Fwd: Tor security advisory: DH handshake flaw

Werner Koch wk at gnupg.org
Fri Sep 2 03:27:37 EDT 2005


On Thu, 01 Sep 2005 15:04:43 +0200, Simon Josefsson said:

> If you control the random number generator, you control which
> Miller-Rabin bases that are used too.

Oh well, if you are able to do this you have far easier ways of
compromising the security.  Tricking the RNG to issue the same number
to requests for the secret exponent of a DSA sign operation seems to
be easier.

> Designing this fake random number generator is not trivial, and must
> most likely be done separately for each crypto library that is used.  If
> software only used prime numbers that came with a prime certificate,
> you combat this attack.

Here it would be easier to add a backdoor to the prime certificate
check than to implement a fake RNG.


Shalom-Salam,

   Werner


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
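The point argued above, that an attacker who controls the random source also controls which Miller-Rabin bases get used, is easy to see on a small worked example. The following is an added illustration, not code from the thread or from GnuPG: a Miller-Rabin test that takes its bases from whatever RNG it is handed, a toy "rigged" RNG that replays a fixed script instead of random values, and an alternative that derives the bases from the candidate itself via SHA-256 so the RNG has no say in them. The composite 3215031751 = 151 * 751 * 28351 is a published strong pseudoprime to the bases 2, 3, 5 and 7; everything else in the block (the function names, the RiggedRNG class, the seed 2005) is made up for this example.

```python
"""Added example (not part of the mailing-list thread): why Miller-Rabin
must not let an untrusted random source choose its bases.

3215031751 = 151 * 751 * 28351 is composite, but it is a published strong
pseudoprime to the bases 2, 3, 5 and 7.  A test whose bases come from a
rigged RNG that hands out exactly those values accepts it; bases the RNG
cannot influence reject it."""

import hashlib
import random

COMPOSITE = 3215031751           # 151 * 751 * 28351, a known strong pseudoprime to 2, 3, 5, 7
FACTORS = (151, 751, 28351)
MERSENNE_PRIME = 2**127 - 1      # a genuine prime, used as the control case


def miller_rabin(n: int, bases) -> bool:
    """Strong probable-prime test of n against the given bases.

    Returns True if n survives every base ("probably prime"), False as soon as
    some base witnesses compositeness.  Which bases are tried is entirely the
    caller's decision, which is exactly what the thread argues about."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # Write n - 1 = 2^s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue                 # these bases can never witness anything
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                 # a is a (strong) liar or n is prime
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness: n is definitely composite
    return True


def rng_bases(n: int, rounds: int, rng) -> list:
    """Bases drawn from whatever RNG the caller trusts (the usual library design)."""
    return [rng.randrange(2, n - 1) for _ in range(rounds)]


class RiggedRNG:
    """Toy stand-in (constructed for this example) for a subverted RNG: it
    replays a fixed script of values instead of producing randomness."""

    def __init__(self, script):
        self._script = list(script)

    def randrange(self, lo, hi):
        return self._script.pop(0) if self._script else lo


def hash_bases(n: int, rounds: int) -> list:
    """Bases derived from n itself with SHA-256 (hypothetical mitigation).

    The RNG plays no part, so whoever controls it cannot pair a composite
    candidate with its own strong liars."""
    out = []
    for i in range(rounds):
        h = hashlib.sha256(f"{n}:{i}".encode()).digest()
        out.append(2 + int.from_bytes(h, "big") % (n - 3))   # range [2, n-2]
    return out


def demo() -> dict:
    """Run the three base-selection strategies against the known pseudoprime."""
    n = COMPOSITE
    assert FACTORS[0] * FACTORS[1] * FACTORS[2] == n
    return {
        # Rigged RNG feeds the four known liars: the composite is accepted.
        "rigged_rng_accepts": miller_rabin(n, rng_bases(n, 4, RiggedRNG([2, 3, 5, 7]))),
        # Honest RNG (fixed seed for reproducibility) and hash-derived bases reject it.
        "honest_rng_accepts": miller_rabin(n, rng_bases(n, 20, random.Random(2005))),
        "hash_bases_accept": miller_rabin(n, hash_bases(n, 20)),
        # Control: a real prime passes with the hash-derived bases.
        "true_prime_passes": miller_rabin(MERSENNE_PRIME, hash_bases(MERSENNE_PRIME, 20)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash-derived bases are not a complete answer to the threat the thread describes (an attacker who can replace the RNG can usually replace the primality test too, as Werner notes about certificate checkers), but they do illustrate the design choice: a library whose probable-prime test reads its bases from the same source that produced the candidate hands the RNG two levers instead of one.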
