«For those asking «who uses private keys generated by untrusted sources» — this could be implemented in hardware, for example a smart card. Binaries you don't have the source for or didn't compile yourself could also be affected.»
That would apply then to any algorithm, operating system, random number generator, or anything you use in life, not just RSA. Pretty weak argument against RSA.
David Knight: You are quite correct to advocate "walk gently into that dark night". Perhaps, humankind will be attuned to that collective consciousness through engaging in acts such as these: Just as flying was thought of as an impossible dream till just a century ago, but might be in everyone's reach now, due to the computational and coordination achievements of this century; it is not unthinkable to use those very same approaches to fly through our existential cornucopia without having to ruffle the feathers of anyone else. I am quite certain the humanities are very close to achieving this singularity as well as parity with all other sciences.
I wrote the Python implementation that this article is based on. I was too lazy to do a proper write-up, and I think this one is pretty good.
This port does have some subtle implementation errors, though.
The embedded key is the master *private* key, so anyone with this code can recover any RSA keys generated with it. I submitted a pull request on GitHub that fixes it.
For those asking «who uses private keys generated by untrusted sources» — this could be implemented in hardware, for example a smart card. Binaries you don't have the source for or didn't compile yourself could also be affected.
I think the idea is this one: What if your closed source Super Encryption Enterprise Edition generates keys on your own desktop, with this backdoor built in?
People had always known that sort of thing could be abused, but this is a method of doing so which isn't overly obvious.
Joozek got the point. When you activate even the cheapest HTTPS server/domain, you generate the private key locally with your openssl apache tool, then register only the public key with the Certification Authority.
If I understood this correctly, you're saying that someone can decrypt your data if you use a private key THEY generated. But who uses private keys obtained from untrusted sources?
Perhaps. I would ask the customer and take their direction. I assume as a freelancer, you're being paid by the hour/day, so it doesn't matter what is asked of you.
You don't know how deep that hacker's rabbit hole goes, so you should have simply recovered/backed up the user's data, configuration files, etc., and filled the rabbit hole with cement — the format-and-reinstall-the-OS kind of cement.
Mugur Constantin, 28 years old, from Radauti, Romania. He is a Computer Technician in London.
www.facebook.com/profile.php?id=100006897076995
twitter.com/ravenul same nickname, face and constitution
rav3n.3x.ro «Raven Love to Hack Your Sistem!»
rav3n.3x.ro/aboutme.htm name, age(17 in 2002 when the page was created) and sign matches with profiles on other websites
rav3n.3x.ro/favorite.htm is friends with «sageata» and is from Radauti
ravenul.3x.ro/ «Raven & Popa Lucian-Constantin» aka (sageata)
www.facebook.com/CinemaStar.net Popa Lucian-Constantin aka «sageata» also from Radauti
www.facebook.com/profile.php?id=100006897076995&and=CinemaStar.net Mugur Constantin and Popa Lucian-Constantin are friends
www.sfatulmedicului.ro/profil/ravenul_141487 this «ravenul» is 28 yo
www.bascalie.ro/ravenul this «ravenul» is 28 yo and a taurus
1337day.com/author/19589 this «ravenul» likes hacking
groups.google.com/forum/#!topic/linux.redhat.rpm/EEYsVl-dDMI this «ravenul» is interested in linux and security
en.wikipedia.org/wiki/Dual_EC_DRBG
Cool story though.