dhparam generates insecure groups (non-quadratic generators) #342

Open
Florianjw opened this Issue Aug 30, 2017 · 0 comments


Florianjw commented Aug 30, 2017

It has recently come to my attention that the dhparam-command of both openssl and libressl generates insecure groups: When I request a generator (2 or 5), the library will search for a safe-prime (good) for which this generator is not a square (terrible). Yes, the squares represent a subgroup and therefore reduce the group-size, but it has precisely half the size and, unlike the entire group, prime order. The result of this is that DDH becomes easy to solve, meaning that you cannot use those parameters for things like ElGamal-encryption without enabling distinction-attacks.

This was noticed (apparently without understanding the implications) 15 years ago but the person who did decided to just add the following comment instead of fixing it:

```c
/* Actually there is no reason to insist that 'generator' be a generator.
 * It's just as OK (and in some sense better) to use a generator of the
 * order-q subgroup.
 */
```

This is a serious security-issue and I know of at least one serious protocol intended for real-world-usage (with security-proof!) that gets completely broken by this.

I planned to submit this issue to both libraries, but for some reason the openssl-github won't let me do it, so I'll see towards informing them later.
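The property described in this issue can be checked for any (p, g) pair with Euler's criterion. The following is an added example, not code from the issue or from either library; the function names, result labels and the toy prime 1019 are assumptions made for illustration.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_square(x, p):
    """Euler's criterion: x is a square mod odd prime p iff x^((p-1)/2) == 1."""
    return pow(x, (p - 1) // 2, p) == 1

def audit_dh_group(p, g):
    """Classify (p, g) for use with DDH-based schemes such as ElGamal."""
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return "not-safe-prime"
    if g % p in (0, 1, p - 1):
        return "degenerate-generator"
    # For a safe prime p = 2q + 1 the squares are exactly the order-q subgroup.
    return "prime-order-subgroup" if is_square(g, p) else "full-group-ddh-leak"

def ddh_tuple_plausible(p, g, A, B, C):
    """Can C be g^(ab) for A = g^a, B = g^b? Uses only public squareness."""
    if is_square(g, p):
        return True  # squareness says nothing inside the order-q subgroup
    # g non-square: g^x is a square iff x is even, so g^(ab) is one iff A or B is.
    return is_square(C, p) == (is_square(A, p) or is_square(B, p))

if __name__ == "__main__":
    p = 1019  # constructed toy safe prime (q = 509); real groups are 2048+ bits
    print(audit_dh_group(p, 2), audit_dh_group(p, 4))
```

With p = 1019, generator 2 is reported as `full-group-ddh-leak` while its square 4 is reported as `prime-order-subgroup`.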
