Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago

Earlier this month, I made fun of a company called Crown Sterling, for...for...for being a company that deserves being made fun of.

This morning, the company announced that they "decrypted two 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer." Really. They did. This keylength is so small it has never been considered secure. It was too small to be part of the RSA Factoring Challenge when it was introduced in 1991. In 1977, when Ron Rivest, Adi Shamir, and Len Adelman first described RSA, they included a challenge with a 426-bit key. (It was factored in 1994.)

The press release goes on: "Crown Sterling also announced the consistent decryption of 512-bit asymmetric public key in as little as five hours also using standard computing." They didn't demonstrate it, but if they're right they've matched a factoring record set in 1999. Five hours is significantly less than the 5.2 months it took in 1999, but slower than would be expected if Crown Sterling just used the 1999 techniques with modern CPUs and networks.

Is anyone taking this company seriously anymore? I honestly wouldn't be surprised if this was a hoax press release. It's not currently on the company's website. (And, if it is a hoax, I apologize to Crown Sterling. I'll post a retraction as soon as I hear from you.)

EDITED TO ADD: First, the press release is real. And second, I forgot to include the quote from CEO Robert Grant: "Today's decryptions demonstrate the vulnerabilities associated with the current encryption paradigm. We have clearly demonstrated the problem which also extends to larger keys."

People, this isn't hard. Find an RSA Factoring Challenge number that hasn't been factored yet and factor it. Once you do, the entire world will take you seriously. Until you do, no one will. And, bonus, you won't have to reveal your super-secret world-destabilizing cryptanalytic techniques.

EDITED TO ADD (9/21): Others are laughing at this, too.

EDITED TO ADD (9/24): More commentary.

EDITED TO ADD (10/9): There's video of the "demo." And some history of Crown Sterling's CEO Robert Grant.

Posted on September 20, 2019 at 12:50 PM • 56 Comments

Comments

MarkHSeptember 20, 2019 2:14 PM

The first Crown Sterling post in this blog received a comment earlier in the week, which unfortunately was soon deleted, so I only saw it one time.

It appeared to be an invitation to a demonstration, presumably the one that just took place. The bottom of the comment was signed Robert E. Grant, though the "Name" field at the top was something like "James Doe" ... which seemed especially odd, because their lawsuit for "booing" at Black Hat names several Doe defendants!

I thought the invite was probably genuine, which prompted two reactions:

1. These guys have a lot of stones, posting this in a place where they had just been trashed up hill and down dale.

2. The invite said something like (rough paraphrase) there will be an independent person/agency present to confirm that we're really doing it.

I haven't a clue who attended ... but if a crypto geek were present, s/he could have pointed out that presenting a factor of previously unsolved large RSA challenge number would prove that they had made an advance, without any need for an "independent" auditor.

I'm a bit surprised that their demonstration was so pathetic ... but really, what else could they show?

For me, the drama of this is, "how much farther will these guys push this?"
____________________________________

@Anders:

Probably they have solved ROTx for values of x which are squares of primes, and are working on solutions for the other 23 variants!

Dave C.September 20, 2019 3:11 PM

I would recommend someone publishing an N on this website where N = pq and p and q are both 1024 bit primes and seeing if they can factor that.

Vesselin BontchevSeptember 20, 2019 3:50 PM

LULZ. No, Bruce, they didn't demonstrate even that. They didn't factor it on a laptop - or it would have taken a couple of minutes, instead of 50 seconds. Nope, the laptop was used only as a terminal to SSH to an AWS instance with 32 cores and 200 Gb of RAM. Also, they didn't use their own oh-so-advanced method - they used an open source factoring program that implements the NFS factoring method. (They used CADO-NFS, to be precise.)

Oh, and they took down from YouTube the video of the press conference where all these facts can be easily seen.

They are frauds, trying to scam investors.

Dave C.September 20, 2019 3:50 PM

@ Anders - thanks!!

Try factoring this:
5,998,490,465,869,535,958,493,457,351,726,585,769,768,780,414,997,827,819,458,162,457,365,131,278,468,842,516,733,150,612,150,020,222,444,199,271,535,713,836,705,106,165,363,816,940,972,785,296,134,153,108,270,095,125,037,429,065,753,489,390,743,788,249,433,982,879,002,728,397,181,012,226,608,631,723,752,258,738,079,635,407,385,665,857,943,917,136,911,564,807,480,973,854,047,760,344,144,861,445,967,101,625,999,152,002,875,057,899,164,813,532,726,121,437,267,279,809,037,677,032,771,686,333,393,479,670,023,626,669,656,286,448,596,616,752,216,293,521,499,749,737,800,846,524,363,691,459,902,238,665,732,702,744,582,185,179,531,226,365,443,974,338,304,593,978,784,281,864,220,016,019,189,495,513,322,532,654,236,388,570,230,078,722,101,944,994,358,570,309,218,509,180,305,727,137,122,851,736,117,179,378,654,706,701,977

I have the two primes p and q which are both 1024 bits

TatütataSeptember 20, 2019 4:14 PM

Meanwhile...

As reported in the German broadsheet Der Tagesspiegel, quoting Numberphile, a solution was found by University of Bristol researcher Andrew Booker for the equation k = x³ + y³ + z³, with k taking the very very very special value of 42, which in addition for its profound philosophical meaning, was until now the last remaining number below 100 which could not be expressed as the sum of three cubes. According This search had begun in 1954. This solution was found on a fairly serious piece of hardware.

Here we go:
42 =
80435758145817515^3+
12602123297335631^3-
80538738812075974^3

The number 3 will be revisited to see if there are interesting solutions beyond the trivial 1³+1³+1³ and 4³+4³-5³. Above 100, the next candidate is 114.

Now that's some really interesting number gazing.

TatütataSeptember 20, 2019 4:43 PM

My big fat greasy fingers flubbed. (I wore off today my all my motor skills reserve trying to navigate a tiny weeny touch screen UI on a scanner machine at the public library.) This time should be right.

If these folks want a challenge, maybe they could crack some public keys of famous people or institutions.

So, as I wrote: Meanwhile...

As reported in the German broadsheet Der Tagesspiegel, quoting Numberphile, a solution was found by University of Bristol researcher Andrew Booker for the equation k = x³ + y³ + z³, with k taking the very very very special value of 42, which in addition for its profound philosophical meaning, was until now the last remaining number below 100 which could not be expressed as the sum of three cubes. According This search had begun in 1954. This solution was found on a fairly serious piece of hardware.

Here we go:
42 =
80435758145817515^3+
12602123297335631^3-
80538738812075974^3

The number 3 will be revisited to see if there are interesting solutions beyond the trivial 1³+1³+1³ and 4³+4³-5³. Above 100, the next candidate is 114.

Now that's some really interesting number gazing.

DavidSeptember 20, 2019 4:53 PM

@Andres
> I'm waiting their press release where they state they can break Caesar cipher!

Funny. But sadly, many decision makers will be wooed by these statements and buy their product. We all think that this company is horrible, but we’re not their PR target: it’s the idiots with the finger on the Purchase Order button.

RonnieSeptember 20, 2019 4:57 PM

A sceptical report on Ars Technica.
https://arstechnica.com/information-technology/2019/09/medicine-show-crown-sterling-demos-256-bit-rsa-key-cracking-at-private-event/

This was funny

In a blog post earlier this month, security expert and Harvard Kennedy School lecturer Bruce Schneier declared, "Crown Sterling is complete and utter snake oil." Grant laughed at the term, telling Ars he had ordered bottles of Pride of Strathspey Scotch Whisky with custom "snake oil" labels.

SpaceLifeFormSeptember 20, 2019 6:09 PM

@Dave C, @Anders

The site says that they have 100% confidence that the randomly generated numbers are prime.

Have doubts. Serious doubts.

As the site mentions, they gen random, test for primality, if fail, decrement by 1, repeat.

This is fail.

First, you gen random, and make sure it is plus or minus 1 mod 6.

No reason to do decrement by 1 until primality test passes.

One would decrement by 6, not 1.

Also, Primality tests are *NOT* reliable.

Do not use any semiprime from the site for your own encryption keys!

They have the factors!


Sed Contra September 20, 2019 6:47 PM

Is there any connection between this company and Memcomputing? Both make extraordinary claims using high-concept language. Maybe these extremes are common in California. Just wonderin’ ...

Clive RobinsonSeptember 20, 2019 10:55 PM

@ Dave C.,

I am an impartial source. Why would you think otherwise?

Hmm as there are no sarcasm tags I'll bite.

@andy is not actually saying you are not, such is the joy of the impreciseness of the english language it might appear so.

The point he is making is about "hidden knowledge" that certain supposadly "trusted sources" abbused. That is the NSA[1], RSA[2] Juniper[3] either came up with a backdoored system or pushed it into their products as defaults to steal their customers security.

There is a problem with "redundancy" with multiplying two primes which was mentioned in a single sentence in an accademic paper back in 1980. This gave rise to Adam Young and his academic supervisor Moti Yung coming up with a series of ideas that give rise to the cryptovirology and cryptokleptography domains of endevor. Later others work led Niels Ferguson to postulate that it was possible to build a backdoor into certain types of algorithm. People went looking and found it to be not only true but that the NSA had pushed it into a NIST standard. Then further looking found that RSA had taken money to push the bad algorithm in their productsvas the default, and Juniper Networks products were found to have a similar backdoor built in as the default...

You might have heard of the Blum Blum Shub (BBS) generator. It is a pseudorandom number generator proposed by Lenore Blum, Manuel Blum and Michael Shub back in 1986. It is based one Michael Rabin's earlier work for a secure one-way function.

The BBS generator has the simple form of X[n+1] = X[n]^2 mod M, where M = pq is the product of two large primes p and q where the bottom two bits are set. There are proofs of it's security under certain conditions. Unfortunately the work of Adam Young and Moti Yung can be used to break those conditions. I once wrote some code that did just that and one or two related and some more obvious "backdoors" as an overwhelming "insider attack"[3]. Just to prove a point about why "code reviews" don't work when a programmer knows something the code reviewer does not, which more often than not was the case at the time. Unfortunatly it still is the case in any number of closed source companies, where the managment view is "the quick young people abroad cut the code" as they are dirt cheap in "Sweatypoor", and "old team leaders who now manage rather than code do the code reviews" untill we kick them out as they get in the way of improved quarterly figures...

[1] https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/dualec_in_x982_and_sp800-90.pdf

[2] https://arstechnica.com/information-technology/2013/12/report-nsa-paid-rsa-to-make-flawed-crypto-algorithm-the-default/

[3] Juniper Networks remained more or less closed lipped on how the back door got in their code base. They did however imply it had been somehow attacked potentially by an insider, before jumping on the politicaly popular "reds under the bed" line of Russia or China. Others hold the view it was the NSA's handy work, although there is not photographic evidence as was the case with some Cisco kit being supply chain attacked,

https://null-byte.wonderhowto.com/news/what-really-happened-with-juniper-networks-hack-0167439/

Clive RobinsonSeptember 20, 2019 11:51 PM

@ Ronnie,

This was funny

It's actually funnier than it first looks.

Although "Pride of Strathspey" costs around $4800/litre $320/nip, for the 1946 it's not what you might think from the lable anyway,

https://www.thewhiskyvault.com/ekmps/shops/c1207730/images/pride-of-strathspey-1946-41-year-old-gordon-macphail-bottling-10431-p[ekm]1200x1200[ekm].jpg

Gordon & MacPhail of Elgin, are a very well respected firm of "independent bottlers" not "distilers" and their "Pride of Strathspey" is actually an old series of bottlings of a Macallan single malt whisky.

As a single malt it's OK but there are considerably less over priced single malts I actually prefer on taste. If you want to get the best of it then sip from a gold Quaich[1] or gold rimmed lead crystal glass at body temprature.

So Pride of Strathspey like, Robert Grant's demonstration is realy "not what it says on the lable" ;-)

[1] A Quaich is a Scottish "Cup of Friendship" that can be made from a number of metals. However the surface of pure gold --so plate works as well as solid-- has the ability to change the flavour of what is being consumed slightly and this complements many malt whiskies and game (I've not tried it with porridge/oatmeal though ;)

AlexSeptember 21, 2019 12:53 AM

Does this bring back memories of Distributed.net running on Pentium Is or IIs with the cow mooing sound effects every time it finshed a task?

Dave C.September 21, 2019 10:33 AM

@Clive Robinson

Well my challenge still stands. I am not affiliated with their company and don't plan on publishing the factors. If they can publish the factors it MAY mean they have something worth taking a closer look at. Until that time probably not.

Dave C.September 21, 2019 11:03 AM

In looking at the parameter to the function IsProbablyPrime the value 1 was used. This means the probability of my primes being composite is 1/2. Not good. Need to run their code with a value much higher like 128.

AC2September 21, 2019 1:14 PM

Some real gems in the YouTube video...

Pity they didn't include the latter half where they described the math that would allow them to factor 2048 bit "very rapidly"...

maqpSeptember 21, 2019 1:39 PM

From the press release

The paper includes four different geometric and arithmetic methods for public key (semiprime) factorization and one of the methods titled, “The Reciprocal Factoring Method” includes an analysis of reciprocal values of public keys and their embedded private keys (prime factors) found within their period decimal extensions.


“Today’s decryptions demonstrate the vulnerabilities associated with the current encryption paradigm,” said Grant. “We have clearly demonstrated the problem which also extends to larger keys.”

This absurd algorithm is something I dissected in the previous blog post https://www.schneier.com/blog/archives/2019/09/the_doghouse_cr_1.html#c6798668

Clive RobinsonSeptember 21, 2019 2:04 PM

@ Dave C.,

Well my challenge still stands.

That's fine as far as I'm concerned.

But there are a couple of things that will come up.

Firstly, if they succeed in a reasonable time, the question of some kind of collusion arises.

Secondly, if they can not produce p & q in a reasonable time especially if they know they can not do it, they can raise questions about what you did in the way of input.

Whilst the second is not of particular interest you can set up a basic set of ground rules you could publish and ask two or more independent monitors to over see that you adhear to it.

The first is potentially of real interest because it could involve a hidden back door which would be quite topical to say the least of it. Especially when you could in fact set up a set of ground rules that would pass anyone checking them and pass the independent monitors over sight...

Put simply there are a couple of basic ways to generate P and q.

1, For each prime start with a randomly generated number of aproximately the correct size, then increment or decrement from it checking for valid primenes. Stoping when not only do you have two valid primes the product is also valid.

2, Just generate one prime from a start point and increment / decrement till it's a valid prime. Then take the required product size and divide by the valid prime and use that as the start point to find the second valid prime and final valid multiple.

The first is in effect a random process the second a determanistic process.

However as you would be using a computer to do the increment/decrement and check for validity you could apparently do the first whilst doing the second.

It's thus fairly easy to see how you could hide a bit of code to change the random number up to a starting point that is a multiple of a secret number then search from their for a valid prime.

Knowing what the secret is those alegedly factoring for the primes actually just search for valid primes from one of several start points based on the multiples of the secret number.

The result is they have a small search space for a valid prime then they just factor the product with each valid prime they generate untill they get the other valid prime...

There are a whole multitude of other tricks that you can do simply due to the very high level of redundancy in M where P and Q are valid primes.

It's why such chalenges are effectively meaningless unless the generating process is very strongly audited. Just having P or Q is insufficient to check for whole swaths of collusion tricks.

Have a look at the work of Adam Young and Moti Yung, if you want to see a few,

https://en.m.wikipedia.org/wiki/Kleptography

SpaceLifeFormSeptember 21, 2019 2:10 PM

@Dave C

"Maybe we could also use openssl to do this using a good entropy source."

LOL

I prefer the curve on lava lamps.

maqpSeptember 21, 2019 3:14 PM

@Vesselin Bontchev, all

The cado-nfs debug messages can still be seen on the video:
https://www.youtube.com/watch?v=uEVJrQEVd0I#t=7m45s

Info:root: Set tasks.threads=32 based on detected logical CPUs

The amount of RAM is also being displayed.

Was that not the same press conference video? If not, what was on the other video?


Nicholas Weaver noticed this but I'm not sure if he was the first one:

https://twitter.com/ncweaver/status/1175493814296858624

Finally, gotta appreciate the sense of humor from the maintainer of the satire repository:

https://github.com/CrownSterlingIO/SemiPrimeFactorization/commit/b43ea3cce3a37024c077456e33e43190434c7028

Dave C.September 22, 2019 10:50 AM

@SpaceLifeForm
Actually FIPS versions of openssl are used in many types of network security products to generate RSA and other keys.

SpaceLifeFormSeptember 22, 2019 2:24 PM

@Dave C

Again, LOL.

"Actually FIPS versions of openssl are used in many types of network security products to generate RSA and other keys."

Big deal. FIPS is NIST, and OpenSSL is a stinking pile of crap. There is a reason that LibreSSL does not support FIPS.

If you want to support backdoored code and trust the U.S. Government, go ahead, especially if your job depends upon it.

Note the difference in the build systems for OpenSSL and LibreSSL.

OpenSSL has it's own customized build system, does not use AutoTools or LibTool.
Has special magic header and config files.

LibreSSL uses AutoTools and LibTool.

Here's a clue from

https[:]//wiki.openssl.org/index.php/Compilation_and_Installation

"OpenSSL uses a custom build system to configure the library. Configuration will allow the library to set up the recursive makefiles from makefile.org. Once configured, you use make to build the library. You should avoid custom build systems because they often miss details, like each architecture and platform has a unique opensslconf.h and bn.h generated by Configure."

Parse that very carefully.

Note the disconnect about 'custom build systems'.

The message is: Trust *OUR* custom build system, but don't do it yourself.

LibreSSL said NO, we are not buying.

Dave C.September 22, 2019 6:43 PM

@SpaceLifeForm
I can see where you are coming from and so there is a fundamental area of disagreement which is not worth my time to argue with.

mishehuSeptember 23, 2019 3:00 AM

@SpaceLifeForm

The build system is not in of itself a sign of the trustworthiness of a codebase. If you have anything to actually substantiate your claims, I'll have to ask for citations please. Otherwise you are simply spreading FUD. Complaining that the project doesn't use libdrool and autoheadache is meaningless.

1&1~=UmmSeptember 23, 2019 6:22 AM

@mishehu:

"The build system is not in of itself a sign of the trustworthiness of a codebase."

Nor is the opposite.

OpenSSL has to put it politely a checkered path.

Mathew Green said of it,

    The good news is that it’s relatively easy to tamper with an SSL implementation to make it encrypt and exfiltrate the current RNG seed. This still requires someone to physically alter the library, or install a persistent exploit, but it can be done cleverly without even adding much new code to the existing OpenSSL code. (OpenSSL’s love of function pointers makes it particularly easy to tamper with this stuff.)

That is it has been written in a deliberately poor way that facilitates attacks.

But you might also want to consider why LibreSSL came to be when for years OpenSSL was the only game in town for virtually everybody. From an arstechnica article the lead paragraph said,

    OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

And quoted him saying,

    "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers"

Which in of it's self implies the OpenSSL code base was at best poorly maintaind and thus questionable at best. Theo has a reputation for honesty and good security code assesment as does the team of software developers he heads up. Theo went on to say,

    "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

Whilst it is possible to have security with out clarity in the source code, it usually does not work that way. Similar with the cleanliness of the source code base. The article went on to say,

    "When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

So the suspect cruft which was in part ancient history which should have been cleaned up by the developer but for various reasons he did not... Oh and of course in part that comment about "Thousands of lines of FIPS support, which downgrade ciphers" is again not what you want in a security product.

But what happened between Mathew Green's comment and Theo de Raadt's?

You could "go and follow the money" as the old saying has it but to save you the time it was "Heartbleed" that is described in another article with,

    "Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data."

That is 66% of webservers were vulnerable. Worse most Internet users at the time went to such broken web servers. This was because as OpenSSL Software Foundation President Steve Marquess said,

    "I’m looking at you, Fortune 1000 companies," Marquess wrote. "The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications."

You can read up further about Heartbleed, but put simply people started to dig into OpenSSL and a whole can of worms came out of it.

Some quite pointedly suggested that the NSA had been behind the alleged "bug" due to various reasons.

The point is OpenSSL had strayed well off the path of what was considered sensible software practice and as a result most users of the Internet had become exposed to a significant security risk that some had assumed was at the hands of the NSA, thus all the traffic over insecure OpenSSL had gone into the NSA vaults...

So the question arises with OpenSSL still not following what some consider sensible software practice, why should they trust it over another development that does?

And the answer is "no reason at all".

As has been pointed out before "You are not a murderer untill you kill someone, then there is no turning back". We can not say if other SigInt enterties had known and used Heartbleed. But we do know that certain SigInt entities have had people murdered over weak Internet security put in place by another US IC entity.

Which raises the question of why anyone should challenge what are for some sensible doubts?

So perhaps you should now do as you ask of others,

If you have anything to actually substantiate your claims, I'll have to ask for citations please. Otherwise you are simply spreading FUD.

I'm sure some people will look forward to reading them, but don't leave it to long, they might get ideas about you...

[1] https://blog.cryptographyengineering.com/2013/12/03/how-does-nsa-break-ssl/

[2] https://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

[3] https://arstechnica.com/information-technology/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

256 < 2048 by quite a bitSeptember 23, 2019 6:24 AM

Two 128 bit primes multiplied looks like:

69,420,827,571,959,709,546,340,695,189,354,893,943,777,501,940,316,291,649,816,713,221,998,382,139,059

Two 1024 bit primes multiplied looks like:

19,343,667,891,781,738,797,370,449,870,396,728,863,202,179,703,682,342,733,967,278,822,480,775,276,979,813,504,845,595,034,120,393,370,152,899,748,537,330,898,548,017,116,175,240,963,843,867,106,157,651,562,938,898,587,956,984,439,585,038,390,081,531,059,793,636,342,757,112,708,239,493,995,608,005,284,452,393,526,826,826,070,437,900,649,990,778,255,928,880,967,794,060,642,207,210,135,237,248,313,591,984,445,102,205,903,536,129,280,729,693,873,645,010,158,968,436,202,325,737,975,359,495,133,351,478,385,069,986,802,247,946,708,263,098,835,744,821,961,101,805,321,686,249,554,702,982,917,404,602,650,552,634,211,721,543,194,027,909,462,103,211,831,759,214,437,760,483,022,798,117,868,041,446,071,398,803,987,275,533,080,729,349,251,435,281,331,126,580,312,335,348,000,444,123,257,382,275,855,627,368,919,052,416,438,211

Just a tad harder.

Keep making fun of these fraudsters: Clown Turdling

Vesselin BontchevSeptember 23, 2019 6:46 AM

@maqp, sorry I don't understand what you are asking.

Yes, this was the press conference video. As I said, it shows that they did not factor the number on a Mac laptop but instead used the Mac to SSH (look carefully at the top line of the screen, slightly to the right of the center) to a machine with 32 cores and around 200 Gb RAM (the first and the sixth lines displayed by the program). It's not even their tool, it's CADO-NFS.

The really funny part is that my student managed to factor the first number used in their demonstration (that took them 51 seconds to factor) on a laptop with a 4-core CPU using the YAFU utility and the Quadratic Sieve factoring method (SIQS) in just 43.8794 seconds. No need for 32 cores, LOL.

JeremySeptember 23, 2019 7:43 AM

@1&1~=Umm -

Two assertions in your post caught my eye:

Thousands of lines of FIPS support, which downgrade ciphers almost automatically.

Attributed to Theo de Raadt.


But we do know that certain SigInt entities have had people murdered over weak Internet security put in place by another US IC entity.

Your own assertion.


Can you direct me to discussion of either?

Clive RobinsonSeptember 23, 2019 9:16 AM

@ Jeremy,

I've linked to the ARStechnica artickes that Theo was quoted in.

As for the deaths it was CIA sources in China and Iran,

This was when the deaths were first reported but the cause unknown,

https://www.theguardian.com/us-news/2017/may/20/china-dismantled-cia-spying-operations-new-york-times

This was from when more investigation had been carried out,

https://thefederalist.com/2018/11/07/6-questions-huge-cia-blunder-allowed-enemies-kill-70-u-s-spies/

Dave C.September 23, 2019 9:44 AM

For what it is worth, here is a 2048 bit RSA modulus N generated using OpenSSL 1.0.2f 28 Jan 2016 (not in FIPS mode):

D15AF30AD1BA7722042704BE7301475D0B920ED3B02CDB77205CEC999C2F9B579ECB291C8CF991DA3F2C26994358A18194A749E4A762F97C218317CFB8AD4A66B56FB3EB0138684BC134461E67DE0E7485B71BF0DE37CC5A8FE05068BD226FFD658FC3BC5F5CDE47C53DD4970040A3EE127A5513B8FD53FE7114E18E631B7A3EEF82B542A10746A34747005F0551076FE6CEC8EB8345B420864A38EE9499CCF807FC4E5F86ACAF50C64CE6253C5E737C3F18A33C9FDC54E1481DA11CC09A4FCC857E126B79F195407C18009D0B96F431B5BED63824ACFB280489D2E2386AA8F1C0480B4FA02858100F240F941A5152E0D65285F283FB80F9EF81AFC8984B6D0B

It would be an interesting test for someone to factor this.

DHSeptember 23, 2019 10:30 AM

Bruce, I'm not a cryptographer or mathematician, but I did hear about this company well before their Black Hat snafu. Aside from my initial thought that it was the plot to Sneakers, my only other reply to the person asking about it was to "trust the math." ;-)

SpaceLifeFormSeptember 23, 2019 3:29 PM

@1&1~=Umm

Well said. Besides the issues you pointed to, I still do not like that one needs Perl to do the build. For either OpenSSL *OR* LibreSSL.

That is a dependency that should not exist.

I have not built either recently, but I think I should, and intentionaly break the build at strategic points, to debug.


@mishehu

Nice red herring.

It's about using *trusted* build tools.
Yes, AutoTools and LibTool can be painful at times, I agree.

But, using build tools that autogenerate .h files *BEFORE* compilation, is questionable practice.

What is buried in those header files?

Magic numbers via #DEFINE? Obtained from /dev/urandom during the configure process?

How about magic obfuscated Macros?

How about plain .c code embedded in the .h file?

Does the build process actually bury magic stuff in .h files that magically disappear after the library is built?

Think about that. Hidden magic.

SpaceLifeFormSeptember 23, 2019 5:38 PM

@Clive @Jeremy

It was CIA trying to do double encryption, but they screwed up, big time. Vault7 revealed that. They tried double, but used weak.

@Dave C

Just stop. Really, just stop trying to defend OpenSSL. You are not helping yourself or the country that you are supposed to defend.

Go to Smokey Bones.

Phill Hallam-BakerSeptember 23, 2019 10:11 PM

This irritated me enough to write a piece looking at the claims. It occurred to me that Bruce's snake oil crypto signs are for folk proposing new algorithms. People claiming to have broken existing algorithms create a whole new dimension of crazy.

The biggest problem with the Crown Sterling claims is that they could easily prove they are not full of shit by simply factoring any of the unsolved RSA challenge numbers. That is clearly the threshold criteria for being taken seriously.

But I also looked at how they claim to break RSA and it is roughly a 10^250 worse than the existing known attacks. Which is kinda bad.

https://medium.com/@hallam/getting-rsa-256-bits-wrong-4a9339f2f178

mishehuSeptember 23, 2019 11:03 PM

@SpaceLifeForm -

There is no red herring, only what appears to be a severe misunderstanding on your behalf about build systems. Pretty much all that you listed off is completely independent of whether or not the build system is a custom one or is a common one. Or are you suggesting that it's not possible to things such as populate "magic" numbers derived from /dev/random or /dev/urandom into header files with automake et al or cmake or other common build systems? If that is what you think, you are sadly mistaken about what can and cannot be done with the popular build systems.

You are, of course, free to distrust any software you desure. But for those reasons centering on the build system, I find them to not be valid.

That said, we're digressing from the topic of Crown Sterling's oh-so-sterling claims. Regarding that, I wonder if somebody's just having a lot of fun at Bruce's expense with what may be an elaborate troll. (Perhaps I'm just too cynical?)

maqpSeptember 24, 2019 3:23 AM

@Vesselin Bontchev

sorry I don't understand what you are asking.

You said

Oh, and they took down from YouTube the video of the press conference where all these facts can be easily seen.

I wanted to check if they really did that, but found a video on Crown Sterling's youtube channel where the SSH connection, n/o logical CPUs, amount RAM and the cado-nfs debug message was still showing. So I asked if there was another conference video that was removed, and if, what was there.

So I wasn't e.g. questioning whether the giveaways were present in the first place, but whether there was another video that had even more stuff that was removed.

Thanks for the tip on YAFU, it was really simple to use. I managed to factor the first prime used in Crown Sterling demonstration in time

SIQS elapsed time = 91.8618 seconds.
Total factoring time = 108.1558 seconds

using a 3GHz CPU (single thread).

JurjenSeptember 25, 2019 1:17 AM

I had a look at the paper "Uncovering multiscale order in the prime numbers via scattering". He uses a lot of jargon (mostly from physics) to disguise what he is doing.
Then he discovers that primes in an interval have a periodic pattern using Fourier analysis. He concludes that if you do this accurate enough, you can predict the primes.
Actually, this method of using these patterns to predict primes isn't new. It is called the sieve of Eratosthenes.

WeatherSeptember 26, 2019 1:47 AM

I see why it was hosted at blackhat, with go this social engineering hack we want to try, I'm guessing by the looks it was spot on or miles off course.

Vesselin BontchevSeptember 26, 2019 10:01 AM

@maqp, I understand now; sorry I didn't get it the first time.

They posted the video, but people started making fun of them in the comments, pointing out that they are using CADO-NFS, etc. So, they made the video "private" - i.e., not viewable by the general public. That's when I posted my comment here. Later, they made the video public again (so you can watch it now) - but disabled the ability to comment on it.

maqpSeptember 26, 2019 12:18 PM

@Vesselin Bontchev

Haha. So the same story as was with the first TimeAI video they uploaded: its commenting was also disabled after it received a lot of critique.

SpaceLifeFormSeptember 26, 2019 8:22 PM

The @thepacketrat noted:

So, when I interviewed Robert Grant at Crown Sterling, he said that he had reached out to
@schneierblog about looking at his crypto work, but was told "there was a significant pay-to-play," so he didn't go forward with it.

[Me thinks Robert Grant has some sieving to do to get out of the swamp he created]

Bob SilvermanSeptember 27, 2019 12:57 PM

I was factoring 256 bit numbers back in the mid 80's.

This whole thing is a con.

Bob Silverman

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.