Twitter | Pretraživanje | |
Cas Cremers 14. sij
It looks like it exploits what Vaudenay warned against in 2004 : "Digital Signature Schemes with Domain Parameters" ( )
Prikaži podatke · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 14. sij
Odgovor korisniku/ci @CasCremers
Pre-patch, a cert can be used if the hash of the public key matches one in the cert root, after which the parameters of the new cert get used, enabling Vaudenay's attack. The patch requires the curve parameters to be the same, preventing this attack.
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 14. sij
Odgovor korisniku/ci @CasCremers
This is ultimately similar to Pornin and Stern (2005). (Which we built on for )
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 15. sij
Odgovor korisniku/ci @CasCremers
Based on what I know now, I think the attack fits into a single tweet, including references:
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 15. sij
Odgovor korisniku/ci @CasCremers
1. Find an ecc root cert C with pk 2. Apply Vaudenay|(Pornin&Stern) 2004 get C' with sk',params' for that pk 3. Create a normal code signing cert C'' with key pair (pk'',sk'') and sign software with sk'' 4. Sign C'' with sk' 5. Present software,C'',C' to windows' sigcheck64.exe
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 15. sij
Odgovor korisniku/ci @kennyog @Dennis__Jackson i 2 ostali
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 15. sij
Odgovor korisniku/ci @kennyog @Dennis__Jackson i 4 ostali
Can someone please confirm/deny if this degenerate version works? (It is still Vaudenay 2004 but with d' the identity) It would be easier to detect in logs of course.
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers
1. Find an ecc root cert C 2. Create C' with the same public key and curve but set the generator to the public key of C 3. Create a normal signing cert C'' with key pair (pk'',sk'') and sign software/cert with sk'' 4. Sign C'' with sk=1 5. Ship software/cert with C'' and C'
10:14 - 15. sij 2020.
Reply Retweet Označi sa "sviđa mi se" More
Cas Cremers 15. sij
Odgovor korisniku/ci @reaperhulk @kennyog @kennwhite
This degenerate case was just confirmed to work by , thank you! ( )
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 16. sij
Odgovor korisniku/ci @reaperhulk @kennyog @kennwhite
Curve Validation Error
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 18. sij
Odgovor korisniku/ci @reaperhulk @kennyog @kennwhite
When comparing a received cert to cached root certs, windows only compared the public keys, but not the parameters, and would therefore assume that a received fake root cert C' with different parameters was the same as a cached root cert C, using C' to verify the cert chain.
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
Cas Cremers 18. sij
Odgovor korisniku/ci @reaperhulk @kennyog @kennwhite
By choosing the right parameters for C', you can know the private key for C' -- even when you don't know the private key for C -- as Vaudenay noted in 2004.
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
3-5 30-50x elves in a trench coat 16. sij
Odgovor korisniku/ci @CasCremers
for context: A defined curve has an order n [prime number] and a generator point G [point] privKey ≡ random number [integer] pubKey ≡ privKey * generator [scalar * point = point] the part I don't quite get yet is where the generator/"curve" is stored and if it is modifiable
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"
3-5 30-50x elves in a trench coat 16. sij
Odgovor korisniku/ci @CasCremers
because I thought the "curve" was a fixed thing, so which part is stored in the cert if any? can you have custom ones and it will still accept them? source on terms:
Prikaz razgovora · Reply Retweet Označi sa "sviđa mi se"