Session on the Voynich manuscript
On the 11th, in Monte Porzio Catone (Italy), there will be a conference on the Voynich manuscript on the occasion of the centenary of its discovery: «Voynich 100: A Hundred Years from the Re-discovery at Villa Mondragone».
The EFF warns that, literally, «tens of thousands of certificates used on SSL/TLS servers offer no security guarantee because of the use of deficient algorithms for random number generation».
While we have observed and warned about vulnerabilities due to insufficient randomness in the past, Lenstra's group was able to discover more subtle RNG bugs by searching not only for keys that were unexpectedly shared by multiple certificates, but for prime factors that were unexpectedly shared by multiple publicly visible public keys. This application of the 2,400-year-old Euclidean algorithm turned out to produce spectacular results.
In addition to TLS, the transport layer security mechanism underlying HTTPS, other types of public keys were investigated that did not use EFF's Observatory data set, most notably PGP. The cryptosystems that underlay the full set of public keys in the study included RSA (which is the most common class of cryptosystem behind TLS), ElGamal (which is the most common class of cryptosystem behind PGP), and several others in smaller quantities. Within each cryptosystem, various key strengths were also observed and investigated, for instance RSA 2048 bit as well as RSA 1024 bit keys. Beyond shared prime factors, there were other problems discovered with the keys, which all appear to stem from insufficient randomness in generating the keys. The most prominently affected keys were RSA 1024 bit moduli. This class of keys was deemed by the researchers to be only 99.8% secure, meaning that 2 out of every 1000 of these RSA public keys are insecure. Our first priority is handling this large set of tens of thousands of keys, though the problem is not limited to this set, or even to just HTTPS implementations.
We are very alarmed by this development. In addition to notifying website operators, Certificate Authorities, and browser vendors, we also hope that the full set of RNG bugs that are causing these problems can be quickly found and patched. Ensuring a secure and robust public key infrastructure is vital to the security and privacy of individuals and organizations everywhere.
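The shared-prime-factor check described in the EFF text above, written as an audit over a key inventory you operate. This is an added example, not code from the EFF, the researchers, or this blog; it generalizes pairwise Euclid to a batch GCD (product tree plus remainder tree) so large inventories stay tractable, and the host labels and toy moduli are constructed.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products: leaves first, root (product of all) last."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """For each modulus n_i, return gcd(n_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    remainders = tree.pop()  # root: product P of every modulus
    while tree:
        level = tree.pop()
        # Push P down the tree, reducing modulo n^2 at every node.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n_i^2) // n_i equals (P / n_i) mod n_i; Euclid does the rest.
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]

def audit_moduli(inventory):
    """Map label -> shared factor for each modulus that is not coprime to the rest.

    A result equal to the modulus itself means a duplicate key, or a key
    whose two primes are each shared with other keys.
    """
    labels = list(inventory)
    factors = batch_gcd([inventory[k] for k in labels])
    return {k: g for k, g in zip(labels, factors) if g != 1}

# Constructed sample: toy moduli built from small primes. Real RSA moduli
# are 1024 bits or more, and the same code applies unchanged.
SAMPLE_INVENTORY = {
    "web-01": 10007 * 10009,
    "web-02": 10007 * 10037,   # shares the prime 10007 with web-01
    "mail-01": 10039 * 10061,  # coprime to the others
}

if __name__ == "__main__":
    for label, factor in audit_moduli(SAMPLE_INVENTORY).items():
        print(f"{label}: shares factor {factor}; regenerate this key")
```

Any key flagged here should be regenerated on a host with a properly seeded random number generator and its certificate reissued.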
[The Telegraph] Satellite phone encryption cracked. This concerns the GMR-1 and GMR-2 algorithms used by some satellite telephony services, and the traffic can be intercepted relatively cheaply.
Mr Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000. His demonstration system takes up to half an hour to decipher a call, but a more powerful computer would allow eavesdropping in real time, he said.
By publishing details of how to break the encryption, the researchers hope to prompt ETSI, the organization that sets the standards, to create stronger algorithms. A major problem with GMR-1 and GMR-2, Mr Driessen said, was that their details were kept secret so security experts cannot test them.
Starting 12 January, a free cryptography course taught by Stanford University will be available. It will consist of a series of lessons given by Dan Boneh, head of the applied cryptography group
sslyze is a tool (written in Python and tested on Windows 7 and Linux) for checking that a server's SSL/TLS configuration works correctly. It is designed to find configuration errors (such as the use of obsolete protocol versions, weak cipher or hash schemes in the negotiation chain, insecure renegotiation, or session resumption parameters).
© Copyright 1996-2012 Xavier Caballé.
Unless expressly stated otherwise, the published material is subject to a Creative Commons licence.
The contents and opinions of this blog are exclusively personal and have no relation to my professional activities.