Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
Alfonso De Gregorio
alfonso.degregorio at gmail.com
Sat Sep 5 08:40:24 PDT 2015
On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski at guninski.com> wrote:
...
> I mean: non-proper DH is implementation which doesn't return
> error/aborts if $q$ is composite. $q$ is defined in the RFC.
I'm not aware of any implementation that fails to abort if q is composite.
As a case in point, OpenSSL versions implementing X9.42 DH
(1.0.2-Beta2 and above) test both p and q for primality:
int DH_check(const DH *dh, int *ret)
{
    /* ... */
    if (dh->q) {
        /* ... */
        if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
            *ret |= DH_CHECK_Q_NOT_PRIME;
    }

and

    if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
        *ret |= DH_CHECK_P_NOT_PRIME;
    else if (!dh->q) {
        /* ... */
    }
I have no evidence, though, that applications built on OpenSSL call the
DH_check() function every time they need to.
Cheers,
-- Alfonso
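As an added illustration (not part of the message above and not OpenSSL's code), the following Python models the X9.42 checks that the quoted DH_check() excerpt performs, and wraps a toy two-party agreement in a caller that refuses to derive a key unless the check comes back clean. Flag names follow the OpenSSL ones quoted above, but the logic is a re-implementation; the branch taken when q is absent (elided in the excerpt) is reduced here to a safe-prime test, and the generator range check is an addition not shown in the excerpt. The parameters are constructed toy values, not from any standard.

```python
"""Model of OpenSSL's DH_check() validation for X9.42-style (p, q, g)
Diffie-Hellman parameters.  Added example: this is not OpenSSL code;
only the flag names are borrowed from OpenSSL."""
import secrets
from typing import Optional

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 64) -> bool:
    """Miller-Rabin with random bases; stands in for BN_is_prime_ex()."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # write n - 1 = 2**r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a witnesses compositeness
    return True


def dh_check(p: int, q: Optional[int], g: int, j: Optional[int] = None) -> set:
    """Return the set of problems found; empty means the parameters look sound.

    With q present this mirrors the X9.42 branch of DH_check(): g must have
    order q, q must be prime, and j (if given) must satisfy p == j*q + 1.
    Without q only a safe-prime test is done, a simplification of the
    branch the quoted excerpt elides."""
    problems = set()
    if not 1 < g < p - 1:                         # range check added here, not in the excerpt
        problems.add("DH_NOT_SUITABLE_GENERATOR")
    if q is not None:
        if pow(g, q, p) != 1:                     # g is not in the order-q subgroup
            problems.add("DH_CHECK_INVALID_Q_VALUE")
        if not is_probable_prime(q):              # the check the thread is about
            problems.add("DH_CHECK_Q_NOT_PRIME")
        if j is not None and j * q + 1 != p:
            problems.add("DH_CHECK_INVALID_J_VALUE")
    if not is_probable_prime(p):
        problems.add("DH_CHECK_P_NOT_PRIME")
    elif q is None and not is_probable_prime((p - 1) // 2):
        problems.add("DH_CHECK_P_NOT_SAFE_PRIME")
    return problems


def derive_shared_secret(p: int, q: int, g: int) -> int:
    """Toy two-party agreement that runs only after dh_check() passes.
    An implementation that skips this call will happily agree on a key
    over parameters whose q is composite."""
    problems = dh_check(p, q, g)
    if problems:
        raise ValueError("bad DH parameters: " + ", ".join(sorted(problems)))
    a = 1 + secrets.randbelow(q - 1)              # private exponents in [1, q-1]
    b = 1 + secrets.randbelow(q - 1)
    ya, yb = pow(g, a, p), pow(g, b, p)           # exchanged public values
    s_a, s_b = pow(yb, a, p), pow(ya, b, p)
    assert s_a == s_b
    return s_a


# Constructed toy parameters (not from any standard).
# p = 2q + 1 with q = 11 prime; g = 2 has order 11 mod 23.
GOOD = (23, 11, 2)
# q = 15 = 3 * 5 is composite; 2 has order 5 mod 31, so 2**15 == 1 (mod 31)
# and the subgroup-order check alone would not notice.
COMPOSITE_Q = (31, 15, 2)

if __name__ == "__main__":
    print("good params:", dh_check(*GOOD) or "ok")
    print("composite q:", dh_check(*COMPOSITE_Q))
    print("shared secret:", derive_shared_secret(*GOOD))
    try:
        derive_shared_secret(*COMPOSITE_Q)
    except ValueError as exc:
        print("refused:", exc)
```

The primality test uses random bases for every call, which is what matters in an adversarial setting: a peer who chooses q can pick a composite that fools a fixed list of bases, but cannot predict 64 fresh ones. The caller side is the point of the thread: DH_check() only protects applications that invoke it before using the parameters.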