On 2/16/2012 11:36 AM, Magosányi Árpád wrote:
Hi!

Does the sentence "It checks that p and q are in fact prime, and that n = p*q" in RSA_check_key's documentation mean that it checks for weak primes, like the ones mentioned here?:
http://arstechnica.com/business/news/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security.ars

As I understand there are two cases.
One is when the prime is not exactly prime. I would expect RSA_check_key to find this out, but what is the extent of the check? The other cause is a clash with already existing prime factors out there. I guess that checking for this would involve looking up a list of prime factors collected on the net. Is there such a tool accessible to mere mortals?

All the practical ways of creating and checking primes for
use in crypto have the following features:

1. They are statistical tests: each round of testing that
passes increases the probability that this is really a
prime; you stop if it says "not a prime" (an absolute
non-statistical rejection) or until the combined
probability is big enough for you.  Someone else on this
list can hopefully give you the number of rounds and
resulting probabilities used by OpenSSL.

2. Creating primes starts with high quality random numbers,
such that there are a gigantic number of possible primes.
If done correctly (like in current OpenSSL versions), the
chance of choosing the same prime as somebody else is
extremely low (again, I hope someone else on this list can
come up with the numbers for general enlightenment).

However, there is another issue with checking for known bad
primes:

Some versions of OpenSSL historically packaged by the
Debian and Ubuntu Linux distributions from 2006 to 2008
contained a broken non-standard patch which caused those
patched versions to frequently choose one of a very few
primes and RSA keys.

Debian has published a table of the bad keys and code to
check existing keys against those blacklists.

For more information, see the security advisory at
<http://www.debian.org/security/2008/dsa-1571>
and the blacklist databases from
<http://packages.debian.org/source/sid/openssl-blacklist>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
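
The two cases raised in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a Miller-Rabin round loop (a standard probabilistic test, used here as an assumption about the kind of test meant), the two checks quoted from the RSA_check_key documentation, and a GCD check across your own key inventory. The function names, the 40-round default and the small sample keys are constructed for illustration.

```python
import math
import secrets

def miller_rabin(n, rounds=40):
    """False is an absolute rejection; True means n passed every round."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:              # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):        # a composite survives a round with probability <= 1/4
        a = secrets.randbelow(n - 3) + 2   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # witness found: definitely composite
    return True

def check_key(n, p, q, rounds=40):
    """The two documented checks: p and q are (probably) prime, and n == p*q."""
    return miller_rabin(p, rounds) and miller_rabin(q, rounds) and n == p * q

def shares_prime(n1, n2):
    """True when two distinct moduli have a common factor."""
    return n1 != n2 and math.gcd(n1, n2) > 1

# Constructed sample keys (far too small for real use): both use the same prime.
P_SHARED, Q1, Q2 = 2**61 - 1, 2**31 - 1, 2**89 - 1
N1, N2 = P_SHARED * Q1, P_SHARED * Q2
CARMICHAEL = 252601                # 41 * 61 * 101, fools the plain Fermat test

if __name__ == "__main__":
    print("key 1 passes per-key check:", check_key(N1, P_SHARED, Q1))
    print("key 2 passes per-key check:", check_key(N2, P_SHARED, Q2))
    print("composite 'prime' rejected:", not check_key(CARMICHAEL * Q1, CARMICHAEL, Q1))
    print("keys share a prime factor: ", shares_prime(N1, N2))
```

Both sample keys pass the per-key check even though they share a prime, so a check of this kind on one key cannot answer the second question; that needs a comparison against other keys or a blacklist lookup.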
