Hi Georgi,

Sorry to go offlist...

Also keep in mind that the IETF has effectively deprecated the DH parameters in PKIX certificates. In fact, they moved to fixed DH groups to avoid the option dance between client and server; and that has the benefit that the parameters can be validated offline.

As for DSA, the IETF is killing it off, too.

See, for example, https://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe-00 and https://www.ietf.org/mail-archive/web/tls/current/msg17489.html (archive of the latter at https://www.ietf.org/mail-archive/web/tls/current/maillist.html).

Jeff

On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
> In short openssl 1.0.1p accepts composite $q$
> in DSA verify/SSL.
>
> If $q$ is backdoored in the DSA/DH group parameters,
> this breaks all private keys using it (see links at
> bottom).
>
> On linux:
> $./apps/openssl s_server -accept 8080 -cert /tmp/cacert2.pem -key
> /tmp/key-comp2.key
>
> $./apps/openssl s_client -connect localhost:8080
>
> Verify return code: 18 (self signed certificate)
>
>
> $./apps/openssl x509 -text -in /tmp/cacert2.pem
> (make Q hex).
>
> In sage:
> sage: q=0x008000000000000000001d8000000000000000012b
> sage: factor(q)
> 604462909807314587353111 * 1208925819614629174706189
>
> The self signed cert and key are attached.
>
> The discussion started on cypherpunks:
> https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
>
> On my blog I summarized with title:
>
> RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken
> (and possibly backdoored)
>
> https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html