Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Alfonso De Gregorio alfonso.degregorio at gmail.com
Sat Sep 5 09:15:16 PDT 2015


On Sat, Sep 5, 2015 at 4:06 PM, Georgi Guninski <guninski at guninski.com> wrote:
> On Sat, Sep 05, 2015 at 03:40:24PM +0000, Alfonso De Gregorio wrote:
>> On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski at guninski.com> wrote:
>> ...
>> > I mean: non-proper DH is implementation which doesn't return
>> > error/aborts if $q$ is composite. $q$ is defined in the RFC.
>>
>> I'm not aware of any implementation that fails to abort if q is composite.
>>
>> As a case in point, OpenSSL versions implementing X9.42 DH
>> (1.0.2-Beta2 and above) test both p and q for primality:
>>
>> int DH_check(const DH *dh, int *ret)
>> {
>>    /* ... */
>>
>>     if (dh->q) {
>>         /* ... */
>>         if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
>>             *ret |= DH_CHECK_Q_NOT_PRIME;
>
>
> In 1.0.1p is_prime() is such a mess, it appears to often return $-1$
> by quick audit.
>
> Did you check the explicit POC in this thread against this version
> of openssl?

Yes, I did. The DSA PoC works against OpenSSL version 1.0.2d (snapshot).

Cheers,

-- Alfonso
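The DH_check excerpt above only shows the q primality test. As an added example that is not part of the thread and is not OpenSSL's code, here is a small X9.42-style parameter validator written in the spirit of DH_check: it tests p and q for primality (Miller-Rabin with fixed rounds), checks that q divides p-1, and checks that g generates the order-q subgroup. The toy parameters, the flag names and the helper functions are constructed for this illustration; in particular, (p, q, g) = (31, 15, 7) has a composite q that a check of only g^q mod p == 1 would accept.

```python
# Added example (not from the thread, not OpenSSL): a DH_check-style
# parameter validator that returns a set of failure flags.
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; returns False for n < 2."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    # Write n-1 as 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so the example is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def naive_generator_check(p, q, g):
    """The incomplete check: only g^q == 1 (mod p), q never tested for primality."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def check_dh_params(p, q, g):
    """Return a set of flag names (hypothetical, modelled on DH_CHECK_*);
    an empty set means the parameters pass every test."""
    flags = set()
    if not is_probable_prime(p):
        flags.add("P_NOT_PRIME")
    if not is_probable_prime(q):
        flags.add("Q_NOT_PRIME")
    if (p - 1) % q != 0:
        flags.add("INVALID_Q_VALUE")
    if not (1 < g < p - 1) or pow(g, q, p) != 1:
        flags.add("NOT_SUITABLE_GENERATOR")
    return flags


# Constructed toy parameters (far too small for real use).
GOOD = (23, 11, 4)          # p = 2q+1, g = 4 has order 11 mod 23
COMPOSITE_Q = (31, 15, 7)   # q = 3*5 divides p-1 = 30; 7 has order 15 mod 31

if __name__ == "__main__":
    for params in (GOOD, COMPOSITE_Q):
        print(params, "naive:", naive_generator_check(*params),
              "full:", check_dh_params(*params) or "OK")
```

The point of the second parameter set is that the subgroup relation g^q mod p == 1 holds even though q is composite, so an implementation that skips the primality test on q reports the parameters as valid while a DH_check-style validator flags Q_NOT_PRIME.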


