On 03/29/2011 11:08 AM, Niels Möller wrote:
> Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
>
>> At least for TLS, weak key checking is not that important, due to the low probability of selecting one, to be of any practical concern.
>
> In lsh, I disconnect when a weak key is detected. The problem with relying on "low probability" is that unless you generate the random key all by yourself, you need that probability to be low also in the presence of any possible attacks on the key agreement protocol. The analysis needed to rule out such attacks may cause some headache, which you can avoid by simply refusing to use weak keys if they ever occur.
In TLS the generated keys do not only depend on the key exchange but also on several bytes of randomness contributed by both peers. Even a key exchange with a malicious party would produce random keys with a little more than 224 bits of randomness.

Moreover, if you handle weak keys, you should include it in the protocol, i.e. do you restart the key exchange once a weak key is detected, or do you just terminate the handshake? TLS has no provisions for a re-handshake once a weak key is detected.
regards, Nikos
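The derivation Nikos is referring to, worked through as an added example (this is not code from the thread, nor from GnuTLS, lsh or Nettle): the TLS 1.2 PRF from RFC 5246 section 5 with P_SHA256, the master secret computed from the premaster secret plus client_random and server_random, and the key block expanded from the master secret. The function and variable names are my own, the premaster secret is a constructed all-zero value standing in for one a broken key exchange lets the peer force, and `keys_with_hostile_peer` models the thread's point: even with the premaster and the peer's random held fixed, the honest side's 28 random bytes still change every derived key. Cipher-suite sizes default to AES-128-CBC with HMAC-SHA1 as an assumption.

```python
import hashlib
import hmac
import os
import struct


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def tls_random(unix_time: int, entropy=None) -> bytes:
    """A TLS Random structure: 4-byte gmt_unix_time followed by 28 random bytes.
    Those 28 bytes are the 224 bits of randomness each peer contributes."""
    entropy = os.urandom(28) if entropy is None else entropy
    if len(entropy) != 28:
        raise ValueError("TLS Random carries exactly 28 random bytes")
    return struct.pack(">I", unix_time) + entropy


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # key expansion seeds with server_random first (RFC 5246, section 6.3)
    return prf(master, b"key expansion", server_random + client_random, length)


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> dict:
    """Derive the master secret and split the key block into the six per-direction
    secrets. Sizes are an assumption (AES-128-CBC with HMAC-SHA1)."""
    master = master_secret(premaster, client_random, server_random)
    kb = key_block(master, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    names = ("client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    keys = {"master_secret": master}
    pos = 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def keys_with_hostile_peer(premaster: bytes, server_random: bytes, trials: int = 8) -> int:
    """Model the thread's argument: assume a peer that has forced the premaster secret
    (constructed here, e.g. an all-zero value from a broken key exchange) and chose its
    own random. Only the honest client's 28 random bytes vary between handshakes.
    Returns how many distinct client_write_keys appear over `trials` handshakes;
    with fresh client randoms this equals `trials`."""
    seen = set()
    for _ in range(trials):
        client_random = tls_random(1301400000)  # constructed timestamp, fresh entropy
        seen.add(derive_keys(premaster, client_random, server_random)["client_write_key"])
    return len(seen)


if __name__ == "__main__":
    forced_premaster = b"\x00" * 48  # constructed: what a broken exchange might yield
    hostile_random = tls_random(1301400000, b"\x00" * 28)  # constructed: peer's fixed random
    print("distinct client keys over 8 handshakes:",
          keys_with_hostile_peer(forced_premaster, hostile_random, 8))
```

The derived keys still differ per handshake because the honest side's random enters both the master secret and the key block; what this does not do is tell you what to do if a weak key still came out, which is the protocol gap the reply raises.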