Full Disclosure mailing list archives
Should openssl accept weak DSA/DH keys with g = +/- 1 ?
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 15 Apr 2014 17:06:13 +0300
openssl accepts DSA (and probably DH) keys with g=1 (or g= -1). Both are extremely weak, in practice plaintext. g=1 works all the time g= -1 works about half the time in DSA (on vanilla openssl). Is there a MITM implication in this, e.g. can a MITM convince both parties that g=1 -- in this case the private keys won't matter in DH. Attached are certs. $ openssl x509 -text -in certg=1.pem G: 1 (0x1) #server $openssl s_server -accept 8888 -cert ./certg=1.pem -key certg=1.key -CAfile ./cacert.pem -www #client $ openssl s_client -connect localhost:8888 -showcerts -CAfile cacert.pem Verify return code: 0 (ok) -- blog: https://j.ludost.net/blog
Attachment:
cacert.pem
Description:
Attachment:
certg=1.pem
Description:
Attachment:
certg=1.key
Description:
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 15)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 15)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Pavel Kankovsky (Apr 17)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Jeffrey Walton (Apr 17)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 15)