
Corrections after meeting in 2014/02/10.

Still to be done:
 - rewrite wiener's part on cf, since Boneh acted differently
 - add references in ssl versions comparisons
 - continued fractions, add domain of 'a's, and specify that we are dealing only
 with finite cf.
Michele Orrù, 11 years ago
parent
commit
a2aab935d4
5 changed files with 63 additions and 61 deletions
  1. book/fermat.tex (+19, -18)
  2. book/library.bib (+1, -1)
  3. book/math_prequisites.tex (+1, -1)
  4. book/ssl_prequisites.tex (+23, -22)
  5. book/wiener.tex (+19, -19)

+ 19 - 18
book/fermat.tex

@@ -85,25 +85,26 @@ aforementioned.
 
 \paragraph{How to chose the upper limit?}  Our choice of keeping straight with
 the limits of the standard is a mere choice of commodity: we are interested in
-finding public keys  not respecting it. Though, it it worth noting that what this
-limit \emph{states} is that at least one of the most significant $100$ bits
-should be different between the two primes:
+finding public keys  not respecting the standard.
+Though, it is worth noting that what this limit \emph{states} is that at least
+one of the most significant $100$ bits should be different between the two
+primes:
 
 \begin{bytefield}[
   endianness=big,
-  bitwidth=1.5em,
-%  bitformatting=\fakerange,
+  bitwidth=1.4em,
+  % bitformatting=\fakerange,
   ]{16}
   \\
-%  \bitheader{}
+  % \bitheader{}
   \\[1px]
-  \begin{rightwordgroup}{$2^{\frac{\log N}{2}-100}$}
+  \begin{rightwordgroup}{\small{$2^{\frac{\log N}{2}-100}$}}
     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
     \bitbox{3}{\tiny $\cdots$} &
     \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} & \bitbox{1}{0} &
     \bitbox{1}{0} & \bitbox{1}{1} & \bitbox{1}{0} & \bitbox{1}{0} &
-    \bitbox{5}{\tiny $\cdots$}    & \bitbox{1}{0} & \bitbox{1}{0} &
+    \bitbox{3}{\tiny $\cdots$}    & \bitbox{1}{0} & \bitbox{1}{0} &
   \end{rightwordgroup}
   \\[1ex]
   \wordbox[]{1}{} &&
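Review bot: the double space in `finding public keys  not respecting the standard.` survives the rewrap; collapse it to a single space. Shrinking the trailing ellipsis from `\bitbox{5}` to `\bitbox{3}` together with the smaller `bitwidth` changes the drawn width of the first row, so check in the rendered PDF that it still lines up with the gray rows below it.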
@@ -116,7 +117,7 @@ should be different between the two primes:
     \bitbox{1}{0} &
     \colorbitbox{lightgray}{1}{1} & \colorbitbox{lightgray}{1}{0} &
     \colorbitbox{lightgray}{1}{0} &
-    \colorbitbox{lightgray}{6}{\tiny{$\cdots$ least signif. bits $\cdots$}} &
+    \colorbitbox{lightgray}{4}{\tiny{$\cdots$ LSB $\cdots$}} &
     \colorbitbox{lightgray}{1}{0} &
   \end{rightwordgroup}
   \\[1ex]
@@ -128,11 +129,11 @@ should be different between the two primes:
     \bitbox{1}{0} &
     \colorbitbox{lightgray}{1}{0} & \colorbitbox{lightgray}{1}{0} &
     \colorbitbox{lightgray}{1}{0} &
-    \colorbitbox{lightgray}{6}{\tiny{$\cdots$ least signif. bits $\cdots$}} &
+    \colorbitbox{lightgray}{4}{\tiny{$\cdots$ LSB $\cdots$}} &
     \colorbitbox{lightgray}{1}{0} &
   \end{rightwordgroup}
 \end{bytefield}
-\vspace{20pt}
+\vfill
 
 For example, in the case of a RSA key $1024$, the binary difference between $p$
 and $q$ has to be greater than $2^{412}$, which means that, excluding corner-cases
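Review bot: `\vfill` replaces a fixed 20pt gap with rubber space that stretches to fill the rest of the page, so the `For example` paragraph will be pushed to the bottom of the page whenever the bytefield does not already end one. If the intent is only a larger fixed gap, keep `\vspace{...}` or use `\bigskip`; if the intent really is to fill the page, a `\newpage` after the figure states that more plainly.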
@@ -143,14 +144,14 @@ top 100 most significant bits for the key to be considered safe.
 \section{Thoughts about a parallel solution}
 
 At first glance we might be willing to split the entire interval
-$\{ \ceil{\sqrt{N}}, \ldots, N-1 \}$ in equal parts, one assigned to per each
+$\{ \ceil{\sqrt{N}}, \ldots, N-1 \}$ in equal parts, one per each
 node. However, this would not be any more efficient than the trial division
-algorithm, and nevertheless it is worth noting that during each single iteration,
-the computational complexity is dominated by the square root $\dsqrt$ function,
-which belongs to the class \bigO{\log^2 N}, as we saw in section
-~\ref{sec:preq:sqrt}. Computing separatedly $x^2$ would add an overhead of the
-same order of magnitude \bigO{\log^2 N}, and thus result in a complete waste of
-resources.
+algorithm, and nevertheless during each single iteration, the computational
+complexity is dominated by the square root $\dsqrt$ function, which belongs to
+the class \bigO{\log^2 N}, as we saw in section ~\ref{sec:preq:sqrt}.
+Computing separatedly $x^2$ would add an overhead of the same order of magnitude
+\bigO{\log^2 N}, and thus result in a complete waste of resources.
+
 %%% Local Variables:
 %%% TeX-master: "question_authority.tex"
 %%% End:
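Review bot: `Computing separatedly $x^2$` keeps the misspelling through the rewrap; it should read `separately`. Also `section ~\ref{sec:preq:sqrt}` has a space before the tie, so the tie no longer prevents a line break between "section" and the number; write `section~\ref{sec:preq:sqrt}`.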

+ 1 - 1
book/library.bib

@@ -37,7 +37,7 @@
 
 @misc{rfc4158,
   title = {Certification Path Building},
-  author = {Cooper, et al.},
+  author = {Cooper et al.},
   publisher = {RFC Editor},
   url = {http://tools.ietf.org/html/rfc4158}
 }
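Review bot: `author = {Cooper et al.}` is still not a valid BibTeX name list; with no comma and no `and`, BibTeX parses it as first name `Cooper`, von part `et`, last name `al.`, and bibliography styles will mangle it. The BibTeX idiom for an abbreviated author list is `author = {Cooper and others}`, which the styles render as "Cooper et al." themselves.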

+ 1 - 1
book/math_prequisites.tex

@@ -18,7 +18,7 @@ $a \idiv b = \floor{\frac{a}{b}}$, as usual in the python language.
 $\naturalPrime \subset \naturalN$ is the set containing all prime intgers.
 \\
 The binary operator $\getsRandom$, always written as $x \getsRandom S$, has the
-meaning of ``taking a random element $x$ from the set $S$''
+meaning of ``pick a uniformly distributed random element $x$ from the set $S$''.
 % XXX.  following Dan Boneh notation
 
 \section{Algorithmic Complexity Notation}
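Review bot: `has the meaning of ``pick a uniformly distributed random element ...''` mixes a noun phrase with an imperative; either `means ``pick a uniformly distributed random element $x$ from the set $S$''` or `has the meaning of ``taking a uniformly random element $x$ from the set $S$''`. The context line `the set containing all prime intgers` still has the typo `intgers`; fix it to `integers` while here.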

+ 23 - 22
book/ssl_prequisites.tex

@@ -2,20 +2,20 @@
 
 Transport Layer Security, formerly known as SSL (Secure Socket Layer), aims
 to bring some security features over a communication channel, specifically
-providing \strong{integrity} and \strong{confidentiality} of the message, \strong{authenticity} of the server and
-optionally the client.
+providing \strong{integrity} and \strong{confidentiality} of the message,
+\strong{authenticity} of the server and optionally the client.
 %% fuck osi layers: there is no code explicitly structuring the internet in 7
 %% layers.
 Many ancient application protocols wrapped themselves to be over TLS/SSL, with
 the only difference of the ``s'' appended to the protocol name (such as HTTPs,
-IMAPs).It is nowadays widely adopted all over the world, becoming the de-facto standard for
-end-to-end  encryption.
+IMAPs). It is nowadays widely adopted all over the world, becoming the de-facto
+standard for end-to-end  encryption.
 
 \paragraph{Certification Authorities} are authorities to whom it is granted the
 power to \emph{authenticate} the peer. Pragmatically, they are public keys
-pre-installed on your computer that decide who and who not to trust employing
+pre-installed on your computer that decide who and who not to trust by employing
 a digital signature.
-In order to overcome the proliferation of keys to distribute, and satisfy the
+In order to overcome the proliferation of keys to be distributed, and satisfy the
 use-case of a mindless user willing to accomplish a secure transaction on the
 internet, the following, hierarchical trust model proliferated (~\cite{rfc4158},
 Fig.2):
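Review bot: `end-to-end  encryption` keeps its double space after the rewrap. `decide who and who not to trust by employing a digital signature` reads better as `decide whom to trust, by means of a digital signature`. The protocol names in the context lines should be `HTTPS` and `IMAPS`: the S is part of the acronym, not a plural suffix.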
@@ -24,7 +24,7 @@ Fig.2):
 %% E` BELLISSIMO QUESTO COSO
 \begin{center}
 \begin{tikzpicture}[
-  scale=0.9,
+  scale=0.8,
   align=center,
   level/.style={sibling distance=60mm/#1}]
 \node [draw] (z){Root CA}
@@ -52,7 +52,7 @@ Fig.2):
       child {node [circle,draw] (o) {EE}}
       child {node [circle,draw] (p) {EE}
         child [grow=right] {node (q) {$\Rightarrow$} edge from parent[draw=none]
-          child [grow=right] {node (q) {End Entities} edge from
+          child [grow=right, xshift=1cm] {node (q) {End Entities} edge from
             parent[draw=none]
             child [grow=up] {node (r) {$\vdots$} edge from parent[draw=none]
               child [grow=up] {node (s)
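Review bot: the two nested children `child [grow=right] {node (q) {$\Rightarrow$} ...` and `child [grow=right, xshift=1cm] {node (q) {End Entities} ...` both name their node `(q)`; TikZ lets the second definition silently shadow the first, so any later reference to `(q)` points at whichever was defined last. Give the `End Entities` node its own name.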
@@ -95,8 +95,8 @@ certificate whose identity has been verified.
 
 Upon connecting, the client will check to see if the certificate presented was issued
 by a CA present in the trust store (root CA); otherwise it will check to see if
-it has been issued by a truested CA, and so on until either a trusted CA is
-found or no
+it has been issued by a trusted CA, and so on until either a trusted CA is
+found or no trusted authority is found. In the latter case, the connection is aborted.
 
 \paragraph{The protocol} is actually a collection of many sub-protocols:
 \begin{itemize}
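Review bot: `until either a trusted CA is found or no trusted authority is found` says the same thing twice; `until a trusted CA is found or the chain is exhausted. In the latter case, the connection is aborted.` is clearer. The new line is also well past the column width used elsewhere in this file; rewrap it.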
@@ -116,9 +116,9 @@ found or no
   subsequent records will be protected under the just negotiated keys and
   \texttt{Cipher Spec}.
 \end{itemize}
-We will proceed with a brief synopsis of the first two of these protocols,due to
-their relevant role inside the connection and furthermore, because they are the
-only two we actually made use of during our investigations.
+We will proceed with a brief synopsis of the first two of these protocols, due to
+their relevant role inside the connection and furthermore, because they were the
+only two we actually used during our investigations.
 
 
 \section{The \texttt{handshake} protocol}
@@ -126,7 +126,8 @@ As mentioned above, the handshake occurs whenever a machine attempts to start
 a TLS connection. If there is no session identifier, a new one is being build
 up; otherwise the client will include the session-id in the initial
 communication and the server will eventually skip the key agreement phase since
-it has already happened recently.\footnote{``recently'' is not well-defined in
+%% XXX. check the use of verb happened
+it has happened recently.\footnote{``recently'' is not well-defined in
   the standard - it is suggested an upper limit of 24-hours lifetime, but the
   only constraint is that both client and server shall agree on it.}\\
 A new session-id identifier gets built via a challenge-response mechanism: the
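Review bot: the `%% XXX. check the use of verb happened` comment lands in the middle of a sentence; `since it has happened recently` is acceptable English (or `since one took place recently`), so resolve the question and drop the XXX marker before merging rather than leaving it in the text. In the footnote, `it is suggested an upper limit of 24-hours lifetime` should read `an upper limit of 24 hours is suggested for the lifetime`.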
@@ -140,19 +141,19 @@ certificate and finally ask for it (client authentication).
 
 \vfill
 \section{The \texttt{record} protocol}
-All TLS protocol messages moves in records of up to 16K, containing 3
+All TLS protocol messages move in records of up to 16K, containing 3
 main components: MAC-data, data, and padding.
 \\
 {MAC-data} is no other than the Message Authentication Code over the
 encrypted \emph{data} sent
-(SSL performs the encrypt-than-mac mode of operation).
+(SSL performs the encrypt-then-mac mode of operation).
 It provides \strong{authenticity} and \strong{integrity} of the message.
 Failure to authenticate, decrypt will result in I/O error and a close of the
 connection.
 \\
 {Data} is the actual message, compressed and encrypted. Compression comes
-for free in order to fasten cryptanalysis of the cipher, since protocols such
-as HTTP have a common set of standard message.
+for free in order to mitigate the cryptanalysis of the cipher, since protocols
+such as HTTP have a common set of standard messages.
 \\
 The {Padding} section contains informations about the padding algorithm
 adopted, and the padding size.
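Review bot: the spelling fix to `encrypt-then-mac` makes a wrong statement more confident: the SSL 3.0 and TLS 1.0 to 1.2 record layer computes the MAC over the plaintext fragment and then encrypts fragment, MAC and padding together, i.e. MAC-then-encrypt; encrypt-then-MAC only exists as the later RFC 7366 extension. The sentence `{MAC-data} is no other than the Message Authentication Code over the encrypted \emph{data} sent` needs the same correction. Likewise `Compression comes for free in order to mitigate the cryptanalysis of the cipher` attributes a cryptographic purpose the record layer does not have: compression is a bandwidth feature, and compressing plaintext that shares structure across messages leaks information rather than hiding it, so rephrase this instead of keeping the claim. Finally `contains informations about` should be `contains information about`.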
@@ -160,7 +161,7 @@ adopted, and the padding size.
 \section{What's inside a certificate \label{sec:ssl:x509}}
 SSL certificates employed the X.509 PKI standard, which specifies, among other
 things, the format for revocation lists, and certificate path validation
-algorithms:
+algorithms.
 \\
 \begin{center}
   \scalebox{0.7}{
@@ -189,7 +190,7 @@ Born before HTTP, it was initially thought \emph{in abstracto} to be
 extremely flexible and general\footnote{
   \textit{``X.509 certificates can contain just anything''} ~\cite{SSLiverse}
 }.
-And precisely this flexibility and its adaptation to the SSL/TLS protocol
+And precisely for this flexibility and its adaptation to the SSL/TLS protocol
 without a very-well defined structure have been its major flaws: it is still
 difficult to write good, reliable software parsing a X.509 certificate.
 
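Review bot: inserting `for` breaks the sentence: in `precisely this flexibility and its adaptation ... have been its major flaws` the flexibility was the subject of `have been`, and with `precisely for this flexibility` the verb has no subject. Either revert to the original wording or restructure as `And precisely because of this flexibility, and of its adaptation to the SSL/TLS protocol without a very well-defined structure, it is still difficult to write good, reliable software parsing a X.509 certificate.`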
@@ -202,8 +203,8 @@ SSLv2 would allow a connection to be closed via a not-authenticated TCP segment
 with the \texttt{FIN} flag set. Padding informations are sent in clear, and the
 payload is not compressed before encrypting, allowing a malicious attacker
 traffic analysis capabilities. The ciphersuite is negotiated using
-non-authenticated informations, allowing an attacker to influence to choice and
-weaken the security of the communication.
+non-authenticated informations, allowing an attacker to influence the choice of
+the \texttt{Cipher Spec} and weaken the security of the communication.
 Most of these vulnerabilities have been addressed by the later SSLv3, which
 introduced compression and protection against truncation attacks.
 Its standardized twin, TLS 1.0, only differs on the cipher suite and key
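Review bot: `informations` is uncountable in English; `non-authenticated informations` should be `unauthenticated information`, and `Padding informations are sent in clear` two lines up has the same problem. `influence the choice of the \texttt{Cipher Spec}` is a good improvement because it names the concrete negotiated object.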

+ 19 - 19
book/wiener.tex

@@ -4,7 +4,7 @@ Wiener's attack was first published in 1989 as a result of cryptanalysis on the
 use of short RSA secret keys ~\cite{wiener}. It exploited the fact that it is
 possible to find the private key in \emph{polynomial time} using continued fractions
 expansions whenever a good estimate of the fraction $\frac{e}{N}$ is known.
-More specifically, given $d < \frac{1}{3} ^{4}\sqrt{N}$ one can efficiently
+More specifically, given $d < \frac{1}{3} \sqrt[4]{N}$ one can efficiently
 recover $d$ only knowing $\angular{N, e}$.
 
 The scandalous implication behind Wiener's attack is that, even if there are
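Review bot: `$d < \frac{1}{3} \sqrt[4]{N}$` now typesets the bound as a fourth root, which is what the old `^{4}\sqrt{N}` was trying to say; the same form should be used for every later occurrence of the bound so the notation stays uniform. In the next line `recover $d$ only knowing $\angular{N, e}$` reads more naturally as `recover $d$ knowing only $\angular{N, e}$`.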
@@ -17,9 +17,9 @@ RSA key-pair immune to this attack, namely
 (i) making $e > \sqrt{N}$ and
 (ii) $gcd(p-1, q-1)$ large.
 
-\section{Continued Fractions background \label{sec:wiener:cf}}
+\section{A background on Continued Fractions \label{sec:wiener:cf}}
 
-Let us call ``continued fraction'' any expression of the form:
+Let us call \emph{continued fraction} any expression of the form:
 %% why \cfrac sucks this much. |-------------------------|
 \begin{align*}
 a_0 + \frac{1}{a_1
@@ -27,10 +27,11 @@ a_0 + \frac{1}{a_1
     + \frac{1}{a_3
     + \frac{1}{a_4 + \ldots}}}}
 \end{align*}
-hereby described as a series for convenience:
+From now on, we eill consider only hereby described as a finite sequence of integers for convenience:
 $\angular{a_0, a_1, a_2, a_3,  \ \ldots, a_n}$.
-Any floating point number $x$ can be represented as a continued fraction, and
-for each $i < n$ there exists fraction $\rfrac{h_i}{k_i}$ approximating $x$.
+Any number $x \in \mathbb{Q}$ can be represented as a finite continued fraction,
+and for each $i < n$ there exists a fraction $\rfrac{h_i}{k_i}$ approximating
+$x$.
 By definition, each new approximation is recursively defined as:
 
 \begin{align}
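Review bot: the rewritten line `From now on, we eill consider only hereby described as a finite sequence of integers for convenience:` is ungrammatical (`eill`, and the object of `consider only` is missing); presumably `From now on we will consider only finite continued fractions, hereby described as a finite sequence of integers for convenience:`. This is also where the to-do from the commit message about the domain of the $a_i$ belongs: stating that $a_0 \in \mathbb{Z}$ and $a_i \in \naturalN$, $a_i \geq 1$ for $i \geq 1$ makes the following claim that every $x \in \mathbb{Q}$ has a finite expansion well defined.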
@@ -53,15 +54,14 @@ By definition, each new approximation is recursively defined as:
   \end{cases}
 \end{align}
 
-After a small digression into the properties of continued fractions, Wiener, in
+After a small digression concerning the properties of continued fractions, Wiener, in
 ~\cite{wiener}, shows that, if a continued fraction $f'$ is an underestimate of
-another one $f$:
+another one $f$, i.e.
 \begin{align}
   f' = f(1-\delta)
 \end{align}
-
-Then it is possible to recover $f$, having $f'$, if $\delta$ is small
-enough, where small enough means:
+then it is possible to recover $f$, having $f'$, if $\delta$ is ``small
+enough'', where small enough means:
 \begin{align}
   \label{eq:wiener:cf_approx}
   \delta = 1 - \frac{f'}{f} < \frac{1}{\rfrac{3}{2}{h_1}{k_1}}
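Review bot: `if $\delta$ is ``small enough'', where small enough means:` says "small enough" twice; `then $f$ can be recovered from $f'$ provided $\delta$ is small enough, namely:` reads better and the quotation marks become unnecessary. Ending the sentence with `i.e.` and letting a numbered display equation carry the definition is fine, but then the display should end with a comma so that `then it is possible ...` continues the sentence.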
@@ -79,7 +79,7 @@ following:
   \item check whether $\rfrac{h_i}{k_i}$ is equal to $f$
 \end{enumerate}
 
-\section{The actual attack}
+\section{Constructing the attack}
 
 As we saw in ~\ref{sec:preq:rsa}, by construction the two exponents are such that
 $ed \equiv 1 \pmod{\varphi(N)}$. This implies that there exists a
@@ -94,7 +94,7 @@ the same problem we formalized in ~\ref{sec:wiener:cf}:
 Now we proceed by substituting $\eulerphi{N}$ with $N$, since for large $N$, one
 approximates the other. We consider also the difference of the two, limited by
 $\abs{\cancel{N} + p + q - 1 - \cancel{N}} < 3\sqrt{N}$.
-For the last step, remember that $k < d < \rfrac{1}{3} {}^4\sqrt{N}$:
+For the last step, remember that $k < d < \rfrac{1}{3}\sqrt[4]{N}$:
 
 \begin{align*}
   \abs{\frac{e}{N} - \frac{k}{d}} &= \abs{\frac{ed - kN}{Nd}} \\
@@ -102,8 +102,8 @@ For the last step, remember that $k < d < \rfrac{1}{3} {}^4\sqrt{N}$:
   &= \abs{\frac{1-k(N-\eulerphi{N})}{Nd}} \\
   &\leq \abs{\frac{3k\sqrt{N}}{Nd}}
   = \frac{3k}{d\sqrt{N}}
-  < \frac{3(\rfrac{1}{3}\ {}^4\sqrt{N})}{d\sqrt{N}}
-  = \frac{1}{d{}^4\sqrt{N}} < \frac{1}{2d^2}
+  < \frac{3(\rfrac{1}{3}\ \sqrt[4]{N})}{d\sqrt{N}}
+  = \frac{1}{d\sqrt[4]{N}} < \frac{1}{2d^2}
 \end{align*}
 
 This demonstrates the conditions of ~\ref{eq:wiener:cf_approx} holds, and allows
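Review bot: in `\frac{3(\rfrac{1}{3}\ \sqrt[4]{N})}{d\sqrt{N}}` the `\ ` after `\rfrac{1}{3}` inserts a stray interword space inside the numerator; drop it. The final step `\frac{1}{d\sqrt[4]{N}} < \frac{1}{2d^2}` is correct but silent about why: it needs $2d < \sqrt[4]{N}$, which follows from the assumption $d < \frac{1}{3}\sqrt[4]{N}$ restated just above the display, and one clause saying so would close the gap for the reader.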
@@ -116,8 +116,8 @@ $\frac{e}{N}$, and for each convergent $\frac{k}{d}$,
 %% XXX. verify this
 which by contruction is already at the lowest terms, we verify if it produces a
 factorization of $N$.
-First we chack that $\eulerphi{N} = \frac{ed-1}{k}$ is
-integer. Then we solve ~\ref{eq:wiener:pq} in $x$ in order to find $p, q$:
+First we check that $\eulerphi{N} = \frac{ed-1}{k}$ is
+an integer. Then we solve ~\ref{eq:wiener:pq} in $x$ in order to find $p, q$:
 \begin{align}
   \label{eq:wiener:pq}
   x^2 - (N - \eulerphi{N} + 1)x + N = 0
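Review bot: `is an integer` fixes the wording, but the context line `which by contruction is already at the lowest terms` still carries the typo `contruction`, and the `%% XXX. verify this` above it should be resolved: convergents $\frac{h_i}{k_i}$ of a continued fraction are in lowest terms by the standard identity $h_i k_{i-1} - h_{i-1} k_i = (-1)^{i-1}$, so the claim can be kept and the marker removed.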
@@ -143,7 +143,7 @@ A Continued fraction structure may look like this:
     BN_CTX* ctx;
   } cf_t;
 \end{minted}
-where \texttt{bigfraction\_t} is jsut a pair of \texttt{BIGNUM} \!s
+where \texttt{bigfraction\_t} is just a pair of \texttt{BIGNUM} \!s
 $\angular{h_i, k_i}$. Whenever we need to produce a new convergent, we increment
 $i \pmod{3}$ and apply the definitions given. The fresh convergent must be
 tested with very simple algebraic operations. It is worth noting here that
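Review bot: `\texttt{BIGNUM} \!s` uses a negative thin space to glue the plural suffix to the typewriter word, which yields an uneven join; `\texttt{BIGNUM}s` (or `pairs of \texttt{BIGNUM} values`) is cleaner and avoids the question of how to pluralise a type name.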
@@ -163,7 +163,7 @@ convergent, we provide an algorithm for attacking the RSA cipher via Wiener:
   \begin{algorithmic}[1]
     \State $f \gets  \texttt{cf\_init}(e, N)$
     \State $i \gets \ceil{\log N}$
-    \While{$i--$}
+    \While{$i-- > 0$}
     \State $k, d \gets \texttt{cf\_next}(f)$
     \If{$k \nmid ed-1$} \strong{continue} \EndIf
     \State $\eulerphi{N} \gets (ed - 1)\ //\ k$
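Review bot: `\While{$i-- > 0$}` now terminates, but a C post-decrement inside the loop condition is out of place in pseudocode; write `\While{$i > 0$}` and add an explicit `\State $i \gets i - 1$` at the end of the body so the bound of $\ceil{\log N}$ convergents is visible at a glance.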