Full Disclosure mailing list archives
Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ?
From: Georgi Guninski <guninski () guninski com>
Date: Wed, 16 Apr 2014 11:44:00 +0300
On Tue, Apr 15, 2014 at 09:20:11PM +0200, Hanno Böck wrote:
> On Tue, 15 Apr 2014 17:06:13 +0300
> Georgi Guninski <guninski () guninski com> wrote:
>
>> openssl accepts DSA (and probably DH) keys with g=1 (or g= -1).
>> Both are extremely weak, in practice plaintext.
>>
>> openssl also accepts 15 as a prime for DH.
>
> I recently looked at this:
> http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html

Interesting blog post.

AFAICT weak DH keys can't be recognized since they can be well formed.

The hardness of the discrete log doesn't depend on the size of $p$ but on the size of $q$ which is the largest prime factor of the multiplicative order of $g$. State of the art is $O(\sqrt{q})$, naive is $O(q)$.

Here is a sage program with $p$ 1420 bit prime and $q=1021$.

https://j.ludost.net/blog/dh-prime.sage

Session:

    sage: load dh-prime.sage
    log_2(p) 1419.52213626721
    p prime True
    G.order() 1021
    0 dlog 669
    1 dlog 172
    2 dlog 683
    3 dlog 428
    4 dlog 277
    5 dlog 914
    6 dlog 853
    7 dlog 56
    8 dlog 774
    9 dlog 297
    10 dlog 7

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
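An added example, not part of the original message and not OpenSSL's code: a receiver-side parameter check covering the cases raised in this thread (composite p such as 15, g = +/-1, and a prime p whose g generates a subgroup of order 1021). The function names, the `min_bits` default and the safe-prime-only policy are assumptions of this sketch, and the weak group is constructed at about 74 bits rather than 1420.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; fixed bases can be fooled by crafted composites."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # a is a witness: n is composite
    return True

def check_dh_params(p, g, min_bits=2048):
    """Return the reasons to reject (p, g); an empty list means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p is shorter than %d bits" % min_bits)
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        # Without the factorisation of p-1 the order of g cannot be checked,
        # so only safe primes p = 2q+1 are accepted: g then has order q or 2q.
        problems.append("p is not a safe prime")
    if p > 0 and g % p in (0, 1, p - 1):
        problems.append("g is 0 or +/-1 mod p")
    return problems

def small_subgroup_sample(q=1021, start=2**64):
    """Constructed sample: prime p = k*q + 1 and a generator g of order exactly q."""
    k = start
    while not is_probable_prime(k * q + 1):
        k += 2                                   # k stays even so p stays odd
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:                     # h^((p-1)/q) != 1 has order q
        h += 1
    return p, pow(h, k, p)
```

The constructed pair passes the primality and g checks and is rejected only by the safe-prime test, since every value g can produce lies in a set of 1021 elements.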