[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

James A. Donald jamesd at echeque.com
Sat Dec 18 06:04:43 EST 2010

On 2010-12-18 4:35 PM, Peter Gutmann wrote:
> "James A. Donald" <jamesd at echeque.com> writes:
>> Must interoperate with legitimate code.
>> Must plausibly claim to utilize well known algorithms (while actually
>> misusing them or grossly deviating from them).
> Sheesh, I can do this without even thinking.  Here's one:
>    /* Generate the random value k.  FIPS 186 requires (Appendix 3) that this be
>       done with:
>           k = G(t,KKEY) mod q
>       where G(t,c) produces a 160-bit output, however this produces a slight bias
>       in k that leaks a small amount of the private key in each signature.
>       Because of this we start with a value which is 32 bits larger than q and
>       then do the reduction, eliminating the bias.
> That took all of ten seconds to get.  Result: A completely FIPS 186-compliant
> digsig implementation that leaks the private key.

Most of us have made such bugs, and found such bugs.  The work required 
to find them is not small, but neither is it impractically large.
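The quoted comment hinges on one quantitative fact: reducing a q-sized output mod q is biased, and drawing 32 extra bits before reducing shrinks that bias to roughly 2^-32. The following Python is an added illustration, not code from this thread, from FIPS 186 or from any implementation the message criticises; it models the generator G as a uniform w-bit integer, computes the bias exactly, and shows the kind of black-box statistical check a reviewer can run against a nonce generator whose comments claim one thing while its code may do another. All moduli in it are constructed toy values, not real DSA parameters.

```python
"""Measuring the modulo bias in a DSA-style nonce k = G(t, KKEY) mod q.

Added example; not code from the original thread, from FIPS 186 or from
any implementation the message criticises.  Assumptions: the generator G
is modelled as a uniform w-bit integer, and every modulus below is a
constructed toy value, not a real DSA parameter.
"""
from fractions import Fraction
import random
import secrets

# Constructed 160-bit odd modulus chosen so that 2**160 mod q is about q/2,
# i.e. roughly the worst case for the bias.  Not a real DSA q.
TOY_Q160 = (2 * (1 << 160)) // 3 | 1
TOY_Q16 = 40009  # constructed 16-bit toy modulus, small enough to sample


def modulo_bias(width_bits: int, q: int):
    """Exact bias of (x mod q) for x uniform in [0, 2**width_bits).

    Writing 2**width_bits = m*q + s, residues 0..s-1 occur m+1 times and
    residues s..q-1 occur m times.  Returns (s, total-variation distance
    from uniform) as exact Fractions, so it works for 160-bit q as well.
    """
    n = 1 << width_bits
    m, s = divmod(n, q)
    # (1/2) * sum_r |p_r - 1/q| collapses to s*(q-s)/(n*q)
    tvd = Fraction(s * (q - s), n * q)
    return s, tvd


def nonce_reduce_only(q: int, randbits=secrets.randbits) -> int:
    """The construction the quoted comment warns about: an output the same
    width as q, reduced mod q.  Biased whenever 2**width mod q is large."""
    width = q.bit_length()
    while True:
        k = randbits(width) % q
        if k:  # DSA requires 0 < k < q
            return k


def nonce_extra_bits(q: int, extra_bits: int = 32,
                     randbits=secrets.randbits) -> int:
    """The construction the comment claims to implement: draw extra_bits
    more than q's width, then reduce.  The bias is then at most q/(4*2**width),
    i.e. below 2**-(extra_bits+2)."""
    width = q.bit_length() + extra_bits
    while True:
        k = randbits(width) % q
        if k:
            return k


def low_residue_rate(nonce_fn, q: int, samples: int) -> float:
    """Black-box check for a nonce generator: fraction of nonces landing in
    the over-represented range [0, s) with s = 2**bitlen(q) mod q.
    Unbiased: close to s/q.  Reduce-only: close to 2*s/2**bitlen(q)."""
    s = (1 << q.bit_length()) % q
    hits = sum(1 for _ in range(samples) if nonce_fn(q) < s)
    return hits / samples


def seeded_randbits(seed: int):
    """Deterministic stand-in for secrets.randbits, for repeatable checks only."""
    return random.Random(seed).getrandbits


if __name__ == "__main__":
    for width, q in ((16, TOY_Q16), (24, TOY_Q16), (160, TOY_Q160), (192, TOY_Q160)):
        s, tvd = modulo_bias(width, q)
        print(f"width={width:3d} bits, q ~ 2**{q.bit_length()}: "
              f"over-represented residues={s}, bias (TVD)={float(tvd):.3g}")
    rng = seeded_randbits(1)
    print("reduce-only generator, rate in [0, s):",
          low_residue_rate(lambda q: nonce_reduce_only(q, rng), TOY_Q16, 20000))
    print("+8-bit generator, rate in [0, s):     ",
          low_residue_rate(lambda q: nonce_extra_bits(q, 8, rng), TOY_Q16, 20000))
    print("expected for unbiased:                ",
          ((1 << 16) % TOY_Q16) / TOY_Q16)
```

The closed form s(q-s)/(nq) is the useful part for a code review: for any real 160-bit q with the high bit set, m is 1 and s = 2^160 - q, so the bias depends only on where q sits inside [2^159, 2^160); with 32 extra bits it cannot exceed 2^-34 regardless of q. The empirical `low_residue_rate` is what you run when you do not trust the comment: it needs only the generator's outputs and q.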
