Since most, if not all, implementations of DH key exchange are set to
choose p and q from primes with several hundreds of digits, the chance
of getting a zero or one is extremely small to non-existent.

That aside, the finding is, of course, an implementation weakness.

Bjarne

---
Bjarne Carlsen
CTO 
I/S Mail2Net
Denmark

Wed, 19 09 2007 at 11:31 -0400, Evgeny Lebanidze wrote:
> Yes, this is certainly bad and a very interesting finding.  These checks 
> should clearly be present.  Are there serious practical ramifications of this 
> problem though?  In other words, how likely is it that the generated public 
> key in the DH key exchange will actually be 0 or 1?  It can certainly happen, 
> but our passive attacker would have to be passive for a very long time and 
> there is no guarantee that the secret key they might eventually get will be 
> of interest to them (since the attacker cannot control when a weak public key 
> is produced).  Just a thought.
> 
> Evgeny
> 
> -------------------------------------------------
> Evgeny Lebanidze
> Senior Security Consultant, Cigital
> 703-585-5047, http://www.cigital.com
> Software Confidence.  Achieved.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kowsik
> Sent: Wednesday, September 19, 2007 1:24 AM
> To: SC-L@securecoding.org
> Subject: [SC-L] DH exchange: conspiracy or ignorance?
> 
> http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
> 
> K.
> 
> ps: I work for Mu.
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________

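Added example, not part of the original thread or of any implementation it discusses: a sketch of the public-value check the thread says should be present, and of what an implementation without it computes. The toy group (p = 23, q = 11, g = 4) and all function names are constructed for illustration; rejecting p-1 and the optional subgroup test go beyond the 0/1 case mentioned above.

```python
import secrets

# Constructed toy group for illustration only: safe prime p = 2q + 1.
# Real deployments use primes of 2048 bits or more.
P, Q, G = 23, 11, 4   # G = 4 generates the subgroup of order Q


class InvalidPublicKey(ValueError):
    pass


def validate_peer_public(y, p=P, q=None):
    """Reject degenerate DH public values before computing the secret."""
    if not isinstance(y, int):
        raise InvalidPublicKey("public value must be an integer")
    # 0, 1 and p-1 (and anything outside [2, p-2]) yield a shared secret
    # that the local private exponent barely influences.
    if not 2 <= y <= p - 2:
        raise InvalidPublicKey(f"public value {y} outside [2, p-2]")
    # When the subgroup order q is known, also require membership in it.
    if q is not None and pow(y, q, p) != 1:
        raise InvalidPublicKey("public value not in the order-q subgroup")
    return y


def shared_secret(peer_y, private_x, p=P, q=Q):
    """Checked computation: validate first, then exponentiate."""
    return pow(validate_peer_public(peer_y, p, q), private_x, p)


def unchecked_secret(peer_y, private_x, p=P):
    """What an implementation without the check computes."""
    return pow(peer_y % p, private_x, p)


def degenerate_outcomes(p=P, trials=200):
    """Secrets produced by each degenerate value over random exponents."""
    out = {}
    for y in (0, 1, p - 1):
        out[y] = {unchecked_secret(y, secrets.randbelow(p - 3) + 2, p)
                  for _ in range(trials)}
    return out


if __name__ == "__main__":
    for y, secrets_seen in degenerate_outcomes().items():
        print(f"peer value {y:2d} -> possible secrets {sorted(secrets_seen)}")
```

Without the check, a peer value of 0 or 1 fixes the secret at 0 or 1 whatever the private exponent is, and p-1 leaves only two candidates.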