tag:blogger.com,1999:blog-5832863639484084941.post2235833002254502540..comments2017-03-26T11:04:53.831-07:00Comments on Into the symmetry: OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)Antonio Sansonoreply@blogger.comBlogger23125tag:blogger.com,1999:blog-5832863639484084941.post-6867086211952065772016-04-20T22:07:31.785-07:002016-04-20T22:07:31.785-07:00Great blog! i actually love however it's strai...Great blog! i actually love however it's straightforward on my eyes and therefore the info area unit well written. I'm curious however I'd be notified whenever a brand new post has been created. I actually have signed to your rss feed that extremely ought to do the trick! Have a pleasant day!<br /><br />Clay Anderson<br /><a href="http://www.buyessays.us/" rel="nofollow">college essay writing service</a>Clay Andersonhttp://www.blogger.com/profile/03545962912345103881noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-7211052882404851962016-02-15T21:48:50.235-08:002016-02-15T21:48:50.235-08:00yes, try to negotiate it....yes, try to negotiate it....Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-64036908897260177232016-02-12T01:17:44.440-08:002016-02-12T01:17:44.440-08:00Thanks for the elaborate post...
Is there a way ...Thanks for the elaborate post... <br /><br />Is there a way to check if the server supports static DH ciphersuites? Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-40452957869105551472016-02-08T00:56:57.999-08:002016-02-08T00:56:57.999-08:00you are completely right. there were indeed few ty...you are completely right. there were indeed few typos. Corrected :)Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-72190118144557020852016-02-05T22:18:55.642-08:002016-02-05T22:18:55.642-08:00Great work! But I don't quite understand the s...Great work! But I don't quite understand the step "calculate yb = g*xa (mod p) * B"... In my understanding, it should be ya = g^xa (mod p) * B , and ya is sent to the server. yb in yb^xa * B^j (mod p) is the one received from server, which is yb = g ^ xb (mod p). Please correct me if I am wrong.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-62154152834892988982016-02-01T23:24:44.530-08:002016-02-01T23:24:44.530-08:00@Anamitra. The commit records are a both listed in...@Anamitra. The commit records are a both listed in this blog post :)Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-20434121907158957422016-02-01T14:01:41.113-08:002016-02-01T14:01:41.113-08:00Great Find Antonio.
Is there a commit record for ...Great Find Antonio.<br /><br />Is there a commit record for the fix.Anamitra Dutta Majumdarhttp://www.blogger.com/profile/02415797084982097232noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-66914006130673822742016-02-01T08:43:44.222-08:002016-02-01T08:43:44.222-08:00@daidai you are actually right. As you can see th...@daidai you are actually right. As you can see this was just a quote of somebody else work though :)Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-11000669860421649762016-02-01T07:03:42.754-08:002016-02-01T07:03:42.754-08:00Great work!
BTW 83501807020473429349 may not be a ...Great work!<br />BTW 83501807020473429349 may not be a prime...Please try 742327609 * 112486462861.<br />I guess the attack complexity slightly decreases.daidainoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-27746195682526484722016-01-30T05:12:50.194-08:002016-01-30T05:12:50.194-08:00About RFC 5114 : true but but why making those fac...About RFC 5114 : true but but why making those factors sooooo small and soooo many ? Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-13057473750042713232016-01-30T05:11:17.318-08:002016-01-30T05:11:17.318-08:00AFAIK ya^q (mod p) = 1 is the right validation. Th...AFAIK ya^q (mod p) = 1 is the right validation. This is the OpenSSL commit https://git.openssl.org/?p=openssl.git;a=commit;h=b128abc3437600c3143cb2145185ab87ba3156a2 (For the record I update the blog post to include it now )Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-9204249683713460722016-01-29T16:48:02.711-08:002016-01-29T16:48:02.711-08:00The answer to why RFC 5114 exists is simple. The ...The answer to why RFC 5114 exists is simple. The NIST standard for Diffie-Hellman key exchanges is NIST Special Publication 800-56A. If you read page 28 of the 2007 version of this standard you will find that NIST explicitly requires that primes for use in Finite Field Diffie-Hellman have the same form as the primes they require for DSA.<br /><br />As far as I know NIST has always accepted primes (p) of a forms such that (p-1)/2 is prime - thus not conforming to their standard. The writers of RFC 5114 were just supplying some primes that actually met NIST's own standard.<br /><br />Regarding the question of why 2 wasn't used as a generator I think the answer is also simple. Given a prime modulus p such that there's another prime q that divides (p-1)/2 you want the generator to be an element of order q. The probability that the integer "2" happens to be of order q is very, very, small. The NIST standard for DSA has several complex processes to generate the generator given the primes p and q. Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-7105426341580499132016-01-29T13:48:48.051-08:002016-01-29T13:48:48.051-08:00
are you sure the fix is ya^q (mod p) = 1? This ho...<br />are you sure the fix is ya^q (mod p) = 1? This holds for any ya according to Fermat little theorem. If p is not a safe prime, it means order of group (since p is prime, = p-1 = q) has small prime factors, say q = q0 q1 ... qn. Assuming one of them is big (call it qi), then you ought to check that ya^qi = 1 mod p. That would ensure that your group order is big, and an attacker cannot trick u into using a small subgroup attack.<br />Can you point out the file where the supposedly fix is done?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-9647040445390787682016-01-29T10:08:43.539-08:002016-01-29T10:08:43.539-08:00ooops :) thanks !! updatedooops :) thanks !! updatedAntonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-24623114404972401002016-01-29T10:02:43.722-08:002016-01-29T10:02:43.722-08:00Antonio, in the Disclosure Timeline area you list ...Antonio, in the Disclosure Timeline area you list a CVE that doesn't match the title of the article. Both CVE-2015-1788 and CVE-2016-0701 are mentioned. Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-5907712451941140882016-01-29T07:34:52.242-08:002016-01-29T07:34:52.242-08:00isn't the same CVE listed here or am I missing...isn't the same CVE listed here or am I missing something? :)Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-69766948690031146592016-01-29T05:40:08.097-08:002016-01-29T05:40:08.097-08:00CVE is different on OpenSSL advisory, they're ...CVE is different on OpenSSL advisory, they're listing CVE-2016-0701 as the ID fr this.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-63533658877211522282016-01-29T01:25:02.846-08:002016-01-29T01:25:02.846-08:00Great job, Antonio!Great job, Antonio!Dominiquenoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-34866804077872073652016-01-28T21:32:38.824-08:002016-01-28T21:32:38.824-08:00Thanks a lot.. Got most of stuff.Thanks a lot.. Got most of stuff.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-71265613712829044452016-01-28T21:19:24.665-08:002016-01-28T21:19:24.665-08:00thanks. I did update the link!thanks. I did update the link!Antonio Sansohttp://www.blogger.com/profile/13409233330078201207noreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-70700354888016081612016-01-28T16:23:05.915-08:002016-01-28T16:23:05.915-08:00The link to Paul Wouters reply is wrong and instea...The link to Paul Wouters reply is wrong and instead points to the openssl announcement. Thanks!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-28348148445020203372016-01-28T16:18:32.132-08:002016-01-28T16:18:32.132-08:00Ditto. Great find and blog post. Thanks!Ditto. Great find and blog post. Thanks!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5832863639484084941.post-49459867793608352632016-01-28T09:25:54.199-08:002016-01-28T09:25:54.199-08:00Great work to all involved in raising and fixing t...Great work to all involved in raising and fixing this issue and thank you Antonio for documenting this so thoroughly.Anonymousnoreply@blogger.com