On Wed, Nov 01, 2000 at 01:51:24PM -0500, Lawrence MacIntyre wrote:

> But bin2bn is generating BNs from the static P and G which don't have
> trailing 0s.

It's actually *leading* zeroes that we are talking about, although
those are trailing zeroes in the low-endian representation used for
bignums ...

> trailing 0s.  It is BN_num_bytes that reports 55 when it should be
> saying 56.  Is there a better way to determine the length of the key? 
> Do I just need to know the length of the key apriori?  I had allowed the
> client to pick the key length, and the server just figured it out from
> the output from BN_num_bytes().  Should BN_num_bytes() report 55 instead
> of 56 just because the last byte is 0?  Maybe it should be renamed
> BN_num_bytes_not_counting_trailing_zeroes() :-)  At the very least that
> limitation should be documented.  DH_size() always seems to return the
> correct answer, so I'll switch to that.

DH_size returns the length of  p.  The result of the DH computation
is some number between  1  and  p-1,  and of course some of these are
shorter than others!  Most of the time, the DH result will take as
many bytes as  p,  but occasionally it won't.

> Just curious, why is the DH shared key insecure before being run through
> MGF1?

There's no known attack, but by using some hash function instead of
picking bits directly, you make sure that the resulting key depends
on *all* of the DH result.  There *may* be attacks if you use just
the lower bytes or just the upper bytes (this might help related-key
attacks against the symmetric cipher for example).  The hash function
basically serves to hide the algebraic structure of the DH
computations.


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
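
The length issue and the MGF1 step above, as an added example that is not code from this thread: a toy DH exchange (constructed 16-bit prime, assumed generator) where the shared secret happens to need fewer bytes than DH_size(), the fixed-width encoding that avoids depending on BN_num_bytes(), and MGF1 over that encoding to derive the symmetric key.

```python
import hashlib

# Constructed toy parameters, NOT a real DH group: p = 65521 is the largest
# prime below 2^16, so DH_size(p) is 2 bytes; the generator g = 2 is assumed.
P, G = 65521, 2

def dh_size(p):
    """Byte length of p, which is what OpenSSL's DH_size() reports."""
    return (p.bit_length() + 7) // 8

def bn_num_bytes(z):
    """Minimal byte length of z, as BN_num_bytes() reports it: leading zero
    bytes are not counted, so the result can be smaller than dh_size(p)."""
    return (z.bit_length() + 7) // 8

def encode_minimal(z):
    """What BN_bn2bin() writes: exactly bn_num_bytes(z) bytes, no padding."""
    return z.to_bytes(bn_num_bytes(z), "big")

def encode_fixed(z, p):
    """Big-endian encoding left-padded with zeros to DH_size(p) bytes."""
    return z.to_bytes(dh_size(p), "big")

def mgf1_sha1(seed, out_len):
    """MGF1 from PKCS#1: SHA-1(seed || counter) blocks, counter as 4-byte BE."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def derive_key(z, p, key_len=16):
    """Hash the fixed-width shared secret so the key depends on all of z."""
    return mgf1_sha1(encode_fixed(z, p), key_len)

def find_short_secret(p, g, a, max_tries=5000):
    """Scan Bob's private exponent b until the shared secret g^(ab) mod p
    needs fewer bytes than DH_size(p). Returns (b, z) or None."""
    for b in range(1, max_tries):
        z = pow(pow(g, b, p), a, p)      # Alice computes (g^b)^a
        if bn_num_bytes(z) < dh_size(p):
            return b, z
    return None

if __name__ == "__main__":
    a = 7                                # Alice's private exponent (constructed)
    b, z = find_short_secret(P, G, a)
    z_bob = pow(pow(G, a, P), b, P)      # Bob computes (g^a)^b; same z
    assert z == z_bob
    print("DH_size:", dh_size(P), "BN_num_bytes:", bn_num_bytes(z))
    print("minimal:", encode_minimal(z).hex(), "fixed:", encode_fixed(z, P).hex())
    print("key:", derive_key(z, P).hex())
```

Two peers that agree on z but encode it differently (one via BN_num_bytes(), one via DH_size()) derive different keys, which is the interoperability bug the fixed-width encoding removes.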
