Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Alfonso De Gregorio alfonso.degregorio at gmail.com
Sat Sep 5 07:06:22 PDT 2015

On Sat, Sep 5, 2015 at 1:31 PM, Georgi Guninski <guninski at guninski.com> wrote:
> On Sat, Sep 05, 2015 at 11:45:07AM +0000, Peter Gutmann wrote:
>> The real question though is, why would anyone use parameters they didn't
>> generate themselves?  All DSA implementations I've seen (apart from some
> What about MITM in DH -- where do you get the keys from
> in this case?

A key-recovery attack may allow the retroactive decryption of past
communication sessions, if the network endpoints rely on fixed
Diffie-Hellman. Of course, whenever an attacker can successfully mount
a MITM attack the current sessions are compromised.


-- Alfonso

More information about the cypherpunks mailing list