Marc Stevens
@realhashbreaker
RWC2020
Cryptologist. Highlights: first SHA-1 collision, SVP&MQ records, exposed FLAME's collision attack, MD5 rogue CA.

409 Tweets | 48 Following | 1,590 Followers
Tweets

Marc Stevens Retweeted
VUSec (@vu5ec), Jan 27
Another day, another #RIDL embargo and addendum! “New” (not really!) variants of the day: L1D evictions (Fig 6, RIDL paper) or #L1DES and vector registers or #VRS. See mdsattacks.com. As a bonus: a faster RIDL exploit that leaks a root hash in 4s: youtube.com/watch?v=4DQAcC…

Marc Stevens (@realhashbreaker), Jan 21
Hardened SHA-1 won't detect all CP coll attacks (e.g. not 2^80 birthday CP coll). But it will detect any collision attack using one of 32 listed 'disturbance vectors'. Based on our current understanding, it won't give 80 bits of security back, but something like 70.

Marc Stevens (@realhashbreaker), Jan 21
Not supporting continued use of SHA-1, but look at the papers. The counter-cryptanalysis was invented to solve the problem of detecting chosen-prefix collisions.

Marc Stevens Retweeted
Ben Lincoln (@0x00C651E0), Jan 14
The NSA immediately prior to hitting the submit button to report CVE-2020-0601: pic.twitter.com/rPTFp2pDJt

Marc Stevens Retweeted
Filippo Valsorda (@FiloSottile), Jan 14
> Certificates with named elliptic curves, […], can be ruled benign. […] Certificates with explicitly-defined parameters […] which fully-match those of a standard curve can similarly be ruled benign.
So it's a vulnerability in ECDSA verification of custom curves. twitter.com/NSAGov/status/…

Marc Stevens Retweeted
briankrebs (@briankrebs), Jan 14
...and CERT's take on CVE-2020-0601: Crypt32.dll fails to validate ECC certificates in a way that properly leverages protections that ECC should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root CA twitter.com/tababodash/sta…

Marc Stevens Retweeted
briankrebs (@briankrebs), Jan 14
Microsoft has released an advisory for this vulnerability in Win10, Server 2016 and '19. It rated this as a "spoofing" flaw that is "important" in severity, but puts exploitability rating at 1, its second most severe, i.e. "exploitation more likely." portal.msrc.microsoft.com/en-US/security…

Marc Stevens Retweeted
briankrebs (@briankrebs), Jan 13
Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch krebsonsecurity.com/2020/01/crypti…

Marc Stevens (@realhashbreaker), Jan 13
For background, see also the (Dutch) text of the Amendment by @KeesVee funding this: tweedekamer.nl/kamerstukken/a…

Marc Stevens Retweeted
Gaëtan Leurent (@cryptosaurus6), Jan 10
Congrats for the well deserved prize!
We couldn't have done the Shambles attack without all the work that came before on MD5 and SHA1, by you and many others...

Marc Stevens (@realhashbreaker), Jan 10
So many developed tools aren't being made public. This is quite a loss for the community. Public tools help in verification of results and help new work: many implementation details never get into the paper + avoids researchers spending precious time reimplementing prior work.

Marc Stevens (@realhashbreaker), Jan 10
Thanks Gaëtan! This is also exactly why I think it is important for cryptanalytic tools to get published to further the community. E.g., our tools have already helped others in a number of publications including SLOTH and SHAmbles.

Marc Stevens (@realhashbreaker), Jan 8
The only issue is that the final total lengths have to be identical, otherwise the two paddings will be different and break the collision in the end. This is why there is a same length requirement on the prefixes.

Marc Stevens (@realhashbreaker), Jan 8
So there we can just directly append anything after the internal collision, as long as the suffix is identical for both.

Marc Stevens (@realhashbreaker), Jan 8
The SHA-1 attacks don't specifically rely on the length extension attack, because it is an internal state collision.
(Length extension doesn't hold for truncated/wide-pipe hashes)

Marc Stevens (@realhashbreaker), Jan 8
First, strengthened MD is still vulnerable to a length extension attack, you just have to include the original padding in the extension.
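The three points of this thread (strengthened MD still allows length extension once the original padding is included; an internal-state collision survives any identical suffix; that only holds when the prefixes have the same length so the padding matches), worked through on a constructed toy Merkle-Damgård hash. This is an added example, not the author's code: the 4-byte block, 16-bit chaining state, IV and compression function are constructed so that collisions can be found by brute force in milliseconds, and none of it is SHA-1.

```python
import struct
from itertools import count

# Constructed toy Merkle-Damgard hash (NOT SHA-1): 4-byte blocks, 16-bit chaining
# state so collisions turn up in milliseconds. Narrow pipe: the digest is the state.
BLOCK, MASK, IV = 4, 0xFFFF, 0x1234

def compress(state, block):  # toy compression function, one 4-byte block
    x = int.from_bytes(block, "big")
    for _ in range(4):
        state = (state * 0x9E37 + x + (state >> 7)) & MASK
        x = (x ^ (state << 3)) & 0xFFFFFFFF
    return state

def pad(msg_len):  # MD strengthening: 0x80, zero fill, 2-byte message length
    p = b"\x80"
    while (msg_len + len(p) + 2) % BLOCK:
        p += b"\x00"
    return p + struct.pack(">H", msg_len)

def absorb(state, data):  # data must be block-aligned
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state
def md_hash(msg):
    return absorb(IV, msg + pad(len(msg)))

def length_extend(digest, orig_len, ext):
    """From H(m) and len(m) alone, compute H(m || pad(m) || ext): strengthening does
    not prevent extension, the original padding simply becomes part of the message."""
    glue = pad(orig_len)
    return absorb(digest, ext + pad(orig_len + len(glue) + len(ext))), glue

def find_internal_collision(length):
    """Birthday search: two distinct equal-length messages with the same chaining
    value *before* padding (the kind of collision the SHA-1 attacks produce)."""
    seen = {}
    for i in count():
        m = i.to_bytes(length, "big")
        s = absorb(IV, m)
        if s in seen:
            return seen[s], m
        seen[s] = m

def find_final_collision(len1, len2):  # different-length messages, equal digests
    seen = {md_hash(i.to_bytes(len1, "big")): i.to_bytes(len1, "big") for i in range(4000)}
    for j in count():
        m = j.to_bytes(len2, "big")
        if md_hash(m) in seen:
            return seen[md_hash(m)], m
def collision_survives(m1, m2, suffix):  # H(m1||suffix) == H(m2||suffix)?
    return md_hash(m1 + suffix) == md_hash(m2 + suffix)
```

The defender's takeaway is that a narrow-pipe digest exposes the chaining state, so keyed hashing should use HMAC rather than H(key || message); a truncated or wide-pipe hash, as the thread notes, does not extend this way.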

Marc Stevens Retweeted
Cards Against Cryptography (@CrdsAgnstCrypto), Jan 8
We hear there might be a deck of cards up for grabs at the #realworldcrypto 2020 lightning talks tomorrow.

Marc Stevens (@realhashbreaker), Jan 8
Thanks Hugo!

Marc Stevens (@realhashbreaker), Jan 8
Thanks!