On Wed, Sep 09, 2015 at 02:46:05PM +0300, Georgi Guninski wrote: > Is this ``issue'' real or imaginary according to developers, developers, > developers(!) ? On Wed, Sep 09, 2015 at 01:28:42PM +0300, Georgi Guninski wrote: > In short openssl 1.0.1p accepts composite $q$ > in DSA verify/SSL. > > On my blog I summarized with title: > > RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken > (and possibly backdoored) > > https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html The backdoor assertion looks wrong, the check on the bit-length of q is correct as required by the standards, and the subgroups in question are not "small", rather they are commensurate with the expected security level. As for running primality tests, presumably certificates signed by a trusted CA use a prime q. If the certificate is *not* signed by a trusted CA, of course the connection is not secure... You forgot to include the full context from the standard: ... Whether agents provide validation information in their certificates is a local matter between the agents and their CA. The expected time for this sort of check is when CAs sign certificates, not when TLS handshake participants validate the certificates of their peers (issued by trusted issuers, or else why bother). -- Viktor.
