Yes, this is certainly bad and a very interesting finding. These checks should clearly be present. Are there serious practical ramifications of this problem though? In other words, how likely is it that the generated public key in the DH key exchange will actually be 0 or 1? It can certainly happen, but our passive attacker would have to be passive for a very long time and there is no guarantee that the secret key they might eventually get will be of interest to them (since the attacker cannot control when a weak public key is produced). Just a thought.
Evgeny ------------------------------------------------- Evgeny Lebanidze Senior Security Consultant, Cigital 703-585-5047, http://www.cigital.com Software Confidence. Achieved. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kowsik Sent: Wednesday, September 19, 2007 1:24 AM To: SC-L@securecoding.org Subject: [SC-L] DH exchange: conspiracy or ignorance? http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ K. ps: I work for Mu. _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________