Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com)
msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.
There seem to be a lot of these backdoors (Score:2, Insightful)
Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.
Re:There seem to be a lot of these backdoors (Score:5, Insightful)
In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.
Screwing it up, however, can be done by any moron.
Which happened here? Who the hell knows.
Re: (Score:1)
I thought it was called a backhole?
Just like your mother, Trebek.
Re: (Score:2, Insightful)
> Which happened here? Who the hell knows.
Oh please.
You're probably trying to do the "it's just incompetence, not malice" thing.
But after seeing this pattern over and over.. no, it reeks of manipulation.
Any advanced malice is indistinguishable from incompetence.
Re:There seem to be a lot of these backdoors (Score:4, Interesting)
Given that it also used 512-bit primes [repo.or.cz], which are toy keys that were weak twenty years ago, it's more likely a screwup. Seeing messed-up crypto written by people whose crypto knowledge extends to reading the Wikipedia page on RSA and perhaps one or two chapters of Applied Cryptography is pretty much par for the course.
From a very brief Google of socat howtos, I couldn't see much about enabling or applying checking of certs, which means it probably doesn't do that either. In addition, the advisory is pretty confusing: what does "OpenSSL address implementation" mean? Since the server supplies the DH values and OpenSSL itself has known-good DH values, why is there some other value hardcoded into socat?
Re: (Score:2)
In this case, all it would have needed is understanding that it's important that the numbers used to generate the keys are prime and that substituting a composite number would make the keys easier to find. I'm not claiming that this is what happened, but it's not something that only a cryptography specialist could have come up with.
Re: (Score:2)
> Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.
Speaking of which, did you ever check your tin-foil hat for backdoors?
This cannot happen accidentally (Score:5, Insightful)
Re:This cannot happen accidentally (Score:5, Funny)
This evening I'll reflect on your rant while performing the Miller-Coors test
Re: (Score:2)
What sort of evil hold do they have on you that they can force you to drink Miller-Coors.
Re:This cannot happen accidentally (Score:5, Informative)
Re: (Score:2)
I'm not sure why he's not being grilled pretty heavily right now.
Because 99% of the time, the process is to blame, not the person.
Re: (Score:1)
Do we know the process that generated this number, and how it didn't include apparently minimal verification?
Re: (Score:2)
While you're at it, check to see if the numbers within the number can actually make a prime. What I mean is 457 is a prime but 475 isn't. So could it be a matter of a digit being transposed?
Re:This cannot happen accidentally (Score:4, Informative)
It easily can happen accidentally. The probability of a bug in your implementation of the Miller-Rabin test (for a general "you") is quite high.
Now look at the history here. The patch was submitted by someone who admitted "I don't have enough knowledge to implement the merge" [xenproject.org], and was accepted without any serious review. Looking at my own history of screwing up commits, it's fairly easy to see how this might have happened.
I'm just lucky that none of mine had implications that serious. There but for the grace of His Noodly Appendage...
Re: (Score:2)
I was once in computer security class, and my Miller-Rabin primality test ended up calling an even number prime. I can totally see these failures happening.
Re: (Score:2)
A note in the commit indicates that Socat was not working in FIPS mode because it requires a 1024 Diffie-Hellman prime, and added that a developer named Zhiang Wang provided a patch with the new prime. The poster revealed that Wang works at Oracle and contributes to Socat.
Accidental or malicious, Mr. Wang is about to have a very bad day.
Re: (Score:2)
Technical discussion (Score:3)
link [ycombinator.com] to the technical discussion from the article (which propeller heads may safely skip).
The article doesn't mention (Score:2)
Re: (Score:2)
Well, we can presume that at BEST it's 512. (As two 512 bit numbers multiplied together is 1024 bits.)
Re: (Score:2)
Re: (Score:3)
eewwh... 271 is a factor:
https://news.ycombinator.com/i... [ycombinator.com]
Re: (Score:1)
257 and 13597 were immediately found, per the thread
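Added example, not part of the thread or of socat's code: a Miller-Rabin test with the even-number and small-n cases handled explicitly (the failure mode mentioned in the comments above), wrapped in an audit of a hard-coded DH modulus that checks size, then small factors by trial division, then Miller-Rabin. The page does not reproduce socat's modulus, so `SAMPLE_COMPOSITE` is constructed; the function names and the 20000 trial-division bound are assumptions of this example.

```python
import random

# Primes below 20000, enough to catch small factors by trial division.
SMALL_PRIMES = [p for p in range(2, 20000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]

# Constructed sample (not socat's modulus): two small primes times a Mersenne prime.
SAMPLE_COMPOSITE = 257 * 13597 * (2**521 - 1)

def small_factors(n):
    """Return the primes below 20000 that divide n."""
    return [q for q in SMALL_PRIMES if n % q == 0 and n != q]

def is_probable_prime(n, rounds=40, rng=None):
    """Miller-Rabin. False: certainly composite. True: probably prime."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:  # even numbers must be rejected before the main loop
        return False
    d, s = n - 1, 0  # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a is a witness: n is composite
    return True

def audit_dh_modulus(p, min_bits=2048):
    """Return findings for a hard-coded DH modulus; an empty list is a pass."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    factors = small_factors(p)
    if factors:
        findings.append(f"composite: divisible by {factors}")
    elif not is_probable_prime(p):
        findings.append("composite: fails Miller-Rabin")
    return findings
```

Running `audit_dh_modulus` over every hard-coded modulus in a code base as a unit test turns a non-prime parameter into a build failure instead of a later advisory.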
Let's use the proper terminology (Score:4, Informative)
They can neither confirm nor deny (Score:2)
They can neither confirm nor deny, nor admit electronically or in print, that they have been backdoored.
Even if it's obvious (and a requirement) that they are.
Oh, so now it's back to "backdoored"? (Score:2)
> Socat Weak Crypto Draws Suspicions Of a Backdoor
I thought we were calling them "backholes" now?