openssl/zrtpDH DH3K use only 32 bytes for the private key while it has generated 64 bytes.

Shouldn't the following code from openssl/zrtpDH by changed?

From this:

        if (pkType == DH2K) {
            tmpCtx->p = BN_dup(bnP2048);
            RAND_bytes(random, 32);
            tmpCtx->priv_key = BN_bin2bn(random, 32, NULL);
        }
        else if (pkType == DH3K) {
            tmpCtx->p = BN_dup(bnP3072);
            RAND_bytes(random, 64);
            tmpCtx->priv_key = BN_bin2bn(random, 32, NULL);
        }

To this:

        if (pkType == DH2K) {
            tmpCtx->p = BN_dup(bnP2048);
            RAND_bytes(random, 32);
            tmpCtx->priv_key = BN_bin2bn(random, 32, NULL);
        }
        else if (pkType == DH3K) {
            tmpCtx->p = BN_dup(bnP3072);
            RAND_bytes(random, 64);
            tmpCtx->priv_key = BN_bin2bn(random, 64, NULL);
        }

I am not actually sure so I am probably wrong but shouldn't big number for DH3K use all the random 64 bytes instead simply the first 32 bytes?

[wernerd]

Am 28.03.2016 um 10:16 schrieb 0x616d:

Shouldn't the following code from openssl/zrtpDH https://github.com/wernerd/ZRTPCPP/blob/master/zrtp/crypto/openssl/zrtpDH.cpp#L237 by changed?

From this:

|if (pkType == DH2K) { tmpCtx->p = BN_dup(bnP2048);
RAND_bytes(random, 32); tmpCtx->priv_key = BN_bin2bn(random, 32,
NULL); } else if (pkType == DH3K) { tmpCtx->p = BN_dup(bnP3072);
RAND_bytes(random, 64); tmpCtx->priv_key = BN_bin2bn(random, 32,
NULL); } |

To this:

|if (pkType == DH2K) { tmpCtx->p = BN_dup(bnP2048);
RAND_bytes(random, 32); tmpCtx->priv_key = BN_bin2bn(random, 32,
NULL); } else if (pkType == DH3K) { tmpCtx->p = BN_dup(bnP3072);
RAND_bytes(random, 64); tmpCtx->priv_key = BN_bin2bn(random, 64,
NULL); } |

I am not actually sure so I am probably wrong but shouldn't big
number for DH3K use all the random 64 bytes instead simply the first
32 bytes?

Maybe a copy/paste error :-) , maybe we decided to use 32 bytes only after
some testing. Using the full 64bytes as the exponent requires a lot of CPU
cycles. Can't remember because I haven't touched this specific code for a
long time.

However, it's not a real security issue. Actually, the secret key (the secrect
DH exponent) should be twice as long as the key of the symmetric encryption
algo that's being used later, i.e. it's OK for AES-128, should be 64 if the client
uses AES-256. As said using the full 64 bytes requires much more CPU cycles and
may lead to timeouts etc.

If you like to use AES-256 or Twofish-256 I would propose to use the EC-DH
public key algorithms.

Werner

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub #30

Werner Dittmann
email: Werner.Dittmann@t-online.de
cell: +49 173 44 37 659
PGP key: 82EF5E8B