Posted to rec.woodworking
Swingman
Cleaning up an old table saw

On 2/17/2012 1:08 PM, Scott Lurndal wrote:
> writes:
>> On 2/16/2012 10:57 AM, Scott Lurndal wrote:
>>> Han wrote:
>>>
>>>> Well, in my book, you can brainstorm an idea, formulate a(n)
>>>> hypothesis, perform experiments trying to prove the hypothesis, and
>>>> if supported formulate a theory. Then once totally vetted, tested,
>>>> and pulled through the wringer, if nothing untoward appears, it
>>>> becomes "law". Even then you need to be careful, as shown by the
>>>> recent instance of (not so) random number generation in the RSA
>>>> algorithm involved in money transactions via the internet.
>>>
>>> To be more precise, the recent issue with RSA factoring related to
>>> weak PRNG implementations was primarily limited to embedded devices
>>> such as routers and gateways.
>>
>> See below:
>>
>>> None of the factorable (and they used
>>> a rather clever method using GCD to factor the keys) keys were associated
>>> with any major website, or with any key signed by a trusted certification
>>> authority (e.g. Verisign et al.). It seems the bulk of the bad keys were
>>> generated on embedded devices, when first powered on, when the PRNG hadn't
>>> had enough entropy to guarantee randomness.
>>
>> Been following this on ArsTechnica for a while.
>>
>> And with regard to the above, some argue that this distribution of weak
>> keys is of even greater concern:
>>
>> quote
>> "Meanwhile, Hughes, one of the co-writers of the original paper, says he
>> remains convinced that the weak keys represent a threat to people using
>> webmail and e-commerce.
>>
>> "I hate to say it but this does have implications for web-based commerce
>> because people can mount man-in-the-middle attacks," he said. "People
>> know, for instance, there have been man-in-the-middle attacks mounted
>> against websites by foreign countries. Embedded systems matter to
>> e-commerce because they're the infrastructure that goes between you and
>> the site you're trying to go to."
>> /quote
>>
>> While this could be a case of protecting/justifying your initial
>> assessment, the fact remains that, as you noted above, many of the weak
>> keys were indeed embedded in routing equipment.
>
> However, those keys were primarily SSH keys, not SSL keys, and were used
> to protect the administration interfaces on said routing equipment. Can't
> be used for a MIM attack at all, since it is completely orthogonal.

snip of much informative stuff

So Hughes is indeed all wet?

--
www.eWoodShop.com
Last update: 4/15/2010
KarlCaillouet@ (the obvious)
http://gplus.to/eWoodShop
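The "clever method using GCD" Scott refers to, shown as an added example (not code from anyone in this thread): a key-hygiene audit over a set of RSA moduli that flags any modulus sharing a prime with another, which is exactly the symptom left behind when a device generates its key before its PRNG has gathered enough entropy. The primes are small constructed values, not real keys; the function name `audit_moduli` is mine.

```python
"""Audit RSA moduli for shared prime factors (added example, constructed data).

A poorly seeded PRNG (an embedded device generating its key at first boot)
can produce a prime that another device also produced.  Two such moduli
N1 = p*q1 and N2 = p*q2 leak p via gcd(N1, N2), which factors both keys.
Checking a key inventory for this is a defensive hygiene step; the numbers
below are small constructed primes, not real keys.
"""
from itertools import combinations
from math import gcd


def audit_moduli(moduli):
    """Return (factored, duplicates).

    factored:   {N: (p, q)} for every modulus sharing a prime with another.
    duplicates: set of moduli that appear more than once (identical keys,
                a different symptom of the same low-entropy root cause).
    """
    factored = {}
    duplicates = set()
    for n1, n2 in combinations(moduli, 2):
        if n1 == n2:
            duplicates.add(n1)
            continue
        g = gcd(n1, n2)
        if g > 1:  # non-trivial common divisor: both moduli are now factored
            for n in (n1, n2):
                factored.setdefault(n, (g, n // g))
    return factored, duplicates


# Constructed small primes; real keys use 1024-bit-plus primes, and a real
# audit over millions of moduli uses a batch-GCD product tree rather than
# this O(n^2) pairwise loop.
P, Q1, Q2, R, S = 1000003, 1000033, 1000037, 1000039, 1000081
N_SHARED_A = P * Q1      # two "devices" that happened to pick the same p
N_SHARED_B = P * Q2
N_HEALTHY = R * S        # unrelated key: stays unfactored

if __name__ == "__main__":
    factored, dups = audit_moduli([N_SHARED_A, N_SHARED_B, N_HEALTHY])
    for n, (p, q) in factored.items():
        print(f"modulus {n} factors as {p} * {q}: rotate this key")
    print("healthy modulus untouched:", N_HEALTHY not in factored)
```

Any modulus the audit returns should be treated as compromised and rotated, since anyone holding the same inventory of public keys can recover the private key the same way.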