Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Alfonso De Gregorio alfonso.degregorio at gmail.com
Fri Sep 4 23:37:09 PDT 2015

On Sat, Sep 5, 2015 at 5:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
> This works with openssl 1.0.1p over SSL.
> Attached is self signed cert and the priv. key.
> Session:
>  ./apps/openssl s_server -accept 8080 -cert ./cacert2.pem -key
>  ./key-comp2.key -HTTP
>  openssl s_client -connect localhost:8080
>  Server public key is 1204 bit
>  Verify return code: 18 (self signed certificate)
>  sage: q=0x008000000000000000001d8000000000000000012b
>  sage: factor(q)
>  604462909807314587353111 * 1208925819614629174706189


just a quick note to thank you for sharing your research and taking
time to verify your findings against OpenSSL.

I've been researching cryptographic backdoors -- you may want to
review this http://illusoryTLS.com/ -- and the lack of checks on group
parameters, malicious or otherwise (*), is to me yet another cause for
concern. Great catch!

(*) It would be interesting to look at the story of RFC-2631, as
Bernstein, Lange, and Niederhagen did for the Dual EC standard


-- Alfonso

More information about the cypherpunks mailing list