cryptography – Hand Coding

As mentioned on Slashdot the Distributed.net effort has found the key in RSA’s RC5-64 challenge!

For those not familiar with the project, the security and encryption company RSA sponsored a contest to find a “key” to one of their cyphers. And, due to the nature of electronic cryptography, the only way to find the correct key was to try all the possible keys in the lock.

This technique would be similar to going to a Make-A-Key kiosk and having all the possible key combinations made for a padlock, then trying each key one-by-one. Eventually, you’ll find the right key to that lock. Because the method was only trial-and-error, even though you would have found the key to that particular padlock, the padlocks of the type would be no less secure.

RSA held this contest to demonstrate the power of a coordinated group of volunteers, and to encourage companies and governments to use the company’s more complicated cyphers. After all, you wouldn’t want your business’ secrets encrypted by an algorithm to which a group of volunteers found the key, eh? ;)

From The Register, anyone with a valid VeriSign SSL site certificate can forge any other VeriSign SSL site certificate in IE and Konqueror:

A chain is formed when an intermediate certificate is trusted between server and client. Supposedly, the intermediate is accepted only if it’s signed by the certificate authority as safe for the purpose. If it’s merely signed by another certificate’s key, it ought not to be trusted, or at least the user should be warned. Unfortunately, due to a preposterous security engineering oversight, IE and Konqueror don't bother to check this [&hellip]

Mozilla isn’t affected, as usual, though the author chides Mozilla as if maybe it’s a Mozilla quirk that is preventing the exploit. I would hope that The Register’s authors wouldn’t have such uninformed preconceptions :-/.

Tag: cryptography

RC5-64 Success!

SSL Defeated in IE and Konqueror