[Cryptography] Is the real cause of the recent socat error now known?

david wong davidwong.crypto at gmail.com
Thu Mar 17 16:39:33 EDT 2016


To answer the title: no, we don't know. It was probably a developer who had
no idea how crypto works. For the story, the guy who submitted the patch
erased both his personal blog and his GitHub account the day the security
issue was publicly disclosed.

> (1) Scientific: Almost certainly a probabilistic procedure (commonly
> involving the Miller-Rabin Test) was employed instead of Maurer's algorithm
> of provable prime generation. Hence with some, though practically very
> minute (depending on the parameter t of the Miller-Rabin Test), probability
> one could indeed have obtained a composite instead of a prime number.

Even with M-R you would have to know exactly what bases would be used to
test the prime (so the test would have to use the deterministic version of
M-R) to produce the prime in the first place. And this would have to be
done maliciously (cf.
http://www.jointmathematicsmeetings.org/mcom/1995-64-209/S0025-5718-1995-1260124-2/S0025-5718-1995-1260124-2.pdf).

> (2) Human: Human errors of diverse genre and manipulation (backdoor).

I've tried a bunch of things, and so have other people. Nothing works
except if you append "f0" to the hex string: you obtain a prime. It could
mean it was truncated to reach 1024 bits exactly, but this doesn't mean
anything, as you will often be able to add a higher byte to a non-prime to
make it prime. There was also some effort on the Mersenne forum to factor
the composite modulus, but only two small factors were found (by trial
division).

I don't think this is a backdoor, but I found the idea interesting: how to
change one value in your ephemeral Diffie-Hellman parameters to make it a
backdoor. I've implemented ways to do it:
https://github.com/mimoo/Diffie-Hellman_Backdoor and plan to release a
paper whenever I'm done (if someone is interested in discussing it, ping
me!).

If there is something we can do to react positively to this story, it is to
check for similar potential backdoors in VPN implementations, be they closed
or open source. Good thing a list was released a few days ago:
http://lifehacker.com/this-massive-vpn-comparison-spreadsheet-helps-you-choos-1764427219

David
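The kind of check the last paragraph calls for, as an added example that is not David Wong's code nor taken from the Diffie-Hellman_Backdoor repository: Miller-Rabin with bases drawn at random on each run (so a composite cannot be tuned to a fixed base list, which is the point made about the deterministic variant above), applied to a DH modulus lifted from a config, plus the (p-1)/2 test for a safe prime. The sample moduli are constructed; the socat value itself is not on this page.

```python
import secrets

def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with a fresh random base per round (not a fixed base list).
    False means n is certainly composite; True means n is probably prime, with
    error probability at most 4**-rounds even for an adversarially chosen n."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True

def check_dh_modulus(p_hex: str) -> dict:
    """Sanity checks a reviewer can run on a DH modulus copied out of a config
    or source file: bit length, primality of p, and primality of (p - 1) / 2."""
    p = int(p_hex.replace(" ", ""), 16)
    is_prime = miller_rabin(p)
    return {
        "bits": p.bit_length(),
        "prime": is_prime,
        "safe_prime": is_prime and miller_rabin((p - 1) // 2),
    }

if __name__ == "__main__":
    # Constructed inputs: a Mersenne prime, a product of two Mersenne primes
    # (composite, so a deployment should reject it), and the safe prime 23.
    samples = {
        "mersenne_127": hex(2**127 - 1),
        "product_of_two_primes": hex((2**127 - 1) * (2**89 - 1)),
        "small_safe_prime": hex(23),
    }
    for name, p_hex in samples.items():
        print(name, check_dh_modulus(p_hex))
```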