Bug#619439: Please do _not_ distribute gnutls-params in the package
Laurent Fousse
lfousse at debian.org
Sat Apr 30 15:13:47 UTC 2011
Hello,
Diffie-Hellman parameters are public information. Here is the prime
parameter used by your MX at the time I write this mail:
ce 7d 02 b5 82 40 24 a4 6f 3d b7 25 c6 cc 74 a7
e9 60 f1 2e 0c 95 41 11 26 bd 08 e9 88 a1 58 fc
db 7f 89 87 12 dc e5 ec 16 60 a2 e1 af 8f 6c c2
9c 8f a0 06 3c dd 58 4e 4e c1 af 7e 5d 1f 43 13
87 a9 a8 67 54 74 7a 3e 09 1a 35 23 10 78 20 b9
ff af 76 86 c8 ed 22 9b 66 bc 59 21 7a 81 c4 c0
bf 53 3c f1 b3 fb 12 6d c5 6e 42 5c d2 39 55 05
54 f9 0a ad c2 ed ca bf cf 12 e1 4d 1d a2 35 6c
31 0c 08 f9 86 25 d4 11 0b ad c6 22 bb 83 18 da
6b 31 49 e5 27 71 26 4c f8 34 cd af 7f 70 8c af
6b d0 44 84 d9 45 36 0f 54 e5 ee 67 3a fb 53 b2
a8 d9 c9 34 14 48 52 81 c8 69 dd 6b e9 0b 3e 40
4a 82 95 09 31 15 24 9a e0 4b 59 7b 91 fb 36 c0
aa e9 4e f0 b2 97 18 49 70 b9 75 53 9f 23 58 fa
3d 41 ef 2b c5 09 f0 36 db 76 31 e1 2e d3 6a cb
da 54 fb c8 14 a8 04 7c b4 31 ca 0f 1f 2d 4a f7
Obtained using ssldump -A in parallel with s_client.
> But I will go into the cryptographic basics to see if he is true. Until
> then I cannot say that is is secure to open that prime material to the
> world and the fact that debian is trusting a anonymous more than the
> exim people do not higher my trust in that package. Sorry to say.
DH key establishment protocol is described for example in the
Handbook of Applied Cryptography
§12.6.1. http://www.cacr.math.uwaterloo.ca/hac/
You could also have a look at the NIST recommendation (SP 800-56A),
§5.5:
"Although domain parameters are public information[...]"
Laurent.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20110430/df3ecbe1/attachment.pgp>
More information about the Pkg-exim4-maintainers
mailing list