Scare tactic?

[Victor Duchovni]

On Wed, Sep 19, 2007 at 02:01:13PM -0700, Nash Foster wrote:

> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
> 
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
> 

I am not a cryptographer, but the article appears silly.

First the verification algorithm as stated is wrong:

    * Verify that 2 <= K_a <= p - 2
    * Verify that (K_a)^g = 1 (mod p)

The first condition is correct, but the second is not, that "g" should
be a "q", where "q" is a large prime divisor of "p-1" and "g" is chosen
so that the order of "g" mod "p" is "q". The correct second test just
verifies that K_a is an element of order q (true for all non-trivial
powers of g).

Even with the verification algorithm K_a can still be equal to a small
power of "g", which the passive eavesdropper can quickly brute-force.

In fact the entire threat model is broken, because if Alice wants Eve to
be able to crack Alice's key exchange with Bob, Alice can just send Eve
her secret exponent. Why waste time with weak exponents that Bob may be
able to detect if he so choses?

So verification of the peer exponent has nothing to do with Allice
colluding with passive eavesdroppers.

Rather the issue is small-subgroup attacks, which are of interest
in some cases (and not applicable in others).

    http://tools.ietf.org/html/rfc2785

Have not looked at IKE closely enough to comment on whether small
subgroups are a concern in that context.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com