Scare tactic?

Dave Korn dave.korn at
Thu Sep 20 05:42:35 EDT 2007

On 19 September 2007 22:01, Nash Foster wrote:

> Any actual cryptographers care to comment on this?  I don't feel qualified
> to judge.

  Nor do I, but I'll have a go anyway.  Any errors are all my own work.  AIUI,
the weakness is that if you control one end of the DH exchange, you can force
a weak key to be selected for the subsequent encrypted exchange that an
external observer can easily guess.  I would summarize the main findings as:

  "If you are one participant in a DH key exchange, it is possible for you to
reveal the agreed-upon shared secret".

  "If you pwn an IKE server, you can decrypt and read all the traffic it is
exchanging with peers.  The clients of that server won't know that it's giving
up all their data".

  Whether you do it by forcing the implementation to choose a weak key, or by
just revealing the information that in each situation you already have under
your control, seems to me like a mere technicality.  I can't envisage any
situation under which this would actually *increase* your exposure.  However,
it is an implementation flaw and should be addressed just for the sake of
tying up loose ends and doing things properly.

Can't think of a witty .sigline today....
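The implementation flaw Dave is pointing at is that an unvalidating DH endpoint accepts whatever public value the peer sends, so a peer who sends a degenerate value (0, 1 or p-1) forces the shared secret into a set an onlooker can guess without any secret knowledge. The usual fix is public-value validation in the style of RFC 2631 / NIST SP 800-56A: range-check the peer value and confirm it lies in the prime-order subgroup. The following is an added example, not code from the list or from any IKE implementation; the tiny safe prime p = 1019 (q = 509, g = 4) is constructed for illustration so the numbers stay readable, and a real deployment would use a standardised group with the same checks unchanged.

```python
import secrets

# Constructed toy safe prime p = 2q + 1 for illustration only (assumption,
# not a real-world parameter set).  The validation logic is the same for a
# 2048-bit standardised group; only the numbers get larger.
P = 1019
Q = (P - 1) // 2          # 509, prime: the order of the subgroup we want peers in
G = 4                     # 4 = 2^2 is a square mod P, so it generates the order-Q subgroup


def validate_peer_public(y: int) -> bool:
    """Reject degenerate or out-of-subgroup public values from the peer.

    0, 1 and p-1 pin the shared secret to {0, 1, p-1}, which an observer
    can guess from the wire alone.  The subgroup test (y^q == 1 mod p)
    additionally rejects any element outside the order-q group, so a peer
    cannot confine the secret to a small subgroup either.
    """
    if not (1 < y < P - 1):
        return False
    return pow(y, Q, P) == 1


def keygen() -> tuple:
    """Return (private exponent, public value) for one honest participant."""
    x = secrets.randbelow(Q - 1) + 1     # private exponent in [1, q-1]
    return x, pow(G, x, P)


def shared_secret(x: int, peer_y: int, validate: bool = True) -> int:
    """Derive the shared secret; with validate=True a bad peer value is refused."""
    if validate and not validate_peer_public(peer_y):
        raise ValueError("peer public value rejected")
    return pow(peer_y, x, P)


def honest_exchange() -> bool:
    """Two honest parties agree on the same secret and both pass validation."""
    xa, ya = keygen()
    xb, yb = keygen()
    return shared_secret(xa, yb) == shared_secret(xb, ya)


def forced_secret_without_validation(bad_y: int) -> int:
    """What an unvalidating endpoint ends up with when the peer sends bad_y.

    For bad_y in {0, 1, P-1} the result is predictable regardless of the
    honest party's private exponent, which is exactly the weakness the
    validation above closes.
    """
    xa, _ = keygen()
    return shared_secret(xa, bad_y, validate=False)


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    for bad in (0, 1, P - 1):
        print(f"peer sends {bad}: unvalidated secret = "
              f"{forced_secret_without_validation(bad)}, "
              f"accepted by validator = {validate_peer_public(bad)}")
```

Note that the check does nothing against the other half of Dave's point: a participant who holds a legitimate private exponent can always just hand the derived secret to whoever it likes. Validation only removes the route where the weak key is forced on an honest peer without its cooperation, which is why it is treated as hygiene rather than as a change in the threat model.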

The Cryptography Mailing List