View Issue Details

IDProjectCategoryView StatusLast Update
0001269Main CAcert Websitecertificate issuingpublic2014-05-04 15:54
Reporternecrose99 Assigned To 
PrioritylowSeverityminorReproducibilityalways
Status newResolutionopen 
PlatformMain CAcert WebsiteOSN/A 
Product Version2014 Q2 
Summary0001269: CSR SHA3
Descriptioncsr sha 3 requests for sha-3 backed ssl keys

heart bleed anyone ? , as a security tester I'd prefer sha-3 now instead of the next heart bleed like hole or sha 1 or 2 weakness,
why not harden the crypto now.
Steps To Reproduce#<<lonewolfis_com.-genssl.cmd >>
openssl req -new -config lonewolfis_com.cnf -keyout lonewolfis_com.key -out lonewolfis_com.csr
#(lonewolfis_com.cnf)
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = SHA-3
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = lonewolfis.com
emailAddress = mike@lonewolfis.com
O = Lonewolf Information Systems Services LLC
L = Indianapolis
ST = IN
C = US
0.OU= IT/MIS
countryName_default = US

[ req_ext ]
subjectAltName = DNS:lonewolfis.com, DNS:lonewolfis.net
Additional Informationhad I used my own ca cert gen in the chain it dose indeed work as a self signed ca.

however I prefer cacert , and if need be am willing to use a notary public on id's etc to get class 3's etc.
TagsNo tags attached.
Reviewed by
Test Instructions

Activities

BenBE

2014-05-04 11:54

updater   ~0004772

Please provide the final specification for SHA-3. AFAIK this has not been finalized yet nor is it implemented anywhere in a reasonably stable environment.

Furthermore: SHA-2-512 should provide more than enough collission resistence for most applications you would protect by 1000€.

necrose99

2014-05-04 15:54

reporter   ~0004773

http://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided
http://crypto.stackexchange.com/questions/7895/weaknesses-in-sha-256d

Their are means to weaken a webapp , and inject into the cipher known values.

IE "Mary had a little lamb" or the like . Pre-pending and side channel
"The magical cryto dust and the webapp is safe"........
nope not really , You could have the best encryption tech , Implementation Implementation ah yes Implementation......
nothing Like Pen-testing to start the day......
http://www.wgu.edu/online_it_degrees/information_security_assurance_degree
With CEH & CHFI included.
https://www.owasp.org/index.php/Indianapolis
Spider Labs @ Trustwave. https://www.trustwave.com/Services/SpiderLabs-Services/

The topic of the Day was Breaking the "magical Crypto dust" and p'owning the database. this guy {@Spider Labs}Guest speaker has quite a number of practical pen-tests more than I for the year .
I just try to keep my servers safe.
however getting the both keys from DB hacks on a pen-test is well gold.
alot of his local customers use the Crpto very poorly oracle attacks, etc.

http://keccak.noekeon.org/ https://github.com/gvanas/KeccakCodePackage
Keccak has been selected as the SHA-3 standard:
http://csrc.nist.gov/groups/ST/hash/sha-3/
Elliptic Curve Diffie-Hellman
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
sha3 forces the IT Security auditor away from the usual URL encoding attacks.

since most of the tools will not regenerate the keys.

It's not Likely that Most will break Sha2-512.

but I'm Paranoid enough to rather go for SHA3-512 as it's not susceptible to most of the usual attacks.
 
the other aspect is quantum computers , the usual rules of thousands of years to reverse keys do not apply. http://security1.win.tue.nl/~bskoric/physsec/files/slides_10_Shor.pdf
http://rt.com/usa/quantum-computer-nsa-encryption-100/


No one yet offers PKI with SHA-3-512 , not a one.
But I doubt seriously that The NSA bedfellows hear will Issue SSL-SHA-3-512 keys anytime soon.

I'd love to really stick it to em buy deploying PKI SSL-SHA3 as an option now than latter. even if experimental , I'd rather test now see it's Considerably more or Less secure, and see if it holds water. if it dose , then make it available before anyone else dose.

I Don't care for politics, But I do care for Privacy and FREEDOM,
I'm not to sure on the commercial PKI Key places here in the USA of late.
Just with Crappy Crypto being touted as king and sold commercially here.....with a side order of NSA....
I'm also Partly Native American.and an US Army Vet....sure you CAN trust Your Government.... Epic Fail.....

As a Security Analyst/Specialist it Pays to be Paranoid , in fact it's job security.

That being said hopefully the trust in making sha3 available for testing advances.

Issue History

Date Modified Username Field Change
2014-04-16 00:19 necrose99 New Issue
2014-04-29 22:44 MartinGummi Priority high => low
2014-05-04 11:54 BenBE Note Added: 0004772
2014-05-04 11:54 BenBE Status new => needs feedback
2014-05-04 15:54 necrose99 Note Added: 0004773
2014-05-04 15:54 necrose99 Status needs feedback => new