Re: Generating a large sequence of unique, random numbers

From: Kevin Buhr (buhr_at_telus.net)
Date: 05/30/03

• Next message: Paul Rubin: "Re: Any desires for a "big poly" polynomial basis GF(2)[x] library?"
• Previous message: Tom St Denis: "Re: new factoring algorithm"
• In reply to: Kevin Buhr: "Re: Generating a large sequence of unique, random numbers"
• Next in thread: Ernst Lippe: "Re: Generating a large sequence of unique, random numbers"
• Reply: Ernst Lippe: "Re: Generating a large sequence of unique, random numbers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 29 May 2003 23:08:56 GMT

Kevin Buhr <buhr@telus.net> writes:
>
> The main attacks against this serial number / verification hash scheme:

Oh, I guess that in a world of poorly secured web servers, it's stupid
not to point out:

4. An attacker who can compromise the web server to determine the
    secret key K can generate valid codes with it.

It would be nice if there was a scheme that included a public key
cryptography component---the private key would be used to construct
the 53-bit numbers, the "public" key to verify them. The public key
would be protected on the web server but, even if it was compromised,
an attacker could not use it to generate valid numbers only to check
the validity of existing numbers.

The problem is that I don't know of a public key cryptosystem that
can be made secure using a block size of only 53 bits.

A technical solution to make attack (4) more difficult would be to
have the web server(s) verify keys by passing them to a more carefully
secured system (one that does nothing but accept a code, verify it,
and return the result of the verification).

-- 
Kevin <buhr@telus.net>

---

• Next message: Paul Rubin: "Re: Any desires for a "big poly" polynomial basis GF(2)[x] library?"
• Previous message: Tom St Denis: "Re: new factoring algorithm"
• In reply to: Kevin Buhr: "Re: Generating a large sequence of unique, random numbers"
• Next in thread: Ernst Lippe: "Re: Generating a large sequence of unique, random numbers"
• Reply: Ernst Lippe: "Re: Generating a large sequence of unique, random numbers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Generating a large sequence of unique, random numbers ... An attacker who can compromise the web server to determine the ... > It would be nice if there was a scheme that included a public key ... there exists no really "secure" system to verify ... (sci.crypt) [NT] Poisoning Cached HTTPS Documents in Internet Explorer ... Get your security news from a reliable source. ... "poison" a user's browser cache with a malicious document that will later ... The attacker can exploit this vulnerability for "replacing" HTML ... to communicate with a malicious web server over HTTPS without the browser ... (Securiteam) [NEWS] Fingerprinting Port 80 Attacks: A Look into Web Server, and Web Application Attack Signatures ... Subject: Fingerprinting Port 80 Attacks: A Look into Web Server, ... most of the known and unknown holes an attacker may use against you. ... it is something you may want to look for in your logs. ... (Securiteam) Cgisecurity.com Paper #3: Fingerprinting Port 80 Attacks: A look into web server, and web applicatio ... Common Fingerprints ... These holes can allow an attacker to gain either administrative access to the website, ... or even the web server itself. ... and what to look for in your logs. ... (Vuln-Dev) [REVS] Fingerprinting Port 80 Attacks: A Look into Web Server, and Web Application Attack Signatures ... Port 80 Attacks: A Look into Web Server, ... These holes can allow an attacker to gain either administrative access to ... This section has examples of more common fingerprints used in exploitation ... (Securiteam)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > sci.crypt  > 2003-05