oss-sec mailing list archives
Re: Prime example of a can of worms
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 21 Oct 2015 22:27:33 -0600
On Wed, Oct 21, 2015 at 9:01 AM, Matthias Weckbecker < matthias () weckbecker name> wrote:
On Mon, 19 Oct 2015 17:40:14 -0400 Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote: [...]On the flip side, saying "use only strong (>=2048bit today in 2015?), well-known, well-structured, publicly-vetted groups" is very simple guidance: clear and easy to follow.Interestingly I noticed OpenSSH bumped their 'DH_GRP_MIN' to 2048 bit just a few days ago to account for precomputation attacks: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dh.h.diff? r1=1.13&r2=1.14 RFC4419 seems to recommend 1024 bit minimum, but the document appears to be from 2006. [...]--dkgMatthias
So one of my initial thoughts was "easy, just have systems generate some primes, even if we have systems with bad primes we have 10 billion unique primes in use, good luck brute forcing that!", but then I realized I had no idea how long this takes to generate. I generated 1000 2048bit primes on a hardware AMD 3ghz or so system (6 cores, one dedicated for running the openssl prime search), they took anywhere from <1 second to just over 10 minutes, 50% in 58 seconds, 77% at 2 minutes 89% at 3 minutes 94% at 4 minutes 97.3% at 5 minutes and the last at 10 minutes and 9 seconds overall average was 80.9 seconds, with a good 6% taking 4-10 minutes. I can't even begin to think how slow this would be on hardware limited systems like $20 routers and whatnot (in theory you could have systems taking tens of minutes), which would not be popular with consumers (turn the unit on and wait from 0 seconds to an hour or so for the web interface to come up!). With this data in mind I think we need to generally encourage everyone to go to a minimum of 2048 bit primes (which should last a few more years assuming quantum computers don't suddenly make factorization easy) and establish some safe methods of creating them, much like generating CA encryption keys we need to ensure the systems/software in use are correct, the entropy is available (and not manipulated) and so on. Ideally we'd like to see people using different primes (e.g. hardware manufacturers not using the same primes as everyone else) and where possible people needing more security (e.g. a VPN hosting provider) should generate their own keys securely. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- Re: Prime example of a can of worms, (continued)
- Re: Prime example of a can of worms Seth Arnold (Oct 19)
- Re: Prime example of a can of worms Kurt Seifried (Oct 19)
- Re: Prime example of a can of worms Tim (Oct 19)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 19)
- Re: Prime example of a can of worms Kurt Seifried (Oct 19)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 19)
- Re: Prime example of a can of worms Brad Knowles (Oct 20)
- Re: Prime example of a can of worms Kurt Seifried (Oct 20)
- Re: Prime example of a can of worms gremlin (Oct 20)
- Re: Prime example of a can of worms Seth Arnold (Oct 19)
- Re: Prime example of a can of worms Matthias Weckbecker (Oct 21)
- Re: Prime example of a can of worms Kurt Seifried (Oct 21)
- Re: Prime example of a can of worms Joshua Rogers (Oct 21)
- Re: Prime example of a can of worms Kurt Seifried (Oct 21)
- Re: Prime example of a can of worms Florent Daigniere (Oct 22)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 22)
- Re: Prime example of a can of worms Kurt Seifried (Oct 22)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 22)
- Re: Prime example of a can of worms gremlin (Oct 23)