[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hidden WebTV signatures

Peter Gutmann writes:

> For those of you who don't read sci.crypt, Robert Ames <[email protected]> has 
> posted an article in which he observes that all WebTV posts contain an 
> X-WebTV-Signature: line containing base64-encoded data.  For samples of 
> WebTV-generated posts, try the alt.weemba newsgroup, which is filled with 
> WebTV-user drool (caution: remember to employ protection when exposting your 
> mind to the content of the messages).  Some samples:
> X-WebTV-Signature: 1
>         ETAsAhQDqtur/jfleJ2CDOnNrVoeyALEQAIUOQyCBbzjx5HHfxeMERDgCjztXOU= 
> X-WebTV-Signature: 1
>         ETAtAhUAmCCzQt+Tqt6fNX+L9+gDCECaqQkCFA0YCPz5tk85mUgq7iX/u4vWvOgG 

Could someone grep their news spool for a few hundred of these signatures
and post them here?  We can do statistical analysis on them and determine
whether they all appear to be modulo the same q value.

> These decode into ASN.1-encoded DSA signatures, eg:
>    1 30   45: SEQUENCE {
>    3 02   21:   INTEGER
>             :     00 98 20 B3 42 DF 93 AA DE 9F 35 7F 8B F7 E8 03
>             :     08 40 9A A9 09
>   26 02   20:   INTEGER
>             :     0D 18 08 FC F9 B6 4F 39 99 48 2A EE 25 FF BB 8B
>             :     D6 BC E8 06
>             :   }
> for the second one.  The key isn't included in the header, presumably the 
> @webtv.net address can be tied to the hardware which contains some hardcoded 
> DSA key.  I wonder if WebTV users know they're signing each message they send?

If they are DSA signatures, they should all be mod q, where q is some 160
bit prime.  Whether everyone uses the same key or different keys, they
probably all share p and q.  In that case the histogram of the values should
be flat up to a cutoff point.  We need to collect some hundreds of these
values in order to distinguish them from random 160 bit values.

The largest q value found in a dozen or so alt.weemba messages from
dejanews started with 0xc0, so q must be at least this large if they
are DSA sigs.  This amount of data was not sufficient to distinguish
from alternate theories, such as that each person has a random 160 bit q.