Re: Prime example of a can of worms

[Alex Gaynor <alex.gaynor () gmail com>]

I think we can have a far simpler rule: use of DH at <= 1024 bits gets a
CVE, the same way 512-bit RSA, or DES would.

Alex

On Mon, Oct 19, 2015 at 12:06 AM, Kurt Seifried <kseifried () redhat com>
wrote:

> So in light of:
>
> https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
>
> and
>
>
> https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
>
> I would suggest we minimally have a conversation about DH prime security
> (e.g. using larger 2048 primes, and/or a better mix of primes to make
> pre-computation attacks harder). Generating good primes is not easy from
> what I've seen of several discussions, my fear would be that people try to
> fix this by finding new primes that turn out to be problematic.
>
> Secondly I would also suggest we seriously look at assigning a CVE to the
> use of suspected compromised DH primes. Despite the fact we don't have
> conclusive direct evidence (that I'm aware of, correct me if there is any
> conclusive evidence) I think in this case:
>
> 1) the attack is computationally feasible for an organization with
> sufficient funding
> 2) the benefit of such an attack far, far, FAR outweighs the cost for
> certain orgs, from the paper:
>
> A small
> number of fixed or standardized groups are used by millions
> of servers; performing precomputation for a single 1024-bit
> group would allow passive eavesdropping on 18% of popular
> HTTPS sites, and a second group would allow decryption
> of traffic to 66% of IPsec VPNs and 26% of SSH servers.
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert () redhat com



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084