Socat Weak Crypto Draws Suspicions Of a Backdoor

msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.

This cannot happen accidentally

[JoshuaZ]

This cannot happen accidentally. We have for example versions of the Miller-Rabin test https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test which easily test primality if you believe the Riemann Hypothesis and other versions which unconditionally give such a high probability that one is more likely to have had a cosmic ray wreck your computing results than for the test to be erroneous. You can use for example this Javascript http://www.javascripter.net/math/primes/millerrabinprimalitytest.htm. There's no obvious way one would come up with a composite number unless one was deliberately trying. Hopefully there's enough of a record to note when this fake prime was put in.

Re:This cannot happen accidentally

This evening I'll reflect on your rant while performing the Miller-Coors test

Re:This cannot happen accidentally

[JoshuaZ]

Followup: acording to this thread https://news.ycombinator.com/item?id=11014175 the number in question fails at even being a pseudoprime for small bases, which means that even the most simple checks were not done. That thread also mentions the individual responsible for giving the "prime"- I'm not sure why he's not being grilled pretty heavily right now.

Re:This cannot happen accidentally

[Pseudonym]

It easily can happen accidentally. The probability of a bug in your implementation of the Miller-Rabin test (for a general "you") is quite high.

Now look at the history here. The patch was submitted by someone who admitted "I don't have enough knowledge to implement the merge", and was accepted without any serious review. Looking at my own history of screwing up commits, it's fairly easy to see how this might have happened.

I'm just lucky that none of mine had implications that serious. There but for the grace of His Noodly Appendage...

Re:There seem to be a lot of these backdoors

[gstoddart]

Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.

In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.

Screwing it up, however, can be done by any moron.

Which happened here? Who the hell knows.

Let's use the proper terminology

[pjcreath]

The correct term for this is backhole.

Re:There seem to be a lot of these backdoors

[arglebargle_xiv]

Given that it also used 512-bit primes, which are toy keys that were weak twenty years ago, it's more likely a screwup. Seeing messed-up crypto written by people whose crypto knowledge extends to reading the Wikipedia page on RSA and perhaps one or two chapters of Applied Cryptography is pretty much par for the course.

From a very brief Google of socat howtos, I couldn't see much about enabling or applying checking of certs, which means it probably doesn't do that either. In addition the advisory is pretty confusing, what does "OpenSSL address implementation" mean? Since the server supplies the DH values and OpenSSL itself has known-good DH values, why is there some other value hardcoded into socat?