Re: [FD] Should openssl accept weak DSA/DH keys with g = +/- 1 ?
- To: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Subject: Re: [FD] Should openssl accept weak DSA/DH keys with g = +/- 1 ?
- From: Pavel Kankovsky <peak@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Apr 2014 18:50:06 +0200 (CEST)
On Wed, 16 Apr 2014, Georgi Guninski wrote:
> AFAICT weak DH keys can't be recognized
> since they can be well formed.
You can check whether the modulus is a safe prime (p = 2q + 1
where q is a prime number as well) and whether the generator is not a
degenerate one (g != +/- 1; this is sufficient to prove that the order
of g is either q or 2q).
Does anyone use non-safe primes for DH? Afaik any well-known moduli
are safe. And openssl dhparam generates safe primes only.
The check would burn quite a lot of CPU cycles but it would be feasible
and the client could cache results because benign servers are expected to
switch groups rather infrequently.
> The hardness of the discrete log doesn't depend on the size of $p$ but
> on the size of $q$ which is the largest prime factor of the
> multiplicative order of $g$.
No. It depends on both of those sizes in the sense that for some moduli
the algorithm whose complexity depends on q (Pollard's rho?) is better,
for other moduli other algorithms (e.g. NFS) depending on p (L_p(a,c) to
be precise) are more efficient.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
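
Added example, not part of the original message and not OpenSSL code: one way a client could implement the check described in the reply (safe-prime modulus, generator not +/- 1, verdicts cached per group). The function names are hypothetical, and rejecting g = 0 as well is an addition beyond what the message lists.

```python
import random
from functools import lru_cache

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

@lru_cache(maxsize=128)        # cache verdicts: servers rarely switch groups
def check_dh_group(p, g):
    """Return (ok, reason) for a DH group offered by a peer."""
    if p < 5 or p % 2 == 0:
        return False, "modulus too small or even"
    g %= p
    if g in (0, 1, p - 1):     # 0 is not in the group; +/-1 have order 1 or 2
        return False, "degenerate generator"
    q = (p - 1) // 2
    if not (is_probable_prime(q) and is_probable_prime(p)):
        return False, "modulus is not a safe prime"
    # p = 2q + 1 with q prime: the order of g divides 2q, and with +/-1
    # excluded it is q when g^q == 1 (mod p), otherwise 2q.
    return True, "order q" if pow(g, q, p) == 1 else "order 2q"

if __name__ == "__main__":
    # Constructed toy parameters; real moduli are 2048 bits or more.
    for p, g in [(23, 2), (23, 5), (23, 22), (29, 2), (15, 2)]:
        print(p, g, check_dh_group(p, g))
```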