Then you would have to think of a new messenger tag line :)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Saturday, 17 November 2007 8:31 AM
To: ISAPros Mailing List
Subject: [isapros] Re: OT: Breaking RSA: Totient indirect factorization

What if hypothetical questions didn't exist? :)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Friday, November 16, 2007 5:23 PM
To: ISAPros Mailing List
Subject: [isapros] Re: OT: Breaking RSA: Totient indirect factorization

"because any password may eventually be cracked, all passwords are equally weak".

Riiight so my password he was working on and was within two days of cracking (assuming he lived till he was 24 million years old) which happened to be changed/disabled/computer formatted c: by the IT bots of the future 3 days before he would have got it... So now there is one password he will never crack..

Your analogy of "because I can imagine it, it is good" is quite right. Many times at work I get emails or calls asking about potential/hypothetical situations and scenarios, part of the job I guess but 9/10 times the answer is always the same, what is the perceived risk and what is the actual risk. How much are you willing to spend on a perceived risk just for the sake of it when it may only pose 3% of the attack surface or overall outlook. The majority of the time it also involves a considerable cost, otherwise it would have been done already.

I once had a guy who wanted to put a fingerprint scanner on the entry to the server room. Great idea, the stuff movies are made around, BUT, as I said to him, who cares, does a separate key do the same thing and save you a lot of money? Do we have a problem of break-ins - no, is there a risk - yes always but did they want to spend the Johnny cash, well maybe it can be better served in other areas!
g

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, 16 November 2007 6:35 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: FW: Breaking RSA: Totient indirect factorization

There was a similar discussion on an internal alias regarding password entropy and "crackability". The sad outcome is that the customer that started the discussion is still convinced that (get this):

"because any password may eventually be cracked, all passwords are equally weak".

They also want to "proxy" a set of credentials within the SSL session key from a completely different SSL session (shared session keys).

"because I can imagine it; it is good"

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, November 15, 2007 11:54 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] OT: FW: Breaking RSA: Totient indirect factorization

I love guys like this ;)

(The OP was how to break RSA ;)

t

-----Original Message-----
From: Clifton Royston [mailto:cliftonr@xxxxxxxx]
Sent: Thursday, November 15, 2007 8:59 AM
To: gandlf
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Breaking RSA: Totient indirect factorization

On Wed, Nov 14, 2007 at 10:59:42PM +0100, gandlf wrote:
..
> Algorithm
> ---------
>
> - Repeat "a = a^n mod m" with n from 2 to m, saving all the results in
>   a table until a == 1 (Statement 4).

Do I understand correctly that this step of your proposed algorithm can identify the private key corresponding to (e.g.) a 1024 bit public key, but only by doing on the order of Sum(2..2^1024) = ~ 2^1025 modular exponentiations and storing the results?

If so, that would come to approximately 1E307 modular exponentiation operations. Divide that out by (for example) teraflops and the expected lifetime of the universe, and I don't think you will get a pleasing result.
  -- Clifton

--
Clifton Royston -- cliftonr@xxxxxxxxxxxxxxxxxx / cliftonr@xxxxxxxx
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services