Re: RSA conference

2006-09-19 Thread Erik Zenner
William,

> I've been notified that we had a paper accepted for the
> cryptographers' track. If you're concerned about that track, 
> you could try contacting Masayuki Abe, the PC Chair, 
> directly. If you're interested in other tracks I'm not sure 
> what to suggest.

thanks for your mail, but my concern was in fact the main RSA
conference. Might be though that the crypto mailing list is the wrong
place to ask that kind of question...

Best regards

Erik

--
Dr. Erik Zenner, Chief Cryptographer
Cryptico A/S, Fruebjergvej 3, DK 2100 Copenhagen
Phone: +45 39 17 96 06   Mobile: +45 60 77 95 41
[EMAIL PROTECTED]   www.cryptico.com

This e-mail may contain confidential information which is intended for
the addressee(s) only and which may not be reproduced or disclosed to
any other person. If you receive this e-mail by mistake, please contact
Cryptico immediately and destroy the e-mail. Thank you.

As e-mail can be changed electronically, Cryptico assumes no
responsibility for the message or any attachments. Nor will Cryptico be
responsible for any intrusion upon this e-mail or its attachments. 


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: RSA conference

2006-09-19 Thread Whyte, William
I've been notified that we had a paper accepted for the cryptographers'
track. If you're concerned about that track, you could try contacting
Masayuki Abe, the PC Chair, directly. If you're interested in other
tracks I'm not sure what to suggest.

William

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Erik Zenner
> Sent: Tuesday, September 19, 2006 2:57 AM
> To: cryptography@metzdowd.com
> Subject: RSA conference
> 
> Hi all!
> 
> Has anyone heard any news about the RSA conference US 2007?
> 
> The notification of authors should have been in August, now we are in
> the second half of September without having heard anything from the
> organizers. 
> 
> At the same time, their mail server keeps rejecting all mails that are
> sent to the RSA conference addresses [EMAIL PROTECTED] and
> [EMAIL PROTECTED] Since these are the only contact
> options offered, the conference organizers basically can not 
> be reached.
> 
> 
> For a minor conference, I would consider this to be a very 
> bad sign, but
> since this is RSA conference, I assume that things go as planned. Has
> anyone heard about problems or delays in organizing the conference?
> 
> Thanks
> 
> Erik
> 



RSA conference

2006-09-19 Thread Erik Zenner
Hi all!

Has anyone heard any news about the RSA conference US 2007?

The notification of authors should have been in August, now we are in
the second half of September without having heard anything from the
organizers. 

At the same time, their mail server keeps rejecting all mails that are
sent to the RSA conference addresses [EMAIL PROTECTED] and
[EMAIL PROTECTED] Since these are the only contact
options offered, the conference organizers basically can not be reached.


For a minor conference, I would consider this to be a very bad sign, but
since this is RSA conference, I assume that things go as planned. Has
anyone heard about problems or delays in organizing the conference?

Thanks

Erik



Re: Exponent 3 damage spreads...

2006-09-19 Thread Damien Miller
On Fri, 15 Sep 2006, Jostein Tveit wrote:

> [EMAIL PROTECTED] (Peter Gutmann) writes:
> 
> > What's more scary is that if anyone introduces a parameterised hash
> > (it's quite possible that this has already happened in some fields,
> > and with the current interest in randomised hashes it's only a
> > matter of time before we see these anyway) [...]
>
> Both Rivest and Shamir said that they want a parameterised hash
> according to Paul Hoffman's "Notes from the Hash Futures Panel".
> http://www.proper.com/lookit/hash-futures-panel-notes.html >

Having a standard parameterised hash function does not necessitate that
ASN.1 instances of their output have to be parameterised too. IMO it
would make more sense to pick a progression of sizes similar to
SHA{1,256,...}

-d




Re: Why the exponent 3 error happened:

2006-09-19 Thread James A. Donald

--
Simon Josefsson wrote:
> Again, there is no problem in ASN.1 or PKCS#1 that is
> being exploited here, only an implementation flaw,
> even if it is an interesting one.

But why did several people independently implement the
same or similar flaws?

The answer is in Jack Lloyd's post:
> I wrote a decoder for PKCS#1 v1.5, realized it
> probably had bugs I wouldn't figure out until too
> late, [...] my PSS verification code is probably
> around twice the length of the PSS generation code,
> due to the need to check every stupid little thing.

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 kcayKvWlPFXTPP9oNsxdS/f7Cu706I0sQMBSZJUj
 4578L9TLcVLPN7c++p1/Un4LFV6ugOy6Pb/SpWw2u


Re: [cryptography] Re: Why the exponent 3 error happened:

2006-09-19 Thread Ralf-Philipp Weinmann


On Sep 16, 2006, at 11:31 PM, Eric Young wrote:

> This is a question I would not mind having answered; while the
> exponent 3 attack works when there are low bits to 'modify', there
> has been talk of an attack where the ASN.1 is correctly right
> justified (hash is the least significant bytes), but incorrect ASN.1
> encoding is used to add 'arbitrary' bytes before the hash. So in
> this case some of the most significant bytes are fixed, the least
> significant bytes are fixed, but some in the middle can be
> modified. Does the exponent 3 attack work in this case? My
> personal feel is that this would be much harder, but is such an
> attack infeasible?
>
> This issue about ASN.1 parameters being an evil concept goes away
> if the attack can only work when the least significant bytes need
> to be modifiable.


Hi Eric,

the attack indeed is not infeasible. Although if you do not want to  
violate the padding specifications (minimum of eight 0xFF bytes), you  
need moduli longer than 1024 bits. My colleague Andrei Pyshkin had  
the following idea:


In the following, we will assume the public exponent e=3. Let s be the
signature of a message m. The message can be broken down into 3 parts:


m := f_1 || v || f_2

with f_1, f_2 being fixed and v variable. Note that f_2 denotes the  
lowermost bits of the message. Furthermore let d=bitlength(f_2).


In order to calculate a signature s such that m is a perfect cube, we  
carry out the following steps:


1. Calculate an x such that f_2 = x^3 mod 2^d with x < 2^d. This will
succeed with probability > 1/2.

2. Calculate s_0 = floor(cuberoot(m))

3. Calculate the signature s = s_0 + x - (s_0 mod 2^d)

Calculating the bounds for which moduli and fixed data structures
this attack will succeed is left as an exercise to the inclined reader.


Unfortunately we only found out that there has been prior art by  
Yutaka Oiwa et al. *AFTER* we successfully forged a certificate using  
this method (we being Andrei Pyshkin, Erik Tews and myself).


The certificate we forged however adheres to the padding  
specifications unlike the one by Yutaka Oiwa that Simon Josefsson  
forwarded to the list a couple of days ago:


-----BEGIN CERTIFICATE-----
[...]ADLL/Up63HkFWD15INcW
Xd1nZGI+gO/whm58ICyJ1Js7ON6N4NyBTwe8513CvdOlOdG/Ctmy2gxEE47HhEed
ST8AUooI0ey599t84P20gGRuOYIjr7c=
-----END CERTIFICATE-----

Broken implementations can successfully verify it using the Starfield  
Class 2 Certification Authority:


https://certificates.starfieldtech.com/repository/sf-class2-root.crt

Cheers,
Ralf

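The block layout Ralf-Philipp Weinmann describes above (m := f_1 || v || f_2, fixed prefix, variable middle, hash right-justified at the end) only helps an attacker against a verifier that locates the pieces it expects and ignores the bytes in between; that is the implementation flaw Jack Lloyd's and James Donald's posts earlier in the thread are talking about. The following Python is an added example written for this page, not code from any poster or from any of the implementations discussed. It builds the canonical EMSA-PKCS1-v1_5 encoding for SHA-1, a lenient verifier of the flawed kind, and a strict verifier that rebuilds the one acceptable encoding and compares the whole block. The "middle-variable" block is constructed directly so that only the padding logic is exercised; no RSA operation or cube root is involved, and the message digested is a constructed sample.

```python
"""Strict vs. lenient PKCS#1 v1.5 padding checks (added example, not from the thread).

It models the block layout EM = f_1 || v || f_2 from the post above: a fixed
prefix, variable middle bytes v, and a fixed suffix carrying the hash. A
verifier that only locates the pieces it expects and ignores whatever sits
in between accepts any block of that shape; a verifier that rebuilds the
single acceptable encoding and compares the whole block rejects it. No RSA
operation is performed: the blocks are constructed directly so that only the
padding logic is exercised.
"""
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def pkcs1v15_encode(digest: bytes, k: int) -> bytes:
    """Canonical EMSA-PKCS1-v1_5 encoding of a SHA-1 digest for a k-byte modulus."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:  # the spec requires at least eight 0xFF padding bytes
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em: bytes, digest: bytes) -> bool:
    """Flawed check of the kind discussed in the thread: it confirms the
    00 01 FF..FF 00 header and that the block ends with DigestInfo||digest,
    but never inspects the bytes in between (the variable part v)."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    return em.endswith(SHA1_DIGESTINFO_PREFIX + digest)


def strict_verify(em: bytes, digest: bytes) -> bool:
    """Correct check: recompute the one valid encoding and compare the
    whole block. Any extra byte anywhere makes the comparison fail."""
    try:
        expected = pkcs1v15_encode(digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def middle_variable_block(digest: bytes, k: int) -> bytes:
    """Constructed block shaped f_1 || v || f_2 (not a forgery; no cube root
    is taken): minimal valid-looking header, arbitrary middle bytes, and the
    genuine DigestInfo||digest right-justified at the end."""
    f_1 = b"\x00\x01" + b"\xff" * 8 + b"\x00"
    f_2 = SHA1_DIGESTINFO_PREFIX + digest
    v_len = k - len(f_1) - len(f_2)
    v = bytes(range(256))[:v_len]  # arbitrary filler standing in for v
    return f_1 + v + f_2


def demo(k: int = 128) -> dict:
    """Run both verifiers on a canonical block and on a middle-variable block."""
    digest = hashlib.sha1(b"constructed message").digest()  # constructed input
    canonical = pkcs1v15_encode(digest, k)
    shaped = middle_variable_block(digest, k)
    return {
        "canonical_lenient": lenient_verify(canonical, digest),
        "canonical_strict": strict_verify(canonical, digest),
        "shaped_lenient": lenient_verify(shaped, digest),
        "shaped_strict": strict_verify(shaped, digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The point of `strict_verify` is the one Jack Lloyd makes from the other direction: instead of parsing the block and checking "every stupid little thing", the verifier generates the only encoding it would accept and compares the entire block, so the variable region v has nowhere to hide. The 0xFF run length, the zero separator, the DigestInfo bytes and the digest are all checked by that single comparison.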