Diffie-Hellman issue?

7 messages

Diffie-Hellman issue?

22xtrv+f800c4addktto
According to
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

"Since a handful of primes are so widely reused, the payoff, in
terms of connections they could decrypt, would be enormous. Breaking a single,
common 1024-bit prime would allow NSA to passively decrypt connections to
two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a
second 1024-bit prime would allow passive eavesdropping on connections to
nearly 20% of the top million HTTPS websites. In other words, a one-time
investment in massive computation would make it possible to eavesdrop on
trillions of encrypted connections."

How is the prime set up for DH in
OpenSSH and is that something a user can change?





----
Sent using GuerrillaMail.com


Re: Diffie-Hellman issue?

Gabriel Kihlman
> How is the prime set up for DH in
> OpenSSH and is that something a user can change?

Here is good place to start looking:

======================================================
From: Damien Miller <[hidden email]>
Subject: CVS: cvs.openbsd.org: src
To: [hidden email]
Date: Fri, 16 Oct 2015 16:32:22 -0600 (MDT)

CVSROOT: /cvs
Module name: src
Changes by: [hidden email] 2015/10/16 16:32:22

Modified files:
        usr.bin/ssh    : dh.h

Log message:
increase the minimum modulus that we will send or accept in
diffie-hellman-group-exchange to 2048 bits; ok markus@
======================================================

/gabriel


Re: Diffie-Hellman issue?

Stuart Henderson
In reply to this post by 22xtrv+f800c4addktto
On 2015-10-17, <[hidden email]> <[hidden email]> wrote:

> How is the prime set up for DH in
> OpenSSH and is that something a user can change?

See moduli(5), 'MODULI GENERATION' in ssh-keygen(1) and the script/Makefile
in /usr/src/usr.bin/ssh/moduli-gen. You can build your own.

The distributed file is updated from time to time (recently it's been at least
once per release, sometimes more often). It's included in baseXX.tgz so local
changes get overwritten when you update.

These are used for 'diffie-hellman-group-exchange-sha1' and ...-sha256
(RFC4419), there are also options with fixed moduli (diffie-hellman-group1-sha1
and ...-group14-sha1). In recent code, the -group1 one is now disabled by
default both client- and server-side. Also the fixed-group ones are
blacklisted on the server for clients known to support RFC4419. And the
shorter moduli have been removed from the distributed file.

See also
https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/thread.html#33892
- but that's 5 months old, the code has moved on.
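The pointers in the reply above (moduli(5), the MODULI GENERATION section of ssh-keygen(1), and the KexAlgorithms that still offer the fixed 1024-bit group) as one runnable POSIX shell script. This is an added example, not code from this thread or from the OpenSSH project. It assumes the shipped moduli file's size field is one less than the prime's bit length (2047 for a 2048-bit prime), that ssh-keygen accepts either the newer `-M generate`/`-M screen` form or the older `-G`/`-T` form, and it feeds itself constructed sample data (placeholder hex digits, not real safe primes) so that it runs offline.

```shell
#!/bin/sh
# Added example (not from this thread or the OpenSSH project): audit the
# diffie-hellman-group-exchange moduli described in moduli(5) and the
# KexAlgorithms that `sshd -T` reports, then regenerate a private moduli file.
#
# moduli(5) line: time type tests trials size generator modulus
# Assumption: as in the distributed /etc/moduli, the size field is one less
# than the bit length (2047 for a 2048-bit prime). Check moduli(5) locally.

# filter_moduli MINBITS: read a moduli file on stdin, pass through comments
# and every entry whose prime is at least MINBITS bits long and internally
# consistent (hex length matches the size field, generator is 2, 3 or 5).
filter_moduli() {
    awk -v min="$1" '
        /^#/ || NF == 0 { print; next }
        NF != 7         { next }                 # malformed line: drop it
        {
            bits = $5 + 1
            hexlen = length($7)
            # a bits-bit modulus without leading zeros has ceil(bits/4) hex digits
            if (hexlen * 4 < bits || hexlen * 4 - 3 > bits) next
            if ($6 != 2 && $6 != 3 && $6 != 5) next
            if (bits >= min) print
        }'
}

# weak_kex_enabled: read `sshd -T` output (or an sshd_config) on stdin and
# exit 1 if the fixed 1024-bit group1 or the SHA-1 group exchange is enabled.
weak_kex_enabled() {
    tr 'A-Z' 'a-z' | awk '
        $1 == "kexalgorithms" {
            n = split($2, kex, ",")
            for (i = 1; i <= n; i++)
                if (kex[i] == "diffie-hellman-group1-sha1" ||
                    kex[i] == "diffie-hellman-group-exchange-sha1") {
                    print "weak kex enabled: " kex[i]
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }'
}

# regen_moduli BITS: the ssh-keygen(1) MODULI GENERATION two-step (generate
# candidates, then screen them). Slow: screening 4096-bit candidates can take
# hours. Assumption: newer releases take -M generate/-M screen, older ones
# -G/-T; the fallback covers whichever your ssh-keygen(1) documents.
regen_moduli() {
    bits="${1:-4096}"
    if ssh-keygen -M generate -O bits="$bits" "moduli-$bits.candidates"; then
        ssh-keygen -M screen -f "moduli-$bits.candidates" "moduli-$bits"
    else
        ssh-keygen -G "moduli-$bits.candidates" -b "$bits" &&
        ssh-keygen -T "moduli-$bits" -f "moduli-$bits.candidates"
    fi
}

# Constructed sample data for the demo: placeholder hex of the right length
# (NOT real safe primes) and a made-up `sshd -T` excerpt.
fake_hex() { awk -v n="$1" 'BEGIN { while (n-- > 0) printf "F"; print "" }'; }
sample_moduli() {
    printf '# constructed sample, not /etc/moduli\n'
    printf '20151017000000 2 6 100 1023 2 %s\n' "$(fake_hex 256)"   # 1024-bit
    printf '20151017000000 2 6 100 2047 2 %s\n' "$(fake_hex 512)"   # 2048-bit
    printf '20151017000000 2 6 100 4095 5 %s\n' "$(fake_hex 1024)"  # 4096-bit
    printf '20151017000000 2 6 100 2047 2 %s\n' "$(fake_hex 100)"   # truncated
}
sample_sshd_T() {
    printf 'kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n'
}

# count_strong_moduli MINBITS: number of sample entries that survive filtering.
count_strong_moduli() { sample_moduli | filter_moduli "$1" | grep -vc '^#'; }

# Demo when run directly.
sample_moduli | filter_moduli 2048
sample_sshd_T | weak_kex_enabled ||
    echo 'set KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 in sshd_config'
```

Against a real host the same functions run as `filter_moduli 3072 < /etc/moduli > /etc/moduli.new` and `sshd -T | weak_kex_enabled`. Since the base set overwrites /etc/moduli on upgrade, as noted above, either re-run the filter after each update or point sshd at a file outside base.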


Re: Diffie-Hellman issue?

ropers
Also see: http://www.openbsd.org/58.html

Search that page for 1024 (two occurrences).

On 17 October 2015 at 14:03, Stuart Henderson <[hidden email]> wrote:

> See moduli(5), 'MODULI GENERATION' in ssh-keygen(1) and the script/Makefile
> in /usr/src/usr.bin/ssh/moduli-gen. You can build your own.


Re: Diffie-Hellman issue?

Kimmo Paasiala
In reply to this post by 22xtrv+f800c4addktto
On Sat, Oct 17, 2015 at 11:57 AM,
<[hidden email]> wrote:

> How is the prime set up for DH in
> OpenSSH and is that something a user can change?

Someone correct me if I'm wrong, but as far as I know the prime numbers
used in DH group exchange are not secret but must be known by everyone
(and a couple of other parameters are also public) for the key exchange to
be possible in the first place. What the NSA can do is perform a
"pre-calculation" over the possible key exchange results, and the
danger is that a too-small DH group can be covered sufficiently by
them to be able to crack the DH exchange on the fly.

Hence the recommendation to increase the size of the group used.

-Kimmo


Re: Diffie-Hellman issue?

Giancarlo Razzolini-3
On 20-10-2015 10:25, Kimmo Paasiala wrote:
> Someone correct me if I'm wrong, but as far as I know the prime numbers
> used in DH group exchange are not secret but must be known by everyone
> (and a couple of other parameters are also public) for the key exchange to
> be possible in the first place.

How is that different from pre-shared keys then? You can generate your
own primes. If you don't, the defaults get used. And it is these
defaults that can be precomputed, because almost nobody generates
their own DH parameters.

> What the NSA can do is perform a
> "pre-calculation" over the possible key exchange results, and the
> danger is that a too-small DH group can be covered sufficiently by
> them to be able to crack the DH exchange on the fly.
>
> Hence the recommendation to increase the size of the group used.

The OpenSSH project regenerates the moduli file every release, AFAIK.
And the DH parameters for IPSec on OpenBSD just got bumped to 3072 if
I'm not mistaken. Bottom line, generate your own (big) parameters and
keep them as safe as possible. The DH parameters are even more important
than your private key, especially if you do not change them after a key
replacement.

Cheers,
Giancarlo Razzolini


Re: Diffie-Hellman issue?

Kimmo Paasiala
On Tue, Oct 20, 2015 at 7:43 PM, Giancarlo Razzolini
<[hidden email]> wrote:

> How is that different from pre-shared keys then? You can generate your
> own primes. If you don't, the defaults get used. And it is these
> defaults that can be precomputed, because almost nobody generates
> their own DH parameters.
>
> The OpenSSH project regenerates the moduli file every release, AFAIK.
> And the DH parameters for IPSec on OpenBSD just got bumped to 3072 if
> I'm not mistaken. Bottom line, generate your own (big) parameters and
> keep them as safe as possible. The DH parameters are even more important
> than your private key, especially if you do not change them after a key
> replacement.

There are probably some implementation details, and the plain DH
exchange is not used alone because it's totally insecure against
man-in-the-middle attacks, but the basics should be the same: the prime
numbers are not keys but fixed parameters to the DH exchange
algorithm. Maybe someone who knows more can chime in?

-Kimmo