Home Explore Help
Sign In
maker
/
bachelor
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
bachelor
/
reports
/
report1.org

report1.org 3.7 KB
Permalink History Raw

The last two weeks were centred only on retrieving nformations about general attacks over ssl and think about some ideas to better define the project.

DONE accumulate materials about common and studied attacks on RSA

Twenty Years of Attacks on the RSA Cryptosystem paper

Ron was wrong, Whit is right. paper

Tesi Noemi bad thesis

Beautiful Testing - how to test a random number generator book

Is the SSLiverse a safe place? video 27c3 eff

    * [ ] Prove Fact 1: given the public key and the private key it is possible to factorize N=pq.
  • ssl certificates scanning 0.0.0.0/0:443
  • the database, uncompressed, is about 10G.
  • filesystems like ext4 are no good.
  • takes one day to load.

    • TODO ask for policies and access to cluster.science.unitn.it

    DONE ask EFF™ about a possible collaboration with the observatory, or ideas.

    DONE ask hellais about ideas and cool projects

      Having to (i) scrape the web and (ii) process a lot of attacks at random, it is needed to have a database and hopefully a cluster to compute on a remote machine with a long-run job.
    • [X] CISCA operator said to write to Alessandro Villani about it.
      • Follows a summary of the most interesting ideas that came out from the conversation.
    • Teus Hagen:
      • «investigations done by the observatory were merely technical, not *conidering which category the organizations belong to*.» Analyze if the security matches the organization's purpose:
    • bandwith of cert revocation
    • use of DNSSEC of the SSL website
    • revocation service
    • certificates erial number schema
    • reviews patterns used by CAs (some for examples may offer EV for money)
    • is the secrecy of the certificate really checked by the CA?
    • Tom Ritter:
      • «just some random ideas»
    • low-exponent DH surveys, with folowup investigations Hasty PRISM proofing considered harmful];
    • test servers not supporting parts of TLS;
    • timing and cache attacks on AES-GCM
    • unsafe defaults: a survey on ssl implementations and defaults which are
      • just wrong
    • Philip William-Baker:
      • «we need a more rigorous examination of the trust models. Assuming that we just cannot pretend that every sysadmin will ever make mistakes in signing certificates, we should *create a metric* for evaluating trust networks».
    • the metric shall be sililar to the metric used for evaluating algorithminc
      • complexity.
    • the measure could be based on how big is the effort (in social engenering)
      • to get the key;
    • consider the CA trust mode and keysigning as a form of endorsment for
      • CAs. [[[https://datatracker.ietf.org/doc/draft-hallambaker-prismproof-trust/][PRISM Proof Trust Model]]] hellais has some interesting papers to show me personally, but on mail aswered with two cool proejct named [[https://pki.net.in.tum.de/][Crossbear]], which held [[https://github.com/crossbear/Crossbear][a video]] @ 28C3 about identifying man in the middle attacks and discovering the affected hop