It looks like it exploits what Vaudenay warned against in 2004 : "Digital Signature Schemes with Domain Parameters" ( https://lasec.epfl.ch/pub/lasec/doc/Vau04b.pdf … )https://twitter.com/NSAGov/status/1217152211056238593 …
Prikaži ovu nit
-
1. Find an ecc root cert C 2. Create C' with the same public key and curve but set the generator to the public key of C 3. Create a normal signing cert C'' with key pair (pk'',sk'') and sign software/cert with sk'' 4. Sign C'' with sk=1 5. Ship software/cert with C'' and C'
Prikaži ovu nit
This degenerate case was just confirmed to work by @reaperhulk , thank you! (@kennyog @kennwhite )
-
-
-
When comparing a received cert to cached root certs, windows only compared the public keys, but not the parameters, and would therefore assume that a received fake root cert C' with different parameters was the same as a cached root cert C, using C' to verify the cert chain.
Prikaži ovu nit -
By choosing the right parameters for C', you can know the private key for C' -- even when you don't know the private key for C -- as Vaudenay noted in 2004.
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
-
-
Can you go even further and put p=2 (the prime)? Then one of (0,1) and (1,1) should be valid for any key (depends on what checks they implemented).
-
That might work -- it should be relatively easy to check now that there is PoC code out there, e.g.,
@saleemrash1d (thanks@Dennis__Jackson )
Kraj razgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.