Domain: rsasecurity.com
Stories and comments across the archive that link to rsasecurity.com.
Comments · 248
-
Re:Physical tokens are better
Like this?
-
Re:Simple
I agree about the review process. However, the more people that review the technology, the higher the probability that security vulnerabilities are addressed. Of course open source does have the advantage of code level review by anyone who is interested, where "commercial" software is only reviewed by those with an NDA. Usually that means the company is paying contractors.
I love Bruce as much as the next security guy, but no one is perfect. So, I think multiple layers of review are appropriate under any good system. Hopefully driven more around teaching developers how to write better code rather than just catching flaws.
I heard in numerous presentations that export laws have been significantly relaxed. Here is RSA's perspective on the new export landscape. I'm glad they finally made this move, since trying to control public crypto is like trying to catch rain in your hands.
-J
-
Re:ugh... 4.5 months - for this?
First: considering that this site is supposed to be "News for Nerds" what news did the article provide? At a minimum it generated a forum to request further, more detailed information.
Second: Not unlike countless others, you misread one of my posts. I honestly can't see where I asked for theory. I am looking for how hard it was to solve this problem.
Wasn't that the point of the challenge? To quote the website: "to encourage research into computational number theory and the practical difficulty of factoring large integers."
So, with one of the problems solved, how difficult was it? 100 workstations and 3 months doesn't tell us much. Were all 100 working 100% on their given tasks for the full 3 months? Is it really 3 months, or was that number generously rounded up? How fast are the 100 machines? How do those 100 compare to the same number used to solve a previous value a few years ago? That last one is probably the most important question, because you can't compare between challenges without some honest reference.
And 100 is just an approximation - this announcement is just too vague!
As an example, something similar to this would have satisfied me. Please note that for that project, the delay between the date of submission and their detailed announcement is 1.5 months.
Please put a leash on your hubris.
I do. Perhaps you read frustration, and the expression of it, as arrogance. I've had difficulty finding such details, which is why I asked for assistance on the matter.
Although not quite what I was requesting, thanks for the links. It appears that Google has already provided a couple of them to me in the past. I've found this article to be an excellent primer - provides some history on (and some basics in) the effort of integer factorization. Most importantly it's not nearly as intimidating as the vast majority of publications I've encountered on the subject. -
RSA Labs had a press release way earlier
It just took some time to get to the marketoid...
-
So, has any Slashdot reader checked the results?
Does the numeral posted here actually equal the product of the numerals posted here?
The last digit looks OK, anyway. :-)
No, don't bother to flame me for laziness... I already know...
There was a time when I would have tried to do that on paper by hand, just to keep in practice. These days, not only am I too lazy to try that, but I don't currently have any software system at hand that implements indefinite-sized integer arithmetic... and I'm too lazy to implement one. -
Unless...
Unless someone comes up with a better factorization algorithm. In fact, if anyone knows of a software package that can solve a system of 640 boolean equations in 640 boolean unknowns, I can give you the factorization of the RSA-640 challenge number.
:-) -
Re:A good Q&A on this from the BBC too...
> easily cracked with fast computers
If it'd be so easy, here is some easy money to earn. When they've cracked the 1k value in less than a year, one could begin to think to change the key... in a decade or so.
It's not like it will not come out that a certain cryptographic scheme is challengable. That is why one should use publicly known algorithms. -
Re:If those numbers are correct....
Unfortunately my numbers for the 1024 bit key are not correct. It would take them significantly longer than a year to break a 1024 bit key. The 512 key (12 times a day) is still pretty substantial, though - used widely in hardware crypto systems.
See Bulletin #13 from RSA Labs for a decent machine-cost analysis of breaking larger keys.
"There, I said it, can you please put the gun away now?" :-)
-Adam -
Re:Man, what a hack....
I'm sure that spammers are using these products for their mass emailing instead of custom applications to obscure header information.
Are you serious? I kinda doubt it. I'm almost positive that there are custom spammer apps (some probably do web spidering too). I don't think they use them solely for obscuring header info. Anyways, that's not the point. I'm not suggesting that spammers couldn't mimic S/MIME, because they absolutely could. But assuming message-signing became so prevalent that it was used to help discern "spam" from "ham", once spammers signed their emails using a certificate from a trusted source, their identity could be added to lists of "known spammers" not unlike the RBLs, etc. that exist now. Of course, spammers would no doubt escalate things by continuously purchasing legitimate domains and legitimate domain certs, but as those got blacklisted, I imagine that they would approach some sort of bound (certainly the number of legal characters for a domain name ^ the length of a domain name, I guess). I suppose CRLs might come into play there, too (assuming admins updated their lists). The reduction of spam (solution is too optimistic) will likely come from a multiple solution approach as a single approach will be circumvented.
I'm not so naive as to think spam would be quieted by any one technical solution. Digital signature-esque solutions like the one(s) I pose are probably slightly more difficult to circumvent brute-force wise.
Just imagine if you could use aggressive email filters, but never had to worry about losing a co-worker's important business message because your company compelled everyone to sign their email messages (at least internally). Maybe your non-work email address(es) would still get spam, but your work address(es) would probably get far fewer!
-
A new security model
This survey just shows that a new security model is needed - people hate passwords. A place I used to work at used RSA SecurID tokens to authenticate users. It uses a pseudo-random number generated on a (physical) keyring that must match the one in the computer. I think the system is brilliant, and I wish I could find a free/open source version to use at home. The token could be replaced by a handheld computer or a program on a mobile phone for those that don't want to buy a keyring.
-
Not even Certicom knows the key
Certicom would be stupid if they knew the key! Here is the link on how RSAsecurity does it:
-
Re:That's a lot of processing
If done properly, nobody knows the key. The RSA factorisation challenges for instance have an accompanying story in the FAQ about how the primes were generated using a laptop, only the product (challenge) was recorded, the laptop destroyed. It's easy to check a factorisation (multiply :)), so no need to keep the primes around and risk having them leaked by dirty employees (or bribed, coerced etc). As this is a public key encryption scheme, I should hope that the same has been done here. -
Conflating professions
In this respect, Marconi was much more of a craftsman and businessman than a scientist.
I wonder how you would classify Edison, with 1368 patents to his name but no formal scientific pedagogy.
A lot of scientists incorporate & turn into businessman/scientist - eg Benjamin Franklin, Dr. Stephen Wolfram (founder of Mathematica), Dr. R & Dr. A (invented the RSA cryptographic scheme), Carl Sagan, and a whole lot of people in biotech.
The skillsets to be both seem conflicting - businessmen need a Machiavellian sense of brutal realism, while scientists are pursuing truths in the gentler idealistic realm of Plato.
-
RFID Blocker Tags from RSA
RSA developed an RFID Blocker Tag which annoys RFID readers by responding grumpily to all RFID read requests. It's a passive device like RFIDs, and doesn't burn out anything, just blocks requests.
-
Re:Dear Tom:
Actually, if Bill really knew his stuff, he wouldn't accept just any old number. 2^2047 is pretty much worthless, while RSA-2048 would put $200K into his pocket!
-
RSA RFID Blocker Tag
One of the interesting things at this year's RSA trade show was an RFID Blocker Tag that RSA Labs designed. It was recently discussed on Slashdot. You can read the above paper, but the summary is that it impersonates all 2**64 possible serial numbers, confusing the readers. (It basically answers "yes" when asked if the next bit is a 0 or if it's a 1. Mu!) So carry one in your wallet, and stick one in your luggage as well.
The paper describes fancier options, such as only impersonating numbers in some given range so that it only blocks reading some kinds of items, like the serial numbers on 100 Euro banknotes.
-
Actually you're right
RSA has studied solutions to prevent the readers from hanging on a "malicious" RFID-blocker. Such a solution is named in their paper:
It is conceivable that expensive, special-purpose readers could filter out blocker tags. For example, if a few readers working together could estimate the location of the tags, they could ignore a multitude of fake identifiers originating from a single location. Of course, existing readers are not capable of this hypothetical technique.
Whether they will also sell said solution is something that needs to be watched, I guess... -
Sometimes you don't want to nuke
In the RSA paper, there is a section on this very thing (in fact a lot of things discussed here are put forward in that paper).
Basically it says that in a foreseeable future, you may want to actually have certain RFID-tags 'alive' so your home appliances, like a washing machine or microwave, can use the tag to, for example, autodetermine a program that has to be run on said product. All sorts of interesting stuff presents itself here.
The trick is that you want to block (certain) RFID's at certain (private) places, and you will always have the last say in the 'who is scanning my stuff'-question.
This RSA-technique tries to have both. Now if there is a good standardization of RFID-numbers (like 1000xxxxxxxx = clothing, 1100xxxxxxxx is food etc.), you can practically shut every part of the binary RFID-tree out that you don't want anyone to scan.
If we harness this technique instead of simply dismissing it, we could actually get somewhere. But I agree that standardization and privacy-protection, not commerce, should be first and foremost on the agenda of RFID-introduction. -
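The tree-walking (singulation) protocol that the blocker tag plays on, and the prefix-based "privacy zone" variant the two posts above describe, can be simulated in a few dozen lines. The following is an added example, not code from the RSA Labs paper or from anyone in this thread: a reader walks the binary tree of serial numbers by asking the tags matching the current prefix for their next bit, an ordinary tag answers only along its own serial, and a blocker answers both 0 and 1 for every prefix inside its zone, so the reader sees every serial in that subtree. Serial numbers are 8 bits here rather than 64 so that a complete walk fits in a test; `BITS`, the tag serials and the zone prefix are constructed choices, and the reader's `max_queries` cutoff stands in for a real reader giving up.

```python
# Added example: simulating RFID tree-walking singulation with and without a blocker tag.
from typing import Iterable, List, Optional, Set, Tuple

BITS = 8  # toy serial length (constructed); the paper's tags live in a 2**64-leaf tree


class Tag:
    """An ordinary tag: answers the reader's 'next bit?' query only when the queried
    prefix is a prefix of its own serial, and then answers with its next bit."""

    def __init__(self, serial: int):
        self.bits = format(serial, f"0{BITS}b")

    def next_bits(self, prefix: str) -> Set[str]:
        if len(prefix) < BITS and self.bits.startswith(prefix):
            return {self.bits[len(prefix)]}
        return set()


class BlockerTag(Tag):
    """A blocker tag. For every prefix inside its zone it answers both '0' and '1',
    so the reader cannot tell real serials from impersonated ones in that subtree.
    zone='' blocks the whole tree (the 'all 2**64 serials' blocker); zone='1'
    blocks only serials starting with 1 (the selective blocker from the paper)."""

    def __init__(self, zone: str = ""):
        self.zone = zone

    def next_bits(self, prefix: str) -> Set[str]:
        if len(prefix) >= BITS:
            return set()
        if prefix.startswith(self.zone):       # inside the zone: claim both children
            return {"0", "1"}
        if self.zone.startswith(prefix):       # on the path to the zone: lead the reader there
            return {self.zone[len(prefix)]}    # (design choice for this simulation)
        return set()


def reader_walk(tags: Iterable[Tag], max_queries: Optional[int] = None) -> Tuple[List[str], int, bool]:
    """Depth-first tree walk of the serial-number space.

    Returns (serials read, queries issued, completed). completed is False when the
    reader hit max_queries first, which is what a fully blocked 64-bit tree does to
    a reader in practice: it never finishes enumerating."""
    tags = list(tags)
    found: List[str] = []
    queries = 0
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == BITS:
            found.append(prefix)          # a leaf: one (claimed) serial number
            continue
        if max_queries is not None and queries >= max_queries:
            return found, queries, False
        queries += 1
        answers: Set[str] = set()
        for tag in tags:
            answers |= tag.next_bits(prefix)   # all responders to this prefix query
        for bit in sorted(answers, reverse=True):
            stack.append(prefix + bit)         # '0' branch is explored first
    return found, queries, True


if __name__ == "__main__":
    # Constructed inventory: three real tags, two of them in the '1' subtree.
    real = [Tag(0b00010110), Tag(0b10100011), Tag(0b11110000)]
    print("no blocker:       ", reader_walk(real)[:2])
    print("full blocker:     ", [len(reader_walk(real + [BlockerTag()])[0]), reader_walk(real + [BlockerTag()])[1]])
    print("zone '1' blocker: ", len(reader_walk(real + [BlockerTag(zone="1")])[0]))
    print("reader gives up:  ", reader_walk(real + [BlockerTag()], max_queries=50)[1:])
```

With no blocker the reader needs 21 queries to read three tags; with the full blocker it issues 255 queries and comes back with all 256 serials, none of them distinguishable from the real ones; with the zone-"1" blocker the tag in the "0" subtree is still read normally while the two in the zone are hidden among 128 claimed serials, which is the "shut out part of the binary tree" behaviour the post describes.
-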
Original paper on RSA's idea
Here is the original paper on RSA's idea of blocking the RSA tags.
I posted a link to this a few months ago, after heise.de posted an article on that very thing. -
Re:Security through obscurity - not necessarily
If you are assuming that the knocking sequence is static, then - yeah, it's prone to sniffing and I agree with you on all items you listed. You also assume that the knock is equivalent to the password in a canonical authentication scheme, i.e. there's no username and it's the same for everyone.
However it is trivial to extend the knock to include an analog of a username and to make the password portion dependent on it. Say, first 4 ports knocked comprise user ID, and next 4 make up an authentication part.
This clearly enables all existing one-way authentication schemes ranging from simple one-time/discardable passwords to those based on hardware tokens.
I think the idea certainly has a potential, but it's hardly suitable for open solutions in its present form. -
Re:Well, there go the logfiles
You actually meant this.
My idea was basically a hack version of one of these, built into the client so that the human wouldn't have to enter the number (and lag the negotiation time past the deadline). -
RSA SecurID
This is basically what the RSA SecurID is all about.
RSA SecurID authenticators are as simple to use as entering a password, but much more secure. Each end user is assigned an RSA SecurID authenticator which generates a new, unpredictable code every 60 seconds. The user combines this number with a secret PIN to log into protected resources.
Instead of just a password, or in the knocking case, just some additional knowledge that anyone can sniff, you need a physical token and a PIN as well (assuming no one cracks your auth server). -
Re:Honeypot!
Although Certicom does have some links to the NSA, they're a Canadian company and it's unlikely they're doing the NSA's recruiting. This is much more like the RSA challenges.
-
Re:Are there any known MD5 collisions today?
1. Maybe, but don't get your hopes up.
2. RSA Labs: Rivest published MD5 in 1991, but he probably wants to sell some newfangled proprietary alternative that RSA already has patented. Tell them you have a collision, and that you want to offer it for a price, and ask how much they would be willing to pay.
The sad fact is that you'll probably not be offered more than a thousand since your collision was discovered by accident. If you had a method, though, the NSA might want to add three zeros to that.
-
512 bit keys cracked?
No one will ever see a post this far down and this late in the story, but..
According to your article, the NSA may be able to crack 512 bit RSA keys. The 128 bit keys you're talking about are AES keys.
The nice thing about cracking RSA keys is that you only have to try combinations of primes, not combinations of all numbers in the keyspace. It's quite a bit faster than brute-force.
The best public algorithms for cracking AES are not that far off from brute force. Your 128 bit AES keys are still relatively safe.
Silverman estimates that one needs a 1620-bit RSA key to provide security equivalent to a 128-bit symmetric cipher key (e.g. AES).
Hope that helps
-
Re:Is it me, or is this story...
attracting only comments from old troll accounts?
No one knows anything about how you go about factoring huge composite numbers...
Mathematics has the problem that the general population has listened to claims that "math is hard" and has learnt to ignore any attempt at understanding mathematics beyond useless trivia and professional sports statistics.
To help make some sense of what they are discussing:
Some factoring theory and source code by Paul Herman and Ami Fischman.
From RSA Labs' FAQ - What are the best factoring methods in use today? a fairly technical but readable description of advanced factoring algorithms, and What improvements are likely in factoring capability?
-
Re:RC5-76, not 576!
Not So! Read the site! A 76 bit number is not 174 decimal digits!
RSA-576
Prize: $10,000
Status: Not Factored
Decimal Digits: 174
18819881292060796383869723946165043980716356337941
73827007633564229888597152346654853190606065047430
45317388011303396716199692321205734031879550656996
221305168759307650257059
Digit Sum: 785
-
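The check that an earlier post in this thread wanted (does the product of the claimed factors really equal the challenge number?) needs nothing beyond arbitrary-precision integers, which Python has built in. The following is an added example, not code from the thread or from RSA Labs: it embeds the RSA-576 number exactly as listed above, checks the transcription against the published digit count and digit sum, and verifies a factorization by multiplication, with the "last digit" shortcut from that post as a cheap first filter. Since no factors of RSA-576 appear on this page, the factorization check is exercised on a constructed modulus built from two known primes.

```python
# Added example: checking a claimed factorization and a transcribed challenge number.
from typing import Tuple

# RSA-576 as printed in the challenge listing above (line breaks removed).
RSA_576 = int(
    "18819881292060796383869723946165043980716356337941"
    "73827007633564229888597152346654853190606065047430"
    "45317388011303396716199692321205734031879550656996"
    "221305168759307650257059"
)


def digit_count(n: int) -> int:
    """Number of decimal digits; the listing publishes this as 'Decimal Digits'."""
    return len(str(n))


def digit_sum(n: int) -> int:
    """Sum of the decimal digits; published as 'Digit Sum' so that a dropped,
    doubled or mistyped digit in a copy of the number is usually caught."""
    return sum(int(c) for c in str(n))


def transcription_ok(n: int, expected_digits: int, expected_digit_sum: int) -> bool:
    return digit_count(n) == expected_digits and digit_sum(n) == expected_digit_sum


def last_digit_ok(n: int, p: int, q: int) -> bool:
    """The 'last digit looks OK' check: the last digit of p*q depends only on the
    last digits of p and q. Necessary, not sufficient."""
    return (p % 10) * (q % 10) % 10 == n % 10


def check_factorization(n: int, p: int, q: int) -> Tuple[bool, str]:
    """Decide whether (p, q) is a non-trivial factorization of n.

    Multiplication is the entire check: finding p and q is the hard problem the
    challenge is about, but confirming them is one big-integer multiply.
    """
    if not (1 < p < n and 1 < q < n):
        return False, "trivial factor (1 or n itself)"
    if not last_digit_ok(n, p, q):
        return False, "last digit mismatch"
    if p * q != n:
        return False, "p*q != n"
    return True, "p*q == n"


if __name__ == "__main__":
    print("RSA-576 transcription ok:", transcription_ok(RSA_576, 174, 785))
    print("RSA-576 bit length:", RSA_576.bit_length())
    # Constructed check: two Mersenne primes used as factors (not RSA-576's factors,
    # which this thread does not give).
    p, q = 2**61 - 1, 2**89 - 1
    print(check_factorization(p * q, p, q))
    print(check_factorization(p * q, p, q + 2))
```

The digit sum is the detail worth noticing: it is published precisely so that someone re-typing 174 digits from a web page, as the poster above was about to do by hand, can tell a transcription error from a wrong factorization before doing any arithmetic on the number.
-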
Notify RSA
In order to win the prize, you must submit your result to RSA, they don't actively seek out winners. That's why RSA's page hasn't been updated.
They can submit their answer here. -
Re:Is 576bit big?
You may be comparing two different types of encryption. For block algorithms such as DES and AES, 128 bit is still fairly reasonable, however not for RSA (and other public key algorithms). Currently, 1024 bit RSA is considered reasonably secure and 576 is, as we can clearly see, quite insecure. I won't go into the details of why different algorithms need such drastically different key sizes here, but if you'd like to know more, the Crypto-FAQ is a good place to start.
-
Re:The "security blanket" factor
The algorithm Javascrypt implements is absolutely useless for what you're talking about. AES is a symmetric encryption algorithm, which means that if you're going to send the data to some server using Javascrypt, at some point you need to communicate the key. If you send the key with the data (not to mention the .js for decryption), you've just royally wasted your time. This could only be useful if you agree to a key in advance using some non-internet connection method, in which case you're not going to go with a "cheap ass" encryption technique like this.
Ever hear of Diffie-Hellman? Sure, there's a risk of a man-in-the-middle attack, but it's better than nothing, and will protect against passive sniffing attacks. -
Re:No GPG?
There are more than a few out there already (not surprisingly!):
RSA Crypto-J
BouncyCastle
Cryptix
Flexiprovider
There's a bunch more too - just google for them.
Some of these are free, some are Free and some are neither. Personally, I've written banking software using the RSA libs (I tried to get to use BouncyCastle but management didn't like the name!). -
RSA could have a solution for this
A few weeks ago, an article floated that RSA had designed an "RFID-Blocker", which intelligently blocks out RFID tags.
I guess it won't take long before the first investments are made in this little machine... -
This is new how?
-
Re:USB keys
Rainbow Tech makes these for their ikey and Sentinel products. You can use these for authentication as well as storing files. The problem remains that they are not 100% compatible with what's out there. If you don't have a screen to see what's on the fob, you then require an LCD screen. At that point you're talking about a PDA. I understand RSA Security has modules for PDAs
-
Have they thought this through?
Okay, my first impression was, this sounds like a nifty idea. But it has an ungodly number of downsides.
First, it's obviously a form of online gambling, which is already controversial because it opens up all sorts of jurisdictional questions.
Now, with classic forms of gambling (blackjack, roulette, female mud wrestling), it's very clear exactly what the rules are. It's easy to calculate the odds of winning or losing in any particular situation. To a limited extent, it's even possible to document if the game is rigged. But with this new game, what are the odds of having a critter drop Real Gem X? Only the people running the server actually know.
A couple of their points are very obviously wrong. For example: "The key is that most anti-gambling laws prohibit playing games of chance for money. Governments do not consider gold currency systems like Pecunix to be money."
This makes about as much sense as saying that we can't regulate Vegas because the participants first exchange their money for poker chips. If you spend $10 to buy 1000 Pecuni-bucks, and lose it all, you've really gambled away $10. If you double it and convert it back into cash, then it's the same as gambling the cash. I doubt the Feds will see a distinction.
Having said all that, I think this should be explored further. It seems like an idea like this would be better exploited by the gambling industry than by current MMORPG companies. They already know the ins and outs of both the financial and legal aspects of such a venture.
It also seems like this would be a perfect testbed for various digital cash systems. Or a game like this could be the basis of a black market economy. But whatever the system was used for, security would have to be absolutely rock solid. -
Re:One Time Passwords
Sounds like the RSA secure-ID keys that many gov't agencies / labs use. There are a couple of versions, one like you describe that relies on a PIN, and another that just generates a new code every 60 seconds, so you just look at it when you want to log in and use the password displayed on it. (Physically, the things are like little keyfobs with lcd displays on them.) These hw tokens are about the best login methods I've seen.
TimeZone
-
Nope, you are my friend! ;-)
-
Yes, Efficiencies!
That isn't the whole story, and the running backwards analogy is just plain wrong.
Have you heard of something called parallel computation? RSA is doing it right here with DNA computing.
I suggest you read some background on what this means in terms of the nature of modern day computing, there's a good article here. Here's something from the second page of the article:
Now let's consider how you would solve a nontrivial example of the traveling salesman problem (# of cities > 10) with silicon vs. DNA. With a von Neumann computer, one naive method would be to set up a search tree, measure each complete branch sequentially, and keep the shortest one. Improvements could be made with better search algorithms, such as pruning the search tree when one of the branches you are measuring is already longer than the best candidate. A method you certainly would not use would be to first generate all possible paths and then search the entire list. Why? Well, consider that the entire list of routes for a 20 city problem could theoretically take 45 million GBytes of memory (18! routes with 7 byte words)! Also for a 100 MIPS computer, it would take two years just to generate all paths (assuming one instruction cycle to generate each city in every path). However, using DNA computing, this method becomes feasible! 10^15 is just a nanomole of material, a relatively small number for biochemistry. Also, routes no longer have to be searched through sequentially. Operations can be done all in parallel.
This is a huge deal for computing. Huge.
I went to Berkeley too. Have you heard of The Berkeley Initiative in Soft Computing (BISC)? Read their website, it will also increase your understanding as to how fuzzy logic translates into efficiencies and more to the point, performance. Not to mention the potential for efficient and high levels of data storage in DNA. The possibilities are amazing! A detailed understanding of evolutionary biology in the context of fuzzy logic and modern day computer computation (especially parallel) will blow your mind in terms of how things came to be, and how they fit so perfectly with certain operations. This is really the next big thing.
G.R. Bouchard, PhD
Associate Professor of Biophysics -
Re:Two distinct fields
your boss would be right
he isn't confusing the two, he happens to be doing bioinformatics and m. biology research, but his questions are very much focused on the convergence of biology and computing.
i agree with you to the extent that, up to today, both have been used as tools to forward one another. HOWEVER, every indication in leading edge research at high-end labs in genomics and proteomics (such as the one I work at in the UK) shows that the two will converge. we're getting close to points where silicon just doesn't cut it anymore. and although i do realise that the bio stuff has a long way to go, we will see much more convergence in our life time. case in point: molecular computing. it's been done, and it uses DNA. it isn't simply a tool forwarding computing, it is a new type of computing -- one example is the convergence of modern day encryption technology with DNA computing.
A large Unifying Theory may not exist, but don't be mistaken that some sort of unification won't take place in the long long-run. It's already happening, these things just take time. -
No, good questions
two different beasts?
you're absolutely wrong, and projects like this prove that, and there are far better examples as well.
the questions were good, the problem is a lot more needs to be known before they can be fully answered in terms of actual potential of the convergence of biology and computing. however, most reasonable estimates even indicate tremendous potential does indeed exist, and examples of molecular computing even from today, while not doing the full potential justice, exemplify that.
i'd agree to hang on to your Seagate stock, but the rest is just tunnel vision. biology can and will be controlled to allow for further "computing" capability and we will see the two converge. it's just a matter of when and how much convergence -versus- absolute change in the way we do things. -
Some applications already being considered
Regarding your first question, some applications combining our knowledge of computing in biology are already being considered. See the following link DNA Computing
-
Score: -1, Wrong
The parent poster is insightful, you are an idiot.
Unfortunately, your proposal is completely irrelevant. In the cases I know, the communication channel between the ISP and ARIN was not compromised. The ISP just sent bogus data, acting on forged customer requests.
No shit the channel was not compromised, but it was misused. So how do we solve the problem of determining if a message is authentic. *snaps fingers* I know! We use public key cryptography!
There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.
You are sadly mistaken. Cryptography is not just about obscuring the message, but also proving that the message is authentic.
Here's how the process works:
1. message is run through a digest
2. the digest is encrypted using the sender's private key against the recipient's public key (this is called the signature)
3. the message is sent with the signature attached
4. the recipient decrypts the signature to get the digest and performs the same digest operation on the message.
If the signature cannot be decrypted, or the digests do not match, the message cannot be authenticated. Both parties must trust the other's public key, so they met in person and signed the other's key before they performed any transactions. Afterwards, if they can successfully encrypt and decrypt messages to and from the other, the authentication mechanism above works.
In general, cryptography is used for authentication in all kinds of places. You know a hash function is a type of cypher? Passwords on *nix systems are stored hashed. Every time you enter a password, the system runs it through a hash function (likely MD5) and compares that to what is stored on disk. MD5 sums are used to validate the authenticity of software packages. Of course, the list of sums is often authenticated as described above (using PGP/GPG).
So please, come up to speed on these things!
-
Re:Signed communications to the registries
What the fuck are you talking about? Have you even the slightest comprehension of how the protocols PGP uses work?
Please, I implore you to go read this introduction and maybe supplement it with this document before your brain conjures up another thought.
You do have the right idea, however. Public key authentication is useful for so many things and this is one of them. Basically, all parties involved have public and private key pairs established before any transactions take place. After that, all messages for transactions are then signed so the sender can prove their identity to the recipient. If the signature of the message is invalid, the message is ignored. The adversary in this case, spammers, are probably not sophisticated enough to acquire the private key of either party (assuming good cryptographic policy is adhered to) or solve the factoring dilemma on which public key cryptography is based.
It all comes down to authentication. If you have a system in place where a message can be authenticated, you have that much more security. If not, you get situations like these where the stakes are high and forgeries are nearly trivial.
-
Why are key formats so complex?
Why are there so many variants of crypto key formats?
Not only the PKCS series, but also the various encoding methods. And clearly these are inadequate for everyone, so we get PGP formats, SSH/OpenSSH/PuTTY formats, etc.
If there had been a much smaller, more universal set of key formats, interoperable crypto would have been far easier.
On my paranoid days, I begin to suspect the TLA agencies on the standards committees deliberately introduced complexity to limit take-up.