Socat slams backdoor, sparks thrilling whodunit

Popular admin tool Socat has issued a patch for an error that's been in the code for 12 months and is so egregious some fear it could be a backdoor. The problem, revealed here, is simple: the Socat SSL implementation uses a non-prime number as its Diffie-Hellman p parameter. Socat is akin to the famous *nix cat command, but …

  1. Destroy All Monsters Silver badge
  2. John Smith 19 Gold badge

    Interesting point.

    A pretty big number.

    Not obvious.

    Privacy & security is tricky.

    1. Kanhef

      Re: Interesting point.

      Definitely not obvious - at least it didn't end in a 5 - but at the same time, any decent factorizing program would have reached 271 fairly quickly, so it's clear they didn't double-check the number in the code for primeness. Since one of the factors is so small, my guess is there was a typo of some sort; if I wanted to backdoor an encryption routine, I'd use a semiprime whose only two factors are roughly equal in length (~150 digits in this case), so it would take some significant number crunching to discover that it's not prime.

      1. Destroy All Monsters Silver badge

        Re: Interesting point.

        it would take some significant number crunching to discover that it's not prime.

        Not at all:

        PRIMES is in P

        (Ok, it's still O(log(n)^12) and the AKS algorithm is not used in practice, but still...)

        1. Arthur the cat Silver badge

          Re: Interesting point.

          Given that various researchers have done some serious crunching using Amazon web services for just a few dollars, checking a 1024 or 2048 bit number for primality should be relatively cheap and only needs doing once.

          The big problem is not individual numbers but when an entire algorithm has been back doored by a state level actor. That requires the sort of informed scrutiny most of us simply aren't qualified to supply.

  3. Anonymous Coward

    Dyslexia?

    One of the reasons I exercise such care in my coding is that I have a mild case myself. Another is accidental truncation; I've done that too. It doesn't have to be purpoeful.

    1. glen waverley

      Re: Dyslexia?

      "purpoeful"

      I see what you did there!

    2. a_yank_lurker

      Re: Dyslexia?

      I am inclined to believe this is an innocent error rather than something deliberate, also.

      1. Robert Carnegie Silver badge

        Re: Dyslexia?

        Dyxlesia is a bastrad

        But that mistake everyone has mad

  4. John Klos

    Obvious, indeed!

    Just using BSD's command line factor, within a second (on a VAX, nonetheless) one already gets two factors:

    factor 143319364394905942617148968085785991039146683740268996579566827015580969124702493833109074343879894586653465192222251909074832038151585448034731101690454685781999248641772509287801359980318348021809541131200479989220793925941518568143721972993251823166164933334796625008174851430377966394594186901123322297453

    143319364394905942617148968085785991039146683740268996579566827015580969124702493833109074343879894586653465192222251909074832038151585448034731101690454685781999248641772509287801359980318348021809541131200479989220793925941518568143721972993251823166164933334796625008174851430377966394594186901123322297453: 271 13597

    Nobody should ever take something like this on faith, unless the source is well known and in direct contact via secure communications. Even if you don't know how to set up the software to factor larger numbers, some sanity checking really isn't hard. It took me longer to copy and paste than the actual test took.

    1. David 132 Silver badge

      Re: Obvious, indeed!

      I tried that on my puny little Ubuntu box, and the factor command choked pathetically on a number of that size (actually, I think it has problems with anything larger than three digits...*)

      Anyone know if the University of York still has a VAX? They did when I was there 20+ years ago and I think that's the only one I've ever used. I miss it.

      (*feel free to insert mental "That's what SHE said!" here if so inclined)

      1. Arthur the cat Silver badge

        Re: Obvious, indeed!

        I tried that on my puny little Ubuntu box, and the factor command choked pathetically on a number of that size

        I just checked the source code for the FreeBSD version of factor and it uses the openssl bignum library to handle its arguments, so has no limit to size of input. The time to get the factors is another matter.

    2. Anonymous Coward

      Re: Obvious, indeed!

      Or install PARI/GP for some serious playing.

    3. GrumpenKraut

      Re: Obvious, indeed!

      Testing primality by factoring is very unwise.

      Anyway, two small prime factors are 271 and 13597 as you said, and the remaining factor (38894884...13639519) is still composite.

  5. cantankerous swineherd

Don't have the first clue about crypto, but the number being hard coded seems as big a problem as its non-primeness?

    1. Anonymous Coward

      Apparently not, it can be a public prime that doesn't change:

      http://mathworld.wolfram.com/Diffie-HellmanProtocol.html

      Don't quote me, I would need a day or so to reflect on why this works.

  6. herman

    It would have been ever so slightly more obvious if it was an even number...

  7. Anonymous Coward

    Wilful ignorance

    I don't think any malice was intended, I'm pretty sure this was just a programmer without much understanding of anything much just messing up.

    It would've helped if the patch said how the dhparams had been generated. Someone would have noticed that it said "wild guess" instead of "openssl dhparam 1024". A lesson for anyone accepting patches in good faith.

  8. GrumpenKraut

    Next and previous primes.

    Using Pari/GP:

    ? t=1433193643...2297453; \\ shortened

    ? nextprime(t)-t

    210

    ? t-precprime(t)

    1464
