IETF Logo Mail Archive

Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

Tero Kivinen <kivinen@iki.fi> Thu, 30 March 2017 17:41 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7900A1293DA for <curdle@ietfa.amsl.com>; Thu, 30 Mar 2017 10:41:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iaMYRy5EVhLy for <curdle@ietfa.amsl.com>; Thu, 30 Mar 2017 10:41:26 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F9FE129430 for <curdle@ietf.org>; Thu, 30 Mar 2017 10:41:25 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v2UHexxi024431 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 30 Mar 2017 20:40:59 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v2UHewRI011483; Thu, 30 Mar 2017 20:40:58 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22749.17194.509999.470077@fireball.acr.fi>
Date: Thu, 30 Mar 2017 20:40:58 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "Mark D. Baushke" <mdb@juniper.net>, "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>
In-Reply-To: <1490844151663.13492@cs.auckland.ac.nz>
References: <CADZyTkmr0WF3BOBby3rObBGGQaqMUq=0Ssc7NB9PAgPFDrk7dA@mail.gmail.com> <30381.1490720068@eng-mail01.juniper.net> <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com> <1490766071333.6018@cs.auckland.ac.nz> <57287.1490768257@eng-mail01.juniper.net> <1490771481840.11723@cs.auckland.ac.nz> <22747.56331.274710.114550@fireball.acr.fi> <1490844151663.13492@cs.auckland.ac.nz>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 34 min
X-Total-Time: 45 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/0yDy-vmo6y13DIuM3SBmOFc-e_U>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 17:41:28 -0000

Peter Gutmann writes:
> Tero Kivinen <kivinen@iki.fi> writes:
> 
> >I did verify the RFC 2409 primes (768, 1024, and 1536 bit groups) when I 
> >generated the RFC3526. I do not know if anybody else has verified the 
> >RFC3526 primes.
> 
> Wow.  So the 2409 values took five years to be independently
> verified and

Earlier than that. First version of the
draft-ietf-ipsec-ike-modp-groups-00.txt was published october 2000,
and that already include primality proofs for 1536, 2048, 3072 and
4096 bit groups. And I did had verified 1024 and 768 bit groups before
publishing that draft. 

It then took 3 years to publish that draft as RFC3526, and it took
several months of that was just to do the primality proofs for bigger
groups. The 16384 bit group (which we decided not to include in
RFC3526) took more than 36 days to generate the primality proof, and I
had to restart it 3-4 times, as machine doing it crashed or lost power
during the process several times. Getting windows machine to stay up
and stable for 36 days was bit challenging.

So yes, there was two year lag from the RFC2409 publication to after
the first draft providing independent proofs for them was published.
Or three years if we use the draft-ietf-ipsec-isakmp-oakley-04 as
baseline for RFC2409, as that was first one that included 1024-bit
group. 

> nineteen years before this became known, the 3526 values took twelve
> years to be independently verified. If we do publish new groups, we
> need to address this problem with some urgency. I'm not saying I
> don't trust you :-) but the point of publishing the details is to
> gain confidence in everything being correct once multiple people
> have verified things.

Sure, it would be good thing for other people to run the verifications
too. How about you verifying both IKE and TLS groups and make sure
they are actually generated as explained, and that they are first
primes matching the process...

Primality proofs are something that you do not need to rerun, you can
just take the proofs and verify that they verifiers the prime.

> >Actually breaking SSH is much more useful than breaking IKE or TLS. The 
> >first time the adminstrator types sudo and his root password inside his 
> >ssh connection, the stored SSH stream comes very valuable for the 
> >attacker... 
> 
> Only if they want to compromise someone's Linux box or something.  If you
> target IKE you get to vaccuum up a ton of VPN traffic, and with SSL you
> get not only all web browsing but a ton of other stuff that uses it as the
> universal secure transport mechanism for network traffic.

Note, that with IKE there is typically 8 hour rekey timer or similar,
so they need to do the second part of the DH breaking again for each 8
hour data capture and also again for each different client. Most of
the VPN traffic is not that high value than something like root
password of the mail server... 

> For example if you're targetting VoIP then you'd want it for the
> tiny fraction of SIP that isn't just sent in the clear. It'd also
> give you ToR traffic, and endless other material. The pretty clear
> lesson here is, don't use the same DH parameters as SSL/TLS.

No the lesson here is that you do not want to use too short
Diffie-Hellman groups. As the [1] says:

	Our analysis suggests that 1024-bit discrete log may be within
	reach for state-level actors. As such, 1024-bit DHE (and
	1024-bit RSA) must be phased out in the near term. NIST has
	recommended such a transition since 2010 [4]. We recommend
	that clients raise the minimum DHE group size to 2048 bits as
	soon as server configurations allow. Server operators should
	move to 2048-bit or larger groups to facilitate this
	transition. Precomputation for a 2048-bit non-trapdoored group
	is around 10^9 times harder than for a 1024-bit group, so
	2048-bit Diffie-Hellman will remain secure barring a major
	algorithmic improvement.

[1] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

> So in terms of target groups if I was a government-level attacker, I'd go
> for SSL, then IKE, and then I'd think about what to do next, given that it
> could take years to break each parameter set.

If you are scared about that then just go to the 4096 bit
Diffie-Hellman. If it will take years to break 1024-bit DH, and
billion years (10^9) more to break 2048-bit DH, then 4096-bit DH
should be safe... :-)

Even if we assume that they have much more cpu power than people think
they have, and that they can do pre-calculation for the 1024-bit DH in
one day (meaning it does not matter if people will create their own
1024-bit DH groups as they can easily break them quickly), then doing
pre-calculation on one 2048-bit DH group will take more than 2 million
years, so we should be quite safe even if we just use one group. And
if they go and attack TLS group first then IKE is still safe for 4
million years, so you can safely use IKE numbers for next few
decades... :-)
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email