DSA requirements for random k value

November 19, 2010November 19, 2010 ~ Nate Lawson ~ 16 Comments

Most public key systems fail catastrophically if you ignore any of their requirements. You can decrypt RSA messages if the padding is not random, for example. With DSA, many implementation mistakes expose the signer’s private key. Many crypto protocols use a nonce. The traditional requirements of a nonce is that it never be repeated. So … Continue reading DSA requirements for random k value

Recovering a private key with only a fraction of the bits

September 20, 2011October 28, 2012 ~ Nate Lawson ~ 3 Comments

Ever since my first post on breaking DSA, I’ve been meaning to write a clear description of how to recover a private key if you only have a fraction of the bits. For example, power analysis attacks may allow you to derive a few bits of the random k value on each measurement. It turns … Continue reading Recovering a private key with only a fraction of the bits

Crypto 2010 rump session

August 18, 2010 ~ Nate Lawson ~ 2 Comments

One of the leading indicators of upcoming advances in cryptography is the rump session at the CRYPTO conference. Speakers are given 3 minutes to introduce works in progress or crack jokes. For example, I remember Paul Kocher’s groundbreaking presentation on extremely low exponent RSA (e=1). Here is more history of this casual, but important, event … Continue reading Crypto 2010 rump session

Smart meter crypto flaw worse than thought

January 11, 2010 ~ Nate Lawson ~ 10 Comments

Travis Goodspeed has continued finding flaws in TI microcontrollers, branching out from the MSP430 to ZigBee radio chipsets. A few days ago, he posted a flaw in the random number generator. Why is this important? Because the MSP430 and ZigBee are found in many wireless sensor systems, including most Smart Meters. Travis describes two flaws: … Continue reading Smart meter crypto flaw worse than thought

NaCl: DJB’s new crypto library

July 14, 2009November 14, 2010 ~ Nate Lawson ~ 8 Comments

NaCl is a new crypto library, courtesy of Dan Bernstein of qmail fame and Tanja Lange. After my series of posts on why crypto libraries have seriously hurt web security by offering an API that is too low-level, I was pleased to find NaCl’s main interface is high-level. In addition to the kind of fanatical … Continue reading NaCl: DJB’s new crypto library

The Debian PGP disaster that almost was

May 17, 2009May 17, 2009 ~ Nate Lawson ~ 3 Comments

A year ago, I wrote about the Debian OpenSSL PRNG bug that reduced the entropy of its random seed to 15 bits. There was a little-noticed part of the advisory that said all DSA keys used on the affected systems should be considered compromised. In the rush to find and replace SSL certs and SSH … Continue reading The Debian PGP disaster that almost was