Matasano Chargen: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere

  • anonymous · 3 years ago
    who or what is Google Security?
  • Nate · 3 years ago
    The math is more straightforward if you think about it differently than most people present it. Instead of:
    m = s^e mod n

    Think:
    m = s * s * s - k * n

    This iterative process is actually how modular exponentiation is implemented in computers. Each loop, you multiply by s and occasionally subtract off an n, based on the value of some bits of s. "k" is just an unimportant constant (how many times you subtract off n).

    So, the question is "how big is 's'?" Normally, size_bits(s) = size_bits(n), i.e. 2048 commonly. This means that every time you multiply by "s", your accumulator wraps around quite a few times. This makes it hard for an attacker to guess how many times it wrapped, just by observing the final result (discrete log problem). Strict enforcement of padding is intended to keep this property.

    But Bleichenbacher's attack (and a similar one we found previously in a shipping product) involves making "s" much smaller than n. If you can make size_bits(s)
  • Nate · 3 years ago
    Uh, great blog comment system.

    ... size_bits(s)
  • Nate · 3 years ago
    ... LESS THAN OR EQUAL TO size_bits(n) / 3, means the exponentiation won't wrap. This means it's easy to find a value, s_evil, where the cube root produces a value that matches SHA1(evil).
  • Dave G. · 3 years ago
    Nate:

    I like that you can simultaneously break crypto and not be able to use a web application with one button :) This is why you need to stop using your c64 for web browsing.

    Much love,

    Dave G.
  • anonymous former SunSoft/IR P · 3 years ago
    Jesus "tapdancing" Christ!!!(expletive deleted)


    and thanx

    nuff said
  • Nicko · 3 years ago
    ... Safari also depends on OpenSSL

    Actually Safari uses Apple's "Security Framework", which is based on the OpenGroup CDSA codebase. Apple's code does not have the above bug; it makes use of the fact that PKCS#1 signatures are deterministic, constructs the correct value for the cleartext of the signature and checks that this is exactly the same as the decryption of the signature.
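    The check Nicko describes, as an added example in Python that is not code from the thread, OpenSSL or Apple's Security Framework: rebuild the one PKCS#1 v1.5 block a valid signature on the message must decrypt to and compare it whole against s^e mod n, instead of parsing the decrypted value. The Miller-Rabin key generator and the small 512-bit modulus are assumptions so the example runs stand-alone.

```python
import hashlib
import secrets

# Constructed example; not OpenSSL's, Apple's or the thread's code. The key is
# a deliberately small 512-bit modulus so it generates quickly in pure Python.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=16):  # Miller-Rabin; n assumed odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=512, e=3):
    # Retry until p, q are prime and gcd(e, phi) == 1, which e = 3 needs.
    while True:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and is_probable_prime(p) and is_probable_prime(q):
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v1_5_encode(message, k):
    # RFC 8017 9.2: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), exactly k bytes.
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify_strict(message, sig, n, e):
    # Recompute the one block a valid signature must decrypt to and compare it
    # whole, instead of scanning s^e mod n for a hash somewhere after the padding.
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em_prime = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em_prime, emsa_pkcs1_v1_5_encode(message, k))
```

    Because the comparison covers every byte of the block, a decrypted value with the right hash but the wrong amount of padding is rejected outright.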
  • marius · 3 years ago
    Google employs security enabled engineers in various teams. They like mucking around with this stuff.

    There's more subtle flavors too:
    padding|asn1((HASHALGO_ID,random[xx]),hash), so the noise to make for a nice cube is hidden inside an ignored, large parameter. Rinse, repeat. Many variants, different implementations fail different ways.
    If you care about others' code verifying your signatures being less error prone, don't use 3. And don't delegate powers to keys that use 3 either ;-)
  • sour grep:s · 3 years ago
    cat curl-ca-bundle.crt | grep Exponent | grep ": 3" | wc -l

    !?!!??


    grep -c "Exponent: 3" curl-ca-bundle.crt
  • Thomas Ptacek · 3 years ago
    Yeah, yeah, yeah.
  • Thomas Ptacek · 3 years ago
    Also: grep -c? Gross.
  • jan · 2 years ago
    Hi Guys, please email this solution to me quickly. thanks...that is today please, desperate
    Suppose Fred sees your RSA signature on m1 and m2, (i.e., he sees (m1^d mod n) and (m2^d mod n)).
    How does he compute the signature on each of m1^j mod n (for positive integer j), m1^-1 mod n, m1 x m2 mod n, and
    in general m1^j m2^k mod n (for arbitrary j and k)?
  • Hiba · 2 years ago
    Elaborate more on the following please:

    Suppose Fred sees your RSA signature on m1 and m2, (i.e., he sees (m1^d mod n) and (m2^d mod n)).
    How does he compute the signature on each of m1^j mod n (for positive integer j), m1^-1 mod n, m1 x m2 mod n, and
    in general m1^j m2^k mod n (for arbitrary j and k)?
  • Thomas Ptacek · 2 years ago
  • swapniel · 2 years ago
    Suppose Fred sees your RSA signature on m1 and m2 (i.e. he sees m1^d mod m and m2^d mod n). How does he compute the signature on each of m1^j mod n
    (Positive integer j), m1^-1 mod n, m1.m2 mod n, and in general m1^j.m2^k mod n (for arbitrary integers j and k)?
    need the solution to this question plzzz