Scare tactic?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 20 00:38:24 EDT 2007


"Nash Foster" <leaf at google.com> writes:

>http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
>Any actual cryptographers care to comment on this? I don't feel qualified to
>judge.

It's quite possible that many implementations do this.  When the Mozilla folks
changed their code a year or two back to reject RSA keys with an exponent of
one (which in itself means that they'd been accepting those keys for years), a
number of certs broke because CAs were issuing exponent-one keys, which in
turn means that many other implementations that never complained about these
certs were freely accepting them.  Windows CryptoAPI, for example, still
allows exponent-one keys as a by-design feature to allow the export of
"wrapped" keys in plaintext form.  So it's quite believable that a number of
DH implementations allow bad key parameter values, and that this has been
going on for years.

(Even the level of validation discussed on the web page doesn't help entirely:
FIPS 186 provides extra parameters that you can use for checking the key
(p, q, g), while the still widely-used PKCS #3 doesn't (p, g), so even just
using PKCS #3 rather than FIPS 186 is a problem.)

Peter.

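As an added illustration of the (p, g) versus (p, q, g) point above, not code from the post or from the linked article: a constructed toy group in which a peer's public value lying in a small subgroup passes the only check PKCS #3 parameters allow (a range test) but fails the subgroup-membership test that FIPS 186's q makes possible. The prime, subgroup order and private exponent are all constructed for the example.

```python
"""DH public-value checks, contrasting what PKCS #3 parameters (p, g)
permit with what FIPS 186 / X9.42 parameters (p, q, g) permit.

Constructed toy group: p = 2*q*h + 1 with q = 1013 and h = 3, so Z_p*
has a subgroup of order 6 in addition to the order-q subgroup."""

P = 6079                       # prime; P - 1 = 2 * 3 * 1013 (constructed)
Q = 1013                       # prime order of the subgroup the protocol uses
G = pow(2, (P - 1) // Q, P)    # 2^6 mod P = 64, an element of order Q


def valid_pkcs3(y: int, p: int) -> bool:
    """With only (p, g) available, the strongest check is a range test
    rejecting 0, 1 and p-1, the values whose shared secret is forced to
    0, 1 or +/-1 regardless of the private exponent."""
    return 1 < y < p - 1


def valid_fips186(y: int, p: int, q: int) -> bool:
    """Knowing q additionally lets us require y^q == 1 (mod p): y must lie
    in the order-q subgroup rather than in a small subgroup of Z_p*."""
    return valid_pkcs3(y, p) and pow(y, q, p) == 1


def small_subgroup_element(p: int, q: int) -> int:
    """Return an element of order dividing (p-1)/q that is neither 1 nor
    p-1: it passes the range test but not the y^q test.  Raising x to
    the q-th power projects any x onto the small-order subgroup."""
    for x in range(2, p):
        y = pow(x, q, p)
        if y not in (1, p - 1):
            return y
    raise ValueError("no small subgroup: p is a safe prime")


def honest_public_value(private: int) -> int:
    """Public value an honest peer would send for the given private key."""
    return pow(G, private % Q, P)
```

Any value returned by small_subgroup_element is accepted by valid_pkcs3 and rejected by valid_fips186, which is exactly the gap the post describes between the two parameter formats.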
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
