WebApp Sec mailing list archives

Re: Using SSL private key for cookie's HMAC


From: Peter Conrad <conrad () tivano de>
Date: Mon, 6 Sep 2004 10:41:44 +0200

Hi,

On Mon, Sep 06, 2004 at 12:45:10AM +0000, Jason Coombs PivX Solutions wrote:
> The simplest, most direct path to discovering an SSL server's private/public key pair is to precompute every possible 
> key pair and then do a lookup when the server gives you its public key. Every other attack on SSL cryptography that 
> seeks to discover the server's private key *should* be more difficult to accomplish, since it would involve factoring 
> or finding a needle (a discernable pattern that should not exist) in a ciphertext haystack.

erm... factoring is better than brute force, isn't it?

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany

