lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Apr 2014 11:44:00 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Hanno Böck <hanno@...eck.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Should openssl accept weak DSA/DH keys with g = +/- 1 ?

On Tue, Apr 15, 2014 at 09:20:11PM +0200, Hanno Böck wrote:
> On Tue, 15 Apr 2014 17:06:13 +0300
> Georgi Guninski <guninski@...inski.com> wrote:
> 
> > openssl accepts DSA (and probably DH) keys with
> > g=1 (or g= -1). Both are extremely weak, in
> > practice plaintext.
> 
> openssl also accepts 15 as a prime for DH. I recently looked at this:
> http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html
>

Interesting blog post.

AFAICT weak DH keys can't be recognized
since they can be well formed.

The hardness of the discrete log doesn't
depend on the size of $p$ but on the size
of $q$ which is the largest prime factor
of the multiplicative order of $g$.

State of the art is $O(\sqrt{q})$, naive
is O(q).

Here is a sage program with $p$
1420 bit prime and $q=1021$.
https://j.ludost.net/blog/dh-prime.sage

Session:

sage: load dh-prime.sage
log_2(p) 1419.52213626721
p prime True
G.order() 1021
0 dlog 669
1 dlog 172
2 dlog 683
3 dlog 428
4 dlog 277
5 dlog 914
6 dlog 853
7 dlog 56
8 dlog 774
9 dlog 297
10 dlog 7


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists