[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 18 01:35:57 EST 2010

"James A. Donald" <jamesd at echeque.com> writes:

>Must interoperate with legitimate code.
>Must plausibly claim to utilize well known algorithms (while actually
>misusing them or grossly deviating from them.).

Sheesh, I can do this without even thinking.  Here's one:

  /* Generate the random value k.  FIPS 186 requires (Appendix 3) that this be
     done with:

     k = G(t,KKEY) mod q

    where G(t,c) produces a 160-bit output, however this produces a slight bias
    in k that leaks a small amount of the private key in each signature.
    Because of this we start with a value which is 32 bits larger than q and
    then do the reduction, eliminating the bias.

That took all of ten seconds to get.  Result: A completely FIPS 186-compliant
digsig implementation that leaks the private key.

How many more do you want?


More information about the cryptography mailing list