In class we saw an example of a "secure" algorithm (the pseudorandom increment of the Initial Sequence Number in TCP); everyone was convinced it really was "secure", and after N years someone noticed that they had all been wrong.
We said that such things have happened more than once (for example in Kerberos, with the Needham-Schroeder protocol).
Another example has just occurred (March 2009). Less serious, because it concerns an algorithm used only in research laboratories, but conceptually the situation is the same:
In 2008, a generalized ring signature scheme based on the original ElGamal signature scheme was proposed for the first time. The authors claimed that the proposed generalized ring signature scheme is convertible. It enables the actual message signer to prove to a verifier that only she is capable of generating the ring signature. Through cryptanalysis, the convertibility of the generalized ring signature scheme cannot be satisfied. Everyone in the ring signature has the ability to claim that she generated the generalized ring signature.
"Cryptanalysis of a Generalized Ring Signature Scheme," IEEE Transactions on Dependable and Secure Computing, 11 Mar. 2009. IEEE Computer Society Digital Library. IEEE Computer Society,
http://www2.computer.org/portal/web/csdl/doi/10.1109/TDSC.2009.13
(a few days later I added yet another example, below)
On the Security of an Efficient Time-Bound Hierarchical Key Management Scheme
Recently, Bertino et al. proposed a new time-bound key management scheme for broadcasting. The security of their scheme rests on the hardness of breaking the elliptic curve discrete log problem, HMAC, and tamper-resistant devices. They claimed that as long as the three assumptions hold, their scheme is secure. By secure, they mean that users cannot access resources they are not granted, even if users collude. In this paper, we demonstrate that this scheme is insecure against the collusion attack. We also provide some possible amendments to this scheme.