http://matasanochargen.disqus.com/enThu, 04 Jun 2009 14:59:54 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-10493279" When Alice and Bob run DH, they have to be careful not to allow any of the parameters —- p, g, A, or B —- be zero or one mod p. "<br><br>Well, p is always going to be zero mod p!JBThu, 04 Jun 2009 14:59:54 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323226It's intresting to know Im not alone with a brain in this weird world.Peder GrassMon, 07 Jul 2008 14:20:50 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323220In addition to 1970's crypt and 1980's chroot, the 1990's ISP now contributes...<br><br>Rainbow tables visualized:<br><br><a href="http://ourworld.compuserve.com/homepages/cityglass/arms/table2.jpg" rel="nofollow">http://ourworld.compuserve.com/homepages/citygl...</a>Andy 2Fri, 28 Sep 2007 21:36:50 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323224I know! We'll add a salt to the DH derived secret like this:<br><br>MD5("barfing bunions" || secret)<br><br>Then rainbow tables cannot be used to attack it. Also, in addition to 1970's Unix crypt being a new discovery, apparently the 1980's chroot break code is also new:<br><br><a href="http://kerneltrap.org/Linux/Abusing_chroot" rel="nofollow">http://kerneltrap.org/Linux/Abusing_chroot</a>NateFri, 28 Sep 2007 14:02:38 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323219Parameter validation is actually recommended in RFC 2141 (s. 2.3.1.1) and anyone implementing DH needs to do it, so it isn't fair to blame the protocol here.<br><br>I found and reported this problem to the security contacts of the ipsec-tools and openswan people last May, neither bothered to fix it. Some more details at: <a href="http://article.gmane.org/gmane.comp.encryption.general/10661" rel="nofollow">http://article.gmane.org/gmane.comp.encryption....</a><br><br>Of course I was being very web 1.0 about it, I guess I should have just blogged it.djmTue, 25 Sep 2007 19:35:41 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323223and what have we learned?<br><br>That we should be more careful about blog titles? :)Adam BozanichTue, 25 Sep 2007 18:59:40 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323222<em>IKE is probably one of the worst protocols ever to come out of the IETF</em><br><br>Ferguson and Schneier's paper on IPSec, including IKE, from a protocol design standpoint:<br><br><a href="http://schneier.com/paper-ipsec.html" rel="nofollow">http://schneier.com/paper-ipsec.html</a><br><br>I also know from first-hand experience that a couple of the existing implementations have disastrously scary codebases.MattTue, 25 Sep 2007 14:41:21 -0000http://www.matasano.com/log/962/adam-bozanovich-did-not-uncover-an-nsa-ipsec-conspiracy-diffie-hellman-parameter-validation-explained/#comment-2323221Thanks for the tip, hon!Erin PtacekTue, 25 Sep 2007 12:36:40 -0000