Here is one problem. The value coming out of DH_generate_key() is mod p.
This makes the high-order bit more likely to be a zero than a one. In
an extreme case, if p is a prime of the form 1 + 2^n, then the high-order
bit is almost certainly a zero. If this bit is one of the bits you use to
form your blowfish key, the brute force attack is made easier by a factor of
two.

Perhaps if you were using a symmetric algorithm which naturally uses mod p
keys, you could use the output of DH_generate_key() directly, but neither
blowfish nor any of the ciphers in openssl have this property.

Greg Stark, [EMAIL PROTECTED]
Chief Security Architect
Ethentica, Inc.
www.ethentica.com
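
An added example (not code from this thread or from OpenSSL) that makes the point above measurable: it runs a toy Diffie-Hellman exchange with constructed, far-too-small parameters (p = 65537 = 1 + 2^16, a prime of the form Greg describes, with generator 3), counts how often the high-order bit of the raw shared secret is 1, and compares that with the first bit of key material derived from the same secret through PKCS#1 MGF1 (implemented here with SHA-256). The exact bias for any modulus is also computed, since a value uniform on [0, p) has its top bit set with probability (p - 2^(bitlen-1)) / p.

```python
import hashlib
import random

# Constructed toy parameters: far too small for real use, chosen only to
# make the bias visible.  65537 = 1 + 2^16 is prime and 3 generates its
# multiplicative group.
P_FERMAT, G_FERMAT = 65537, 3


def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """PKCS#1 MGF1: H(seed || C) for C = 0, 1, ... until `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def top_bit_probability(p: int) -> float:
    """Exact P(high-order bit = 1) for a value uniform on [0, p)."""
    top = 1 << (p.bit_length() - 1)
    return (p - top) / p


def dh_shared_secret(p: int, g: int, rng: random.Random) -> int:
    """One toy DH exchange: private exponents a, b; result is g^(ab) mod p."""
    a = rng.randrange(1, p - 1)
    b = rng.randrange(1, p - 1)
    return pow(pow(g, a, p), b, p)


def top_bit_rates(p: int, g: int, samples: int, seed: int = 1):
    """Fraction of secrets whose high-order bit is 1: raw vs after MGF1."""
    rng = random.Random(seed)           # seeded only for reproducibility
    top = 1 << (p.bit_length() - 1)
    nbytes = (p.bit_length() + 7) // 8
    raw = derived = 0
    for _ in range(samples):
        z = dh_shared_secret(p, g, rng)
        raw += 1 if z & top else 0
        key = mgf1(z.to_bytes(nbytes, "big"), 16)   # 128 bits of key material
        derived += 1 if key[0] & 0x80 else 0
    return raw / samples, derived / samples


if __name__ == "__main__":
    print("exact P(top bit = 1) for p = 65537:", top_bit_probability(P_FERMAT))
    raw, kdf = top_bit_rates(P_FERMAT, G_FERMAT, 2000)
    print(f"observed raw: {raw:.4f}   after MGF1: {kdf:.4f}")
```

With the Fermat prime the raw top bit is set only when the secret equals p - 1, so the observed raw rate is essentially zero while the MGF1-derived bit sits near one half.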


----- Original Message -----
From: "Lawrence MacIntyre" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 01, 2000 1:51 PM
Subject: Re: possible bug in DH_generate_key()


> Ulf:
>
> <...snip...>
> Just curious, why is the DH shared key insecure before being run through
> MGF1?
>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
