[Cryptography] DH non-prime kills "socat" command security

david davidwong.crypto at gmail.com
Fri Feb 5 15:08:00 EST 2016


On 2/4/16 8:30 PM, Henry Baker wrote:
> The purported prime in the socat news story doesn't pass any of the 
> simple primality tests of the type that you describe, so it is obvious 
> to include such primality tests in the QA for these socat algorithms. 
> After factoring out the two small factors 271 and 13,597, the 
> resulting 1002-bit number *still doesn't pass* simple primality tests, 
> but I wasn't able to further factor it in 15 minutes on my really old, 
> really slow laptop. So someone was criminally stupid, or else 
> purposely installed this non-prime backdoor.

I'm digging into the topic and summarizing everything on this GitHub 
repo: https://github.com/mimoo/socat_backdoor

It would be interesting to try several factoring algorithms like 
Pollard's p-1, ECM, p+1 ... Also, try and provide some estimations. If 
the factorization of the last composite has a lower bound of X => 
Pohlig-Hellman won't work.

Another question: if it was indeed a mistake, how could that number 
have been generated? And what are the probabilities that the 
factorization would include big primes/small primes if generated this way?

David
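
The primality QA check suggested in the quoted message, as an added example that is not part of the original post or of the socat code: Miller-Rabin on the modulus, then trial division to pull out small factors and re-test the cofactor. The function names, the 100,000 trial-division bound and the sample modulus are assumptions constructed for illustration; the sample is not the socat value.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is definitely composite
    return True

def strip_small_factors(n, bound=100_000):
    """Trial-divide by 2 and odd d < bound; return (factors found, cofactor)."""
    factors, d = [], 2
    while d < bound and d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    return factors, n

def check_dh_modulus(p):
    """QA report for a candidate DH modulus p."""
    report = {"bits": p.bit_length(), "prime": is_probable_prime(p)}
    if report["prime"]:
        # Safe prime: q = (p-1)/2 is prime, so subgroup orders are only 1, 2, q, 2q.
        report["safe_prime"] = is_probable_prime((p - 1) // 2)
    else:
        factors, cofactor = strip_small_factors(p)
        report.update(small_factors=factors, cofactor_bits=cofactor.bit_length(),
                      cofactor_prime=is_probable_prime(cofactor))
    return report

# Constructed sample (not the socat modulus): the thread's two small factors times two Mersenne primes.
CONSTRUCTED = 271 * 13597 * (2**127 - 1) * (2**521 - 1)
print(check_dh_modulus(CONSTRUCTED))
```

A check like this belongs in the build or release tests for any hard-coded DH group, so a non-prime modulus fails QA before it ships.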