Finding flaw in cryptographic protocol

Clash Royale CLAN TAG#URR8PPP

up vote
3
down vote

favorite

2

If you find a flaw or bug for example in Linux kernel you can create an issue in GitHub, or if you can solve it you can contribute.

How about Finding a flaw in cryptographic protocol?!

• How can you report it or flag an issue?


• If you can fix it, is it possible to contribute?

encryption

share|improve this question

asked 5 hours ago

R1w

562222

add a comment | 

up vote
3
down vote

favorite

2

If you find a flaw or bug for example in Linux kernel you can create an issue in GitHub, or if you can solve it you can contribute.

How about Finding a flaw in cryptographic protocol?!

• How can you report it or flag an issue?


• If you can fix it, is it possible to contribute?

encryption

share|improve this question

asked 5 hours ago

R1w

562222

add a comment | 

up vote
3
down vote

favorite

2

up vote
3
down vote

favorite

2

2

If you find a flaw or bug for example in Linux kernel you can create an issue in GitHub, or if you can solve it you can contribute.

How about Finding a flaw in cryptographic protocol?!

• How can you report it or flag an issue?


• If you can fix it, is it possible to contribute?

encryption

share|improve this question

asked 5 hours ago

R1w

562222

If you find a flaw or bug for example in Linux kernel you can create an issue in GitHub, or if you can solve it you can contribute.

How about Finding a flaw in cryptographic protocol?!

• How can you report it or flag an issue?


• If you can fix it, is it possible to contribute?

encryption

encryption

share|improve this question

asked 5 hours ago

R1w

562222

share|improve this question

asked 5 hours ago

R1w

562222

share|improve this question

share|improve this question

asked 5 hours ago

R1w

562222

asked 5 hours ago

R1w

562222

asked 5 hours ago

R1w

562222

562222

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
2
down vote

First of all, if the protocol is under use, you have to warn them before publicly announce. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

1. Example RSA Dual_EC_DRBG .


2. Example Heartbleed Bug
   

share|improve this answer

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

add a comment | 

up vote
1
down vote

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) market in vulnerabilities and zero day exploits. All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. It's to protect the children too. Or so the ideology goes. See US NOBUS policy.

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
  – R1w
  3 mins ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62847%2ffinding-flaw-in-cryptographic-protocol%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote

First of all, if the protocol is under use, you have to warn them before publicly announce. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

1. Example RSA Dual_EC_DRBG .


2. Example Heartbleed Bug
   

share|improve this answer

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

add a comment | 

up vote
2
down vote

First of all, if the protocol is under use, you have to warn them before publicly announce. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

1. Example RSA Dual_EC_DRBG .


2. Example Heartbleed Bug
   

share|improve this answer

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

add a comment | 

up vote
2
down vote

up vote
2
down vote

First of all, if the protocol is under use, you have to warn them before publicly announce. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

1. Example RSA Dual_EC_DRBG .


2. Example Heartbleed Bug
   

share|improve this answer

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

First of all, if the protocol is under use, you have to warn them before publicly announce. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

1. Example RSA Dual_EC_DRBG .


2. Example Heartbleed Bug
   

share|improve this answer

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

share|improve this answer

share|improve this answer

edited 4 hours ago

edited 4 hours ago

edited 4 hours ago

answered 5 hours ago

kelalaka

711214

answered 5 hours ago

kelalaka

711214

answered 5 hours ago

kelalaka

711214

711214

add a comment | 

add a comment | 

up vote
1
down vote

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) market in vulnerabilities and zero day exploits. All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. It's to protect the children too. Or so the ideology goes. See US NOBUS policy.

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
  – R1w
  3 mins ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) market in vulnerabilities and zero day exploits. All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. It's to protect the children too. Or so the ideology goes. See US NOBUS policy.

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
  – R1w
  3 mins ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

up vote
1
down vote

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) market in vulnerabilities and zero day exploits. All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. It's to protect the children too. Or so the ideology goes. See US NOBUS policy.

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) market in vulnerabilities and zero day exploits. All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. It's to protect the children too. Or so the ideology goes. See US NOBUS policy.

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

share|improve this answer

share|improve this answer

answered 16 mins ago

Paul Uszak

6,08111332

answered 16 mins ago

Paul Uszak

6,08111332

answered 16 mins ago

Paul Uszak

6,08111332

6,08111332

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
  – R1w
  3 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
  – R1w
  3 mins ago
  

  
  
  
  

I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
– R1w
3 mins ago

I confused how legal is to sell zero-day exploit and what is the difference between selling it to those people or in darknet?
– R1w
3 mins ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62847%2ffinding-flaw-in-cryptographic-protocol%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email