Re: [PATCH] Add support for diffie-hellman-group16-sha512
- Subject: Re: [PATCH] Add support for diffie-hellman-group16-sha512
- From: Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 01 Nov 2018 17:30:28 +0100
- To: libssh@xxxxxxxxxx
On Fri, 2018-09-21 at 15:11 +0200, Aris Adamantiadis wrote:
> Hi Nikos,
>
> I share your point of view over group exchange. I even made some (poor) research myself on how bad parameters in /etc/moduli could make SSH key exchanges trivially breakable. Like you said, it boils down to convincing system administrators to install a backdoored moduli file with weak parameters that they wouldn't test. There is an offline test that can mitigate this attack.
>
> However, I do not think big, hardcoded groups are any better, unless we have hundreds of them. Cracking the DLP, for the most important parts, requires precomputing that only applies to the group parameters and not the actual encrypted values. It means that all standard groups, especially the currently crackable ones (probably group1 and maybe group14), are very obvious static targets to information agencies, and I wouldn't be surprised at all if they can crack them on the fly. This is a problem that can apply to every standard group of reasonable size.
>
> I'd personally encourage everyone to move to curve25519, but interoperability is an important issue, and I think dh-gex maximizes the interoperability without sacrificing security too much. Big standardized groups still have the disadvantage of being poorly supported, so if we merge them, it won't be for interoperability advantages.

Sorry for the long time to get into that. I admit I'm no longer in the crypto theoretical field, and I have read several concerns similar to the above, but I'm not really convinced that this is really a threat. The attacks you mention that use pre-computations are older than elliptic curves themselves; however, there haven't been any published results with any RFC value.

On the other hand, the records in breaking the DLP are usually set with groups of very special form (e.g., characteristic 2), and since special-form groups can be broken, this makes arbitrary group negotiation, in TLS and other protocols, the most attractive mechanism to attackers, because it can be manipulated easily, unlike fixed groups. In fact, the only attack I've been involved in, on TLS, was taking advantage of this mechanism. To counter these attacks, NIST requires additional checks for arbitrarily negotiated groups (e.g., check that the prime is a safe one, and that the value received belongs to the correct group). These make sense cryptographically, but they make these key exchanges significantly slower and dependent on probabilistic primality checks for efficiency.

So, I'd worry more about attacks that inject questionable values into an open-parameter negotiation, rather than fixed RFC parameters (which are also not that fixed; new groups are added every few years).

regards,
Nikos
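The two checks Nikos refers to for negotiated groups (the prime is a safe prime, and the peer's public value lies in the order-q subgroup), written out as an added example for this archive page; it is not code from the thread or from libssh. The Miller-Rabin test is the probabilistic primality check he mentions, and the group values below are small constructed numbers chosen so the checks can be followed by hand.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_negotiated_group(p: int, g: int, peer_pub: int) -> bool:
    """Accept a negotiated (p, g) and a peer public value only if:
    p is a safe prime, g and peer_pub are in the open range (1, p - 1),
    and both g and peer_pub lie in the order-q subgroup, so a malicious
    peer cannot steer the shared secret into a tiny subgroup."""
    if not is_safe_prime(p):
        return False
    q = (p - 1) // 2
    for value in (g, peer_pub):
        if not 1 < value < p - 1:
            return False
        if pow(value, q, p) != 1:
            return False
    return True


# Constructed demo: p = 23 is a safe prime (q = 11); 2 generates the
# order-11 subgroup, 8 = 2**3 is in it, 5 is a non-residue and is not.
assert validate_negotiated_group(23, 2, 8)
assert not validate_negotiated_group(23, 2, 5)
assert not validate_negotiated_group(13, 2, 3)   # (13 - 1) / 2 = 6, not prime
```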