Fwd: Tor security advisory: DH handshake flaw
Ben Laurie
ben at algroup.co.uk
Sat Aug 20 09:19:00 EDT 2005
Hal Finney wrote:
> I was just at Crypto yesterday and Hugo Krawczyk in his talk emphasized
> the difficulty of securely designing key exchange protocols. He was
> talking about "implicit authorization" protocols where the exponentiation
> involves the long term public key(s). This protocol is different but
> there are still many ways things can go wrong.
>
> This attack is an example of a "small subgroup" attack where the derived
> value is forced into a small subgroup mod p, in this case the trivial
> subgroup with one element. Sometimes other subgroups can be used,
> such as the group with order two (consisting of 1, p-1), or potentially
> other groups. But I checked the source code and Tor is using an "Oakley"
> prime from RFC2409, with a generator g = 2. The prime p is such that
> q = (p-1)/2 is prime also, and g generates the prime order subgroup of
> size q. The only subgroups of such a p have order 1, 2, q, and 2q==(p-1).
> By checking the received bignum is not 1, -1, or 0 (good catch, I forgot
> about that one) and also not >= p, you should be okay.
This is one reason everyone should use well-known primes for
Diffie-Hellman (the other reason is the more obscure non-prime
substitution attack using hash collisions discussed here a few months ago).
Related to this is a project I keep considering and never quite getting
around to is to include a prime proof verifier in OpenSSL. It would be
pretty cool to have modes which only work when all relevant primes come
with proofs.
I've looked into this a few times, but have always ended up at a slight
brick wall: I'd like to use proofs for which there's efficient (yes, I
know "efficient" means "only takes a few months to run") code to produce
the proofs, as well as (obviously) efficient (where efficient means
"really fast") verifiers. This is, of course, so new proven primes can
be produced without having to wait for someone with proprietary code to
feel so inclined.
Do the experts out there have suggestions? Perhaps this time I'll get
around to implementing.
Oh, BTW, bonus points if the prover can be run on large numbers of
processors in parallel. Even more points if communication between the
CPUs are low bandwidth.
It would also be nice to have a collection of primes and proofs in
OpenSSL, so if people want to point me at such things, I'll do my best
to make it so.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list