### Re: IGE mode is broken (Re: IGE mode in OpenSSL)

Typo:

James A. Donald wrote:

> Let P(k) be the kth block of plain text. We prepend a random block, P(0), to the text, and append a fixed block to the end. If anything is altered, the fixed block at the end will not contain the expected data, but will be gibberish.
>
> The adversary knows every block in the plain text message except our P(0). He can intercept and change the encrypted message. He wishes to modify the message so that the intended recipient receives something different from the message that the adversary knows he should receive, without the intended recipient realizing something is wrong.
>
> Let W(k) = P(k) + W(k-1) + (W(k-1) & {W(k-1)})
>
> where & means bitwise and, and + means addition modulo 2 to the block size. W(0) = P(0) (our random block, unknown to the adversary or the recipient, and changing with every message). {} means encryption; {W(k-1)} is the block we get by encrypting W(k-1).
>
> We transmit T(k) = {W(k)} + W(k-1)|{W(k-1)}
>
> where | means bitwise or, curly brace means encryption.

Should read:

We transmit T(k) = {W(k)} + ((~W(k-1)) | {W(k-1)})

where ~ means bitwise negation, | means bitwise or, curly brace means encryption. W(-1) is zero.

The adversary knows P(k), except for P(0), and can intercept all transmitted values T(k). Because the combination of addition and bitwise logical operations is non-linear, this method gets through a loophole in Jutla's proof in http://eprint.iacr.org/2000/039

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
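The construction above, run end to end, as an added example that is not part of the post: it implements the W(k) chain and the corrected T(k), and checks the one property the post relies on, that any change to a transmitted block leaves the fixed trailer block as gibberish at the receiver. The block cipher {} is a toy Feistel stand-in (an assumption made so the script needs only the standard library); the key, P(0), plaintext and trailer values are constructed.

```python
# Added example: James A. Donald's proposed mode (with the corrected T(k)) exercised end to end.
# The block cipher {} is a toy 4-round Feistel network, NOT a real cipher; only the mode
# arithmetic (addition mod 2^128, bitwise and/or/not) follows the post.
import hashlib

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1          # "+" below is addition modulo 2^128
HALF = 64
HALF_MASK = (1 << HALF) - 1

def _round(key: bytes, rnd: int, half: int) -> int:
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def toy_encrypt(key: bytes, block: int) -> int:
    """Stand-in for {}: toy Feistel network over a 128-bit block."""
    l, r = block >> HALF, block & HALF_MASK
    for rnd in range(4):
        l, r = r, l ^ _round(key, rnd, r)
    return (l << HALF) | r

def toy_decrypt(key: bytes, block: int) -> int:
    l, r = block >> HALF, block & HALF_MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, rnd, l), l
    return (l << HALF) | r

def mode_encrypt(key: bytes, p0: int, plaintext: list, trailer: int) -> list:
    """Sender: blocks are [P(0) random, P(1..m), fixed trailer].
    W(k) = P(k) + W(k-1) + (W(k-1) & {W(k-1)}),  W(-1) = 0  (so W(0) = P(0))
    T(k) = {W(k)} + ((~W(k-1)) | {W(k-1)})"""
    w_prev, e_prev = 0, toy_encrypt(key, 0)      # W(-1) and {W(-1)}
    out = []
    for p in [p0] + list(plaintext) + [trailer]:
        w = (p + w_prev + (w_prev & e_prev)) & MASK
        e = toy_encrypt(key, w)
        out.append((e + ((~w_prev & MASK) | e_prev)) & MASK)
        w_prev, e_prev = w, e
    return out

def mode_decrypt(key: bytes, transmitted: list) -> list:
    """Receiver: peel off the mask to get {W(k)}, decrypt to W(k), then solve for P(k)."""
    w_prev, e_prev = 0, toy_encrypt(key, 0)
    out = []
    for t in transmitted:
        e = (t - ((~w_prev & MASK) | e_prev)) & MASK   # {W(k)}
        w = toy_decrypt(key, e)
        out.append((w - w_prev - (w_prev & e_prev)) & MASK)
        w_prev, e_prev = w, e
    return out

def receive(key: bytes, transmitted: list, trailer: int):
    """Return the message blocks if the fixed trailer survived intact, else None."""
    blocks = mode_decrypt(key, transmitted)
    if len(blocks) < 2 or blocks[-1] != trailer:
        return None
    return blocks[1:-1]

if __name__ == "__main__":
    key = b"constructed demo key"                      # constructed values
    p0 = 0x00112233445566778899AABBCCDDEEFF
    msg = [int.from_bytes(b"block number one", "big"), int.from_bytes(b"block number two", "big")]
    trailer = int.from_bytes(b"FIXED_TRAILER_!!", "big")
    t = mode_encrypt(key, p0, msg, trailer)
    print("intact   :", receive(key, t, trailer) == msg)
    t[1] ^= 1                                          # flip one bit in transit
    print("tampered :", receive(key, t, trailer))     # None: trailer no longer matches
```

The script shows only the propagation behaviour the post describes (a single flipped bit in T(1) scrambles every later block, including the trailer); whether the add/and/or mixing actually defeats the attacks on IGE is the question the thread is arguing, and this code does not settle it.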

### Re: Raw RSA

On Sun, 10 Sep 2006, James A. Donald wrote:
> Could you describe this attack in more detail. I do not see a scenario where it would be useful.

Suppose that an attacker runs an ActiveX control on the user's computer and the control is able to ask a smart card connected to the computer to perform raw RSA operations with the user's private key. The goal of the attacker is to be able to sign some useful messages with the user's private key *after* the user disconnects his smart card.

> The attacker can encrypt a subset of numbers - those that encrypt to a B-smooth number, but for this to be useful to him, he has to find a number in the subset that corresponds to what he desires to encrypt, which looks like a very long brute force search.

If the attacker needs to sign a message x, he needs to find a smooth number y = x + k n, where n is the RSA modulus and k is some arbitrary number. I forgot what the algorithm to find such y was (I am not even sure that it exists); IIRC, it was based on LLL.

-- 
Regards,
ASK
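The two phases described above, as an added example that is not part of the post: while the card is present the oracle signs every prime up to a bound B; once it is gone, a signature on any B-smooth y = x + k n is assembled from those, and since y and x agree modulo n it is exactly the raw signature on x. The key is a constructed toy (two seven-digit primes), which is why a plain brute-force scan over k suffices here; the post's LLL-based search for a smooth y is not implemented.

```python
# Added example: why a raw-RSA signing oracle is dangerous. Textbook RSA is multiplicative,
# so sig(a)*sig(b) = sig(a*b) mod n. Toy key, constructed here; needs Python 3.8+ for pow(e, -1, m).

P_TOY, Q_TOY = 1000003, 1000033          # constructed toy primes; never use sizes like this
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))

def raw_rsa_sign(m: int) -> int:
    """What the post's smart card exposes: m^d mod n with no hashing and no padding."""
    return pow(m, D_TOY, N_TOY)

def raw_rsa_verify(m: int, s: int) -> bool:
    return pow(s, E_TOY, N_TOY) == m % N_TOY

def small_primes(bound: int) -> list:
    """Sieve of Eratosthenes: all primes <= bound (the 'B' of B-smooth)."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i in range(bound + 1) if sieve[i]]

def factor_if_smooth(y: int, primes: list):
    """Trial division over the prime list: {prime: exponent} if y is B-smooth, else None."""
    factors = {}
    for p in primes:
        while y % p == 0:
            factors[p] = factors.get(p, 0) + 1
            y //= p
        if y == 1:
            break
    return factors if y == 1 else None

def collect_prime_signatures(primes: list) -> dict:
    """Phase 1 (card connected): have the oracle raw-sign every prime up to B."""
    return {p: raw_rsa_sign(p) for p in primes}

def forge_raw_signature(x: int, prime_sigs: dict, primes: list, max_k: int = 200_000):
    """Phase 2 (card disconnected): find k with y = x + k*n B-smooth (brute force, toy sizes
    only), then combine stored signatures: prod sig(p)^e_p = y^d = x^d (mod n)."""
    for k in range(max_k):
        factors = factor_if_smooth(x + k * N_TOY, primes)
        if factors is None:
            continue
        s = 1
        for p, exp in factors.items():
            s = s * pow(prime_sigs[p], exp, N_TOY) % N_TOY
        return k, s
    return None

if __name__ == "__main__":
    primes = small_primes(1000)
    sigs = collect_prime_signatures(primes)          # obtained while the card was present
    x = 123456789                                    # constructed message the attacker wants signed
    k, s = forge_raw_signature(x, sigs, primes)
    print("k =", k, "valid raw signature on x:", raw_rsa_verify(x, s))
```

The defensive reading is the one that matters for a card or HSM design: the device should hash and pad inside its own boundary (or otherwise refuse to exponentiate host-chosen integers), because any raw modular exponentiation it performs on demand is an oracle that composes multiplicatively, and the trust in "the card is unplugged now" is misplaced.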

### Re: Exponent 3 damage spreads...

Ben Laurie [EMAIL PROTECTED] quotes:
> Since I've been told often that most of the world won't upgrade resolvers, presumably most of the world will be vulnerable to this problem for a long time.

What you really meant to say was "most of the vanishingly small proportion of the world that bothers with DNSSEC", right? So the real vulnerability level is down somewhere lost in the noise level.

Peter.

### Re: Exponent 3 damage spreads...

James A. Donald wrote:
> James A. Donald wrote:
>> What is the penetration of Secure DNS?
>
> Ben Laurie wrote:
>> Anyone who is running any vaguely recent version of BIND is DNSSEC enabled, whether they are using it now or not.
>
> I am not well informed about DNSSEC, but I am under the impression that:
>
> 1. Actually using DNSSEC is a major performance hit.

No more than using SSL. Well, not much more :-)

> 2. Actually using DNSSEC requires manual secure master public key distribution, which people are disinclined to do, and which may not scale very well, unless unspecified institutions and arrangements are put in place.

Key distribution is, indeed, an open question. Certainly manual key distribution is not a solution.

> 3. No one actually uses DNSSEC in the wild.

I don't know whether this is true or not. Finding out what people do and don't do with DNS is hard.

> Please advise me if these impressions are wrong, or have become outdated.
>
> I realize that I sound like a cold wet sponge with a non-stop stream of unpleasantly negative posts, but one of the reasons that cryptography is not widely used is that the various standards, processes, and tools are not in fact very usable.

Doesn't bother me any, it's just that I happen to have done work on DNSSEC, so I figured I should alert those who care to the problem.

> Implementing protocols requires widespread consensus, but when too many people show at a meeting then either nothing gets done, or the outcome is extremely stupid, or both, and anyone who points to big problems in what is being done is dismissed as out of order or off topic in order to create the semblance of progress, with the result that what little progress occurs is usually in the wrong direction.

That seems a rather harsh judgement of a working group you say you're not informed about. Not that I totally disagree: the work I did on DNSSEC was initially dismissed as out of order and off topic, and it took a lot of effort to get people to accept that the problem was genuine. :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

### Re: Exponent 3 damage spreads...

Ben Laurie [EMAIL PROTECTED] writes:
> ...thought this might interest people here.

Anyone got a test key with a real and a forged signature to test other implementations than OpenSSL?

Thanks in advance.

Regards,
-- 
Jostein Tveit [EMAIL PROTECTED]

### Re: secure key storage APIs

Perry, please merge with my previous message; I hit 'send' by mistake.

Also, the following are of general interest:

Henson S., `Netscape certificate database info`: http://www.drh-consultancy.demon.co.uk/cert7.html
Henson S., `Netscape key database format`: http://www.drh-consultancy.demon.co.uk/key3.html

Cheers,
-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D

### Re: secure key storage APIs

Travis H. wrote:
> Does anyone know of any OSS OS facilities for managing keys?

Take a look at the GNOME Keyring:

http://en.wikipedia.org/wiki/GNOME_Keyring
http://cvs.gnome.org/viewcvs/gnome-keyring/

In addition, various frontends exist for GnuPG, e.g. KGPG.

It's not yet clear, but I might have to write something from scratch to satisfy our needs at OLPC (http://laptop.org).

-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D

### Re: Exponent 3 damage spreads...

Jostein Tveit wrote:
> Ben Laurie [EMAIL PROTECTED] writes:
>> ...thought this might interest people here.
>
> Anyone got a test key with a real and a forged signature to test other implementations than OpenSSL?

If I understand the attack mathematics correctly, the following algorithm should give you an alleged signature value that would be mistakenly accepted by a flawed RSA implementation. I didn't implement the algorithm, and I will not make suggestions as to a convenient big number arithmetic tool to implement it.

Note: The algorithm output value is NOT A FORGED SIGNATURE, since a non-flawed RSA signature verification implementation will correctly reject it. Nonetheless, using public exponent 3 with any use of RSA should be deprecated.

For the record, I am referring to Hal Finney, "Bleichenbacher's RSA signature forgery based on implementation error", Wed, 30 Aug 2006, http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html

Input:
  N, large public modulus (of unknown factorization)
  h, hash value

Constant:
  p: hex 01 FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
  A random binary source (e.g. large enough PRNG output)

Algorithm:

(A) find the largest value of r such that b = (p*2^20+h)*2^(8r) satisfies b+2^(8r)-1 < N
(B) select random a, 0 < a < N^2, then set c = a*N^2+b+2^(8r)-1
(C) using a simple binary search, find d = integer cubic root of c
(D) if d^3 < a*N^2+b, go back to step (B) -- if this occurs with a high probability, that's a failure of the approach proposed here; intuition suggests that the probability is either very close to zero, or very close to one
(E) set alleged signature s = d mod N (indeed, d < N, so s = d) and validate (merely as a software self-check) that (s^3 mod N) div 2^(8r) equals (p*2^20+h)
(F) output alleged signature s

Regards,
-- 
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]