ascii_field: Hasimir: understand, someone can create a key containing an rsa modulus of the kind described here using a modified copy of your, e.g., el gamal, key
mircea_popescu: if he also has a rsa key by the same name, he will be in the list of rsa keys.
mircea_popescu: in general, one's at liberty to create a Patented Leather Asymmetric Key and give it his name
ascii_field: mircea_popescu: he appears to be taking issue with interchangeable use of 'keys' and 'moduli'
Hasimir: you only deal with rsa, you only claim to have rsa priv keys, but you list dsa/elgamal keys as broken ...
mircea_popescu: the way text works is that the reader has the job of forming a mental image that does not contradict the text.
Hasimir: ok, let me see if I'm reading the article correctly
mircea_popescu: the way text works is not that reader is free to make whatever assumptions he wishes and it is the responsibility of the text to explicitly dispel them
ascii_field: and go apply pollard rho, and lenstra, you will have the private. you don't even need us for this
Hasimir: alright, if it's not, what method did you use to crack el-gamal?
ascii_field: Hasimir: private key naturally would correspond to the phony key
Hasimir: "Are you on this list ? We probably have your private key"
ascii_field: barring some entirely unknown and very interesting number-theoretical result, the word-doubling is overwhelmingly likely to yield an 'easy' modulus.
Apocalyptic: and yes if found in the wild, the assumption you are making is a safe assumption
Hasimir: ascii_field, then claiming to have derived the private key is a wee bit disingenuous
ascii_field: Apocalyptic: there is a reason why generating proper rsa keys is cpu-expensive
mircea_popescu: Apocalyptic well sure, theoretical theory. but if you run a factorizing algo on any of the keys you'll see they break apart.
Hasimir: ascii_field, just the signing subkey?
Apocalyptic: <mircea_popescu> Apocalyptic finding a small factor is not inherently breaking a specially crafted key that was made to have that one small factor, yes. // this is all i was arguing :)
Hasimir: which means no getting the private cert or decryption
ascii_field: Hasimir: we don't deal with the rest of it.
Apocalyptic: ascii_field, as the people whose key you're listing probably didn't craft it this way, it's very probable that it's further broken, yes
mircea_popescu: Apocalyptic finding a small factor is not inherently breaking a specially crafted key that was made to have that one small factor, yes.
Apocalyptic: i'm just trying to show that finding a small factor is not inherently breaking the key
Apocalyptic: <ascii_field> Apocalyptic: except that this is not how it was done // exactly
Apocalyptic: but the key is still as strong as my original
ascii_field: Apocalyptic: bugger took every other 32-bit word and copied over neighbour.
Apocalyptic: I submit it to phuctor, it screams "Moduli factored !"
ascii_field: Apocalyptic: except that this is not how it was done
Apocalyptic: I multiply then the modulus N by 3 (or any other small prime, the value doesn't matter)
Hasimir: well, let's see there's Rob Hansen's key
Apocalyptic: let's say I take the two secret primes of my present key
mircea_popescu: anyway, you could just run a probabilistic test on it.
ascii_field: thing about small factors is that we have them here because the moduli are essentially random shots in the integer dark.
Apocalyptic: mircea_popescu, it is breakage in the sense it reduces the apparent security, the key may still be pretty much alright
ascii_field: given as the bulk of the samples consist of the owner's own moduli with every other 32-bit word doubled (overwriting its neighbour) - the amount of 'crafting' appears to be minimal. in this particular case (there were other breakable keys.)
mircea_popescu: Apocalyptic well, "totally broken". depends what you're trying to do and so on. having a known small factor is already breakage
ascii_field: hanbot: and clearly the process, whatever it was, did not want to be found. but it does appear to consist of fucking with purported -public- keys and therefore intrinsically findable.
ascii_field: afaik the only possible point of crafting these -was- to disseminate them publicly as spurious copies of the real thing
hanbot: maybe this is the iceberg tip of some sort of process not really intended to be visible
hanbot: how do you know you're even seeing all/most of the magic keys? maybe they were not intended to show up in public servers, and end there through some error/leak
ascii_field: and see what happens when one actually tries to verify the signature with 'magic' key (and its bizarre composite mega-exponent) as reference
ascii_field: at the moment, i would like to collect a sample of material signed with one of the -legit- keys for which a 'magic' key exists
ascii_field: comment out the bit with 'giant exponents'
ascii_field: incidentally you can run the heuristic finder yourself
ascii_field: Apocalyptic: at least two, iirc, had valid sigs. The remainder divide into ones with invalid selfsigs and ones with absent ones entirely (stripped)
Apocalyptic: ascii_field, of the 19 broken moduli so far how many are actually valid subkeys ?
ascii_field: which was the intent of whoever crafted it, yes.
Apocalyptic: ascii_field, ok, would love to compare the results when you're done, i'm throwing some stuff at it atm
Apocalyptic: (note that this isn't even strictly a RSA key anymore)
ascii_field: Apocalyptic: properly lenstra-ing these is certainly on the agenda
Apocalyptic: anyway mircea it was just to say that in this case I would call it factor only if modulus is totally broken into primes, something i've referred as full factoring, otherwise not much you can do
ascii_field: is almost certainly because statistically - these are -easy- to break apart.
ascii_field: but the reason why malefactor did this 'random' bit,
Apocalyptic: <ascii_field> conceivably some of the resulting moduli are even... prime. // would be trivial to check
ascii_field: conceivably some of the resulting moduli are even... prime.
ascii_field: i.e., likely to be pollard-rho-able and/or lenstra-able.
Apocalyptic: i'm just commenting on the first invalid subkey that was discussed
ascii_field: Apocalyptic: you can actually create them on your own, given the info
mircea_popescu: Apocalyptic iirc Schneier actually was recommending e=3 (d is the private traditionally)
ascii_field: Apocalyptic: read mircea_popescu's latest article to learn how the bulk of the booby keys were generated
Apocalyptic: someone "factors" it, finds the 3, but the key is still as strong as the sane one you started with
Apocalyptic: I mean you can get a standard 4096-bit sane RSA key, multiply N by 3 and there you go
Apocalyptic: in the sense of finding a prime factor of a modulus that has more than 2
Apocalyptic: anyway "factored" in this sense doesn't mean much
Landgull: Oh, thank you. I don't really have anything to say, though, I'm here to listen.
ben_vulpes: <davout> i'm afraid if i try on an ec2 box i'll accidentally break the internet << "we can therefore we must"
davout: i'm afraid if i try on an ec2 box i'll accidentally break the internet
davout: fucking around with C, this confuses me
mircea_popescu: notrly valgrind's problem, this. if system reports it as allocated, it's allocated as far as it's concerned
ascii_field: davout: iirc he was tracking whole box, not bitcoind per se
davout: can someone explain to me how i'm able to malloc into existence more than 1tb, fill the first byte with some random int, and have valgrind report the massive allocated space. all this with a whopping 4gb ram and 512gb hdd?
mats: fun fact: windows 8.1 will sometimes triple fault when bugchecking when a kernel debugger is attached
mircea_popescu: bitstein honestly, the blowing up of the entire "car dealers" bs is pretty much the only thing i actually like about mr tesla.