Peter Gutmann wrote:
> Russ Housley <hous...@vigilsec.com> writes:
>
>> I thought people on this list would find this article interesting:
>> http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/
>
> If you read the discussion around that it's far more likely to be due
> to incompetence. The flawed 1024-bit prime was replacing the 512-bit
> prime that had been in use until then, and the guy who made the
> change was asking for help with various other things which indicated
> he wasn't the most capable developer (I don't have the links any more
> but it was linked off a thread on ycombinator). It just looks like
> standard badly-done crypto, they also do things like tell you how to
> set up the SSL tunnel without any mention of validating certs so it's
> unlikely they check those, and various other signs that they're not
> doing the crypto too well.

The big question is really why Gerhard Rieger (author of the commit)
didn't ask Zhigang Wang how the new prime had been tested, but simply
accepted the patch. Several people have been running Miller-Rabin and
verified that it failed, and it also fails Fermat's test. Probably not
malice, but a mistake in combination with a failing procedure to verify
a patch before accepting it. I would also like to know what tool
Zhigang Wang used to generate the number.

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joac...@secworks.se
========================================================================
_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
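An added example, not part of the original message and not the project's code: a check a reviewer could run on a proposed prime modulus before accepting a patch, using the Fermat and Miller-Rabin tests mentioned above. The function names, the 1024-bit minimum and the sample numbers are assumptions; the samples are constructed from known Mersenne primes because the prime under discussion does not appear in this message.

```python
import random

# Constructed sample inputs (not the number discussed in the thread).
KNOWN_PRIME = 2**1279 - 1                       # Mersenne prime, 1279 bits
COMPOSITE = (2**521 - 1) * (2**607 - 1)         # product of two primes, 1128 bits

def fermat_passes(n, base=2):
    """Fermat test: a prime n satisfies base^(n-1) == 1 (mod n)."""
    return n > 2 and pow(base, n - 1, n) == 1

def miller_rabin(n, rounds=40, rng=None):
    """Probabilistic primality test; False means n is definitely composite."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    rng = rng or random.SystemRandom()
    d, s = n - 1, 0
    while d % 2 == 0:                           # write n-1 as d * 2^s, d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # this base is a witness
    return True

def review_prime(p, min_bits=1024):
    """Return the reasons to reject p as a modulus; an empty list means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("shorter than %d bits" % min_bits)
    if not fermat_passes(p):
        problems.append("fails Fermat test (base 2)")
    if not miller_rabin(p):
        problems.append("fails Miller-Rabin")
    return problems

if __name__ == "__main__":
    for name, n in (("KNOWN_PRIME", KNOWN_PRIME), ("COMPOSITE", COMPOSITE)):
        print(name, review_prime(n) or "ok")
```
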