[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

James A. Donald jamesd at echeque.com
Sat Dec 18 04:26:50 EST 2010


On 2010-12-18 4:35 PM, Peter Gutmann wrote:
> "James A. Donald"<jamesd at echeque.com>  writes:
>
>> Must interoperate with legitimate code.
>>
>> Must plausibly claim to utilize well known algorithms (while actually
>> misusing them or grossly deviating from them).
>
> Sheesh, I can do this without even thinking.  Here's one:
>
>    /* Generate the random value k.  FIPS 186 requires (Appendix 3) that this be
>       done with:
>
>       k = G(t,KKEY) mod q
>
>      where G(t,c) produces a 160-bit output, however this produces a slight bias
>      in k that leaks a small amount of the private key in each signature.
>      Because of this we start with a value which is 32 bits larger than q and
>      then do the reduction, eliminating the bias.
>
> That took all of ten seconds to get.  Result: A completely FIPS 186-compliant
> digsig implementation that leaks the private key.

And one that would take someone checking the code about an hour or so to 
detect.
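An added example, not code from this thread or from any of the implementations it discusses: a Python check a reviewer can run against a DSA nonce generator to see whether its output is actually uniform mod q, rather than trusting a comment like the one quoted above. The three generators and the modulus Q are constructed here for illustration (Q is not a standard DSA parameter); the check compares how often each generator produces k below 2^160 mod q against what a uniform k would give.

```python
import secrets

# Constructed modulus for the demonstration; NOT a standard DSA q. A real q is a
# 160-bit prime, but primality is irrelevant to the bias, which depends only on
# how q compares with 2^T. q ~ 3*2^158 makes the bias large enough to measure.
Q = 3 * (1 << 158) + 12345          # hypothetical value, constructed here
T = 160                              # output width of G(t, KKEY) in FIPS 186
EXTRA = 32                           # extra bits described in the quoted comment


def k_fips186_original(q=Q):
    """k = G(t,KKEY) mod q with a 160-bit G output: biased whenever q < 2^T."""
    return secrets.randbits(T) % q


def k_oversampled(q=Q):
    """Reduce a (T+32)-bit value mod q; residual bias is about 2^-32."""
    return secrets.randbits(T + EXTRA) % q


def k_rejection(q=Q):
    """Rejection sampling on [1, q-1]: exactly uniform."""
    return 1 + secrets.randbelow(q - 1)


def low_range_ratio(gen, q=Q, samples=40000):
    """Observed/expected frequency of k < (2^T mod q); 1.0 means no bias.

    When a T-bit value is reduced mod q, residues in [0, 2^T mod q) are hit
    one extra time, so the biased generator over-produces them. With the
    constructed Q the expected ratio is about 1.5 for the biased generator
    and about 1.0 for the other two.
    """
    boundary = (1 << T) % q
    expected = boundary / q
    hits = sum(1 for _ in range(samples) if gen(q) < boundary)
    return (hits / samples) / expected


if __name__ == "__main__":
    for gen in (k_fips186_original, k_oversampled, k_rejection):
        print(f"{gen.__name__:20s} ratio = {low_range_ratio(gen):.3f}")
```

Because the check exercises the generator's actual output, it catches a mismatch between what a comment claims and what the code does; it only detects the reduce-mod-q bias, not other nonce defects.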
