Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 29 March 2017 05:41 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Salz, Rich" <rsalz@akamai.com>, "Mark D. Baushke" <mdb@juniper.net>, curdle <curdle@ietf.org>
Date: Wed, 29 Mar 2017 05:41:14 +0000
Message-ID: <1490766071333.6018@cs.auckland.ac.nz>
References: <CADZyTkmr0WF3BOBby3rObBGGQaqMUq=0Ssc7NB9PAgPFDrk7dA@mail.gmail.com> <30381.1490720068@eng-mail01.juniper.net>, <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <6ab576118c6945f4ba888dd403cf2471@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/6m0DHuCKlJ7jJoMSfaDXb0Zczgw>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

Salz, Rich <rsalz@akamai.com> writes:

>I think the in-room consensus was that since this is deployed and used in
>IKE, it's okay and that no work is needed.

There is one obvious counter-argument and that's diversification.  The problem
with the DH1024 group that was pointed out in the Logjam paper is that
absolutely everything ended up using it, making it an incredibly attractive
target because if you break that you break everything that uses it.  Having
everything use the 3526 groups, or similar, just moves the problem to a
slightly larger key size.  So using known-good parameter sets that differ from
what everyone else is using, and in particular IKE and SSL, which are much
larger targets than SSH, wouldn't be a bad idea.

In -LTS, one of the suggestions I make is:

  If this isn't possible, an alternative option is to pre-generate a selection
  of DH parameters and choose one set at random for each new handshake, or
  again roll them over from time to time from the pre-generated selection, so
  that an attacker has to attack multiple sets of parameters rather than just
  one.

So one possibility would be to generate, say, 16 NUMS DH parameters for each
size and publish those, and have the server select one at random.  This adds
security both in terms of diversifying from the IKE/SSL values that everyone
else uses, and forcing an attacker to break all 16 parameter sets instead of
just the one.

Peter.
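The pooled-parameter idea from the mail, as an added illustration rather than code from the thread or any draft: the server picks one published group at random per handshake, and the peer accepts a group only if it is in the published set and passes a structural safe-prime check, since diversification only helps when peers refuse parameters outside the known-good pool. The pool names and primes are constructed toy values standing in for the proposed 16 NUMS groups per size.

```python
import secrets

# Constructed toy pool: tiny safe primes (p = 2q + 1) with generator 2, standing in
# for the 16 published NUMS groups per size that the mail proposes. Illustration
# only; these offer no security. A real pool would hold 2048-bit or larger primes.
TOY_POOL = {
    "toy-23":  (23, 2),
    "toy-47":  (47, 2),
    "toy-167": (167, 2),
    "toy-263": (263, 2),
}


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy primes used here, not for real groups."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_valid_safe_prime_group(p: int, g: int) -> bool:
    """Structural check: p and q = (p-1)/2 are prime and g generates the order-q subgroup."""
    if not is_prime(p):
        return False
    q = (p - 1) // 2
    if not is_prime(q):
        return False
    return 1 < g < p - 1 and pow(g, q, p) == 1


def server_pick_group(pool=TOY_POOL):
    """Server side: choose one published group uniformly at random for this handshake."""
    name = secrets.choice(sorted(pool))
    return name, pool[name]


def client_accepts_group(name: str, p: int, g: int, pool=TOY_POOL) -> bool:
    """Client side: accept only a group that matches the published pool exactly and
    also passes the structural check, so a peer cannot substitute weak parameters."""
    return pool.get(name) == (p, g) and is_valid_safe_prime_group(p, g)
```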