[6709] in cryptography@c2.net mail archive
How to avoid those pesky crypto security measures
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Mar 3 22:04:16 2000
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Sat, 4 Mar 2000 15:54:39 (NZDT)
Message-ID: <95213847906726@kahu.cs.auckland.ac.nz>
An except from Microsoft Knowledge Base Article Q228786:
-- Snip --
Sometimes it is convenient to export/import plain text session keys. However,
the Microsoft Cryptographic Providers (Base and Enhanced) do not support this
feature, for which both CryptExportKey() and CryptImportKey()require a valid
key handle to encrypt and decrypt the session key, respectively. But, by using
an "exponent-of-one" private key the same effect can be achieved to "encrypt"
and "decrypt" the session key.
Since the exponent of the key is one, both the encryption and decryption do
nothing to the plain text, and thus essentially leave the session key
unencrypted.
Sample code below illustrates how to implement this feature:
-- Snip --
I don't know what's more scary, the fact that their CSP will accept an
obviously invalid RSA key, or that they have an article telling you how to
bypass the CSP's (ahem) "security". I love the creative way that "gaping
security hole" has been redefined as "feature" too :-).
Peter.
