Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
Alfonso De Gregorio
alfonso.degregorio at gmail.com
Fri Sep 4 23:37:09 PDT 2015
On Sat, Sep 5, 2015 at 5:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
...
> This works with openssl 1.0.1p over SSL.
>
> Attached is self signed cert and the priv. key.
>
> Session:
> ./apps/openssl s_server -accept 8080 -cert ./cacert2.pem -key
> ./key-comp2.key -HTTP
>
> openssl s_client -connect localhost:8080
>
> Server public key is 1204 bit
> Verify return code: 18 (self signed certificate)
>
>
> sage: q=0x008000000000000000001d8000000000000000012b
> sage: factor(q)
> 604462909807314587353111 * 1208925819614629174706189
Georgi,
just a quick note to thank you for sharing your research and taking
time to verify your findings against OpenSSL.
I've been researching cryptographic backdoors -- you may want to
review this http://illusoryTLS.com/ -- and the lack of checks on group
parameters, malicious or otherwise (*), is to me yet another cause for
concern. Great catch!
(*) It would be interesting to look at the story of RFC-2631, as
Bernstein, Lange, and Niederhagen did for the Dual EC standard
https://projectbullrun.org/dual-ec/
Cheers,
-- Alfonso
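A parameter check of the kind the reply says is missing, as an added example that is not code from the thread or from OpenSSL; the composite q is copied verbatim from the quoted Sage session, and the small passing group is a constructed toy:

```python
"""RFC 2631 style group parameter check: p, q prime, q | p-1, 1 < g < p,
g^q = 1 mod p.  Added example, not code from the thread or from OpenSSL.
The thread's composite q fails the primality test even where g^q = 1 holds."""
import random

# Subgroup order quoted in the thread, copied verbatim (DER-style 00 prefix).
Q_FROM_POST = int("008000000000000000001d8000000000000000012b", 16)
# Constructed toy group for the passing case: 11 | 23-1 and 2^11 = 1 mod 23.
TOY_P, TOY_Q, TOY_G = 23, 11, 2


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: trial division by small primes, then seeded random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(2631)  # fixed seed keeps results reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def check_dh_group(p: int, q: int, g: int) -> list[str]:
    """Return the failed checks; an empty list means the group passed."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")  # the thread's q fails here
    if q < 2 or (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems
```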