[Forwarded from RUH8]
I watched the panel "Safe and accessible digital power. Myth or reality?" https://youtu.be/wKSrKodzBSk The discussion became much livelier in the second part, and I was interested in the answer the deputy head of the state telecommunications agency gave about "Biden Joe".
In case anyone has forgotten, in June Vitaliy wrote a petition to the president calling for the immediate dismissal of garbage dick Tatarov. The petition was briskly gaining votes. And instead of answering something along the lines of "your opinion is very important to us", the pooch's house on Bankova launched a vigorous effort to find any violations in the voting. And finally the vote of "Biden Joe", born in 1942, appeared under the petition.
The thing is, while anyone could register on the petition site before, by the time of the "Biden" episode it was possible to log in exclusively through Icel ICT, the same entry point that Diia uses.
There are several options there: either a digital signature or Bank ID. The fake Biden logged in using a PrivatBank digital signature. There is no complaint against Privat; it is the victim here. All this outrage, of course, jeopardizes every Internet service of the state without exception. If it is possible to certify keys for "Biden Joe", then in the same way it is possible to get certificates for any name.
And the Olympics of lies began. "Expensive hacking attacks." "Key manipulation." And now the lies have taken shape in a more coherent concept, which was voiced by Mr. Potiy.
Allegedly, the software that uses ICEL contained a vulnerability, and X.509 certificates were checked by some "simplified scheme", which allowed unknown people to identify themselves under a false name on the petition site. But supposedly you can't sign anything with such a "signature", because it was used for identification, not for signing documents. I will now translate the techno-blah-blah into plain language.
It's very simple. A digital signature consists of two keys, a public key and a private key. Since nothing in the numbers themselves says that they are yours, those numbers need to be associated with you somehow. To do this, you need a certificate: a digital document that says that public key X belongs to citizen Biden Joe, RNOKPP 1566450018. The data is signed with the secret key of ACSK PrivatBank, which swears on its mother that it checked the passport of a simple Ukrainian pensioner named Joe and that all the data were entered correctly. Checks by the DSSSZl did not find any violations in the work of ACSK PB.
How is identification by digital signature done? Alice uploads her public key certificate, and Bob has to check the ACSK signature on it and make sure that the key has not been revoked. But a public key is called public for a reason: there is no point in hiding it, so Alice has to prove to Bob that she knows the paired secret key. Bob comes up with a random number and sends it to Alice. Alice signs the random number with her secret key and sends it back to Bob. This is the proof that Alice knows the secret key. Bob verifies the signature with Alice's public key.
So the claim that you can't "sign anything" with Biden's key is just a lie. You either know the secret key or you don't.
Mr. Potiy, vulnerabilities in government systems are precisely the job of CERT-UA and the State Service of Special Communication and Information Protection. As it happens, I instinctively distrust the words of officials, especially when they are wrapped in technical abbreviations poorly understood by most citizens. A vulnerability, you say? Fixed, you say? Show it to me. Where was the vulnerability? How was it fixed? Post the diff. It's not just about ICEL. I'm familiar enough with math and programming to appreciate the work done.
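The identification exchange described in the post (Bob checks the issuer's signature on the certificate, then has Alice sign his random number), as an added Go example that is not code from the post or from any government system. Ed25519 keys, the "Example CA", and the names `issue` and `Identify` are assumptions of this example, and the revocation lookup Bob also needs is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds pub to name in a certificate signed by caKey; a nil parent yields a self-signed CA root.
func issue(name string, pub ed25519.PublicKey, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Identify is Bob's side: it returns the certified name only if both checks pass (revocation lookup omitted).
func Identify(root, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil { // 1: CA signature on the certificate
		return "", fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) { // 2: nonce signature
		return "", fmt.Errorf("no proof that the sender holds the private key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // constructed demo CA, not a real issuer
	root, _ := issue("Example CA", caPub, nil, caKey)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ := issue("Alice", pub, root, caKey)
	nonce := make([]byte, 32)
	rand.Read(nonce) // Bob's fresh random challenge, sent to Alice
	fmt.Println(Identify(root, cert, nonce, ed25519.Sign(key, nonce)))
}
```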