Crypto flaw was so glaring it may be intentional eavesdropping backdoor

[J65nko]

From http://arstechnica.com/security/2016...ping-backdoor/

Quote:

Network tool contained hard-coded prime number that wasn't prime after all.

An open source network utility used by administrators and security professionals contains a cryptographic weakness so severe that it may have been intentionally created to give attackers a surreptitious way to eavesdrop on protected communications, its developer warned Monday.

Socat is a more feature-rich variant of the once widely used Netcat networking service for fixing bugs in network applications and for finding and exploiting security vulnerabilities. One of its features allows data to be transmitted through an encrypted channel to prevent it from being intercepted by people monitoring the traffic. Amazingly, when using the Diffie-Hellman method to establish a cryptographic key, Socat used a non-prime parameter to negotiate the key, an omission that violates one of the most basic cryptographic principles.

[kpa]

I'm not familiar with the OpenSSL DH implementation but one would assume that such a system should check the provided prime numbers for primality at least with a crude and fast method, maybe this isn't the case?

[jjstorm]

So much for the advantage of "peer scrutiny" of open source software