[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Jeffrey Walton noloader at gmail.com
Wed Sep 9 11:33:42 UTC 2015


On Wed, Sep 9, 2015 at 7:15 AM, Georgi Guninski <guninski at guninski.com> wrote:
> On Wed, Sep 09, 2015 at 07:03:59AM -0400, Jeffrey Walton wrote:
>> On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
>> > In short openssl 1.0.1p accepts composite $q$
>> > in DSA verify/SSL.
>> >
>> > If $q$ is backdoored in the DSA/DH group parameters,
>> > this breaks all private keys using it (see links at
>> > bottom)...
>> >
>> Just bikeshedding, but before I went any further with it, I would
>> verify DSA_check_key(...) does *not* reject the key.
>>
>
> Don't the sessions with s_client/s_server and
> dsa verify (in the links) show this works in practice,
> no matter of your question?

I don't believe so. It's been my experience that very few
secure/high-integrity applications actually validate parameters out of
the box :(

In some cases, crypto parameters cannot be validated; for example,
those damn Lim-Lee primes. To validate a Lim-Lee prime, you need the
unique factorization of 'q' as a witness, which no one provides. (As
opposed to Sophie Germain or safe primes.)

I also think the validation problems that plague high integrity
software make ed25519 and friends so appealing. I think all of the
keys are valid, so you don't need to validate them.

Jeff
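As an added example (not code from the thread or from OpenSSL), these are the domain-parameter checks a DSA verifier should run before trusting (p, q, g) and a public key y, including the composite-q case the thread discusses. The function names `is_probable_prime` and `check_dsa_params` are hypothetical, and the toy parameters are constructed for illustration only.

```python
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin. The fixed bases are deterministic for n < 3.3e24;
    the extra random bases cover realistic (1024/2048-bit) sizes."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = list(small) + [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness of compositeness
    return True

def check_dsa_params(p: int, q: int, g: int, y=None) -> list:
    """Return the list of failed checks; an empty list means accepted."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")   # the composite-q case from the thread
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    if y is not None:
        if not 1 < y < p:
            problems.append("y out of range")
        elif pow(y, q, p) != 1:
            problems.append("y is not in the subgroup generated by g")
    return problems

# Constructed toy parameters (far too small for real use).
GOOD = dict(p=23, q=11, g=4)        # 11 | 22 and 4^11 mod 23 == 1
COMPOSITE_Q = dict(p=19, q=9, g=4)  # 9 | 18 and 4^9 mod 19 == 1, but 9 = 3*3
```

Note that COMPOSITE_Q passes every structural check except primality of q, which is exactly why a verifier that only tests divisibility and subgroup membership will accept it.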
