Python Cryptography Toolkit

Activity log for bug #985164

Date Who What changed Old value New value Message
2012-04-18 19:19:08 Legrandin bug added bug
2012-04-18 19:19:33 Legrandin visibility private public
2012-04-18 21:03:37 Legrandin description In the ElGamal schemes (for both encryption and decryption), g is supposed to be the generator of the entire Z^*_p group. However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p. The order of such sub-group may be smaller than p-1, and since there are not constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be. To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210! In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p. The order of such sub-group may be smaller than p-1, and since there are not constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be. To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210!
2012-04-24 23:12:51 Dwayne Litzenberger cve linked 2012-2417
2012-04-25 21:10:02 Dwayne Litzenberger pycrypto: importance Undecided High
2012-04-25 21:10:10 Dwayne Litzenberger pycrypto: status New In Progress
2012-05-24 12:40:11 Dwayne Litzenberger pycrypto: status In Progress Fix Released
2012-06-28 20:22:54 Mike Doherty bug added subscriber Mike Doherty