Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Possibly a stupid question RPC over HTTP
From: "Airey, John" <John.Airey () rnib org uk>
Date: Tue, 26 Oct 2004 16:47:21 +0100

-----Original Message-----
From: Kyle Maxwell [mailto:krmaxwell () gmail com]
Sent: 25 October 2004 04:30
To: Airey, John
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Possibly a stupid question RPC 
over HTTP


You're talking about solving a problem that DOESN'T EXIST BY
DEFINITION. Re-read my response -- this time without being stupid --
and you'll see that I was trying to explain to you that the problem is
the general factoring of large numbers (into primes for what should be
obvious reasons). This is NOT the same as factoring large primes as
that's a solved problem. If this is still difficult to understand, any
handy grade-school maths book should provide additional explanation.
Testing for primality, which is a related but different problem, is
solved, but proving that a number is composite is unfortunately not
the same as knowing its factors.

As to the question of whether this is a solved problem: we may have to
agree to disagree; if it were the NSA, given their past interactions
with the crypto community, I think it likely that they'd have over
time moved to another type of cryptography. BTW, brute forcing a key
does not break the system -- and as others have shown in this thread,
it's impossible to precompute all the keys unless you've broken every
single PRNG out there, and that's even less likely.

What is it with this list that people can't reply without being rude? Is it the phase of the moon or something? OK, so 
we can rule out brute force, as storing every prime that's possible with 512bit keys isn't possible in this universe. 
Anyway, to quote RSA Laboratories:

"The RSA algorithm works as follows: take two large primes, p and q, and compute their product n = pq; n is called the 
modulus. Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no 
common factors except 1. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are 
called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). 
The factors p and q may be destroyed or kept with the private key.

It is currently difficult to obtain the private key d from the public key (n, e). However if one could factor n into p 
and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that 
factoring is difficult" (http://www.rsasecurity.com/rsalabs/node.asp?id=2214)

Therefore my point still stands that if someone does possess a mathematical solution to the above, then all bets are 
(Whoever it was who disagreed about my statements on encryption, please remember the context of the thread is about SSL 
security, not one-time keys).

Getting back to the original question, you can't discover if someone is sending RPC over https unless you have a 
solution to the RSA hard problem above. Nor is it a major security issue if someone is using RPC over https either, 
unless there are flaws in the implementation of SSL or RPC that could be exploited by someone else.

This is my last post on the matter which is solely for the purpose of making at least one post in this thread sensible 
and useful for future readers of the archive. All future abusive emails on my mathematical abilities will be deleted 
without response.

John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

Tag line temporarily removed due to several people being unable and/or unwilling to comprehend what I'm talking about.


NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged.  If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants.  However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent
those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]