Ulf:

But bin2bn is generating BNs from the static P and G which don't have
trailing 0s.  It is BN_num_bytes that reports 55 when it should be
saying 56.  Is there a better way to determine the length of the key? 
Do I just need to know the length of the key a priori?  I had allowed the
client to pick the key length, and the server just figured it out from
the output from BN_num_bytes().  Should BN_num_bytes() report 55 instead
of 56 just because the last byte is 0?  Maybe it should be renamed
BN_num_bytes_not_counting_trailing_zeroes() :-)  At the very least that
limitation should be documented.  DH_size() always seems to return the
correct answer, so I'll switch to that.

On the MGF1 thing (new to me, I'll admit), I assume I create the
blowfish key using

MGF1(*bfkey, length_of_blowfish_key, *dh_shared_secret,
length_of_dh_shared_secret);

on both nodes once they have generated the DH_shared_secret.  This
appears to be a hash function using SHA1?

Just curious, why is the DH shared key insecure before being run through
MGF1?

Thanks for your help!

Ulf Moeller wrote:
> 
> On Wed, Nov 01, 2000, Lawrence MacIntyre wrote:
> 
> > I use bin2bn to generate the BNs for P and G, and the char lengths are
> > correct AND statically defined in the .h file, so they are the same
> > every time.  Then I generate the key using DH_generate_key() and
> > BN_num_bytes() to determine the length of the key.  Is that incorrect?
> 
> No, it's just that the top byte can be zero, and bin2bn doesn't output
> trailing 0s.
> 
> > The reason I found the error is that I use the DH struct to provide a
> > key to the blowfish encryption function and it would fail sometimes.
> 
> That is potentially insecure anyway. You should use a key derivation
> function (for example MGF1) to generate a symmetric key from the DH
> shared secret.

-- 
                                 Lawrence
                                    ~
------------------------------------------------------------------------
Lawrence MacIntyre      Center for Information Infrastructure Technology
[EMAIL PROTECTED]   http://www.ciit.y12.doe.gov/~lpz     865.574.8696
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
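
The length mismatch and the key derivation step discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's code. Plain Python models the arithmetic instead of calling OpenSSL; the toy prime, generator, private exponents and helper names are constructed for illustration.

```python
import hashlib

def num_bytes(n: int) -> int:
    # Minimal big-endian length: counts significant bits only, so a value
    # whose top byte is zero comes out one byte shorter than the modulus.
    return (n.bit_length() + 7) // 8

def fixed_width(secret: int, p: int) -> bytes:
    # Left-pad the shared secret to the byte length of the modulus p.
    return secret.to_bytes(num_bytes(p), "big")

def mgf1_sha1(seed: bytes, out_len: int) -> bytes:
    # MGF1 from PKCS #1 with SHA-1: SHA1(seed || 4-byte counter) blocks,
    # concatenated and truncated to out_len bytes.
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

# Constructed toy parameters (far too small for real use).
P = 2**61 - 1          # 8-byte prime modulus
G = 3
A_PRIV, B_PRIV = 5, 7  # chosen so the shared secret has a zero top byte

def shared_secrets():
    # Each side raises the peer's public value to its own private exponent.
    a_pub, b_pub = pow(G, A_PRIV, P), pow(G, B_PRIV, P)
    return pow(b_pub, A_PRIV, P), pow(a_pub, B_PRIV, P)

def derive_key(secret: int, key_len: int = 16) -> bytes:
    # Symmetric key = MGF1 over the fixed-width encoding of the secret.
    return mgf1_sha1(fixed_width(secret, P), key_len)

if __name__ == "__main__":
    s_a, s_b = shared_secrets()
    print("modulus bytes:", num_bytes(P), "secret bytes:", num_bytes(s_a))
    minimal = s_a.to_bytes(num_bytes(s_a), "big")
    print("key from minimal encoding:", mgf1_sha1(minimal, 16).hex())
    print("key from fixed width     :", derive_key(s_a).hex())
    print("peer derives             :", derive_key(s_b).hex())
```

The two encodings of the same secret hash to different keys, so both peers have to size the buffer from the modulus rather than from the secret's own length.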
