Displaying 10 results from an estimated 10 matches for "cryptosystems".

2011 May 23
4
Security of OpenSSL ECDSA signatures
Dear OpenSSH devs, I came across this paper yesterday. http://eprint.iacr.org/2011/232 It states that they were able to recover ECDSA keys from TLS servers by using timing attacks against OpenSSL's ECDSA implementation. Is that known to be exploitable by OpenSSH? (In my understanding, it's easy to get a payload signed by ECDSA during the key exchange so my opinion is that it is).
2001 Nov 13
2
des_ssh1_setiv not setting the IV ?
Greetings; I've been reading the OpenSSH source code and have a question about the des_ssh1_setiv function in cipher.c. (cut-n-pasted here from cipher.c v1.47) : static void des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen) { memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv)); } This doesn't use the *iv parameter. Compare with: static void
2020 Oct 21
2
Future deprecation of ssh-rsa
I've expressed several concerns with enabling UpdateHostKeys by default, none of which were even commented on, so this topic seems to not be in any way open for discussion, but I'll still add one more thing here. Peter Stuge wrote: > Subject: Re: UpdateHostkeys now enabled by default > Date: Mon, 5 Oct 2020 11:22:29 +0000 .. > I do not disagree with progressive key management, we
2009 Apr 16
2
MTBF of Ext3 and Partition Size
Hi All, On several of my servers I seem to have a high rate of server crashes due to file system errors. So I have some questions related to this: Is there any Mean Time Between Failure (MTBF) data for the ext3 file-system? Does increased partition size cause a higher risk of the partition being corrupted? If so, is there any data on the ratio between partition size and the likelihood of
2013 Jun 12
1
Samba4 DES enctypes
Samba4 4.0.5, CentOS 6.4. How does one enable DES enctypes in Samba? I need these to be available for each user when they log in to enable access to a Kerberized NFSv4 export. Steve
2004 Feb 26
0
krb5-1.3.2 is released (fwd)
Just a quick heads up, I'm currently working on this. It's building on -CURRENT. Yet to be done, testing on -CURRENT, build & test on -STABLE, and verification of pkg-plist currency. I will post patches to the krb5 port to -security and -ports and assuming I don't get negative feedback, I will commit sometime late Saturday or on Sunday when I return from my trip to Vancouver. As
2020 Sep 16
2
Samba impact of "ZeroLogin" CVE-2020-1472
The following applies to Samba used as domain controller only. (Both as classic/NT4-style and active directory DC.) Samba users have reported that the exploit for "ZeroLogin" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that
2020 Sep 15
4
Does CVE-2020-1472 impact samba AD domains?
Hi, I saw https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/ and https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 today and I am wondering what impact if any this has on samba AD domains in particular and samba in general? Is samba using the "vulnerable Netlogon secure channel connection"? Will samba continue to
2007 Dec 02
6
MD5 Collisions...
Hi everyone, Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ . Should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due? : " MD5 has not yet (2001-09-03) been broken, but sufficient attacks have been made that its security is in some doubt. The attacks on MD5 are in the