[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

To: Georgi Guninski <[email protected]>
Subject: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
From: [email protected] (Alfonso De Gregorio)
Date: Sat, 5 Sep 2015 15:40:24 +0000
Cc: [email protected]
In-reply-to: <[email protected]$>
References: <CA+bTbPDoQi030MN4j8E4fmx_KOQP48xsbJjGM4X2rk=_E3zgZQ@mail.gmail.com> <[email protected]$> <CA+bTbPCHKm_n8ei9qw6yx=VVbHh+z8jQ1GNYa+gs6ZLC0AfxyQ@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4AF36EE@uxcn10-5.UoA.auckland.ac.nz> <[email protected]$> <CA+bTbPB_Z7QXU1so=jR4J7yxo_r7Vjgjd=1TfW8ZQStvdsNOUw@mail.gmail.com> <[email protected]$> <CA+bTbPCQ+rsZS3ufiqVOLWOUrPP2K3u+D+_=8Biguy-DW59nrQ@mail.gmail.com> <[email protected]$> <CA+bTbPDhOHyJQyKJrx9HrRifwnKTs+6p7c62gx2FKEGhoSbvGA@mail.gmail.com> <[email protected]$>

On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <[email protected]> wrote:
...
> I mean: non-proper DH is implementation which doesn't return
> error/aborts if $q$ is composite. $q$ is defined in the RFC.

I'm not aware of any implementation that fails to abort is q is composite.

As a case in point, OpenSSL versions implementing X9.42 DH
(1.0.2-Beta2 and above) test both p and q for primality:

int DH_check(const DH *dh, int *ret)
{
   /* ... */

    if (dh->q) {
        /* ... */
        if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
            *ret |= DH_CHECK_Q_NOT_PRIME;
    }

and

    if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
        *ret |= DH_CHECK_P_NOT_PRIME;
    else if (!dh->q) {
       /* ... */
    }

I have no evidence though that application built on OpenSSL call
DH_check() function every time they need to.

Cheers,

-- Alfonso

Follow-Ups:
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)

References:
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Alfonso De Gregorio)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Alfonso De Gregorio)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Peter Gutmann)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Alfonso De Gregorio)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Alfonso De Gregorio)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Alfonso De Gregorio)
- Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
  - From: [email protected] (Georgi Guninski)

Prev by Date: Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them
Next by Date: Re: Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them
Previous by thread: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
Next by thread: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
Index(es):
- Date
- Thread