Full Disclosure
mailing list archives
RE: Possibly a stupid question RPC over HTTP
From: "Airey, John" <John.Airey () rnib org uk>
Date: Tue, 26 Oct 2004 16:47:21 +0100
Original Message
From: Kyle Maxwell [mailto:krmaxwell () gmail com]
Sent: 25 October 2004 04:30
To: Airey, John
Cc: fulldisclosure () lists netsys com
Subject: Re: [Fulldisclosure] Possibly a stupid question RPC
over HTTP
[snip]
You're talking about solving a problem that DOESN'T EXIST BY
DEFINITION. Reread my response  this time without being stupid 
and you'll see that I was trying to explain to you that the problem is
the general factoring of large numbers (into primes for what should be
obvious reasons). This is NOT the same as factoring large primes as
that's a solved problem. If this is still difficult to understand, any
handy gradeschool maths book should provide additional explanation.
Testing for primality, which is a related but different problem, is
solved, but proving that a number is composite is unfortunately not
the same as knowing its factors.
</flame>
As to the question of whether this is a solved problem: we may have to
agree to disagree; if it were the NSA, given their past interactions
with the crypto community, I think it likely that they'd have over
time moved to another type of cryptography. BTW, brute forcing a key
does not break the system  and as others have shown in this thread,
it's impossible to precompute all the keys unless you've broken every
single PRNG out there, and that's even less likely.
What is it with this list that people can't reply without being rude? Is it the phase of the moon or something? OK, so
we can rule out brute force, as storing every prime that's possible with 512bit keys isn't possible in this universe.
Anyway, to quote RSA Laboratories:
"The RSA algorithm works as follows: take two large primes, p and q, and compute their product n = pq; n is called the
modulus. Choose a number, e, less than n and relatively prime to (p1)(q1), which means e and (p1)(q1) have no
common factors except 1. Find another number d such that (ed  1) is divisible by (p1)(q1). The values e and d are
called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d).
The factors p and q may be destroyed or kept with the private key.
It is currently difficult to obtain the private key d from the public key (n, e). However if one could factor n into p
and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that
factoring is difficult" (http://www.rsasecurity.com/rsalabs/node.asp?id=2214)
Therefore my point still stands that if someone does possess a mathematical solution to the above, then all bets are
off.
(Whoever it was who disagreed about my statements on encryption, please remember the context of the thread is about SSL
security, not onetime keys).
Getting back to the original question, you can't discover if someone is sending RPC over https unless you have a
solution to the RSA hard problem above. Nor is it a major security issue if someone is using RPC over https either,
unless there are flaws in the implementation of SSL or RPC that could be exploited by someone else.
This is my last post on the matter which is solely for the purpose of making at least one post in this thread sensible
and useful for future readers of the archive. All future abusive emails on my mathematical abilities will be deleted
without response.

John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk
Tag line temporarily removed due to several people being unable and/or unwilling to comprehend what I'm talking about.

DISCLAIMER:
NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.
RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.
Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.
RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
_______________________________________________
FullDisclosure  We believe in it.
Charter: http://lists.netsys.com/fulldisclosurecharter.html
By Date
By Thread
Current thread:
 RE: Possibly a stupid question RPC over HTTP, (continued)
