Re: [SC-L] DH exchange: conspiracy or ignorance?
Yes, this is certainly bad and a very interesting finding. These checks should clearly be present. Are there serious practical ramifications of this problem though? In other words, how likely is it that the generated public key in the DH key exchange will actually be 0 or 1? It can certainly happen, but our passive attacker would have to be passive for a very long time and there is no guarantee that the secret key they might eventually get will be of interest to them (since the attacker cannot control when a weak public key is produced). Just a thought. Evgeny - Evgeny Lebanidze Senior Security Consultant, Cigital 703-585-5047, http://www.cigital.com Software Confidence. Achieved. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kowsik Sent: Wednesday, September 19, 2007 1:24 AM To: SC-L@securecoding.org Subject: [SC-L] DH exchange: conspiracy or ignorance? http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ K. ps: I work for Mu. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] DH exchange: conspiracy or ignorance?
Since most, if not all implementations of DH key exchange are set to choose p and q from primes with several hundreds of digits, the chance of getting a zero or one is extremely small to non-existent. That aside the finding is, of course, an implementation weakness. Bjarne --- Bjarne Carlsen CTO I/S Mail2Net Denmark ons, 19 09 2007 kl. 11:31 -0400, skrev Evgeny Lebanidze: Yes, this is certainly bad and a very interesting finding. These checks should clearly be present. Are there serious practical ramifications of this problem though? In other words, how likely is it that the generated public key in the DH key exchange will actually be 0 or 1? It can certainly happen, but our passive attacker would have to be passive for a very long time and there is no guarantee that the secret key they might eventually get will be of interest to them (since the attacker cannot control when a weak public key is produced). Just a thought. Evgeny - Evgeny Lebanidze Senior Security Consultant, Cigital 703-585-5047, http://www.cigital.com Software Confidence. Achieved. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kowsik Sent: Wednesday, September 19, 2007 1:24 AM To: SC-L@securecoding.org Subject: [SC-L] DH exchange: conspiracy or ignorance? http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ K. ps: I work for Mu. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] DH exchange: conspiracy or ignorance?
( just jumped onto the list ) nash [EMAIL PROTECTED] wrote: How do you feel this differs from a participant simply pre-agreeing on his keys with the passive attacker? There is not much difference, you are right. What we described is also a lot easier to detect ( are there actually ips signatures for this? ), but easier to implement and coordinate. How does the threat differ from the participant simply forwarding the plaintext on a separate channel? The separate channel isn't necessary, that's the difference. I mean, no key exchange protocol is magical. If one of the parties is a bad guy, then he can subvert the security objectives of the protocol every time. What are you really expecting DH to do, here? We are expecting the vendors who claim to sell highly secure equipment to follow extremely simple sanitation procedures as recommended by the NIST , ANSI , and various RFCs. Blake-Wilson, et al., set out the authenticated key agreement problem in this way: ... entity i wishes to agree on secret keying information with entity j. Each party desires an assurance that no party other than i and j can possibly compute the keying information agreed. Your attack assumes that j is the bad guy. That's not what Blake-Wilson seem to be talking about. I disagree. They're supposed to protect themselves. There is no assurance that no other party can compute the keying information if the keys aren't validated. Buggy software can send invalid keys, for instance. This strikes me as sloppy academics at best, or deliberately misleading, at worst. I hope you were merely excited and in a rush, but either way you've thrown several red flags. This characterization is unnecessary. We are not a research organization and I am not an academic. We are simply pointing out that nobody is following the recommendations. I admit that the title of the blog post could have been less inflammatory. You also did not address the fact that DoS/MitM implementations don't need to compute the secret, so the processing power required to run them is a lot lower. -Adam Bozanch ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
