Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
Tero Kivinen <kivinen@iki.fi> Thu, 30 March 2017 17:41 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7900A1293DA for <curdle@ietfa.amsl.com>; Thu, 30 Mar 2017 10:41:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iaMYRy5EVhLy for <curdle@ietfa.amsl.com>; Thu, 30 Mar 2017 10:41:26 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F9FE129430 for <curdle@ietf.org>; Thu, 30 Mar 2017 10:41:25 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v2UHexxi024431 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 30 Mar 2017 20:40:59 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v2UHewRI011483; Thu, 30 Mar 2017 20:40:58 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22749.17194.509999.470077@fireball.acr.fi>
Date: Thu, 30 Mar 2017 20:40:58 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "Mark D. Baushke" <mdb@juniper.net>, "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>
In-Reply-To: <1490844151663.13492@cs.auckland.ac.nz>
References: <CADZyTkmr0WF3BOBby3rObBGGQaqMUq=0Ssc7NB9PAgPFDrk7dA@mail.gmail.com> <30381.1490720068@eng-mail01.juniper.net> <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com> <1490766071333.6018@cs.auckland.ac.nz> <57287.1490768257@eng-mail01.juniper.net> <1490771481840.11723@cs.auckland.ac.nz> <22747.56331.274710.114550@fireball.acr.fi> <1490844151663.13492@cs.auckland.ac.nz>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 34 min
X-Total-Time: 45 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/0yDy-vmo6y13DIuM3SBmOFc-e_U>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 17:41:28 -0000
Peter Gutmann writes: > Tero Kivinen <kivinen@iki.fi> writes: > > >I did verify the RFC 2409 primes (768, 1024, and 1536 bit groups) when I > >generated the RFC3526. I do not know if anybody else has verified the > >RFC3526 primes. > > Wow. So the 2409 values took five years to be independently > verified and Earlier than that. First version of the draft-ietf-ipsec-ike-modp-groups-00.txt was published october 2000, and that already include primality proofs for 1536, 2048, 3072 and 4096 bit groups. And I did had verified 1024 and 768 bit groups before publishing that draft. It then took 3 years to publish that draft as RFC3526, and it took several months of that was just to do the primality proofs for bigger groups. The 16384 bit group (which we decided not to include in RFC3526) took more than 36 days to generate the primality proof, and I had to restart it 3-4 times, as machine doing it crashed or lost power during the process several times. Getting windows machine to stay up and stable for 36 days was bit challenging. So yes, there was two year lag from the RFC2409 publication to after the first draft providing independent proofs for them was published. Or three years if we use the draft-ietf-ipsec-isakmp-oakley-04 as baseline for RFC2409, as that was first one that included 1024-bit group. > nineteen years before this became known, the 3526 values took twelve > years to be independently verified. If we do publish new groups, we > need to address this problem with some urgency. I'm not saying I > don't trust you :-) but the point of publishing the details is to > gain confidence in everything being correct once multiple people > have verified things. Sure, it would be good thing for other people to run the verifications too. How about you verifying both IKE and TLS groups and make sure they are actually generated as explained, and that they are first primes matching the process... Primality proofs are something that you do not need to rerun, you can just take the proofs and verify that they verifiers the prime. > >Actually breaking SSH is much more useful than breaking IKE or TLS. The > >first time the adminstrator types sudo and his root password inside his > >ssh connection, the stored SSH stream comes very valuable for the > >attacker... > > Only if they want to compromise someone's Linux box or something. If you > target IKE you get to vaccuum up a ton of VPN traffic, and with SSL you > get not only all web browsing but a ton of other stuff that uses it as the > universal secure transport mechanism for network traffic. Note, that with IKE there is typically 8 hour rekey timer or similar, so they need to do the second part of the DH breaking again for each 8 hour data capture and also again for each different client. Most of the VPN traffic is not that high value than something like root password of the mail server... > For example if you're targetting VoIP then you'd want it for the > tiny fraction of SIP that isn't just sent in the clear. It'd also > give you ToR traffic, and endless other material. The pretty clear > lesson here is, don't use the same DH parameters as SSL/TLS. No the lesson here is that you do not want to use too short Diffie-Hellman groups. As the [1] says: Our analysis suggests that 1024-bit discrete log may be within reach for state-level actors. As such, 1024-bit DHE (and 1024-bit RSA) must be phased out in the near term. NIST has recommended such a transition since 2010 [4]. We recommend that clients raise the minimum DHE group size to 2048 bits as soon as server configurations allow. Server operators should move to 2048-bit or larger groups to facilitate this transition. Precomputation for a 2048-bit non-trapdoored group is around 10^9 times harder than for a 1024-bit group, so 2048-bit Diffie-Hellman will remain secure barring a major algorithmic improvement. [1] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf > So in terms of target groups if I was a government-level attacker, I'd go > for SSL, then IKE, and then I'd think about what to do next, given that it > could take years to break each parameter set. If you are scared about that then just go to the 4096 bit Diffie-Hellman. If it will take years to break 1024-bit DH, and billion years (10^9) more to break 2048-bit DH, then 4096-bit DH should be safe... :-) Even if we assume that they have much more cpu power than people think they have, and that they can do pre-calculation for the 1024-bit DH in one day (meaning it does not matter if people will create their own 1024-bit DH groups as they can easily break them quickly), then doing pre-calculation on one 2048-bit DH group will take more than 2 million years, so we should be quite safe even if we just use one group. And if they go and attack TLS group first then IKE is still safe for 4 million years, so you can safely use IKE numbers for next few decades... :-) -- kivinen@iki.fi
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 denis bider
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Daniel Migault
- [Curdle] minutes for IETF98 Daniel Migault
- [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Salz, Rich
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Martin Thomson
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Yoav Nir
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Yoav Nir
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Salz, Rich
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Ilari Liusvaara
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Mark D. Baushke
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Kyle Rose
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Peter Gutmann
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Tero Kivinen
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Anna Johnston
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 denis bider
- Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 Hubert Kario