

Google Keyczar was using stock Python RNG for its DSA crypto code. - tptacek
http://code.google.com/p/keyczar/source/detail?r=420

======
kragen
That's amazing.

If someone guesses your random number in DSA, doesn't that reveal your private
key? r⁻¹(s·k - H(m)) mod q or something like that, where r and s are the two
pieces of the signature, k is the random number, H(m) is the hash of the
message, and q is the modulus from the public algorithm parameters?

Does Keyczar generate DSA signatures that are revealed to untrusted parties?
Because if so, it just leaked your keys to those parties.

Maybe you (a) shouldn't use DSA and (b) shouldn't use Keyczar. Who's the
Rivest grad student Thomas keeps going on about? Did Rivest award him a Ph.D.?

~~~
sweis
Yes, if the 'k' values are predictable, then someone can extract the private
key. The Python random module uses a Mersenne twister, so observing a
sufficient number of signatures would allow someone to extract the key.

This is not a flaw in DSA, but a flaw in the Keyczar Python implementation.
Here's the original security advisory, again:
[http://groups.google.com/group/keyczar-discuss/browse_thread...](http://groups.google.com/group/keyczar-discuss/browse_thread/thread/781c4db2c0b72b36)

PS - I was the grad student. Yes, I did get my degree, and no, they haven't
asked for it back (yet).
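
Added illustration of the point above (example code written for this page, not Keyczar's code and not from any thread participant): a toy textbook DSA over constructed parameters p = 607, q = 101, with a nonce drawn from the stock `random` module beside one drawn from `secrets`, and the identity kragen quotes, x = r⁻¹(s·k − H(m)) mod q, which turns one known nonce into the private key. The parameters, key and message are constructed and far too small for real use.

```python
import hashlib
import random   # stock Mersenne Twister (MT19937): not a CSPRNG
import secrets  # OS CSPRNG: where a DSA nonce must come from
from typing import NamedTuple, Optional, Tuple

class DSAParams(NamedTuple):
    p: int  # prime modulus
    q: int  # prime order of the subgroup, q | p-1
    g: int  # generator of the order-q subgroup

# Constructed toy parameters (hypothetical, far too small for real use): p = 6q+1, q = 101, g = 2^6 has order q.
TOY = DSAParams(p=607, q=101, g=pow(2, 6, 607))

def h(msg: bytes, q: int) -> int:
    """H(m) reduced into Z_q (toy shortcut: SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params: DSAParams, x: int, msg: bytes, k: int) -> Optional[Tuple[int, int]]:
    """Textbook DSA with an explicit nonce k; None if r or s is 0 (caller retries)."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h(msg, q) + x * r) % q
    return (r, s) if r and s else None

def sign_weak(params: DSAParams, x: int, msg: bytes) -> Tuple[int, int]:
    """The pattern the thread describes: k from the stock random module (MT19937, predictable once enough output is observed)."""
    while True:
        sig = sign(params, x, msg, random.randrange(1, params.q))
        if sig:
            return sig

def sign_secure(params: DSAParams, x: int, msg: bytes) -> Tuple[int, int]:
    """Hardened form: k uniform in [1, q-1] from the OS CSPRNG."""
    while True:
        sig = sign(params, x, msg, secrets.randbelow(params.q - 1) + 1)
        if sig:
            return sig

def verify(params: DSAParams, y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(g, h(msg, q) * w % q, p) * pow(y, r * w % q, p) % p
    return v % q == r

def recover_private_key(params: DSAParams, msg: bytes, sig: Tuple[int, int], k: int) -> int:
    """The identity quoted in the thread: x = r^-1 (s*k - H(m)) mod q; whoever knows or predicts k for one signature learns x."""
    q, (r, s) = params.q, sig
    return pow(r, -1, q) * (s * k - h(msg, q)) % q
```

Both signing variants verify identically; the difference is only whether an observer can predict k, and `recover_private_key` shows what a single predicted k is worth.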

~~~
kragen
My condolences. You must not be feeling very good right now.

I don't know whether to agree that it's "not a flaw in DSA". DSA's failure
mode is that if you ever use your private key, even once, with a single
guessable random number, your opponent knows your key and can impersonate you
thereafter. There are other digital signature algorithms that don't have this
failure mode, such as RSA. Maybe it's better, from a "defense-in-depth" point
of view, not to design DSA into new protocols.

~~~
sweis
No condolences necessary. I'm glad that more people are looking at Keyczar and
finding these bugs. We learn from our mistakes and in the end have safer code
for everyone.

------
tptacek
But yeah, sure. I mean, all they had was a Rivest grad student leading the
project, and Google's name behind them. You're definitely going to get
everything right with your own code.

~~~
sweis
Mea culpa. I originally reviewed this code and missed it. Here's the post in
the message group about this: [http://groups.google.com/group/keyczar-discuss/browse_thread...](http://groups.google.com/group/keyczar-discuss/browse_thread/thread/781c4db2c0b72b36)

