OWASP

07-01-2009 18:49
New Attack on AES

There's a new cryptanalytic attack on AES that is better than brute force:

Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.

In an e-mail, the authors wrote:

We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time.

We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.

Agreed. While this attack is better than brute force -- and some cryptographers will describe the algorithm as "broken" because of it -- it is still far, far beyond our capabilities of computation. The attack is, and probably forever will be, theoretical. But remember: attacks always get better, they never get worse. Others will continue to improve on these numbers. While there's no reason to panic, no reason to stop using AES, no reason to insist that NIST choose another encryption standard, this will certainly be a problem for some of the AES-based SHA-3 candidate hash functions.






Related posts:


03-12-2010 0:05
A new version of Safari is out. Looks like for Mac and Windows. Plenty of security fixes (mostly for Windows Safari users http://support.apple.com/kb/HT4070), (Thu, Mar 11th)
 
ISC

03-11-2010 21:50
New version of foxit pdf reader available. http://www.foxitsoftware.com/downloads/index.php, (Thu, Mar 11th)
 
ISC

03-11-2010 9:07
New IE Zero-Day Exploit (CVE-2010-0806)

Hot on the heels of this month’s security bulletin, a new vulnerability exploit surfaces with a malware in tow. The new zero-day vulnerability, as described in a previous post, prompted Microsoft to release Security Advisory (981374) while investigations are still underway. This Internet Explorer (IE) vulnerability exists due to an invalid pointer reference bug within IE, which, under certain conditions, could be exploited to execute hostile code.

This vulnerability primarily affects IE 6 and 7. Internet Explorer 8 is not affected. Users using the affected browsers are advised to follow the workarounds in Microsoft’s advisory until the applicable patches are released. Systems using the latest Windows versions—Windows 7 and Server 2008—are automatically immune from this threat since the said OS versions are shipped with IE 8. Those using earlier versions, however, would benefit from upgrading their browsers to IE 8.

In relation to this vulnerability, Trend Micro currently detects a malicious JavaScript file as JS_SHELLCODE.CD, which exploits CVE-2010-0806 and allows unauthorized download of files onto affected machines.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious website the JavaScript connects to via the Web reputation service. It also detects and prevents the download of JS_SHELLCODE.CD via the file reputation service.

Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Post from: TrendLabs | Malware Blog - by Trend Micro


 
trendmicro

03-10-2010 18:47
Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication, (Wed, Mar 10th)
Yesterday Microsoft re-released KB973811 (http://www.microsoft.com/technet/security/advisory/973811.mspx).
This relates back to the original KB973917 (http://support.microsoft.com/kb/973917)
and advisory MS09-071 (http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx).
This affects the Extended Protection for Authentication functions within XP, Vista and Server 2003 (http://support.microsoft.com/kb/968389).
It didn't show up in yesterday's Patch Tuesday review because Microsoft is classifying it as a non-security upgrade. This is confusing to me, because the update actually includes mitigation against a credential forwarding attack, which you might see on an unencrypted, unsigned connection (yes, there's still a lot of that going around!).
This update affects XP, Vista and Server 2003. Windows 7 and Server 2008 are not affected.
Thanks to our readers on letting us know about this one. I'm still puzzled as to why this wasn't on Microsoft's list of security updates ...
=============== Rob VandenBrink Metafore =============== 
ISC




