[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Jeffrey Walton noloader at gmail.com
Wed Sep 9 11:45:16 UTC 2015


Hi Georgi,

Sorry to go offlist...

Also keep in mind that the IETF has effectively deprecated the DH
parameters in PKIX certificates. In fact, they moved to fixed DH
groups to avoid the option dance between client and server; and that
has the benefit that the parameters can be validated offline. As for
DSA, the IETF is killing it off, too.

See, for example,
https://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe-00 and
https://www.ietf.org/mail-archive/web/tls/current/msg17489.html
(archive of latter at
https://www.ietf.org/mail-archive/web/tls/current/maillist.html).

Jeff

On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
> In short openssl 1.0.1p accepts composite $q$
> in DSA verify/SSL.
>
> If $q$ is backdoored in the DSA/DH group parameters,
> this breaks all private keys using it (see links at
> bottom).
>
> On linux:
> $./apps/openssl s_server -accept 8080 -cert /tmp/cacert2.pem -key
> /tmp/key-comp2.key
>
> $./apps/openssl s_client -connect localhost:8080
>
> Verify return code: 18 (self signed certificate)
>
>
> $./apps/openssl x509 -text -in /tmp/cacert2.pem
> (make Q hex).
>
> In sage:
> sage: q=0x008000000000000000001d8000000000000000012b
> sage: factor(q)
> 604462909807314587353111 * 1208925819614629174706189
>
> The self signed cert and key are attached.
>
> The discussion started on cypherpunks:
> https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
>
> On my blog I summarized with title:
>
> RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken
> (and possibly backdoored)
>
> https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html
>
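The check OpenSSL is faulted for skipping above is a plain domain-parameter sanity test, so here is one as an added example (not code from this thread, from OpenSSL, or from Sage): a Miller-Rabin primality test and a `validate_dsa_params` routine that reports whether q and p are prime, whether q divides p-1, and whether g has order q. The value of q and its two factors are exactly the ones Georgi quoted; the small triple p=23, q=11, g=4 is constructed here as a parameter set that should pass, and the composite 160-bit q should fail on the very first check.

```python
# Added example: sanity-check DSA/DH domain parameters (p, q, g) before
# trusting them. Pure Python; not OpenSSL's or Sage's code.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with fixed small-prime bases plus `rounds` random bases.

    Returns False for every composite that any base witnesses; returns True
    for primes always, and for composites only with negligible probability.
    """
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # write n-1 = d * 2^s with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    bases = SMALL_PRIMES + [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True


def validate_dsa_params(p, q, g):
    """Return a list of problems with (p, q, g); an empty list means it passed."""
    problems = []
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g is out of range (1, p)")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems


# The q from the certificate in the thread (hex as printed by `openssl x509 -text`)
# and the two factors Sage reported for it.
Q_FROM_THREAD = int("008000000000000000001d8000000000000000012b", 16)
FACTOR_1 = 604462909807314587353111
FACTOR_2 = 1208925819614629174706189

# Constructed toy parameters that satisfy all the checks: 22 = 2 * 11 and
# 4^11 mod 23 == 1, so g = 4 generates the order-11 subgroup.
GOOD_P, GOOD_Q, GOOD_G = 23, 11, 4


def factors_multiply_to_q():
    """Confirms the quoted factorisation reproduces q exactly."""
    return FACTOR_1 * FACTOR_2 == Q_FROM_THREAD


if __name__ == "__main__":
    print("factorisation matches q:", factors_multiply_to_q())
    print("q from thread prime?    ", is_probable_prime(Q_FROM_THREAD))
    print("toy params problems:    ", validate_dsa_params(GOOD_P, GOOD_Q, GOOD_G))
    print("q=10 in toy params:     ", validate_dsa_params(GOOD_P, 10, GOOD_G))
```

The random bases are only there for the usual probabilistic margin; for this particular q the fixed base 2 is already a witness, so the composite verdict does not depend on the random draw. A verifier that ran `validate_dsa_params` on parameters pulled from a certificate would reject this q before ever touching a signature.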

