
Files

Cryptanalysis Of INCrypt32 In HID's iCLASS Systems
Posted Feb 7, 2012
Authored by Daewan Han, Dong Hoon Lee, ChangKyun Kim, Chang-Ho Jung, Eun-Gu Jung

The cryptographic algorithm called INCrypt32 is a MAC algorithm used to authenticate the participants, RFID cards and readers, in HID Global's iCLASS systems. HID's iCLASS cards are widely used contactless smart cards for physical access control. Although INCrypt32 is at the heart of the security of HID's iCLASS systems, its security has not been evaluated yet because the specification has not been made public. In this paper, they reveal the specification of INCrypt32 by reverse engineering an iCLASS card and investigate the security of INCrypt32. As a result, they show that the secret key of size 64 bits can be recovered using only 2^18 MAC queries if the attacker can request the MAC for chosen messages of arbitrary length. If the length of messages is limited to pre-determined values by the authentication protocol, the required number of MAC queries grows to 2^42 to recover the secret key.

tags | paper, arbitrary, crypto, protocol
MD5 | ee33f7e2da98c62d3b33c6294941bbe8
Baseline Requirements For Publicly-Trusted Certificates 1.0
Posted Dec 17, 2011
Site cabforum.org

This document is version 1.0, as adopted by the CA/Browser Forum on 22 Nov. 2011 with an Effective Date of 1 July 2012. These Baseline Requirements describe an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The Requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers.

tags | paper, root, protocol
MD5 | 63d03aa7d401de867cf392a08b47eb93
On Equivalence Between Zeta And R-Sequence
Posted Dec 13, 2011
Authored by Michal Bucko

This paper covers a conjecture of equivalence between a statement regarding Ξ matrix and Zeta.

tags | paper
MD5 | ffeb0704f3a4f742f8cdc662a27b89a1
On The R-Sequence And Prime Key Set Problem
Posted Dec 13, 2011
Authored by Michal Bucko

This document covers the introduction of the R-sequence, i.e. the sequence of numbers closely related to the distribution of the prime numbers. The paper describes its connection to ζ and the Möbius function.

tags | paper
MD5 | 7eb0b52dfcf76b9629a1e7004f39e0ca
TLS/SSL Hardening And Compatibility Report
Posted Sep 30, 2011
Authored by Thierry Zoller | Site g-sec.lu

This report gives general recommendations as to how to configure SSL/TLS in order to provide state of the art authentication and encryption. The options offered by SSL engines have grown since the early days when Netscape developed SSL2.0. The introduction of TLS made matters more challenging, as servers and clients offer different sets of available options depending on which SSL engine (OpenSSL, NSS, SCHANNEL, etc.) they use. Finding the middle ground has proven difficult, especially as the supported protocols and cipher suites are mostly not documented. To make matters more complicated, Browsers may not use all functionality offered by the SSL stack, so this report will only list functionality used by current Browsers. This report provides an overview of the currently available TLS options across Servers and Clients and allows you to offer support for a wide variety of Browsers and offer "good enough" security.

tags | paper, protocol
MD5 | ea3ba9ca23ddccb36b094184551e503d
Biclique Cryptanalysis Of The Full AES
Posted Aug 19, 2011
Authored by Dmitry Khovratovich, Andrey Bogdanov, Christian Rechberger

Whitepaper called Biclique Cryptanalysis of the Full AES. Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 192/256-bit key variants has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. This paper discusses shortcut attacks on AES.

tags | paper
MD5 | 709a1f2c8b9ff655ca735589dc58c746
Remote Timing Attacks Are Still Practical
Posted May 25, 2011
Authored by Nicola Tuveri, Billy Bob Brumley

This whitepaper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. They use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, they mount a lattice attack that recovers the private key. Finally, they describe and implement an effective countermeasure.

tags | exploit, paper, crypto, vulnerability
MD5 | 4558b899d97a106def3ba064ab5eadfe
Elliptic Curve Cryptography Anomalous Curves
Posted Sep 11, 2010
Authored by Alonso De Jesus Garcia Herrera, Carlos Mario Penagos Hollmann

Whitepaper called Elliptic Curve Cryptography Anomalous Curves. Written in Spanish.

tags | paper
MD5 | 2b639c3df334eaf5d930ef387fb86c6c
Whitepaper Comparing MD5 To Windows LM Hashes
Posted Mar 22, 2010
Authored by Jeremy Langford

This whitepaper is a comparison of the security provided by Windows Local Area Network Manager and Message Digest Five hashes as applied to personal and business computers.

tags | paper, local
MD5 | 8ce3495b25e25aefeec5867bb6f68765
Cryptography - The Magic Of The Asymmetric
Posted Jan 26, 2010
Authored by Keksa

Whitepaper called Cryptography - The Magic Of The Asymmetric. Written in German.

tags | paper
MD5 | 7a1072950ad30ae37a0f62a304949013
SSL Sniffing
Posted Jan 11, 2010
Authored by Aokan | Site knyksl.com

Whitepaper called SSL Sniffing. It discusses the basic use of SSL and what types of attack tools and methodologies exist.

tags | paper
MD5 | ccc23804455e187b044d226ff6feca5a
breaking-rsa.txt
Posted Nov 15, 2007
Authored by Alex Bassas Serramia

Whitepaper titled Breaking RSA: Totient indirect factorization.

tags | paper
MD5 | 05bb3993fce0e3665a7a454a31c6c7a1
Cryptography.pdf
Posted Jul 14, 2005
Authored by Ashish Anand | Site ashishanand2.tripod.com

Whitepaper entitled Application Level Cryptography: Combination Stream And Block Ciphering Using Double Encryption Algorithms.

tags | paper
MD5 | afc7aedcfa978bac8776fd03f43ea6a5
practical-public-key-crypto.pdf
Posted Jul 12, 2005
Authored by pagvac (Adrian Pastor), Petko Petkov, Rabia Barakat

Practical Applications of Public-key Cryptography: Securing Email Communications with PGP. An 11 page tutorial that discusses practical uses of PGP desktop, the commercial version of PGP.

tags | paper
MD5 | 81761434a44e7b3e64b6930079905871
Brief_intro_to_crypt.pdf
Posted Feb 26, 2005
Authored by PAgVac

Brief paper discussing the basics of cryptography and the difference between symmetric and asymmetric cryptography.

tags | paper
MD5 | 1fb7d951e26e627eb3917c88148cf3ea
0501038.pdf
Posted Jan 26, 2005
Authored by D.J. Capelis

White paper discussing the new ASH family of hashing algorithms. They are based off of modifications to the existing SHA-2 family and were designed with two main goals in mind: Providing increased collision resistance and increasing mitigation of security risks post-collision.

tags | paper
MD5 | cfc40a525aab63b7075b6e7b4760d13a
007.pdf
Posted Jan 12, 2005
Authored by Hongjun Wu

White paper discussing the misuse of RC4 in Microsoft Word and Excel, where the initialization vector of RC4 remains the same when an encrypted document gets modified and saved,

tags | paper
MD5 | 4b51c7d51729aa139604ffad57258c26
stripwire-1.1.tar.gz
Posted Dec 7, 2004
Authored by Dan Kaminsky | Site doxpara.com

Stripwire is a tool which demonstrates vulnerabilities in md5 checks described in this paper. Contains a perl script which proves that if md5(x) == md5(y), then md5(x+q) == md5(y+q) (assuming length(x) and length(y) are 0 mod 64, and q is any arbitrary data). This is true because once two blocks converge upon the same hash, the nature of them being different has thereafter been lost.

tags | paper, arbitrary, perl, vulnerability
MD5 | aa5a1a01f2f6e05656fff5d5304c59b2
md5_someday.pdf
Posted Dec 7, 2004
Authored by Dan Kaminsky | Site doxpara.com

Collision vulnerabilities in MD5 Checksums - It is possible to create different executables which have the same md5 hash. The attacks remain limited, for now. The attack allows blocks in the checksummed file to be swapped out for other blocks without changing the final hash. This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. A tool to demonstrate these vulnerabilities is available here.

tags | paper, vulnerability
MD5 | 5e1605409d78efd92cdce0d11489010b
199.pdf
Posted Aug 17, 2004
Authored by Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu | Site eprint.iacr.org

Whitepaper written on MD5 collisions that have been discovered.

tags | paper
MD5 | 7667d184375a8d968e9e107217f7e8ea
ssl-timing.pdf
Posted Mar 14, 2003
Authored by David Brumley, Dan Boneh

A paper written on timing attacks against OpenSSL 0.9.7. The experiment shows that the extraction of private keys from an OpenSSL-based webserver is realistic. Monitoring about a million queries allows an attacker to remotely extract a 1024-bit RSA private key.

tags | paper
MD5 | 9eb9fc68b5cfe5c2d74a8becdf30b267
steg1.txt
Posted Sep 21, 2002
Authored by STE Jones | Site networkpenetration.com

Stenographied File Transfer Using Posix File Locks - How to transfer information to other users on secure systems by communicating with locked files. Includes some sample code that uses 32 locked files to transfer data on Posix systems.

tags | paper
MD5 | ea8bbd42018156e448eecba1b68a89b8
sub.txt
Posted Aug 30, 2002
Authored by Hexxeh

Substitution Ciphers - This paper discusses the five classic substitution ciphers and how they are solved.

tags | paper
MD5 | 34f7299219516aa6383c1b2658d339c7
trans.txt
Posted Aug 21, 2002
Authored by Hexxeh

Basic Transposition Ciphers - All they do is shuffle the characters.

tags | paper
MD5 | 165b8a06000834eb71e1c0229c59017c
ssh-timing.pdf
Posted Sep 3, 2001
Authored by Dawn Xiaodong Song, David Wagner, Xuqing Tian

Timing Analysis of Keystrokes and Timing Attacks on SSH - By watching the timing between keystrokes sent over SSH and other encrypted protocols, some information can be obtained about the contents of the packet.

tags | paper, protocol
MD5 | 3c0c3a2b81c3ccd3486d881d24be8460
© 2012 Packet Storm. All rights reserved.