3 - I would have figured at least one of you would have looked up the chosen plaintext attack and told me why Netscape keys can't be gotten at this way. I think there's an off chance I could win a grand!

4 - If you just keep quiet, I may be able to get $50K out of Netscape for a few minutes of typing. If they can make a billion on hype, why can't I make $50K?

5 - How much do you want to bet that within 12 months of my posting, at least 10 of the 50 listed items will have happened in one form or another? I got the same flaming 8 months ago when I mentioned that I thought syslog could be gotten at because of the way it was designed. I got piles of flames telling me to show code or stop smearing syslog. Three months later, a syslog attack appeared, and three months later, another one showed up.

6 - I think that it is the responsibility of the people who claim "security" to tell us what they mean by it and to demonstrate why we should believe them. You may disagree, but I didn't see any flames when I asked what they meant by secure only a few days ago. I also didn't see any answers.

7 - I got one assertion that the reason my earlier message was perceived as malicious was because I started with the word WRONG!!! It's probably correct that that's why I got flamed for it, so from now on, I want you all to design your mail filters to replace WRONG!!! in my postings with I respectfully disagree.

8 - The first 50 flamers responding to this message get a free 1 Gigabyte email message every day for the next week. Anonymous remailers included.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
fc@all.net (Dr. Frederick B. Cohen) writes:

> 3 - I would have figured at least one of you would have looked up the chosen plaintext attack and told me why Netscape keys can't be gotten at this way. I think there's an off chance I could win a grand!

I had missed this in your original posting. Here it is again:

> Concept 3 - There is a chosen plaintext attack against the RSA (published in the 1980s in a Crypto conference (IACR?)).
>
> Attack 50 - Use your Hot Java capability to sign selected message after message till the attacker derives your private key. I think this takes one or two messages per bit of private key.

Chosen plaintext attacks against RSA don't work in the context of RSA signatures, because the input to the RSA algorithm is a hash of the message being signed. You can't control the hash the way you need to in order to implement a chosen plaintext attack. (You can't "choose" the hash.)

For example, one kind of chosen plaintext attack would be to get an RSA signature on 2, on 3, on 5, on 7, and so on, on all the primes. This would let you create an RSA signature on any number by factoring the number and multiplying the RSA signatures of its prime factors. But there is no way to do this in practice because, as RSA-based signatures are actually implemented, only hashes are signed. This is done exactly to prevent this and similar attacks.

Hal
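A worked illustration of the attack Hal describes and of why hash-then-sign defeats it, added here as an editor's example and not part of the thread. The attacker gets textbook (unhashed, unpadded) RSA signatures on a handful of small primes and then forges a signature on any number whose prime factors are all in that set, using sig(a*b) = sig(a)*sig(b) mod n. Against hash-then-sign the same attacker needs the prime factors of H(target), a value they did not pick. The toy key (a ~40-bit modulus), SHA-256 reduced mod n, and trial-division factoring are assumptions chosen for readability; none of it is usable as a real signature scheme.

```python
"""Forging textbook RSA signatures from signatures on primes, and why
signing a hash blocks it. Added example with a constructed toy key."""
import hashlib

# Constructed toy RSA key. Real moduli are 2048+ bits; these primes are
# tiny so the numbers stay readable and trial division finishes instantly.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def textbook_sign(m):
    """Victim's signing oracle: signs the raw integer m, no hash, no padding."""
    return pow(m, D, N)


def verify_raw(m, s):
    """True if s is a textbook RSA signature on the integer m."""
    return pow(s, E, N) == m % N


def factor_small(m):
    """Trial-division factoring; adequate only because m < N ~ 2^40 here."""
    factors = []
    d = 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def collect_prime_signatures(primes):
    """Attacker phase 1: have the victim sign each chosen prime."""
    return {p: textbook_sign(p) for p in primes}


def forge_textbook(target, prime_sigs):
    """Attacker phase 2: sig(target) = product of sig(p) over the prime
    factorisation of target. Returns None if some factor was never signed."""
    s = 1
    for p in factor_small(target):
        if p not in prime_sigs:
            return None
        s = s * prime_sigs[p] % N
    return s


def hash_to_int(msg):
    """Digest as an integer, reduced mod N only because the toy modulus is
    much smaller than a SHA-256 output (assumption for the demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def hashed_sign(msg):
    """Hash-then-sign: the integer that goes through RSA is H(msg), not msg."""
    return textbook_sign(hash_to_int(msg))


def verify_hashed(msg, s):
    return verify_raw(hash_to_int(msg), s)


def forge_hashed(msg, prime_sigs):
    """Same multiplicative attack against hash-then-sign. Returns the prime
    factors of H(msg) the attacker never obtained signatures for; the forgery
    only works if that list is empty, and the attacker cannot choose H(msg)."""
    return [p for p in factor_small(hash_to_int(msg)) if p not in prime_sigs]


if __name__ == "__main__":
    sigs = collect_prime_signatures([2, 3, 5, 7, 11, 13])
    forged = forge_textbook(30030, sigs)          # 30030 = 2*3*5*7*11*13
    print("textbook forgery verifies:", verify_raw(30030, forged))
    print("17*19 forgeable with those primes:", forge_textbook(323, sigs) is not None)
    missing = forge_hashed(b"constructed target message", sigs)
    print("hash-then-sign: unsigned prime factors of H(msg):", missing)
```

Real schemes go one step further than "sign a hash": PKCS#1 v1.5 and PSS pad the digest out to a full-length, structured integer before exponentiation, so that the value signed is neither attacker-chosen nor small and smooth. That padding is the answer to the "what if the hash happens to factor nicely" worry that comes up later in this thread.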
> fc@all.net (Dr. Frederick B. Cohen) writes:
>
> > 3 - I would have figured at least one of you would have looked up the chosen plaintext attack and told me why Netscape keys can't be gotten at this way. I think there's an off chance I could win a grand!
>
> I had missed this in your original posting. Here it is again:
>
> > Concept 3 - There is a chosen plaintext attack against the RSA (published in the 1980s in a Crypto conference (IACR?)).
> >
> > Attack 50 - Use your Hot Java capability to sign selected message after message till the attacker derives your private key. I think this takes one or two messages per bit of private key.
>
> Chosen plaintext attacks against RSA don't work in the context of RSA signatures, because the input to the RSA algorithm is a hash of the message being signed. You can't control the hash the way you need to in order to implement a chosen plaintext attack. (You can't "choose" the hash.)
>
> For example, one kind of chosen plaintext attack would be to get an RSA signature on 2, on 3, on 5, on 7, and so on, on all the primes. This would let you create an RSA signature on any number by factoring the number and multiplying the RSA signatures of its prime factors. But there is no way to do this in practice because, as RSA-based signatures are actually implemented, only hashes are signed. This is done exactly to prevent this and similar attacks.

And how secure is the hash? Is it possible to create values that will hash to each prime (or something else that does the job)? Is the hash something we can figure a way to precompute using massively parallel processing so that we can then provide a set of codes which will produce the desired results? (etc.)

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Someone abused "Frederick B. Cohen"'s reputation by making him write:

> there is no way to do this in practice because as RSA-based signatures are actually implemented only hashes are signed. This is done exactly to prevent this and similar attacks.
>
> And how secure is the hash?

By design choice, "Very secure" ("the difficulty of coming up with any message having a given message digest is on the order of 2^128 operations", see end).

> Is it possible to create values that will hash to each prime (or something else that does the job)?

No.

> Is the hash something we can figure a way to precompute using massively parallel processing so that we can then provide a set of codes which will produce the desired results? (etc.)

No.

Why wouldn't you try to answer the questions yourself before mailing random thoughts? See RFC 1321, The MD5 Message-Digest Algorithm, and numerous reviews... Maybe I was being just "tested" and should not have replied :/

dl
-- 
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|...
Freedom Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept
Uzi security Marxist NSA ammunition NORAD FSF
participants (4)
- cjs@netcom.com
- fc@all.net
- Hal
- Laurent Demailly