Full Disclosure mailing list archives
Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ?
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 16 Apr 2014 12:23:08 +0200
On Wed, 16 Apr 2014 11:44:00 +0300 Georgi Guninski <guninski () guninski com> wrote:
AFAICT weak DH keys can't be recognized since they can be well formed.
Yes, I'm aware of that, has recently been discussed on the TLS WG list also. But clients could (and should imho) reject obviously bogus parameters like 8 bit moduli sizes. The solution would be to change TLS to have a fixed set of "known good" DH parameters written in the spec. This is also what the authors of the triple handshake attack have proposed. Would also save traffic because servers wouldn't have to send the DH parameter set, just an identifier. But probably won't happen before TLS 1.3. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
signature.asc
Description:
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 15)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 15)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Pavel Kankovsky (Apr 17)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Jeffrey Walton (Apr 17)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Georgi Guninski (Apr 16)
- Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Hanno Böck (Apr 15)