Think about what you're saying for a second. If it is possible, using any sort of method whatsoever, to extract an RSA private key from a device that has only a public key, RSA is completely broken in general. In this particular example, I just build an X-box, substituting my adversary's public key for Microsoft's public key, perform whatever hocus pocus you're suggesting, and get my adversary's private key.
The fact is that the timing attack given in the article involves timing decryption, an activity where the private key is used. For the reasons I outlined above, it would make no sense to have a timing attack where what you're timing only involves the public key.
In general, since X-boxes do not have the private key, the private key cannot be found given unrestricted access to X-boxes unless RSA is broken.
Microsoft's private key isn't on the X-box, but rather their public key is. This is because the public key is what the box needs to verify that a game is signed by Microsoft. It certainly does not need the private key. Hence, there is no private key on the box to extract.
X-box security is actually extremely different from Palladium. For Palladium, it is inherently necessary to have a private key (that is, a private key inaccessible to the end user) with every computer, so that computers can authenticate the trusted kernel (aka Nexus) that they are running to third parties. If they use an RSA implementation vulnerable to a timing-based attack, a local user could easily perform such an attack, extract the key, and forge any desired authentication.
No, they'd have to get you to decrypt chosen ciphertext (but they don't need the result of the decryption, just the timing). PGP uses public-key cryptography, so anyone can encrypt chosen plaintext.
That's a ridiculous conclusion. Suppose I put someone's eye out (who didn't die) and was convicted of murder. That verdict had damn well better be overturned, but no one would conclude that the court that reversed the verdict thought putting eyes out is ok. Also, if you read the thing you linked to, it specifically mentioned that coercion is a crime. But this wasn't a criminal case. The protestors were sued by NOW and some others for RICO violations that involved extortion.
They said that coercion doesn't violate the Hobbs Act or the RICO laws. They didn't say that the protesters action were non-criminal, but they reversed the judgment that they committed extortion. Saying that someone did not commit some particular crime is different from saying that they did nothing illegal.
I think it was a joke. He was saying that the presence of urine tests or hokey personality tests is a good way for employees to filter out bad employers.
Ok, but I didn't say there's such a program A that works for ANY program B, that's exactly my point -- maybe for each program B, there exists a (unique) corresponding program A that does what you describe.
Program A in my argument is a trivial simulator, a.k.a. a Universal Turing Machine. It is well known that it exists. I understood your claim perfectly: for every program M there exists some program N that decides whether M halts on given input. Such a program N cannot exist for the the program A that I described, which takes programs as input and runs them, because then that particular program N would solve the halting problem. I clearly never said that any program would be required to algorithmically find such programs N, but merely that the existence of such a program N for every program N implies that the halting problem is decidable.
Bad wording on my part. When I said "no one proved THIS is impossible" I meant you can generate HP given P, not that *there is* such generic algorithm: this would clearly be impossible.
Before you said "algorithmically generate", which is clearly impossible as you admit. Now you say "you can generate HP given P". Are you trying to say that humans can do things that cannot be done algorithmically? In any case, it is still false. As I proved earlier, HP does not even exist for every P, so it is not possible to generate HP given P in general. This is true for any entity whatsoever, regardless of its intelligence, computational resources, creativity, omnipotence, etc.
Still, it might be possible that exists an algorithm that generates HP given any P up to some defined size.
Sure, as long as the size is small enough that HP actually exists for every P in question. Then, since you'll be dealing with a finite problem, you can just do a table lookup.
It's still possible (I don't think it has been proved) that each program P has an associated function HP that decides if P halts or not (it may be the case that HP is bigger than P, hence Turing's proof don't apply).
It is not possible. Consider the program A that takes as input the description of a program B and input W to the program B, and simulates B on input W, thus halting iff B halts on input W. Then, the associated program HA is exactly the program H which does not exist. (I assume what you mean is that the program HP takes a given input and returns TRUE or FALSE depending on whether P halts on that input. If we're talking about programs that don't take input, then of course HP exists because either the program that always returns TRUE or the program that always returns FALSE is HP for given P.)
(well, if you have pen and infinite paper AND you know some algorithm to genereate HP given P (again, no one proved THIS is impossible) you could generate an H of any size
This is more obviously impossible. If you have an algorithm C that generates HP given P, then I can exhibit an H: on input P, run C on P to get HP, and then execute HP. However, H does not exist, so C does not exist.
Yeah, the shuttle can travel as fast as the shuttle, and bullets can travel as fast as bullets, but that doesn't mean I can fire a gun and hit a previously fired bullet mid-flight. The problem with shooting down missiles is targeting, not speed.
/dev/urandom is good enough unless you're worried about SHA being successfully cryptanalyzed, in which case you can use a different PRNG based on the hardness of factoring or the hardness of the discrete log problem.
What the hell are you talking about? RC-72 requires 256 times as much computation as RC-64, so once computers are 256 times faster, the faster computers will be able to solve RC-72 in the same length of time that current computers could solve RC-64. The fact that the previous poster forgot to take into account that work can be done while you're ramping up to speed means that the correct answer should be smaller than the previous poster's answer, not larger.
In fact, if we do as you did and let C be the Moore doubling time, let P be the number of computations to solve RC-64, let t be time in years, with 0 being now, let f(t) be the instantaneous computation speed in units of P/year, and let f0 be the time it would take to solve RC-64 now if computers remained at constant speed, then we have f(t) = (1/f0)*2^(t/C).
Starting now, we can solve RC-72 in time t, such that the integral of f(x) from 0 to t is 256.
The integration gives us C/(f0*ln(2))*(2^(t/c)-1)=256.
So, if we plug in C=1.5 and f0=1, then t=10.3 years.
Of course I propose everything be done in terms of 60984. This number is divisible be everything under 12, and is the smallest one. Let's be honest who does any other sort of division.
The academic community today would have had a hard time breaking Enigma (assuming the wirings were not known) even with the computing power available to us.
Uh, the Enigma had a few billion keys, tops. You could brute force it in minutes.
The thing is, Jabber supports purely internal use. There's even a section in the administrator's guide on Intranet Setup. Windows/Linux and Linux businesses can just run the free jabberd server on a Linux box, and use free Jabber clients on all sorts of platforms.
It seems smart if you can afford the risk. Not only will you pay less on average, but you'll probably drive more carefully if you're insuring yourself.
ReiserFS doesn't have fixed-size inodes and it can pack a varying number of small inodes into a single block, depending on the actual size of the inodes.
Well, there's a flag in the ELF header to indicate whether the file is big or little endian. Of course, you still couldn't actually run the file on a big endian system, simply because no such system executes x86 machine code, AFAIK.
Without the right signature for DRM, you can't run a piece of software that isn't licensed to run on that hardware. IE, not "I don't have my 30 day license," but "I wrote some software, and didn't pay the company that made the OS so I could write it." In other words, bye bye Linux.
That is incorrect. With Palladium, you can run any software you wish. Moreover, you can even run your own trusted kernel. The DRM scheme is that content providers could choose not to give you content unless you're running a kernel they trust to support DRM.
There is really no relation between Palladium and X-box style security that requires signed apps.
Will simply avoiding scheduled jobs between 2 and 3am solve most of our problems?
If your goal is to avoid the DST crossover, you should avoid 1am to 3am because it changes from 2am to 3am in the spring and from 2am to 1am in the fall.
Slashdot Mirror
Think about what you're saying for a second. If it is possible, using any sort of method whatsoever, to extract an RSA private key from a device that has only a public key, RSA is completely broken in general. In this particular example, I just build an X-box, substituting my adversary's public key for Microsoft's public key, perform whatever hocus pocus you're suggesting, and get my adversary's private key.
The fact is that the timing attack given in the article involves timing decryption, an activity where the private key is used. For the reasons I outlined above, it would make no sense to have a timing attack where what you're timing only involves the public key.
In general, since X-boxes do not have the private key, the private key cannot be found given unrestricted access to X-boxes unless RSA is broken.
Microsoft's private key isn't on the X-box, but rather their public key is. This is because the public key is what the box needs to verify that a game is signed by Microsoft. It certainly does not need the private key. Hence, there is no private key on the box to extract.
X-box security is actually extremely different from Palladium. For Palladium, it is inherently necessary to have a private key (that is, a private key inaccessible to the end user) with every computer, so that computers can authenticate the trusted kernel (aka Nexus) that they are running to third parties. If they use an RSA implementation vulnerable to a timing-based attack, a local user could easily perform such an attack, extract the key, and forge any desired authentication.
No, they'd have to get you to decrypt chosen ciphertext (but they don't need the result of the decryption, just the timing). PGP uses public-key cryptography, so anyone can encrypt chosen plaintext.
That's a ridiculous conclusion. Suppose I put someone's eye out (who didn't die) and was convicted of murder. That verdict had damn well better be overturned, but no one would conclude that the court that reversed the verdict thought putting eyes out is ok. Also, if you read the thing you linked to, it specifically mentioned that coercion is a crime. But this wasn't a criminal case. The protestors were sued by NOW and some others for RICO violations that involved extortion.
They said that coercion doesn't violate the Hobbs Act or the RICO laws. They didn't say that the protesters action were non-criminal, but they reversed the judgment that they committed extortion. Saying that someone did not commit some particular crime is different from saying that they did nothing illegal.
I think it was a joke. He was saying that the presence of urine tests or hokey personality tests is a good way for employees to filter out bad employers.
Ok, but I didn't say there's such a program A that works for ANY program B, that's exactly my point -- maybe for each program B, there exists a (unique) corresponding program A that does what you describe.
Program A in my argument is a trivial simulator, a.k.a. a Universal Turing Machine. It is well known that it exists. I understood your claim perfectly: for every program M there exists some program N that decides whether M halts on given input. Such a program N cannot exist for the the program A that I described, which takes programs as input and runs them, because then that particular program N would solve the halting problem. I clearly never said that any program would be required to algorithmically find such programs N, but merely that the existence of such a program N for every program N implies that the halting problem is decidable.
Bad wording on my part. When I said "no one proved THIS is impossible" I meant you can generate HP given P, not that *there is* such generic algorithm: this would clearly be impossible.
Before you said "algorithmically generate", which is clearly impossible as you admit. Now you say "you can generate HP given P". Are you trying to say that humans can do things that cannot be done algorithmically? In any case, it is still false. As I proved earlier, HP does not even exist for every P, so it is not possible to generate HP given P in general. This is true for any entity whatsoever, regardless of its intelligence, computational resources, creativity, omnipotence, etc.
Still, it might be possible that exists an algorithm that generates HP given any P up to some defined size.
Sure, as long as the size is small enough that HP actually exists for every P in question. Then, since you'll be dealing with a finite problem, you can just do a table lookup.
It's still possible (I don't think it has been proved) that each program P has an associated function HP that decides if P halts or not (it may be the case that HP is bigger than P, hence Turing's proof don't apply).
It is not possible. Consider the program A that takes as input the description of a program B and input W to the program B, and simulates B on input W, thus halting iff B halts on input W. Then, the associated program HA is exactly the program H which does not exist. (I assume what you mean is that the program HP takes a given input and returns TRUE or FALSE depending on whether P halts on that input. If we're talking about programs that don't take input, then of course HP exists because either the program that always returns TRUE or the program that always returns FALSE is HP for given P.)
(well, if you have pen and infinite paper AND you know some algorithm to genereate HP given P (again, no one proved THIS is impossible) you could generate an H of any size
This is more obviously impossible. If you have an algorithm C that generates HP given P, then I can exhibit an H: on input P, run C on P to get HP, and then execute HP. However, H does not exist, so C does not exist.
Yeah, the shuttle can travel as fast as the shuttle, and bullets can travel as fast as bullets, but that doesn't mean I can fire a gun and hit a previously fired bullet mid-flight. The problem with shooting down missiles is targeting, not speed.
Oh, that'll be fun. Maybe we should set up a pool on how long it takes until 95% of legitimate DNS servers are banned due to spoofing.
A hard drive is not an abstract mathematical entity. A 0 written over a 0 is magnetically distinguishable from a 0 written over a 1.
/dev/urandom is good enough unless you're worried about SHA being successfully cryptanalyzed, in which case you can use a different PRNG based on the hardness of factoring or the hardness of the discrete log problem.
What the hell are you talking about? RC-72 requires 256 times as much computation as RC-64, so once computers are 256 times faster, the faster computers will be able to solve RC-72 in the same length of time that current computers could solve RC-64. The fact that the previous poster forgot to take into account that work can be done while you're ramping up to speed means that the correct answer should be smaller than the previous poster's answer, not larger.
In fact, if we do as you did and let C be the Moore doubling time, let P be the number of computations to solve RC-64, let t be time in years, with 0 being now, let f(t) be the instantaneous computation speed in units of P/year, and let f0 be the time it would take to solve RC-64 now if computers remained at constant speed, then we have f(t) = (1/f0)*2^(t/C).
Starting now, we can solve RC-72 in time t, such that the integral of f(x) from 0 to t is 256.
The integration gives us C/(f0*ln(2))*(2^(t/c)-1)=256.
So, if we plug in C=1.5 and f0=1, then t=10.3 years.
Of course I propose everything be done in terms of 60984. This number is divisible be everything under 12, and is the smallest one. Let's be honest who does any other sort of division.
60984 isn't divisible by 5 or 10. You want 27720.
Dman, I didn't think about the wirings not being known. Disregard my message. Sorry.
The academic community today would have had a hard time breaking Enigma (assuming the wirings were not known) even with the computing power available to us.
Uh, the Enigma had a few billion keys, tops. You could brute force it in minutes.
And I'm sure the NSA's public web server isn't physically separate from any networks used for classified data.
The thing is, Jabber supports purely internal use. There's even a section in the administrator's guide on Intranet Setup. Windows/Linux and Linux businesses can just run the free jabberd server on a Linux box, and use free Jabber clients on all sorts of platforms.
It seems smart if you can afford the risk. Not only will you pay less on average, but you'll probably drive more carefully if you're insuring yourself.
ReiserFS doesn't have fixed-size inodes and it can pack a varying number of small inodes into a single block, depending on the actual size of the inodes.
It will still use at least one page of RAM, so that would be 4K.
Well, there's a flag in the ELF header to indicate whether the file is big or little endian. Of course, you still couldn't actually run the file on a big endian system, simply because no such system executes x86 machine code, AFAIK.
Without the right signature for DRM, you can't run a piece of software that isn't licensed to run on that hardware. IE, not "I don't have my 30 day license," but "I wrote some software, and didn't pay the company that made the OS so I could write it." In other words, bye bye Linux.
That is incorrect. With Palladium, you can run any software you wish. Moreover, you can even run your own trusted kernel. The DRM scheme is that content providers could choose not to give you content unless you're running a kernel they trust to support DRM.
There is really no relation between Palladium and X-box style security that requires signed apps.
Will simply avoiding scheduled jobs between 2 and 3am solve most of our problems?
If your goal is to avoid the DST crossover, you should avoid 1am to 3am because it changes from 2am to 3am in the spring and from 2am to 1am in the fall.
Who sells key pairs...
Verisign.
You don't make the certificate show that, but IE doesn't check correctly. That's the point.
I have a horrible feeling this is a +5 troll... anyone got a link to prove me wrong?
Yes, this explains in more detail.