Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Georgi Guninski guninski at guninski.com
Sat Sep 5 09:06:01 PDT 2015


On Sat, Sep 05, 2015 at 03:40:24PM +0000, Alfonso De Gregorio wrote:
> On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski at guninski.com> wrote:
> ...
> > I mean: non-proper DH is implementation which doesn't return
> > error/aborts if $q$ is composite. $q$ is defined in the RFC.
> 
> I'm not aware of any implementation that fails to abort if q is composite.
> 
> As a case in point, OpenSSL versions implementing X9.42 DH
> (1.0.2-Beta2 and above) test both p and q for primality:
> 
> int DH_check(const DH *dh, int *ret)
> {
>    /* ... */
> 
>     if (dh->q) {
>         /* ... */
>         if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
>             *ret |= DH_CHECK_Q_NOT_PRIME;


In 1.0.1p, is_prime() is such a mess that it appears to often return $-1$,
by quick audit.

Did you check the explicit POC in this thread against this version
of openssl?
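The discussion above turns on two checks: whether an implementation verifies that the RFC 2631 subgroup order q is prime, and what a composite q buys an attacker even when the usual public-key validation (y^q mod p == 1) is performed. The following is an added example, not code from the thread, from OpenSSL or from the RFC. It uses constructed toy parameters (p = 859, q = 143 = 11 * 13, chosen so q divides p - 1 but is composite) and my own function names; the flag strings only loosely mirror the kind of checks the quoted DH_check() performs.

```python
"""X9.42 / RFC 2631 DH parameter checks, and why a composite q matters (added example)."""
import random


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin. Demo quality only."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p, q, g):
    """Return the set of problems found in a (p, q, g) parameter set.

    A "proper" implementation in the sense of the thread must report q_not_prime;
    one that only checks g^q mod p == 1 and q | p - 1 will accept a composite q.
    """
    problems = set()
    if not is_probable_prime(p):
        problems.add("p_not_prime")
    if not is_probable_prime(q):
        problems.add("q_not_prime")
    if q <= 1 or (p - 1) % q != 0:
        problems.add("q_does_not_divide_p_minus_1")
    if not (1 < g < p - 1):
        problems.add("g_out_of_range")
    elif pow(g, q, p) != 1:
        problems.add("g_not_order_q")
    return problems


def validate_peer_pubkey(y, p, q):
    """The public-key validation RFC 2631 describes: 1 < y < p - 1 and y^q mod p == 1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def find_order_q_generator(p, q, prime_factors_of_q):
    """Return g = h^((p-1)/q) mod p with order exactly q (toy: caller supplies q's factors)."""
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1 and all(pow(g, q // f, p) != 1 for f in prime_factors_of_q):
            return g
    raise ValueError("no element of order q found")


# Constructed toy parameters (assumption, not from the RFC or the thread):
# p = 859 is prime, p - 1 = 858 = 2 * 3 * 11 * 13, and q = 11 * 13 = 143 is composite.
P, Q = 859, 143
G = find_order_q_generator(P, Q, (11, 13))


def small_subgroup_leak(p, q, g, small_factor, x):
    """Attacker's view when q has a small prime factor.

    y_bad = g^(q/small_factor) has order small_factor, yet passes validate_peer_pubkey
    because y_bad^q == 1. The victim's shared secret y_bad^x then takes only
    small_factor values, so x mod small_factor is recovered by brute force.
    Returns (validation_passed, recovered_residue).
    """
    y_bad = pow(g, q // small_factor, p)
    validated = validate_peer_pubkey(y_bad, p, q)
    shared = pow(y_bad, x, p)  # what the victim computes with its secret exponent x
    for k in range(small_factor):
        if pow(y_bad, k, p) == shared:
            return validated, k
    return validated, None


if __name__ == "__main__":
    print("parameter problems:", check_dh_params(P, Q, G))
    print("leak with factor 11:", small_subgroup_leak(P, Q, G, 11, x=100))
    print("leak with factor 13:", small_subgroup_leak(P, Q, G, 13, x=100))
```

The point of the second half is that the y^q mod p == 1 test is only a subgroup-membership test for the group of order q; if q is composite, that group has proper subgroups, a peer can choose a key inside one of them, and each exchange leaks the secret exponent modulo that factor. Replacing Q with a prime divisor of p - 1 (for example 13, with a matching generator) makes `check_dh_params` return an empty set, which is the state a proper implementation must insist on before it ever derives a key.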

More information about the cypherpunks mailing list