On 22/05/2015 07:18, Jeffrey Walton wrote:
On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 22/05/2015 03:57, Jeffrey Walton wrote:
As an additional change for 1.0.2c or later (no need to
delay the urgent fix), maybe adjust internal operations
to discourage use of hardcoded DH groups for TLS DH (but
NOT for generic DH-like operations such as openssl-based
implementations of SRP).
That's going to be tough because standards groups like the TLS WG are
actively promoting fully specified, named parameters and curves.
See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for TLS",
https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
the discussion of magic primes at "Re: [TLS] Another IRINA bug in
TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
(The thread is due to the recent attacks on DH).
The latter thread contains posts from respected experts
asking not to use fixed parameters for DH...
Well, I'm not sure how much more respected one can get than Daniel
Kahn Gillmor, Stephen Farrell, Eric Rescorla; or have better
credentials than practicing cryptographers.
How high is your bar :)
Who did I say were not highly respected cryptographers?
I read the thread as some of the highly respected experts
saying that the Logjam supplemental finding (some fixed
DH groups of once recommended size used by so many it
makes expensive attacks pay) shows why fixed DH groups
should not be mandatory, while other respected experts
talk about other subjects.
I saw posts from respected experts arguing how to shoehorn
non-fixed DH curves back into the drafts of how to use
fixed DH curves (rather than simply dropping that protocol
change for DH).
I saw posts from respected experts arguing if the cost of
client side primality checks of DH parameters would exceed
the cost of using a secure enough group size.
I saw no posts in that thread arguing why fixed DH groups
would be a good thing.
I saw no posts discussing if DH parameters signed by the
trusted server really need to be fully validated client
side, or if cheaper checks (range, length, correspondence
to seed etc.) would be good enough given better uses for
the CPU time.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
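The trade-off raised in the message above (cheap range/length/seed checks versus full client-side primality testing of server-supplied DH parameters) as an added worked example in Python. This is not code from the thread or from OpenSSL. It rebuilds the 1024-bit "Second Oakley Group" prime (MODP group 2, the widely shared 1024-bit group the Logjam paper discusses) from its published nothing-up-my-sleeve formula in RFC 2412 Appendix E / RFC 3526, so that "correspondence to seed" can be checked without hardcoding the prime, and then times the cheap checks against Miller-Rabin safe-prime and subgroup checks. The function names, the 2048-bit minimum and the composite modulus 2^1023+1 used as a counter-example are this example's own assumptions.

```python
"""Cheap vs. full client-side validation of (p, g, Ys) from a TLS DHE
ServerKeyExchange, plus a "correspondence to seed" check for the RFC 2412/3526
MODP groups.  Added example; not code from the thread or from OpenSSL."""
import random
import time

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]
_RNG = random.Random(0x2015)  # fixed seed only so the example is repeatable


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def pi_floor_times_2pow(n, guard=64):
    """floor(pi * 2**n) via Machin's formula, pi = 16*atan(1/5) - 4*atan(1/239),
    in integer arithmetic.  `guard` extra low bits absorb the per-term
    truncation error, which is at most 1 unit per series term."""
    scale = 1 << (n + guard)

    def arctan_inv(x):
        total = term = scale // x
        k = 1
        while term:
            term //= x * x
            total += -(term // (2 * k + 1)) if k % 2 else term // (2 * k + 1)
            k += 1
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


def modp_prime(bits, offset):
    """RFC 2412 App. E / RFC 3526 construction:
    p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset)."""
    return ((1 << bits) - (1 << (bits - 64)) - 1
            + (1 << 64) * (pi_floor_times_2pow(bits - 130) + offset))


MODP_OFFSETS = {1024: 129093}          # MODP group 2 (RFC 2409 "Second Oakley Group")
MODP_1024 = modp_prime(1024, MODP_OFFSETS[1024])


def cheap_checks(p, g, ys, min_bits=2048):
    """Length and range checks: a few integer comparisons, no modexp."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p is %d bits, below %d" % (p.bit_length(), min_bits))
    if p % 2 == 0:
        problems.append("p is even")
    if not 2 <= g <= p - 2:
        problems.append("g out of range [2, p-2]")
    if not 2 <= ys <= p - 2:
        problems.append("Ys out of range [2, p-2]")
    return problems


def seed_check(p):
    """Does p equal the MODP prime of its size regenerated from pi?  Only
    meaningful for the standardised groups, and needs no primality test."""
    offset = MODP_OFFSETS.get(p.bit_length())
    return offset is not None and modp_prime(p.bit_length(), offset) == p


def full_checks(p, g, ys):
    """What the cheap checks skip: p prime, (p-1)/2 prime (safe prime), and
    Ys in the order-q subgroup (Ys^q == 1 mod p).  This is the costly part."""
    problems = cheap_checks(p, g, ys, min_bits=0)
    if not is_probable_prime(p):
        return problems + ["p is composite"]
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime: p is not a safe prime")
    elif pow(ys, q, p) != 1:
        problems.append("Ys is not in the order-q subgroup")
    return problems


def timed(fn, *args):
    t0 = time.perf_counter()
    return fn(*args), time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed inputs: a pretend server exponent, and an odd 1024-bit
    # composite (2^1023+1 is divisible by 3) that the cheap checks accept.
    x = random.Random(1).randrange(2, MODP_1024 - 2)
    for label, p in (("MODP-1024", MODP_1024), ("2^1023+1", (1 << 1023) + 1)):
        ys = pow(2, x, p)
        cheap, t_cheap = timed(cheap_checks, p, 2, ys, 1024)
        full, t_full = timed(full_checks, p, 2, ys)
        print("%-10s seed=%-5s cheap=%s (%.1e s)  full=%s (%.1e s)"
              % (label, seed_check(p), cheap or "ok", t_cheap, full or "ok", t_full))
```

Run as a script, the two rows show the point of the thread: the 2^1023+1 modulus sails through the range and length checks and is only caught by the primality test, while the seed check rejects it at a fraction of that cost, but only for groups that were published with a seed in the first place. With the default `min_bits=2048`, the 1024-bit MODP group itself is refused by the cheap checks alone.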