bug-classpath

[Bug crypto/38417] gnu.java.security.util.PRNG produces easily predictab


From: lloyd at randombit dot net
Subject: [Bug crypto/38417] gnu.java.security.util.PRNG produces easily predictable values
Date: 8 Dec 2008 15:45:07 -0000


------- Comment #3 from lloyd at randombit dot net  2008-12-08 15:45 -------
I have confirmed that DSA private keys can easily be derived from the public
key and a single message/signature pair when the app is compiled with gcj. It
does not matter if the key was generated by gcj or something else; any DSA key
used with gcj is easily compromised as long as the public key, message and
signature are known, and the attacker has some starting guess as to what time
the message was signed. Tested with 'gcj (Gentoo 4.3.2 p1.2) 4.3.2'.

I can attach the victim and attack code, if desired.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417




