mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
93c412b1a7
I used this to confirm that the previous nonces generated by dsa_gen_k() were indeed biased, and to check that the new RFC6979 ones don't have the same problem. Recovering the DSA nonce value is equivalent to recovering the private key. One way round, this is well known: if you leak or reuse a nonce, your private key is compromised. But the other direction of the equivalence is also true - if you know the private key and have a signed message, you can retrieve the input nonce. This is much less obviously useful (certainly not to an attacker), but I found it convenient for this particular test purpose, because it can operate on the standard SSH data formats, without needing special access into the signing algorithm to retrieve its internal variables. So I was able to run this script unchanged against the 'before' and 'after' versions of testcrypt, and observe the difference.
sclog/
agentmulti.py
agenttest.py
agenttestdata.py
agenttestgen.py
ca.py
colours.txt
cryptsuite.py
desref.py
display.txt
dsa_nonce_recover.py
eccref.py
fuzzterm.c
lattrs.txt
list-accel.py
mpu-check.pl
numbertheory.py
primegen.py
scocols.txt
ssh.py
testcrypt-enum.h
testcrypt-func.h
testcrypt.c
testcrypt.py
testsc.c
testzlib.c
utf8.txt
vt100.txt
windowchange.py