I am doing elliptic curve cryptography with the curve "nist256r1".
Here is the code I am using, also available at pastebin: [https://pastebin.com/mCv0AHj7](https://pastebin.com/mCv0AHj7).
```python
nistp256r1_order = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
nistp256r1_modulus = 2**224 * (2**32 - 1) + 2**192 + 2**96 - 1
nistp256r1_a = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
nistp256r1_b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
nistp256r1_field = GF(nistp256r1_modulus)
nistp256r1 = EllipticCurve(nistp256r1_field, [0,0,0,nistp256r1_a,nistp256r1_b])
nistp256r1_base_x = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
nistp256r1_base_y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
nistp256r1_gen = nistp256r1(nistp256r1_base_x, nistp256r1_base_y, 1)
curve = nistp256r1
curve_order = nistp256r1_order
curve_gen = nistp256r1_gen
CG = Zmod(curve_order)

### These are "inputs" to the system. Only pubkey is known
privkey = CG.random_element()
Q = curve(ZZ(privkey) * curve_gen)

### We generate the necessary malicious generator
kprime = CG.random_element()
kprimeinv = kprime.inverse_of_unit()
Gprime = ZZ(kprimeinv) * Q

### We can now verify that we know a private key corresponding
### to the public key under their generator
newpoint = curve(ZZ(kprime) * curve_gen)
Qprime = curve(ZZ(kprime) * Gprime)
```
When I multiply `kprime` by `Gprime`, the result is `Point1=Point1-1`.
But when I multiply `kprime` by `curve_gen`, I get a false result: `Point1<>Point-3`.
But when I multiply `kprime * Gprime`, I get a true result.
How do I get the result `Point1` after multiplying `kprime` by `curve_gen`?
How should I modify the code, and what needs to be added to it, to find the exact `Point1`
after multiplying `kprime` by `curve_gen`? Maybe the Chinese Remainder is needed?
When I multiply `kprime` by `curve_gen`, I get another point: I do not get the point **Point-1** = (29071217121488582521608171944263315625701615497932907218591416908586258568965, 59574170696980719976515868978945602886682382595455160870729457813974828581902),
but instead get the point **Point3** = (17926030768548235702442204134974018188929283587000768925853022445872051613924 : 31678060064977392800194523884536612241566631842713190224565644256881729064814 : 1).
**Result:**
```
sage: print("Q==Q'", Qprime == Q)
Q==Q' True
sage: print(Qprime.xy())
(29071217121488582521608171944263315625701615497932907218591416908586258568965,
59574170696980719976515868978945602886682382595455160870729457813974828581902)
sage: print(Q.xy())
(29071217121488582521608171944263315625701615497932907218591416908586258568965,
59574170696980719976515868978945602886682382595455160870729457813974828581902)
sage: print(newpoint)
(17926030768548235702442204134974018188929283587000768925853022445872051613924
: 31678060064977392800194523884536612241566631842713190224565644256881729064814
: 1)
```

Duglas
Sat, 08 Aug 2020 14:01:14 -0500
https://ask.sagemath.org/question/52915/

Notebook: How to prevent that users can access cell content of other users?
https://ask.sagemath.org/question/25337/notebook-how-to-prevent-that-users-can-access-cell-content-of-other-users/

I set up a Sage Notebook server which is going to be accessible by multiple users, but I have problems securing it. I am using version 6.4.1.
I invoke the notebook() command with the server_pool=[...] setting, and the $HOME/.sage directory of the user which starts the sage notebook (as well as for the users specified in server_pool) has permissions 700, so it is impossible for users to directly access the worksheets of other users.
However when I do `cat /tmp/*/*.py` in the notebook (after setting language to "sh" of course), I get some cell contents of other users. Those files in /tmp belong to the main sage user, and have permissions rw-r--r--.
I already tried setting umask to 077 before invoking the sage notebook, but when I do so, the notebook does not work at all (it starts, but all commands I enter in cells seem to take an infinite amount of time).
Is there a way to secure the sage notebook, such that it is impossible for one user to see any part of worksheets of other users?

alex
Tue, 23 Dec 2014 08:30:31 -0600
https://ask.sagemath.org/question/25337/

jmol applets need more java security...
https://ask.sagemath.org/question/25108/jmol-applets-need-more-java-security/

java security no longer accepts security levels below "HIGH". If you cannot (or won't) rewrite sage_math
to use a non-java jmol (see jsmol for example), then explain how I'm supposed to fix:
"Application Blocked by Java Security
For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run.
Name: jmolApplet0
Location: file://
Reason: Your security settings have blocked an application from running **due to missing a "Permissions" manifest attribute in the main jar.**
"
I've added /usr/lib/jvm/jdk1.8.0_25/jre/lib/applet/jmol.jar to the Exception Site List, but STILL java throws up the above-quoted dialog box! BTW, just where is the jmol code supposed to be located in sage_math?

stychokiller
Wed, 03 Dec 2014 20:07:20 -0600
https://ask.sagemath.org/question/25108/

Does HTTP login to Sage Notebook send plaintext password?
https://ask.sagemath.org/question/23161/does-http-login-to-sage-notebook-send-plaintex-password/

Does my web-browser send the login and password in plaintext when I log in to Sage Notebook via HTTP protocol?

v_2e
Tue, 01 Jul 2014 11:55:16 -0500
https://ask.sagemath.org/question/23161/

Searching local HTML Docs with Chrome browser doesn't find anything, ever
https://ask.sagemath.org/question/10118/searching-local-html-docs-with-chrome-browser-doesnt-find-anything-ever/

Using locally generated documentation ("make doc" in install dir), the Chrome browser search feature doesn't ever find anything. It used to work, but I don't know when it broke.
My local browser URLs:
file:///usr/local/src/sage/sage-5.9/devel/sage/doc/output/html/en/reference/search.html?q=lfsr
file:///usr/local/src/sage/sage-5.9/devel/sage-main/doc/output/html/en/reference/search.html?q=lfsr
... only show `Searching ...` forever.
This URL returns with doc references quickly.
http://www.sagemath.org/doc/reference/search.html?q=lfsr
What could be blocking my local doc searches?
Where can I look to start debugging?
Interestingly, Firefox works fine.
Chrome's javascript console reports:
Failed to load resource: Origin null is not allowed by Access-Control-Allow-Origin. file:///usr/local/src/sage/sage-5.10/devel/sage-main/doc/output/html/en/reference/searchindex.js
XMLHttpRequest cannot load file:///usr/local/src/sage/sage-5.10/devel/sage-main/doc/output/html/en/reference/searchindex.js. Origin null is not allowed by Access-Control-Allow-Origin.

rickhg12hs
Tue, 14 May 2013 03:01:54 -0500
https://ask.sagemath.org/question/10118/

Fedora, pyOpenSSL
https://ask.sagemath.org/question/9780/fedora-pyopenssl/

I am setting up a public Sage server on a Fedora 18 machine (Python version python-2.7.3-13.fc18.x86_64).
To have the possibility to enable the secure mode, I installed the pyOpenSSL package from the Fedora repositories (pyOpenSSL-0.13-4.fc18.x86_64), but when I try to start the Sage server, I obtain these error messages:
> sage: notebook(port=8082, interface='', secure=True, accounts=True, ulimit='-v 500000 t 120', automatic_login=False)
> --------------------------------------------------------------------------
> RuntimeError Traceback (most recent call last)
>
> /home/user/sage/sage-5.5-linux-64bit-fedora_release_16_verne_x86_64-Linux/<ipython console> in <module>()
>
> /home/user/sage/sage-5.5-linux-64bit-fedora_release_16_verne_-x86_64-Linux/devel/sagenb/sagenb/notebook/notebook_object.pyc in _call_(self, *args, **kwds)
> 221 """
> 222 def _call_(self, *args, **kwds):
> -> 223 return self.notebook(*args, **kwds)
> 224
> 225 notebook = run_notebook.notebook_run
>
> /home/dna/sage/sage-5.5-linux-64bit-fedora_release_16_verne_x86_64-Linux/devel/sagenb/sagenb/notebook/run_notebook.pyc in notebook_run(self, directory, port, interface, port_tries, secure, reset, accounts, openid, server_pool, ulimit, timeout, upload, automatic_login, start_path, fork, quiet, server, profile, subnets, require_login, open_viewer, address)
> 476 import OpenSSL
> 477 except ImportError:
> -> 478 raise RuntimeError("HTTPS cannot be used without pyOpenSSL"
> 479 " installed. See the Sage README for more information.")
> 480
>
> RuntimeError: HTTPS cannot be used without pyOpenSSL installed. See the Sage README for more information.

Caterpillar
Wed, 06 Feb 2013 21:38:56 -0600
https://ask.sagemath.org/question/9780/

Setting up a public Sage server
https://ask.sagemath.org/question/9746/setting-up-a-public-sage-server/

Hi. I have a desktop computer with an Athlon II X3 440 (it will probably be updated soon with an AMD FX 8350), 32Gb of RAM and Fedora 17 64bit.
I would like to set up a public Sage server on an unprivileged Fedora user.
I am not a security expert, but I need to avoid abuses, so I need suggestions how to secure a public Sage server, where people can sign in from Sage server's webpage and start immediately.
The wiki page
http://wiki.sagemath.org/SageServer
does not seem to be enough for my needs.

Caterpillar
Sat, 26 Jan 2013 00:03:41 -0600
https://ask.sagemath.org/question/9746/

Overview of security and memory management?
https://ask.sagemath.org/question/8649/overview-of-security-and-memory-management/

Hi all,
I've been looking around the documentation for an explanation of how Sage is able to sandbox user code to prevent unauthorized access to the system the platform is being hosted on. Given that Sage Notebook is deployed in production on a public server, how does the platform isolate user environments/worksheets? Furthermore, how does Sage manage memory on a per-worksheet basis?
I'd appreciate any insight from those who have deployed Sage in a production environment, either internal or external to an organization. +5 pts if you have a sys admin background!
Thanks!
(For what it's worth, I've been going through the thesis titled "Securing the Sage Notebook", but I'd also like some more practical input. I'll be scrounging through the dev discussion threads for an answer as well and will follow up if I come across any good explanations.)

stef
Mon, 23 Jan 2012 04:10:48 -0600
https://ask.sagemath.org/question/8649/

notebook server daemon + security issues
https://ask.sagemath.org/question/8063/notebook-server-daemon-security-issues/

Hi
I installed sage on my vserver and run it with a lighttpd proxy.
All I need now is a daemon so I can run it in the background on my vserver, because I use this server for other things as well. Is there a way I can start the sage notebook as a daemon? Or do I need to make a bash script (I'm not good at bash)?
What would be the best way to invoke the notebook, which parameters should I use?
I am also a bit worried about security, as my notebook can be accessed through the web publicly. Is there anything I should take account of?

sporeohr
Fri, 08 Apr 2011 22:37:09 -0500
https://ask.sagemath.org/question/8063/

Security in Sage
https://ask.sagemath.org/question/7776/security-in-sage/

In addition to my current development work, I'm working on a paper examining Sage from a computer security perspective. As an open source, widely distributed software system, that must be a concern. The server components that can execute potentially arbitrary code on the server make security even more of a concern.
Is there any documentation that talks about Sage's security precautions? My initial research, i.e. googling and searching the documentation, failed to turn anything up.
Are there people who work on that aspect who would be willing to answer a few email questions in the next two weeks?
Is there anything else I should know? I plan to do some fiddling and testing on my own to see what I can turn up.
Thanks,
Ethan

Ethan Van Andel
Sun, 28 Nov 2010 14:31:00 -0600
https://ask.sagemath.org/question/7776/