[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SFL "DH Key TestAgree failed" Error Message



All,

Please see the attached messages.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john.pawling@xxxxxxxx
============================================ 

-----Original Message-----
From: Colestock, Robert 
Sent: Wednesday, April 19, 2000 11:51 AM
To: <snip>
Subject: RE: SFL Smime AND Snacc tmp files fix

I have added "md5WithRSAEncryption" to SMTI_DigestData for the next release.

The DH error message you indicate is from a check I placed in the code to
check the integrity resulting ephemeral key.  I have found that our original
DH parameters were very inadequate for proper DH key construction (if you
are using our old parameters, this could be the cause of the problem).  If
you build keys and do not get this error, the keys work fine and protect the
data; if you get this error it means the resulting buffer can easily be
decrypted without the public/private key mix.  In my experience, this is due
to the DH parameters.  I have avoided this error by using the P and G
parameters from a valid DSA public key.  I have not been successful building
my own parameters from the Crypto++ library (the results are restricted in
robustness, choice of G is always 1 dimensional).  Our present parameters
are listed in
"./test/specMatrix.d/CMS_Examples.d/certs.d/config.d/public.d/ndh_generated_
params.dat".  I have included them here in case you have the opportunity to
rebuild the Recipient certificate they are derived from for the ESDH
ephemeral key construction.

The results with this bad key group will appear to work fine, but they can
be easily compromised so I would not advise using that particular
Recipient's certificate for operational transmission of data.

Bob Colestock

-----Original Message-----
From: <snip>
To: Colestock, Robert
Cc: Pawling, John
Subject: Re: SFL Smime AND Snacc tmp files fix


Hi Bob,
I've downloaded the new versions of SFL and CML and they work fine.

I made a small change in sm_free3.cpp, (poidDigest == md5WithRSAEncryption)
condition added in CSM_Free3::SMTI_DigestData function, in order to able to
verify md5RSA signatures.

Also, I have an error message, " *********DH Key TestAgree failed**********
", which appears from time to time when I try to encrypt with Ephemeral
Diffie Hellman. Is it something that I did wrong?

Thanks,
<snip>