[18366] in cryptography@c2.net mail archive


Re: Fwd: Tor security advisory: DH handshake flaw

daemon@ATHENA.MIT.EDU (astiglic@okiok.com)
Sat Sep 3 08:46:39 2005

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <878xygkjyu.fsf@wheatstone.g10code.de>
Date: Fri, 2 Sep 2005 10:32:55 -0400 (EDT)
From: astiglic@okiok.com
To: "Werner Koch" <wk@gnupg.org>
Cc: "Simon Josefsson" <jas@extundo.com>,
	"Ben Laurie" <ben@algroup.co.uk>, cryptography@metzdowd.com,
	astiglic@okiok.com

> On Thu, 01 Sep 2005 15:04:43 +0200, Simon Josefsson said:
>
>> If you control the random number generator, you control which
>> Miller-Rabin bases that are used too.
>
> Oh well, if you are able to do this you have far easier ways of
> compromising the security.  Tricking the RNG to issue the same number
> to requests for the secret exponent of a DSA sign operation seems to
> be easier.

I agree.  Either assume that the code on the PC is valid, or don't.  If
you don't, anything can have a back door in it, the encryption or
signature code, the Miller-Rabin test, the RNG, the encoding scheme you
use, etc.

--Anton
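Simon's point that whoever controls the RNG also controls the Miller-Rabin bases, worked through as an added example that is not part of this thread: the rigged RNG, the brute-force liar search and the fixed-base mitigation below are my own constructions, and 2047 = 23 * 89 is used because it is the smallest strong pseudoprime to base 2.

```python
import random

def miller_rabin(n, rounds, rng):
    """Probabilistic primality test; bases come from rng(n), an int in [2, n-2].
    True means 'no base witnessed compositeness', which is only as good as the bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0                 # write n-1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng(n)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                # a is a strong liar, or n really is prime
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is definitely composite
    return True

def honest_rng(n):
    """The RNG an implementation expects: a uniformly random base."""
    return random.randrange(2, n - 1)

def strong_liars(n):
    """Brute-force every base in [2, n-2] that fails to expose odd composite n."""
    return [a for a in range(2, n - 1) if miller_rabin(n, 1, lambda _n, a=a: a)]

def rigged_rng_for(n):
    """Constructed adversarial RNG: only ever hands out strong liars for this n,
    so miller_rabin() passes n no matter how many rounds are run."""
    liars = strong_liars(n)
    return lambda _n: random.choice(liars)

def hardened_test(n, rounds, rng, fixed_bases=(2, 3, 5, 7)):
    """Mitigation: check bases the RNG cannot influence before the random rounds.
    Fixed bases alone are not sufficient, but they remove the single point of trust."""
    for a in fixed_bases:
        if a < n - 1 and not miller_rabin(n, 1, lambda _n, a=a: a):
            return False
    return miller_rabin(n, rounds, rng)
```

With the rigged RNG, `miller_rabin(2047, 20, rigged_rng_for(2047))` reports 2047 as prime however many rounds are run, while `hardened_test` rejects it at base 3; with `honest_rng` the plain test rejects 2047 and accepts the prime 2039.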

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
