"Nash Foster" <[EMAIL PROTECTED]> writes:

>http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
>
>Any actual cryptographers care to comment on this? I don't feel qualified to
>judge.
It's quite possible that many implementations do this. When the Mozilla folks changed their code a year or two back to reject RSA keys with an exponent of one (which in itself means that they'd been accepting those keys for years), a number of certs broke because CAs were issuing exponent-one keys, which in turn means that many other implementations that never complained about these certs were freely accepting them. Windows CryptoAPI, for example, still allows exponent-one keys as a by-design feature to allow the export of "wrapped" keys in plaintext form.

So it's quite believable that a number of DH implementations allow bad key parameter values, and that this has been going on for years. (Even the level of validation discussed on the web page doesn't help entirely: FIPS 186 provides extra parameters (p, q, g) that you can use for checking the key, while the still widely-used PKCS #3 (p, g) doesn't, so even just using PKCS #3 rather than FIPS 186 is a problem.)

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
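The difference between FIPS 186-style (p, q, g) parameters and PKCS #3-style (p, g) parameters that the reply above draws on, as an added example that is not part of the original message or of any implementation it mentions. The group parameters are toy values constructed for illustration (p = 67, q = 11), the function names are my own, and the trial-division primality test stands in for the probable-prime test real code would use. With only (p, g) a peer can do no more than a range check on the received public value y; with q it can also confirm that y lies in the order-q subgroup, which is what rejects a small-subgroup value that still passes the range check.

```python
# Added example (not from the original message): DH parameter and public-value
# validation with FIPS 186-style (p, q, g) parameters versus PKCS #3-style (p, g).
# All group parameters below are toy values constructed for illustration.

from math import isqrt


def is_prime(n: int) -> bool:
    """Trial-division primality test. Adequate for toy parameters only; real
    code uses a probable-prime test (e.g. Miller-Rabin) on 2048-bit moduli."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def validate_params_fips186(p: int, q: int, g: int) -> bool:
    """FIPS 186-style domain parameter check: p and q prime, q divides p-1,
    g in range, and g generates the order-q subgroup (g^q mod p == 1)."""
    if not (is_prime(p) and is_prime(q)):
        return False
    if (p - 1) % q != 0:
        return False
    if not 1 < g < p - 1:
        return False
    return pow(g, q, p) == 1


def validate_public_pkcs3(p: int, y: int) -> bool:
    """All that PKCS #3-style parameters (p, g) let a peer check: y is in range.
    This rejects y = 0, 1 and p-1 (elements of order 1 and 2) but nothing else."""
    return 1 < y < p - 1


def validate_public_fips186(p: int, q: int, y: int) -> bool:
    """With q known, additionally require y to lie in the order-q subgroup."""
    return validate_public_pkcs3(p, y) and pow(y, q, p) == 1


def distinct_shared_secrets(p: int, y: int) -> int:
    """Number of different values y^x mod p can take as the private exponent x
    ranges over 1..p-2. For a small-order y this is the attacker's search space
    for the shared secret."""
    return len({pow(y, x, p) for x in range(1, p - 1)})


# Toy group (constructed): p = 67, p-1 = 66 = 2 * 3 * 11, so q = 11 and
# g = 2^(66/11) mod 67 = 64 generates the order-11 subgroup.
P, Q, G = 67, 11, 64

# Honest public value: y = g^x mod p for a private x (x = 5 here).
Y_HONEST = pow(G, 5, P)          # 25

# Malicious public value from the order-3 subgroup: 2^(66/3) mod 67 = 37.
# It is in range, so a (p, g)-only check accepts it, but 37^11 mod 67 != 1.
Y_ORDER3 = 37

if __name__ == "__main__":
    print("params valid:", validate_params_fips186(P, Q, G))
    for label, y in (("honest", Y_HONEST), ("order-3", Y_ORDER3)):
        print(label, "pkcs3:", validate_public_pkcs3(P, y),
              "fips186:", validate_public_fips186(P, Q, y),
              "possible secrets:", distinct_shared_secrets(P, y))
```

The order-3 value is accepted by the range check and forces the shared secret into one of three values, whereas the subgroup-membership check that q makes possible rejects it outright. With real parameters the same range check leaves every small prime factor of p-1 other than 2 open to this kind of confinement, which is the gap between the two parameter formats that the reply points at.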