[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)
James A. Donald
jamesd at echeque.com
Sat Dec 18 04:26:50 EST 2010
On 2010-12-18 4:35 PM, Peter Gutmann wrote:
> "James A. Donald"<jamesd at echeque.com> writes:
>> Must interoperate with legitimate code.
>> Must plausibly claim to utilize well known algorithms (while actually
>> misusing them or grossly deviating from them).
> Sheesh, I can do this without even thinking. Here's one:
> /* Generate the random value k. FIPS 186 requires (Appendix 3) that this be
> done with:
> k = G(t,KKEY) mod q
> where G(t,c) produces a 160-bit output, however this produces a slight bias
> in k that leaks a small amount of the private key in each signature.
> Because of this we start with a value which is 32 bits larger than q and
> then do the reduction, eliminating the bias. */
> That took all of ten seconds to get. Result: A completely FIPS 186-compliant
> digsig implementation that leaks the private key.
And one that would take someone checking the code about an hour or so to
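The bias the quoted comment talks about can be checked directly. The following is an added example, not code from the thread or from any FIPS 186 implementation: it generates k both ways (same-width reduction versus reducing a value 32 bits longer than q), computes the exact worst-case skew analytically, and measures it by sampling. The 16-bit modulus Q and the function names are constructed for illustration; a real DSA q is 160 bits or more.

```python
import random

# Constructed toy modulus: a 16-bit odd "q" with no cryptographic meaning.
# The small size only makes the skew visible with a few hundred thousand samples.
Q = 0xC2B7

def k_same_width(rng, q=Q):
    """FIPS 186 Appendix 3 style: reduce a len(q)-bit value mod q.
    Residues below 2^len(q) - q have two preimages, the rest have one."""
    return rng.getrandbits(q.bit_length()) % q

def k_oversampled(rng, q=Q, extra_bits=32):
    """Draw extra_bits beyond len(q) before reducing, as the quoted comment says.
    (A real signer must also reject k == 0; omitted here to keep the stats simple.)"""
    return rng.getrandbits(q.bit_length() + extra_bits) % q

def analytic_bias(q=Q, extra_bits=0):
    """Ratio of the most likely to the least likely residue when a uniform
    (len(q)+extra_bits)-bit value is reduced mod q. 1.0 means uniform."""
    width = 1 << (q.bit_length() + extra_bits)
    lo, hi = width // q, -(-width // q)  # floor and ceil of 2^L / q
    return hi / lo

def measured_bias(gen, n=200_000, q=Q, seed=1):
    """Empirical check of a nonce generator: per-residue hit rate in
    [0, 2^len(q) - q) divided by the rate in [2^len(q) - q, q).
    About 2.0 for the same-width generator, about 1.0 if k is uniform."""
    rng = random.Random(seed)
    cutoff = (1 << q.bit_length()) - q
    low = sum(1 for _ in range(n) if gen(rng, q) < cutoff)
    high = n - low
    return (low / cutoff) / (high / (q - cutoff))

if __name__ == "__main__":
    print("same-width:  analytic %.3f  measured %.3f"
          % (analytic_bias(), measured_bias(k_same_width)))
    print("oversampled: analytic %.12f  measured %.3f"
          % (analytic_bias(extra_bits=32), measured_bias(k_oversampled)))
```

The measured ratio is the kind of check a code reviewer can run against any nonce generator without reading its comments: if it comes out near 2 rather than 1, the implementation is reducing a same-width value regardless of what the comment claims.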