[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Add support for diffie-hellman-group16-sha512

On 21/09/2018 14:44, Nikos Mavrogiannopoulos wrote:
> On Mon, 2018-09-10 at 17:26 +0200, Aris Adamantiadis wrote:
>> Hi Anderson,
>> Thanks for your contribution. I am not particularly fond of hardcoded
>> DH
>> groups such as group14 or group16, especially since we have
>> dh-group-exchange now. Is it needed to connect to some device that
>> has group16 but doesn't have dh-gex
> (replying also to the next mail from Andreas)
> I think that supporting the dh-gex key exchange is not a good thing
> today. Few years ago it may have looked like a good idea, but today the
> general security directions are toward safe hard-coded groups which
> require no verification from either party. The problem with arbitrary
> parameters is that they are often delegated to be set by administrators
> who have no idea about crypto or how to select a secure parameter.
> Selecting good DH parameters is a problem that even people who know
> crypto have a hard-time to answer. Even worse the protocols that
> transmit parameters, transmit no information to the recipient in order
> to verify their security (I know of TLS but I guess SSH is the same). 
> As such I think supporting only hard-coded groups is a better strategy
> for the future crypto-wise.
> I'm not sure where the SSH protocol stands in that aspect, but IPSec
> was always in the train of hard-coded params, and now also TLS (1.3 and
> 1.2 via RFC7919) have moved to hard-coded groups.
> regards,
> Nikos
Hi Nikos,

I share your point of view over group exchange. I even made some (poor)
research myself on how bad parameters in /etc/moduli could make SSH key
exchanges trivially breakable. Like you said, it boils down to
convincing system administrators to install a backdoored moduli file
with weak parameters that they wouldn't test. There is an offline test
that can mitigate this attack.

However, I do not think big, hardcoded groups, are any better, unless we
have hundreds of them. Cracking the DLP, for the most important parts,
requires precomputing that only applies to the group parameters and not
the actual encrypted values. It means that all standard groups,
especially the currently crackable ones (probably group1 and maybe
group14), are very obvious static targets to information agencies and I
wouldn't be surprised at all if they can crack them on the fly. This is
a problem that can apply to every standard group of reasonable size.

I'd personally encourage everyone to move to curve25519, but
interoperability is an important issue, and I think dh-gex maximizes the
interoperability without sacrificing security too much. Big standardized
groups still have the disadvantage of being poorly supported, so if we
merge them, it won't be for interoperability advantages. 

I'm all for merging the patch if other major SSH implementations follow
the trend.


[PATCH] Add support for diffie-hellman-group16-sha512Anderson Sasaki <ansasaki@xxxxxxxxxx>
Re: [PATCH] Add support for diffie-hellman-group16-sha512Aris Adamantiadis <aris@xxxxxxxxxxxx>
Re: [PATCH] Add support for diffie-hellman-group16-sha512Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org