Nice! Been waiting for a paper like this since I removed the primality-testing code from *ring* ( https://github.com/briansmith/ring/commit/35d5a43f1b26d2636c66fd9b52f97b31428b0605 …). I hope to add RSA keygen back soon. Regardless, if your code is testing potentially-malicious inputs for primality something is fundamentally wrong. https://twitter.com/kennyog/status/1057352372077449216 …
If you let the peer choose a critical security parameter then you must trust them, which means you must have authenticated them and then authorized them to choose it. You otherwise trust them enough to send/receive the data as long as a number is probably prime? Better get help.
-
-
So if someone can surreptitiously switch the dh_param.pem file used by nginx for DHE so they can break DHE to passively eavesdrop and not get caught (stealing key for cert and MiTM is more likely to get caught), what's the defense?
-
What's to stop that same someone from just using static DH parameters and stashing the secret ones? Even if they are prime!
-
It is visible from outside whether the DH parameters are static / reused, and exfiltrating the secret half of every handshake's DH parameter is a lot of traffic.
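The question above asks what the defense is for a swapped dh_param.pem. Below is an added example (not code from any participant in the thread, nor from *ring* or nginx) of the minimum check an operator can run on that file before trusting it: parse the PKCS#3 DHParameter structure that `openssl dhparam` writes, confirm that p is a safe prime (p = 2q + 1 with q also prime) using Miller-Rabin with random bases, and confirm that g generates the order-q subgroup. The sample group embedded in the block is the well-known 1024-bit MODP group from RFC 2409 (used here only because it is small; the check defaults to requiring 2048 bits). The PEM encoder, the `check_dh_params` helper and the bad-parameter cases are my own constructions for the demo.

```python
"""Sanity-check Diffie-Hellman parameters before trusting them (added example).

Reads a PKCS#3 DHParameter structure (what `openssl dhparam` writes to
dh_param.pem), checks that p is a safe prime (p = 2q + 1, q prime) and that
g generates the order-q subgroup. Pure stdlib; no network access.
"""
import base64
import random
import re

# RFC 2409 group 2 (1024-bit MODP prime); small enough for a quick demo.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def is_probable_prime(n, rounds=64):
    """Miller-Rabin with *random* bases, so a prepared composite cannot be
    tuned against a fixed base list. Trial division handles the easy cases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v):
    # +8 bits leaves room for the 0x00 pad DER needs when the high bit is set.
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def dh_params_to_pem(p, g):
    """Encode SEQUENCE { INTEGER p, INTEGER g } as a DH PARAMETERS PEM block."""
    body = der_integer(p) + der_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, off):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def pem_to_dh_params(pem):
    """Parse a DH PARAMETERS PEM block back into (p, g)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, off = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, off)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_params(p, g, min_bits=2048, rounds=64):
    """Return a list of findings; an empty list means the group passed."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"p is only {p.bit_length()} bits (want >= {min_bits})")
    if not is_probable_prime(p, rounds):
        findings.append("p is composite")
        return findings
    q = (p - 1) // 2
    if not is_probable_prime(q, rounds):
        findings.append("(p-1)/2 is composite: p is not a safe prime")
        return findings
    if not 1 < g < p - 1:
        findings.append("g must satisfy 1 < g < p-1")
    elif pow(g, q, p) != 1:
        # g then has order 2q: the Legendre symbol of g^x leaks the low bit of x.
        findings.append("g has order 2q, not q: public values leak one bit of the exponent")
    return findings


if __name__ == "__main__":
    pem = dh_params_to_pem(RFC2409_GROUP2_P, 2)       # constructed stand-in for dh_param.pem
    p, g = pem_to_dh_params(pem)
    print("RFC 2409 group 2:", check_dh_params(p, g, min_bits=1024) or "OK")
    print("composite p:     ", check_dh_params(2**1023 + 1, 2, min_bits=1024))
    print("Mersenne M127:   ", check_dh_params(2**127 - 1, 2, min_bits=127))
    # -2 is a non-residue mod p (p = 3 mod 4 and 2 is a residue), so it has order 2q.
    print("g = p-2:         ", check_dh_params(p, p - 2, min_bits=1024))
```

Two caveats a practitioner should keep in mind. First, this check catches a composite or non-safe prime, which is exactly what a Miller-Rabin test with fixed bases can be fooled about; it does not detect a prime that is genuinely prime but was chosen with a hidden structure, so the stronger defense is to pin a standard group (for example the RFC 7919 groups) and alert on any change to the file. Second, the other point made in the thread holds as well: reused server DH public values are observable from the outside, so a monitor that records the server key share across handshakes will notice static parameters.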