Re: Verification of primes in /etc/ssh/moduli file

On Monday, 30 August 2021 06:42:52 CEST, Damien Miller wrote:
> On Thu, 26 Aug 2021, Demi Marie Obenour wrote:
>
> > One can prove primality using the Miller-Rabin test, which will
> > detect composites with probability at least 3/4 per round.  After 64
> > rounds the likelihood of a composite not being detected is not more
> > than 2⁻¹²⁸, even for adversarial choices of moduli.  Note that
> > the primality testing APIs in cryptographic libraries are often not
> > designed for this, as they perform optimizations that are not valid for
> > adversarially chosen numbers.
>
> I assumed the safety of most libraries in the adversarial model was
> fixed a while ago, after https://eprint.iacr.org/2018/749.pdf pointed
> out a bunch of flaws. Shame on me for not checking thoroughly...

I haven't looked into OpenSSH or libssh, but for TLS the clients generally _don't_ check if p is a prime, let alone a safe prime, so it doesn't really matter if the isPrime() function is hardened or not, as it's not used in the first place...

(Unless you run in FIPS mode with a recently certified module, then you
can use only few hardcoded primes from rfc3526 or rfc7919)
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
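The check discussed in this thread, as an added example that is not code from the thread or from OpenSSH: a 64-round Miller-Rabin test with uniformly random bases (so the 4^-64 = 2^-128 error bound holds for adversarially chosen moduli, with none of the fixed-base shortcuts the thread warns about), a safe-prime check on top of it, and a verifier for one line of /etc/ssh/moduli. The moduli field layout assumed here is the documented "time type tests tries size generator modulus" order with the modulus in hex; the sample lines below are constructed with tiny values so the result can be checked by hand.

```python
import secrets

ROUNDS = 64  # each round misses a composite with probability <= 1/4, so 4**-64 = 2**-128 overall


def is_probable_prime(n: int, rounds: int = ROUNDS) -> bool:
    """Miller-Rabin with bases drawn from the OS CSPRNG on every call.

    Deliberately no fixed witness list, no small-prime trial-division early exit
    and no caching: those are the optimisations that stop being valid once the
    number under test was chosen by someone who knows the test.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0  # write n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime iff p is odd and both p and q = (p-1)/2 are prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_moduli_line(line: str) -> bool:
    """Verify one moduli(5) record (assumed layout: time type tests tries size generator modulus)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    return is_safe_prime(int(fields[6], 16))


# Constructed sample records (hypothetical values, not from a real moduli file):
GOOD_LINE = "20210830000000 2 6 100 4 2 17"     # modulus 0x17 = 23 = 2*11+1, a safe prime
PRIME_NOT_SAFE = "20210830000000 2 6 100 3 2 d"  # modulus 0xd = 13, prime but (13-1)/2 = 6 is not
CARMICHAEL = "20210830000000 2 6 100 9 2 231"    # modulus 0x231 = 561, a Carmichael composite
```

Running all three through `check_moduli_line` accepts only GOOD_LINE, which is the distinction the thread makes between "prime" and "safe prime".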