Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Georgi Guninski guninski at guninski.com
Mon Sep 7 23:47:38 PDT 2015


On Sat, Sep 05, 2015 at 11:45:07AM +0000, Peter Gutmann wrote:
> So if you generate them yourself, you're OK.  If you get them from a CA then
> you don't need to care because if the CA wants to attack you then they can
> just issue a forged cert in your name and don't need to worry about
> backdooring the params (in any case using shared params is a bad idea because
> they allow forgery of signatures on certificates. Suppose that the certificate
> contains a copy of the certificate signer's DSA parameters, and the verifier
> of the certificate has a copy of the signer's public key but not the signer's
> DSA parameters (which are shared with other keys). If the verifier uses the
> DSA parameters from the certificate along with the signer's public key to
> verify the signature on the certificate, then an attacker can create bogus
> certificates by choosing a random u and finding its inverse v modulo q (uv is
> congruent to 1 modulo q).  Then take the certificate signer's public key g^x
> and compute g' = (g^x)^u. Then g'^v = g^x.  Using the DSA parameters p, q, g',
> the signer's public key corresponds to the private key v, which the attacker
> knows.  The attacker can then create a bogus certificate, put parameters (p,
> q, g') in it, and sign it with the DSA private key v to create an apparently
> valid certificate).
>

Sorry, but I don't understand the final stage of the attack.

If I follow correctly, you start from a public DSA key
with strong parameters and produce another keypair,
which is related to the original key, but is distinct
from it.

What is the final stage of the attack?
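The parameter-substitution attack quoted above, worked through as an added toy example (constructed here, not code from either poster): it shows that the forged signature verifies when the checker takes (p, q, g) from the certificate, and fails when g comes from the same trusted record as the signer's public key. The tiny group (p = 23, q = 11), the stand-in hash, and the fixed private key and nonce are assumptions made only so the run is reproducible.

```python
# Toy DSA (constructed, deliberately tiny: p = 23, q = 11) showing why a
# verifier must never take (p, q, g) from the certificate it is checking.
P, Q = 23, 11
G = pow(2, (P - 1) // Q, P)  # 4, generates the order-11 subgroup mod 23


def toy_hash(msg: bytes) -> int:
    """Stand-in for the message digest reduced mod q (not a real hash)."""
    return sum(msg) % Q


def sign(msg, x, g, k):
    """DSA signature of msg under private key x, generator g, nonce k."""
    r = pow(g, k, P) % Q
    s = pow(k, -1, Q) * (toy_hash(msg) + x * r) % Q
    assert r and s, "retry with another nonce"
    return r, s


def verify(msg, sig, y, g):
    """DSA verification; the caller decides which generator g to trust."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = toy_hash(msg) * w % Q, r * w % Q
    return (pow(g, u1, P) * pow(y, u2, P) % P) % Q == r


def substitute_params(y, u):
    """Gutmann's step: v = u^-1 mod q and g' = y^u, so that g'^v = y."""
    v = pow(u, -1, Q)
    return pow(y, u, P), v


def demo():
    x = 3                      # CA's real private key (constructed value)
    y = pow(G, x, P)           # CA's public key, which the verifier trusts
    g_prime, v = substitute_params(y, u=5)
    assert pow(g_prime, v, P) == y   # under g', y is the public key of v
    bogus, legit = b"bogus", b"legit"
    forged = sign(bogus, v, g_prime, k=2)   # attacker signs with v
    genuine = sign(legit, x, G, k=2)        # CA signs with its real key
    return {
        "accepts_with_cert_params": verify(bogus, forged, y, g_prime),
        "accepts_with_trusted_params": verify(bogus, forged, y, G),
        "accepts_genuine": verify(legit, genuine, y, G),
    }
```

The mitigation is the second line of the result: bind (p, q, g) to the trusted key record, so parameters carried in the certificate are ignored or checked for equality before use.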
More information about the cypherpunks mailing list