On Wed, Nov 01, 2000 at 01:51:24PM -0500, Lawrence MacIntyre wrote:
> But bin2bn is generating BNs from the static P and G which don't have
> trailing 0s.
It's actually *leading* zeroes that we are talking about, although
those are trailing zeroes in the low-endian representation used for
bignums ...
> trailing 0s. It is BN_num_bytes that reports 55 when it should be
> saying 56. Is there a better way to determine the length of the key?
> Do I just need to know the length of the key a priori? I had allowed the
> client to pick the key length, and the server just figured it out from
> the output from BN_num_bytes(). Should BN_num_bytes() report 55 instead
> of 56 just because the last byte is 0? Maybe it should be renamed
> BN_num_bytes_not_counting_trailing_zeroes() :-) At the very least that
> limitation should be documented. DH_size() always seems to return the
> correct answer, so I'll switch to that.
DH_size returns the length of p. The result of the DH computation
is some number between 1 and p-1, and of course some of these are
shorter than others! Most of the time, the DH result will take as
many bytes as p, but occasionally it won't.
> Just curious, why is the DH shared key insecure before being run through
> MGF1?
There's no known attack, but by using some hash function instead of
picking bits directly, you make sure that the resulting key depends
on *all* of the DH result. There *may* be attacks if you use just
the lower bytes or just the upper bytes (this might help related-key
attacks against the symmetric cipher for example). The hash function
basically serves to hide the algebraic structure of the DH
computations.
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
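The two points Bodo makes above (the DH result is a number in 1..p-1 and so is occasionally shorter than p, and the result should go through a mask generation function rather than being used as key material directly) are easy to check with a worked example. The following is added here and is not code from the thread or from OpenSSL. It uses a constructed toy group (p = 2^31 - 1, g = 7, not secure) so that the search for a "short" shared secret is instant, and implements MGF1 as specified in PKCS#1 v2 with SHA-1; the function names (num_bytes, dh_size, fixed_size_encoding, find_short_secret and so on) are mine and are meant to mirror BN_num_bytes() and DH_size(). Later OpenSSL releases expose the fixed-width behaviour as DH_compute_key_padded(); the example shows why that is the right thing to feed into the KDF.

```python
"""Added example (not from the thread or from OpenSSL): a DH shared secret
must be left-padded to DH_size() bytes before it is fed to MGF1, otherwise
the two sides may hash different byte strings and derive different keys.

Toy parameters are used so the search below is instant; the arithmetic is
the same at 1536 bits, only the probability of a short result changes.
"""
import hashlib

# Constructed toy group: p = 2^31 - 1 (a Mersenne prime, 4 bytes long) and
# g = 7, the smallest primitive root mod p. Not secure; illustration only.
P = 2**31 - 1
G = 7


def num_bytes(x: int) -> int:
    """Minimal big-endian length of x, i.e. what BN_num_bytes() reports."""
    return (x.bit_length() + 7) // 8


def dh_size(p: int) -> int:
    """Length of p in bytes, i.e. what DH_size() reports."""
    return num_bytes(p)


def dh_shared_secret(priv_a: int, priv_b: int, p: int = P, g: int = G) -> int:
    """Both sides' computation; returns the common value g^(ab) mod p."""
    pub_a = pow(g, priv_a, p)
    pub_b = pow(g, priv_b, p)
    s_a = pow(pub_b, priv_a, p)   # what A computes from B's public value
    s_b = pow(pub_a, priv_b, p)   # what B computes from A's public value
    assert s_a == s_b
    return s_a


def minimal_encoding(s: int) -> bytes:
    """What BN_bn2bin() gives you in a BN_num_bytes()-sized buffer: leading
    zero bytes are dropped, so the length depends on the value (55 vs 56)."""
    return s.to_bytes(num_bytes(s), "big")


def fixed_size_encoding(s: int, p: int = P) -> bytes:
    """Always DH_size(p) bytes, zero-padded on the left. This is what the
    peer should expect, independent of the value of the secret."""
    return s.to_bytes(dh_size(p), "big")


def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """MGF1 from PKCS#1 v2: H(seed||0) || H(seed||1) || ... with a 4-byte
    big-endian counter, truncated to the requested length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def derive_key(secret: int, key_len: int = 16) -> bytes:
    """Full pipeline: fixed-width secret -> MGF1 -> symmetric key. The hash
    makes every key bit depend on every bit of the DH result."""
    return mgf1(fixed_size_encoding(secret), key_len)


def find_short_secret(priv_b: int = 5, limit: int = 4096):
    """Search private exponents a = 1..limit for a DH result whose minimal
    encoding is shorter than DH_size(p). Returns (a, secret) or None.
    With p just under 2^31 about one result in 128 is short, so a hit
    within the limit is all but certain."""
    for priv_a in range(1, limit + 1):
        s = dh_shared_secret(priv_a, priv_b)
        if num_bytes(s) < dh_size(P):
            return priv_a, s
    return None


if __name__ == "__main__":
    priv_a, s = find_short_secret()
    print(f"a={priv_a}: secret={s:#x}  BN_num_bytes={num_bytes(s)}  DH_size={dh_size(P)}")
    print("minimal encoding :", minimal_encoding(s).hex())
    print("fixed-size encod.:", fixed_size_encoding(s).hex())
    print("key from minimal :", mgf1(minimal_encoding(s), 16).hex())
    print("key from padded  :", derive_key(s).hex())
```

The short secret is found by brute force only to make the failure mode visible; in a real exchange nobody picks it, it simply happens to one connection in a few hundred, which is why the client and server in the thread disagreed intermittently rather than always. Note that padding fixes the length mismatch but not the structural concern Bodo raises: the key still has to come from a hash or KDF over the whole padded secret (MGF1 here; HKDF would be the modern choice), not from a slice of its bytes.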