On Wed, 19 Sep 2007, Nash Foster wrote: > http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ > > Any actual cryptographers care to comment on this? I don't feel > qualified to judge.
I "discovered" this minor weakness in most of the open source IPSec implementations in May of last year (identical checks for degenerate exponents are actually recommended in RFC2142 section 2.3.1.1). It didn't seem like this weakness could be used for much - an evil IKE endpoint could use it to force disclosure of symmetrically encrypted exchanges that were keyed from DH, but such an endpoint has a myriad of other ways they could disclose this same information. Protocols that do not perform authentication after DH (e.g. Tor) get bit much harder though. Anyway, I fixed OpenBSD's isakmpd[1], tighened the checks in OpenSSH[2] and reported the problem to the security contacts of ipsec-tools/racoon and openswan (two other open source IKE implementations). Racoon and openswan never bothered bother to fix it despite me sending a patch for racoon at least. I recall a rather bizarre conversation with an openswan developer who said he would only accept a patch if I wrote him a testcase to go with it. OTOH Racoon/ipsec-tools would benefit from the extra sanity checks that Ben Laurie added to OpenSSL for the 0.9.8a release[3], assuming it was compiled against that version or later. -d [1] http://marc.info/?l=openbsd-cvs&m=114675357804837&w=2 [2] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dh.c.diff?r1=1.35&r2=1.36 [3] http://cvs.openssl.org/chngview?cn=14375 --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]