-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P3
-
Affects Version/s: 6
-
Component/s: security-libs
-
b63
-
generic
-
generic
As part of the fix for 4781134, the RE changed the DHKeyPairGenerator.generateKeyPair
code around so that the generated x (private) value always has it's topmost bit set.
I think this is wrong.
I believe the change was meant to force a el-bit number to be represented in BigInteger,
but this isn't the crucial number, the prime p is your real number to make sure
is represented using the p bits, with the first bit set to one.
According to Handbook of Applied Crypto (pg 516, protocol 12.47)
Alice/Bob are supposed to choose a random secret x, 1<-x<-p-2. With this change,
I think we're now choosing 2^n<=x<=p-2, which is reducing the keyspace, and
could also slow things down depending on the SecureRandom's choice for x.
This has been here since 1.4.2.
code around so that the generated x (private) value always has it's topmost bit set.
I think this is wrong.
I believe the change was meant to force a el-bit number to be represented in BigInteger,
but this isn't the crucial number, the prime p is your real number to make sure
is represented using the p bits, with the first bit set to one.
According to Handbook of Applied Crypto (pg 516, protocol 12.47)
Alice/Bob are supposed to choose a random secret x, 1<-x<-p-2. With this change,
I think we're now choosing 2^n<=x<=p-2, which is reducing the keyspace, and
could also slow things down depending on the SecureRandom's choice for x.
This has been here since 1.4.2.