Tag Archives: crypto

對 SHA-3 的攻擊

隔壁棚剛順利打趴 SHA-1 (Google 與 CWI Amsterdam 合作,找到 SHA-1 第一個 collision),還是有人在針對比較新的演算法在攻擊:「SymSum: Symmetric-Sum Distinguishers Against Round Reduced SHA3」。 完整的 SHA-3 是 24 rounds,這次打的是 9 rounds 版本,雖然有段距離,但這等於是大進展: Based on this we propose a new distinguisher called SymSum for the SHA3 family which penetrates … Continue reading

Posted in Computer, Murmuring, Security | Tagged , , , , , , , | Leave a comment

Google 與 CWI Amsterdam 合作,找到 SHA-1 第一個 collision

Google 與 CWI Amsterdam 正式攻陷 SHA-1:「Announcing the first SHA1 collision」,然後也沒什麼意外的,現在大家都喜歡針對各種安全問題註冊一個 domain 來介紹:「SHAttered」。 把 shattered-1.pdf 與 shattered-2.pdf 下載下來確認,可以看出來兩個不一樣的檔案有同樣的 SHA-1 value: gslin@home [/tmp] [21:33/W4] sha1sum *.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf gslin@home [/tmp] [21:33/W4] sha256sum *.pdf 2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf 直接拿 pdf 來打,表達的是「一次到位」以及「既然可以攻擊 … Continue reading

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , , , , , | 3 Comments

NIST 開始徵求 Post-Quantum Cryptography 演算法

現有常見的幾個加密基礎在量子電腦上都有相當快速的解 (像是整數質因數分解、離散對數),只是現在建不出對應夠大台的量子電腦... 但畢竟只是時間的問題了,所以 NIST 照著慣例對外尋求能夠抵抗量子電腦的演算法:「NIST Asks Public to Help Future-Proof Electronic Information」、「Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms」。 類似於 Google 先前在 Google Chrome 上實做的 CECPQ1,對 key exchange 的部份加上保護 (Google Chrome 引入 CECPQ1,開始測試 Post-Quantum Cryptography),這次 NIST 是針對 public key … Continue reading

Posted in Computer, Murmuring, Network, Security | Tagged , , , , , , , , , , , , , | Leave a comment

OpenSSL 1.1.0

看到「OpenSSL 1.1.0 released」這篇得知大家期待已久的 OpenSSL 1.1.0 出了,在 1.1.0 的重要新功能中,對 ChaCha20 + Poly1305 的支援算是大家等很久的: Support for ChaCha20 and Poly1305 added to libcrypto and libssl 由於 RC4 已經被證明不安全,OpenSSL 內變成沒有堪用的 stream cipher,這邊總算要補上來了... 另外兩個也頗有趣的: Support for scrypt algorithm Support for X25519 多了些東西...

Posted in Computer, Murmuring, Network, Programming, Security, Software, WWW | Tagged , , , , , , , , , , , , , , | Leave a comment

Libgcrypt 與 GnuPG 的安全性問題

在「Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]」這邊看到這個歷史悠久的 bug: Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the … Continue reading

Posted in Computer, Murmuring, Security, Software | Tagged , , , , , , , , , , , | Leave a comment

密碼系統的 Monoculture

這篇文章講到最近密碼系統的現象:「On the Impending Crypto Monoculture」。 目前常在用的密碼系統包括了 RSA、DH、ECDH、ECDSA、SHA-2、AES 這些演算法,而最近這幾年大家在推廣使用的演算法都出自於同一個人手裡,Dan Bernstein,也就是 djb: A major feature of these changes includes the dropping of traditional encryption algorithms and mechanisms like RSA, DH, ECDH/ECDSA, SHA-2, and AES, for a completely different set of mechanisms, including … Continue reading

Posted in Computer, Murmuring, Security | Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , | 1 Comment

Love your country, but never trust its government

從 Hacker News Daily 上看到的,在 Sun-2 的 bootloader 裡可以看到「Love your country, but never trust its government」這樣的字串:「Why the Sun 2 has the message "Love your country, but never trust its government"」。 這段字串是由 John Gilmore 當時在 Sun 開發時所放入的,John Gilmore 同時也是後來 EFF 創辦人之一,不過當初放入這段字串的目的是為了抓到盜版: … Continue reading

Posted in Computer, Hardware, Murmuring, Political, Programming, Security, Social, Software | Tagged , , , , , , , , , , , , , , , , , , , , , | Leave a comment

還有超過 20% 的網站使用 SHA-1 憑證

依照 Netcraft 的說明,還有超過 20% 的網站使用 SHA-1 certificate:「One million SSL certificates still using “insecure” SHA-1 algorithm」。 雖然轉換速度算是很快了,不過本來依照進度,2015 年底瀏覽器就應該要把 SHA-1 certificate 認為不安全 (於是失效): 照目前速度,今年年底應該只能掉到 10% 左右吧...

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , | Leave a comment

在攻擊時總是挑最弱的一環:NSA 對 DH 的攻擊

在「How is NSA breaking so much crypto?」這邊提到了 2012 年有文章說明 NSA 有能力解開部份的加密通訊,而後來 Snowden 所提供的資料也證實了這點: In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to … Continue reading

Posted in Computer, Murmuring, Network, Security, VPN, WWW | Tagged , , , , , , , , , , , , | Leave a comment

對 SHA-1 的攻擊進展

在 Bruce Schneier 這邊看到對 SHA-1 的攻擊又有新的進展了:「SHA-1 Freestart Collision」。 這次的論文不是真的找出 collision,而是對 internal compression function 攻擊,不過即使如此,這是首次攻擊完整的 80 rounds: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical … Continue reading

Posted in Computer, Hardware, Murmuring, Programming, Security | Tagged , , , , , , , , | 2 Comments