Raw RSA

[Alexander Klimov]

Hi.

If an attacker is given access to a raw RSA decryption oracle (the
oracle calculates c^d mod n for any c) is it possible to extract the
key (d)?

It is known, that given such an oracle, the attacker can ask for
"decryption"  of all primes less than B, and then he will be able to
sign PKCS-1 encoded messages if the representative number is B-smooth,
but is there any way to actually recover d itself?

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

[Thomas]

Am Dienstag 05 September 2006 03:14 schrieb Douglas F. Calvert:
> Hello,
>  I remember seeing a paper about identifying private keys in RAM. I
> thought it was by Rivest but I can not locate it for the life of me.
> Does anyone remember reading something like this? The basic operation
> was to identify areas in RAM that had certain characteristics such as
> random bits and identifiable key headers...
> Any help would be greatly appreciated...

This one?
http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf

and code for it: http://www.thc.segfault.net/releases/keyfinder.c

-- 
Tom <[EMAIL PROTECTED]>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Locating private keys in RAM?

[Andrew Tucker]

Did you mean this article by Gutmann?
http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt
 



From: [EMAIL PROTECTED] on behalf of Douglas F. Calvert
Sent: Mon 9/4/2006 6:14 PM
To: cryptography@metzdowd.com
Subject: Locating private keys in RAM?



Hello,
 I remember seeing a paper about identifying private keys in RAM. I
thought it was by Rivest but I can not locate it for the life of me.
Does anyone remember reading something like this? The basic operation
was to identify areas in RAM that had certain characteristics such as
random bits and identifiable key headers...
Any help would be greatly appreciated...


--
--dfc
[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

[Mike Lisanke]

Douglas,Many applications using RSA make use of a private key
in its ASN.1 BER form. In this format, the surrounding encoding of a
private key becomes very easily recognizable. The follow is an excerpt from RFC3447 (PKCS#1)
-- Representation of RSA private key with information for the CRT
-- algorithm.
--
RSAPrivateKey ::= SEQUENCE {
version   Version,
modulus   INTEGER,  -- n
publicExponentINTEGER,  -- e
privateExponent   INTEGER,  -- d
prime1INTEGER,  -- p
prime2INTEGER,  -- q
exponent1 INTEGER,  -- d mod (p-1)
exponent2 INTEGER,  -- d mod (q-1)
coefficient   INTEGER,  -- (inverse of q) mod p
otherPrimeInfos   OtherPrimeInfos OPTIONAL
}

Version ::= INTEGER { two-prime(0), multi(1) }
(CONSTRAINED BY {
-- version must be multi if otherPrimeInfos present --
})

OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo

OtherPrimeInfo ::= SEQUENCE {
prime INTEGER,  -- ri
exponent  INTEGER,  -- di
coefficient   INTEGER   -- ti
}


In ASN.1 BER each integer, a sequence, a version, etc. all have well
defined form of octet (bytes) which represent both the type of object,
its size, as well as its value.On 9/4/06, Douglas F. Calvert <[EMAIL PROTECTED]> wrote:> Hello,>  I remember seeing a paper about identifying private keys in RAM. I
> thought it was by Rivest but I can not locate it for the life of me.> Does anyone remember reading something like this? The basic operation> was to identify areas in RAM that had certain characteristics such as
> random bits and identifiable key headers...> Any help would be greatly appreciated...> > > --> --dfc> [EMAIL PROTECTED]
> > -> The Cryptography Mailing List> Unsubscribe by sending "unsubscribe cryptography" to 
[EMAIL PROTECTED]> Best regards,-- Mike 

Re: signing all outbound email

[Jon Callas]

On 5 Sep 2006, at 2:40 AM, Massimiliano Pala wrote:

This approach is MTA-to-MTA... if you want something more MTA-to- 
MUA


Not precisely. It is *primarily* MTA-to-MTA, for a number of very  
good reasons, like privacy. However, a number of people will be  
implementing DKIM verification in the MUA, including Yahoo!. (I've  
seen UI mockups, but they may have it shipping for all I know.) The  
protocol itself is completely agnostic on that. The signature travels  
with the message and the signing key is in the network. As long as  
you have both, you can verify the signatures.


Jon


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: signing all outbound email

[Paul Hoffman]

At 11:40 AM +0200 9/5/06, Massimiliano Pala wrote:

Jon Callas wrote:


On 4 Sep 2006, at 4:13 AM, Travis H. wrote:


Has anyone created hooks in MTAs so that they automagically

[...]

Go look at  for many more details.


This approach is MTA-to-MTA...


No, it's not. The receiving MTA *and/or* MUA can verify signatures. 
That is clearly covered in the protocol document.


--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

[Florian Weimer]

* Douglas F. Calvert:

> I remember seeing a paper about identifying private keys in RAM. I
> thought it was by Rivest but I can not locate it for the life of me.
> Does anyone remember reading something like this? The basic operation
> was to identify areas in RAM that had certain characteristics such as
> random bits and identifiable key headers...
> Any help would be greatly appreciated...

>From findkey.c in The Coroner's Toolkit:

/*  A. Shamir and N. van Someren, Playing Hide and Seek With Stored
/*  Keys, 1998.
/*  http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf.

(The web page no longer exists, though.)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

[Leandro Meiners]

Maybe you mean 
http://www.trapkit.de/research/sslkeyfinder/keyfinder_v1.0_20060205.pdf

Regards,

Leandro

On 9/4/06, Douglas F. Calvert <[EMAIL PROTECTED]> wrote:

Hello,
 I remember seeing a paper about identifying private keys in RAM. I
thought it was by Rivest but I can not locate it for the life of me.
Does anyone remember reading something like this? The basic operation
was to identify areas in RAM that had certain characteristics such as
random bits and identifiable key headers...
Any help would be greatly appreciated...


--
--dfc
[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]




--
Leandro Federico Meiners

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

A lack of US cryptanalytic security before Midway?

[Steven M. Bellovin]

The conventional wisdom is that the successful US cryptanalytic efforts
against Japanese naval codes was a closely-held secret.  I've just
stumbled on a source that disputes that.  In "The Unknown Battle of
Midway: The Destruction of the American Torpedo Squadrons" (Alvin Kernan,
Yale University Press, 2005), the author states:

Rumors began to circulate that the Japanese were planning to invade
little Midway Atoll and draw our ships out to fight the great sea
battle their strategy had long anticipated.  Our information, we
heard, at the scuttlebutt, came from code breakers...

Unbelievably, the Japanese never tumbled throughout the entire war
to the fact that their codes had been broken, and the U.S. Navy,
equally blindly, continued to believe that its ability to read one
after another of the Japanese codes remained a deep, dark secret
from its own sailors. But when the American carriers sailed from
Pearl Harbor to the Battle of Midway everyone aboard knew what was
in the wind and how we knew it.

The source for this statement isn't clear.  The author himself was an
enlisted sailor on one of the American carriers (he was an ordnanceman for
a torpedo squadron), so it may be first person knowledge.  Later in the
second paragraph, there's a footnote to Prange et al's "Miracle at
Midway", but I don't have that reference.


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Locating private keys in RAM?

[Steven M. Bellovin]

On Mon, 4 Sep 2006 21:14:05 -0400, "Douglas F. Calvert"
<[EMAIL PROTECTED]> wrote:

> Hello,
>  I remember seeing a paper about identifying private keys in RAM. I
> thought it was by Rivest but I can not locate it for the life of me.
> Does anyone remember reading something like this? The basic operation
> was to identify areas in RAM that had certain characteristics such as
> random bits and identifiable key headers...
> Any help would be greatly appreciated...
> 
It was by Shamir and van Someren.  See
http://citeseer.ist.psu.edu/vansomeren98playing.html

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Locating private keys in RAM?

[Whyte, William]

Adi Shamir and Nicko Van Someren, Playing Hide and Seek with Stored Keys:

http://citeseer.ist.psu.edu/vansomeren98playing.html 

Shamir, not Rivest. Easy mistake...

William


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Douglas 
> F. Calvert
> Sent: Tuesday, September 05, 2006 2:14 AM
> To: cryptography@metzdowd.com
> Subject: Locating private keys in RAM?
> 
> Hello,
>  I remember seeing a paper about identifying private keys in RAM. I
> thought it was by Rivest but I can not locate it for the life of me.
> Does anyone remember reading something like this? The basic operation
> was to identify areas in RAM that had certain characteristics such as
> random bits and identifiable key headers...
> Any help would be greatly appreciated...
> 
> 
> -- 
> --dfc
> [EMAIL PROTECTED]
> 
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
> [EMAIL PROTECTED]
> 

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]