View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001269 | Main CAcert Website | certificate issuing | public | 2014-04-16 00:19 | 2014-05-04 15:54 |
| Reporter | necrose99 | Assigned To | |||
| Priority | low | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Platform | Main CAcert Website | OS | N/A | OS Version | stable |
| Product Version | 2014 Q2 | ||||
| Summary | 0001269: CSR SHA3 | ||||
| Description | csr sha 3 requests for sha-3 backed ssl keys heart bleed anyone ? , as a security tester I'd prefer sha-3 now instead of the next heart bleed like hole or sha 1 or 2 weakness, why not harden the crypto now. | ||||
| Steps To Reproduce | #<<lonewolfis_com.-genssl.cmd >> openssl req -new -config lonewolfis_com.cnf -keyout lonewolfis_com.key -out lonewolfis_com.csr #(lonewolfis_com.cnf) [ req ] default_bits = 4096 prompt = no encrypt_key = no default_md = SHA-3 distinguished_name = dn req_extensions = req_ext [ dn ] CN = lonewolfis.com emailAddress = mike@lonewolfis.com O = Lonewolf Information Systems Services LLC L = Indianapolis ST = IN C = US 0.OU= IT/MIS countryName_default = US [ req_ext ] subjectAltName = DNS:lonewolfis.com, DNS:lonewolfis.net | ||||
| Additional Information | had I used my own ca cert gen in the chain it dose indeed work as a self signed ca. however I prefer cacert , and if need be am willing to use a notary public on id's etc to get class 3's etc. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
Please provide the final specification for SHA-3. AFAIK this has not been finalized yet nor is it implemented anywhere in a reasonably stable environment. Furthermore: SHA-2-512 should provide more than enough collission resistence for most applications you would protect by 1000€. |
|
|
http://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided http://crypto.stackexchange.com/questions/7895/weaknesses-in-sha-256d Their are means to weaken a webapp , and inject into the cipher known values. IE "Mary had a little lamb" or the like . Pre-pending and side channel "The magical cryto dust and the webapp is safe"........ nope not really , You could have the best encryption tech , Implementation Implementation ah yes Implementation...... nothing Like Pen-testing to start the day...... http://www.wgu.edu/online_it_degrees/information_security_assurance_degree With CEH & CHFI included. https://www.owasp.org/index.php/Indianapolis Spider Labs @ Trustwave. https://www.trustwave.com/Services/SpiderLabs-Services/ The topic of the Day was Breaking the "magical Crypto dust" and p'owning the database. this guy {@Spider Labs}Guest speaker has quite a number of practical pen-tests more than I for the year . I just try to keep my servers safe. however getting the both keys from DB hacks on a pen-test is well gold. alot of his local customers use the Crpto very poorly oracle attacks, etc. http://keccak.noekeon.org/ https://github.com/gvanas/KeccakCodePackage Keccak has been selected as the SHA-3 standard: http://csrc.nist.gov/groups/ST/hash/sha-3/ Elliptic Curve Diffie-Hellman http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331 sha3 forces the IT Security auditor away from the usual URL encoding attacks. since most of the tools will not regenerate the keys. It's not Likely that Most will break Sha2-512. but I'm Paranoid enough to rather go for SHA3-512 as it's not susceptible to most of the usual attacks. the other aspect is quantum computers , the usual rules of thousands of years to reverse keys do not apply. http://security1.win.tue.nl/~bskoric/physsec/files/slides_10_Shor.pdf http://rt.com/usa/quantum-computer-nsa-encryption-100/ No one yet offers PKI with SHA-3-512 , not a one. But I doubt seriously that The NSA bedfellows hear will Issue SSL-SHA-3-512 keys anytime soon. I'd love to really stick it to em buy deploying PKI SSL-SHA3 as an option now than latter. even if experimental , I'd rather test now see it's Considerably more or Less secure, and see if it holds water. if it dose , then make it available before anyone else dose. I Don't care for politics, But I do care for Privacy and FREEDOM, I'm not to sure on the commercial PKI Key places here in the USA of late. Just with Crappy Crypto being touted as king and sold commercially here.....with a side order of NSA.... I'm also Partly Native American.and an US Army Vet....sure you CAN trust Your Government.... Epic Fail..... As a Security Analyst/Specialist it Pays to be Paranoid , in fact it's job security. That being said hopefully the trust in making sha3 available for testing advances. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-04-16 00:19 | necrose99 | New Issue | |
| 2014-04-29 22:44 | MartinGummi | Priority | high => low |
| 2014-05-04 11:54 | BenBE | Note Added: 0004772 | |
| 2014-05-04 11:54 | BenBE | Status | new => needs feedback |
| 2014-05-04 15:54 | necrose99 | Note Added: 0004773 | |
| 2014-05-04 15:54 | necrose99 | Status | needs feedback => new |
