The code for checking the received DH ephemeral in telegram-cli seems to not follow the protocol spec.
See https://github.com/vysheng/tgl/blob/master/mtproto-utils.c#L74
This code does not verify that 1 < g_a < p-1 as required by MTProto (See "g_a and g_b validation" in https://core.telegram.org/mtproto/security_guidelines).
Not checking g_a enables a serious man-in-the-middle (MitM) attack: the MitM sets g_a to 1 on one side, g_b to 1 on the other side, and the shared secret is set to 1, making the channel open to the MitM (even if the two parties verify the hash of the shared secret).
Am I wrong, is this check on g_a coded somewhere else?
Otherwise, can we modify tglmp_check_g_a to check that 1 < g_a < p-1?
This should be fairly easy to code using BN_cmp.
Best,
Karthik
I haven't actually tried to pass 1 or p-1 as key, but believe that there is code that seems to check that 2^{2048-64} <= KEY <= p - 2^{2048-64}, which also means that the key is between 1 <= KEY <= p - 1.
Thanks for the response. It looks like this code checks: 2^{2048-64} <= KEY <= 2^{2048}, which is not related to p.
If p is also in this range, the code would certainly allow p-1 and probably also p and p+1 (essentially 0, 1, -1 mod p).
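The 1 < g_a < p-1 check requested in the issue and the 2^{2048-64} band discussed in the replies, as an added example that is not tgl's code: the comparisons are modelled with Python ints in place of OpenSSL BN_cmp, P is a constructed toy prime (2^127 - 1) rather than MTProto's 2048-bit prime, and MARGIN = 4 is a scaled-down stand-in for the 64-bit margin, so the concrete numbers are assumptions.

```python
# Added example, not code from tgl: the MTProto g_a/g_b validation the issue asks
# tglmp_check_g_a to perform, modelled with Python ints instead of OpenSSL BIGNUMs
# (each comparison below is what a BN_cmp call would do in C).
# Assumptions: P is a constructed toy prime (2^127 - 1), not MTProto's 2048-bit
# prime, so the 2^(2048-64) band is scaled to 2^(bits - MARGIN) with MARGIN = 4.

P = 2**127 - 1  # constructed toy prime (M127); MTProto uses a 2048-bit p
MARGIN = 4      # scaled-down stand-in for the 64-bit margin in 2^(2048-64)


def check_g_a(g_a: int, p: int) -> bool:
    """Spec check 1 < g_a < p-1: rejects 0, 1, p-1, p, p+1 (i.e. 0 and +-1 mod p)."""
    return 1 < g_a < p - 1


def check_g_a_band(g_a: int, p: int, margin: int = MARGIN) -> bool:
    """Guideline band 2^(k-m) <= g_a <= p - 2^(k-m), k = bit length of p.
    Both bounds are relative to p, so passing this implies check_g_a."""
    low = 1 << (p.bit_length() - margin)
    return low <= g_a <= p - low


def check_fixed_upper(g_a: int, p: int, margin: int = MARGIN) -> bool:
    """The check as the second comment reads it: upper bound 2^k, not p - 2^(k-m).
    Since the upper bound ignores p, it still admits p-1, p and p+1."""
    k = p.bit_length()
    return (1 << (k - margin)) <= g_a <= (1 << k)


def shared_secret(peer_public: int, own_private: int, p: int) -> int:
    """What a side derives from an unvalidated peer value: peer^x mod p."""
    return pow(peer_public, own_private, p)


def degenerate_secrets(own_private: int, p: int) -> dict:
    """Why the check matters: with the peer value forced to 1, p-1 or p, the
    derived secret no longer depends on own_private at all."""
    return {v: shared_secret(v, own_private, p) for v in (1, p - 1, p)}


if __name__ == "__main__":
    for v in (1, 2, P - 2, P - 1, P, P + 1):
        print(v, check_g_a(v, P), check_g_a_band(v, P), check_fixed_upper(v, P))
    print(degenerate_secrets(0x1234567, P))  # -> {1: 1, P-1: P-1, P: 0}
```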