Secure Coding mailing list archives

DH exchange: conspiracy or ignorance?

From: bitsec at fakse-ldp.dk (Bjarne Carlsen)
Date: Wed, 19 Sep 2007 19:04:20 +0200

Since most, if not all implementations of DH key exchange are set to
choose p and q from primes with several hundreds of digits, the chance
of getting a zero or one is extremely small to non-existent.

That aside the finding is, of course, an implementation weakness.

Bjarne

---
Bjarne Carlsen
CTO 
I/S Mail2Net
Denmark

ons, 19 09 2007 kl. 11:31 -0400, skrev Evgeny Lebanidze:

Yes, this is certainly bad and a very interesting finding.  These checks should clearly be present.  Are there 
serious practical ramifications of this problem though?  In other words, how likely is it that the generated public 
key in the DH key exchange will actually be 0 or 1?  It can certainly happen, but our passive attacker would have to 
be passive for a very long time and there is no guarantee that the secret key they might eventually get will be of 
interest to them (since the attacker cannot control when a weak public key is produced).  Just a thought.

Evgeny

-------------------------------------------------
Evgeny Lebanidze
Senior Security Consultant, Cigital
703-585-5047, http://www.cigital.com
Software Confidence.  Achieved.


-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kowsik
Sent: Wednesday, September 19, 2007 1:24 AM
To: SC-L at securecoding.org
Subject: [SC-L] DH exchange: conspiracy or ignorance?

http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/

K.

ps: I work for Mu.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Current thread:

DH exchange: conspiracy or ignorance? Kowsik (Sep 18)
- DH exchange: conspiracy or ignorance? Evgeny Lebanidze (Sep 19)
  - DH exchange: conspiracy or ignorance? Leichter, Jerry (Sep 19)
  - DH exchange: conspiracy or ignorance? Bjarne Carlsen (Sep 19)
- <Possible follow-ups>
- DH exchange: conspiracy or ignorance? Adam Bozanich (Sep 19)