From: Eric Rescorla (ekr@speedy.rtfm.com)
Date: Wed Feb 07 2001 - 10:23:24 CST
> Earlier I wrote,
> > I looked at several free crypto libraries, including OpenSSL, Crypto++,
> > CryptoLib, and CryptLib and most are vulnerable, to the extent there is a
> > vulnerability: they choose a random 160 bit value and then take it mod q.
> As Wei has pointed out, I was wrong about Crypto++, which does in fact
> choose k as a random value less than q. I apologize for misreading
> the code.
Is there a consensus on what the "Right Thing" to do is?
Certainly the easiest thing to do is what Peter Gutmann and PGP do:
Generate a random number between 2^Z-1 and 1 where Z>>160 and then
reduce it by q. Is that good enough?
PureTLS does the "random 160 mod q" approach as well and I'd rather
only have to change it once. Damn, I really hate it when you can
go wrong by doing exactly what the standard says.
[Eric Rescorla ekr@rtfm.com]
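As an added example (not code from the original post or from any library named in it), the exact bias of the "random 160 mod q" nonce next to the two alternatives discussed: Crypto++-style rejection sampling and the Gutmann/PGP oversample-then-reduce approach. The 160-bit q below is a constructed stand-in, not a real DSA parameter.

```python
import math
import secrets
from fractions import Fraction

# Constructed 160-bit stand-in for DSA's q (2^159 < q < 2^160). It need not be
# prime: the bias computation depends only on q's size, not on primality.
Q = 3 * 2**158 + 1


def reduction_bias(bits: int, q: int) -> Fraction:
    """Exact total-variation distance from uniform on [0, q) of a uniform
    `bits`-bit value reduced mod q.

    With 2^bits = full*q + extra, residues below `extra` are hit full+1 times
    and the rest full times, so the distance is extra*(q-extra)/(2^bits*q),
    which is at most q/2^(bits+2): large for bits = 160, ~2^-66 for 224 bits.
    """
    n = 1 << bits
    full, extra = divmod(n, q)
    p_hi, p_lo, u = Fraction(full + 1, n), Fraction(full, n), Fraction(1, q)
    return (extra * abs(p_hi - u) + (q - extra) * abs(p_lo - u)) / 2


def k_mod_reduce(q: int, bits: int, rng=secrets.randbits) -> int:
    """The 'random 160 mod q' nonce when bits == 160 (biased), and the
    Gutmann/PGP variant when bits >> 160 (bias bounded by q/2^(bits+2))."""
    while True:
        k = rng(bits) % q
        if k != 0:  # DSA requires 1 <= k <= q-1, so redraw on 0
            return k


def k_rejection(q: int, rng=secrets.randbits) -> int:
    """Crypto++-style: draw bit_length(q) bits and retry until the value lies
    in [1, q-1]. Accepted values are exactly uniform; nothing is reduced."""
    while True:
        k = rng(q.bit_length())
        if 0 < k < q:
            return k


if __name__ == "__main__":
    for bits in (160, 224):
        tv = reduction_bias(bits, Q)
        print(f"{bits}-bit draw mod q: distance from uniform = 2^{math.log2(float(tv)):.1f}")
    print("rejection-sampled k in range:", 0 < k_rejection(Q) < Q)
```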