ZaiRoN

August 2nd, 2007, 16:35

The title says all. Enjoy the paper by Evilcry:

__http://www.reteam.org/papers/e77.pdf__View Full Version : Reverse Engineering of Strong Crypto Signature Schemes

ZaiRoN

August 2nd, 2007, 16:35

The title says all. Enjoy the paper by Evilcry:

__http://www.reteam.org/papers/e77.pdf__

JMI

August 2nd, 2007, 17:06

Thanks again for sharing with our readers.

Regards,

Regards,

evilcry

August 3rd, 2007, 02:26

Ehehe many thanks to you Zairon, for posting it for me

Hope all Enjoys this paper

FeedBacks are appreciated

Best Regards,

Evilcry

Hope all Enjoys this paper

FeedBacks are appreciated

Best Regards,

Evilcry

evilcry

August 6th, 2007, 10:32

In preparation the Second Version of the paper, with included a basical

ECC Cracker

Best Regards,

Evilcry

ECC Cracker

Best Regards,

Evilcry

NoLoader

August 29th, 2007, 18:38

Hi,

I'm not sure what to make of this. Perhaps I am missing something. Is the author claiming he can forge signatures? Otherwise, it appears he is reversing a Big Integer/ECC package. There is no need for that - we can get the stuff open source.

I'd be interested in reading a paper on forging signatures and RE (ECDSA for example). But I don't believe it is feasible at the moment.

In a Signature Scheme, the document to be signed goes through three steps. The most important of which is:

Decrypt the message (the actual plain text or hash of the plain text) as if it were an instance of cipher text.

Since this is decryption, it uses the Private Key.

Verification would use the Public Key. Depending on whether the the SS used Appendix or Recovery, the original plain text (or hash) would be presented to the verifier function (Appendix); or the message would be pulled from the signature and presented to the verifier function (Recovery). Again, the verifier function uses the Public Key.

So, to forge a message, the adversary would need the Private Key. The Private Key is not exposed in the software, since the software only needs the Public Key for verification. In addition, if the Signature System supports Recovery, the original message does not need to be present either.

Finally, when using ECC, the curve is of little importance presuming you are using recommended curves. For our discussion, one could use NIST P192 or P256. What is important is the point on the curve one chooses. This should be kept secret.

Jeff

Quote:

[Originally Posted by ZaiRoN;67554]The title says all. Enjoy the paper by Evilcry:http://www.reteam.org/papers/e77.pdf |

I'm not sure what to make of this. Perhaps I am missing something. Is the author claiming he can forge signatures? Otherwise, it appears he is reversing a Big Integer/ECC package. There is no need for that - we can get the stuff open source.

I'd be interested in reading a paper on forging signatures and RE (ECDSA for example). But I don't believe it is feasible at the moment.

In a Signature Scheme, the document to be signed goes through three steps. The most important of which is:

Decrypt the message (the actual plain text or hash of the plain text) as if it were an instance of cipher text.

Since this is decryption, it uses the Private Key.

Verification would use the Public Key. Depending on whether the the SS used Appendix or Recovery, the original plain text (or hash) would be presented to the verifier function (Appendix); or the message would be pulled from the signature and presented to the verifier function (Recovery). Again, the verifier function uses the Public Key.

So, to forge a message, the adversary would need the Private Key. The Private Key is not exposed in the software, since the software only needs the Public Key for verification. In addition, if the Signature System supports Recovery, the original message does not need to be present either.

Finally, when using ECC, the curve is of little importance presuming you are using recommended curves. For our discussion, one could use NIST P192 or P256. What is important is the point on the curve one chooses. This should be kept secret.

Jeff

evilcry

August 30th, 2007, 01:54

Quote:

Is the author claiming he can forge signatures? |

I'm not claming that i can forge Signatures , the only purpose of the paper is to give an idea of Elliptic Curve Cryptography and to expose the general mechanism of ECC protections in Software, aspect that will be further deeply explained with other Practical RCE Applications over Crackmes/Sw which that uses.

Quote:

Otherwise, it appears he is reversing a Big Integer/ECC package. |

My paper is divided into a Theory part and a Practical part, the Reverse Engineering of some ECC Crackme, i'm not reversing a Big/Ecc package, i'm not so stupid to reverse an open library.

Quote:

There is no need for that - we can get the stuff open source. |

Just put this shit unuseful piece of paper in the trash

Have a Nice Day

PS: Thanks for your feedback

PPS: Sad to see that one of the few feedback 've received is negative, but hey is a feedback

NoLoader

August 30th, 2007, 08:22

Hi evilcry,

My apologies. I did not mean to offend you. From the title of the document I was under a different impression.

Jeff

Quote:

[Originally Posted by evilcry;68202]PPS: Sad to see that one of the few feedback 've received is negative, but hey is a feedback |

My apologies. I did not mean to offend you. From the title of the document I was under a different impression.

Jeff

Maximus

August 30th, 2007, 08:46

Well, I just discovered it, and gave it a partial read -it looks very nice. Will read it in full later on.

I looked everywhere time ago about ECC, from simple docs to the harsh ones.

Your one looks like a true promising entry point on ECC -much better than i.e. the tutorial on certicom.

...but to criticize (what feedback would it be ) a bit...

...maybe using a white background for the PDF would be better?

Maximus

I looked everywhere time ago about ECC, from simple docs to the harsh ones.

Your one looks like a true promising entry point on ECC -much better than i.e. the tutorial on certicom.

...but to criticize (what feedback would it be ) a bit...

...maybe using a white background for the PDF would be better?

Maximus

evilcry

September 1st, 2007, 01:56

Hi,

Nope NoLoader , about the title i partially agree with you, my previsions is to enlarge the paper with more material and techniques (not only Sw protections)

@Maximus: Eheh it's truly ugly the gray background it's true , next issue will have a better looking

Have a nice Day

Nope NoLoader , about the title i partially agree with you, my previsions is to enlarge the paper with more material and techniques (not only Sw protections)

@Maximus: Eheh it's truly ugly the gray background it's true , next issue will have a better looking

Have a nice Day

NoLoader

September 1st, 2007, 12:44

Hi Evilcry,

If you would like to look at am implementation of Product Keys and ECC, see 'Product Keys Based on Elliptic Curve Cryptography' (http://www.codeproject.com/cpp/ECIESProductKey.asp). Another of interest may be 'Product Keys Based on the Advanced Encryption Standard (AES)' (http://www.codeproject.com/cpp/AESProductKey.asp).

I know five comanies are using this systems, since they contatced me with questions regarding the implementation.

Both articles encode a feature matrix and wrap it in strong encryption. Neither article addresses RE. I try not to engage in the debate. In the end Crackers are like Virus Researchers - the analyst will _always_ figure out what is going on since thay have the machine code to examine.

Since the analyst will reverse engineer the system, one should assume a KeyGen exists. This leads to an 'Activation Server' which can distinguish between forged keys and company issued keys. Again, the protection scheme is not detailed (with the Activation process being 'choke point'). It is left as an exercise to the reader . My personal opinion is simply due diligence - since the analyst will always win...

Jeff

If you would like to look at am implementation of Product Keys and ECC, see 'Product Keys Based on Elliptic Curve Cryptography' (http://www.codeproject.com/cpp/ECIESProductKey.asp). Another of interest may be 'Product Keys Based on the Advanced Encryption Standard (AES)' (http://www.codeproject.com/cpp/AESProductKey.asp).

I know five comanies are using this systems, since they contatced me with questions regarding the implementation.

Both articles encode a feature matrix and wrap it in strong encryption. Neither article addresses RE. I try not to engage in the debate. In the end Crackers are like Virus Researchers - the analyst will _always_ figure out what is going on since thay have the machine code to examine.

Since the analyst will reverse engineer the system, one should assume a KeyGen exists. This leads to an 'Activation Server' which can distinguish between forged keys and company issued keys. Again, the protection scheme is not detailed (with the Activation process being 'choke point'). It is left as an exercise to the reader . My personal opinion is simply due diligence - since the analyst will always win...

Jeff

NoLoader

September 4th, 2007, 12:32

Hi evilcry,

I wanted to learn more about 'EFFICACIA', but I'm drawing blanks in Google. Do you have any links that may be useful? Or is this a term which you are coining?

Jeff

Quote:

Sintetically, aspects of the same agorithm assumes different terms, if referred to the "EFFICACIA" which they have on DLP or ECDLP. |

I wanted to learn more about 'EFFICACIA', but I'm drawing blanks in Google. Do you have any links that may be useful? Or is this a term which you are coining?

Jeff

NoLoader

September 4th, 2007, 12:42

Hi evilcry,

In my humble opinion, I think the wording is 'melding' two concepts. ECC was independently discovered by Koblitz and Miller. Lenstra used ECC for Integer Factorization (for example, RSA moduli). Basically, when the equation is rewritten in in terms of y = ..., a divide by zero means one has found a non trivial factor of N. Personally, I would make a greater distinction between the points. Put another way, it appears ECC was borne out of Lenstra's work on factoring.

I don't have my copy of Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/) with me, so I can't cite anything for you.

Also, please consider this constructive, rather than negative.

Jeff

Quote:

The beautiful story of ECC, begins in 1984 thanks to Hendrik Lenstra, who coded a factorization algorithm based on the mathematical proprieties of Elliptic Curves, called Lenstra Elliptic Curve Factorization. |

In my humble opinion, I think the wording is 'melding' two concepts. ECC was independently discovered by Koblitz and Miller. Lenstra used ECC for Integer Factorization (for example, RSA moduli). Basically, when the equation is rewritten in in terms of y = ..., a divide by zero means one has found a non trivial factor of N. Personally, I would make a greater distinction between the points. Put another way, it appears ECC was borne out of Lenstra's work on factoring.

I don't have my copy of Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/) with me, so I can't cite anything for you.

Also, please consider this constructive, rather than negative.

Jeff

NoLoader

September 4th, 2007, 14:21

Hi evilcry,

I would also mention the isomorphism of F_p* (-{0}) to F_p+. This is generally the most often cited example.

Also, you might want to talk about Pairing Based Cryptography a bit since you introduced Weil Pairing. It is basically roots of unity over an EC. It is in an ANSI committee now for standardization. I am aware of one PBC library from a graduate student at Stanford - I'm sure there are others. It is based on GMP. See http://crypto.stanford.edu/pbc/.

I needed a short signature scheme with recovery. PBC did not fit the bill for me (lack of recovery), but it is in my back pocket of tools.

Please take this as constructive rather than negative.

Jeff

Quote:

There are also other category of attacks, called Isomorphism Attacks that try to reduce ECDLP to DLP, most known are Weil and Tate Pairing Attacks, these kind of attacks can be used only in presence of Anomalous Prime Fields. |

I would also mention the isomorphism of F_p* (-{0}) to F_p+. This is generally the most often cited example.

Also, you might want to talk about Pairing Based Cryptography a bit since you introduced Weil Pairing. It is basically roots of unity over an EC. It is in an ANSI committee now for standardization. I am aware of one PBC library from a graduate student at Stanford - I'm sure there are others. It is based on GMP. See http://crypto.stanford.edu/pbc/.

I needed a short signature scheme with recovery. PBC did not fit the bill for me (lack of recovery), but it is in my back pocket of tools.

Please take this as constructive rather than negative.

Jeff

evilcry

September 12th, 2007, 08:53

Hi NoLoader,

First of all thanks for your feedbacks

The word "Efficacia" means "Efficiency", it's an Italian term, that i forgot to translate.

I'll take a look at your links, thanks again!

Best Regards,

Evilcry

First of all thanks for your feedbacks

The word "Efficacia" means "Efficiency", it's an Italian term, that i forgot to translate.

I'll take a look at your links, thanks again!

Best Regards,

Evilcry

NoLoader

September 20th, 2007, 16:54

Quote:

[Originally Posted by evilcry;68443]The word "Efficacia" means "Efficiency", it's an Italian term, that i forgot to translate. |

Every time I open my mouth, I show the world how little I know... I thought I got out of the habit in college, when a lot of people who were much smarter than me showed me just how little I thought I knew.

NoLoader

September 20th, 2007, 17:42

Quote:

[Originally Posted by NoLoader;68278]If you would like to look at am implementation of Product Keys and ECC, see 'Product Keys Based on Elliptic Curve Cryptography' (http://www.codeproject.com/cpp/ECIESProductKey.asp). Another of interest may be 'Product Keys Based on the Advanced Encryption Standard (AES)' (http://www.codeproject.com/cpp/AESProductKey.asp). |

This fellow got the 'big picture'... He's attempting to use a signature, which leads to this endeavor. http://groups.google.com/group/cryptopp-users/browse_thread/thread/5226443664bb6b35

Jeff

evilcry

September 25th, 2007, 01:29

Hi,

I've read the two articles and are truly intersing and well written

In these days I've discovered another good Crypto Lib, for C# but should be usable also in Managed C++, lib is called**BouncyCastle** and can be downloaded at:

http://bouncycastle.org/csharp/

Is also implemented ECIES, but i'm not sure about its performances

Have a nice day!

I've read the two articles and are truly intersing and well written

In these days I've discovered another good Crypto Lib, for C# but should be usable also in Managed C++, lib is called

http://bouncycastle.org/csharp/

Is also implemented ECIES, but i'm not sure about its performances

Have a nice day!

Powered by vBulletin® Version 4.2.2 Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.