[Cryptech Tech] News
Joachim Strömbergson
joachim at secworks.se
Wed Feb 3 08:17:32 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Peter Gutmann wrote:
> Russ Housley <housley at vigilsec.com> writes:
>
>> I thought people on this list would find this article interesting:
>> http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/
>
>>
> If you read the discussion around that it's far more likely to be due
> to incompetence. The flawed 1024-bit prime was replacing the 512-bit
> prime that had been in use until then, and the guy who made the
> change was asking for help with various other things which indicated
> he wasn't the most capable developer (I don't have the links any more
> but it was linked off a thread on ycombinator). It just looks like
> standard badly-done crypto, they also do things like tell you how to
> set up the SSL tunnel without any mention of validating certs so it's
> unlikely they check those, and various other signs that they're not
> doing the crypto too well.
The big question is really why Gerhard Rieger (author of the commit)
didn't ask Zhigang Wang how the new prime had been tested, but simply
accepted the patch. Several people has been running Miller-Rabin and
verified that it failed and it also fails Fermats test.
Probably not malice, but mistake in combination with failing procedure
to verify a patch before accepting it.
I would also like to know what tool Zhigang Wang used to generate the
number.
- --
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Joachim Strömbergson Secworks AB joachim at secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJWsbecAAoJEF3cfFQkIuyNXowQAIhRxaoMOUepK2DOUIJyJkP5
E97ndZJ75TQpvKVhO8/vUY1XLAGbTdq4QZiSyMK9PTh9EVzX4WKmW7l3wHpURHJd
BMTbvdtE3g/FDz1OO3xFWtvrC5PRclQ9nINNu6grCxjRtmtuuodPl63wfDA9IBvg
ZOMJc7IvDOR0NkW00HPsxTzMT9wOnKOPIFu6/CgpllxEq6Zi4dNAX2+hCyk5DnWl
rZyWlf66B0E/rSwf6jnE8teMRGT0TZ73ZPzeQjcsgFxNOjU4fnHaGDPgcJZktEX2
+VlUZSDoKxtTUT/pamYekYb3JCa71cR8Sll4T5gmI2ZHRrod3xfLtXkqNcw6WxSm
PMBlC0dRmMCBE/AI3vcu6c7Uua6eMvxIto/0zs1BXbdMO+6qHNgUN3k5WZrArrWP
5DT/MEDMDAn8t+JTPO6SNevIpaliHK0fqpir4q4u3KFpNn4iPbVi+Du7xS/9AoK/
IQ9B6XfqONKyIit2aCuqgxw3Tbd0HUrMwEEf6kC24OUwyy46g2+ciLoTNemzFsR8
UHkafZJLHFN4NA7aXpJB8Qzi5JqKD3R9dDh/XQEEteh/2UOnscYsqSrScUyxY73P
VHkQJDf4FdbL0r45TPw91O2UblBfLZjrKCvza3GfYNPPjIRBexVH1iQcw3EJSXtb
/Zcsc7gaTPolj4NuVSel
=jmg2
-----END PGP SIGNATURE-----
More information about the Tech
mailing list