Scare tactic?
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Thu Sep 20 01:09:02 EDT 2007
On Wed, Sep 19, 2007 at 02:01:13PM -0700, Nash Foster wrote:
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
> Any actual cryptographers care to comment on this? I don't feel
> qualified to judge.
>
I am not a cryptographer, but the article appears silly.
First the verification algorithm as stated is wrong:
* Verify that 2 <= K_a <= p - 2
* Verify that (K_a)^g = 1 (mod p)
The first condition is correct, but the second is not, that "g" should
be a "q", where "q" is a large prime divisor of "p-1" and "g" is chosen
so that the order of "g" mod "p" is "q". The correct second test just
verifies that K_a is an element of order q (true for all non-trivial
powers of g).
Even with the verification algorithm K_a can still be equal to a small
power of "g", which the passive eavesdropper can quickly brute-force.
In fact the entire threat model is broken, because if Alice wants Eve to
be able to crack Alice's key exchange with Bob, Alice can just send Eve
her secret exponent. Why waste time with weak exponents that Bob may be
able to detect if he so chooses?
So verification of the peer exponent has nothing to do with Alice
colluding with passive eavesdroppers.
Rather the issue is small-subgroup attacks, which are of interest
in some cases (and not applicable in others).
http://tools.ietf.org/html/rfc2785
Have not looked at IKE closely enough to comment on whether small
subgroups are a concern in that context.
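The corrected public-value test the post describes, as an added example that is not part of the original message or of RFC 2785 (the group p = 31, q = 5, g = 2 is a constructed toy, chosen so the arithmetic can be followed by hand):

```python
# Added example (not the post's own code): DH public-value validation as the
# post corrects it, beside the test as the linked article states it.

def is_prime(n):
    """Trial-division primality test; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def group_params_ok(p, q, g):
    """Check that q is a prime divisor of p-1 and that g has order q mod p."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def validate_public_value(k, p, q):
    """The corrected test: 2 <= k <= p-2 and k^q == 1 (mod p).

    The second condition confines k to the order-q subgroup generated by g,
    which is what rules out small-subgroup values (RFC 2785)."""
    return 2 <= k <= p - 2 and pow(k, q, p) == 1


def article_check(k, p, g):
    """The test as the article states it, with k^g in place of k^q.

    k^g == 1 (mod p) says nothing about membership in the subgroup of g."""
    return 2 <= k <= p - 2 and pow(k, g, p) == 1


# Constructed toy group: p = 31, p-1 = 30 = 2*3*5, q = 5, and g = 2 has order 5.
P, Q, G = 31, 5, 2

if __name__ == "__main__":
    assert group_params_ok(P, Q, G)
    print("values passing the corrected check:",
          [k for k in range(2, P - 1) if validate_public_value(k, P, Q)])
    # 5 has order 3 mod 31: in range, but outside the subgroup of g.
    print("5 accepted by corrected check:", validate_public_value(5, P, Q))
    # The article's test rejects g^3 = 8, a perfectly valid public value.
    print("8 accepted by article's check:", article_check(pow(G, 3, P), P, G))
```

Note that g^1 = 2 passes the corrected check, which is the post's point that validation cannot detect a peer who deliberately uses a small exponent.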