Re: FREAK cipher-suite hygiene for Postfix

Wed, 04 Mar 2015 09:00:04 -0800 


Zitat von Viktor Dukhovni <postfix-us...@dukhovni.org>:


On Wed, Mar 04, 2015 at 07:53:18AM +0000, Viktor Dukhovni wrote:


Now that the FREAK attack is widely disclosed, those of you who
run SMTP servers that peer with clients that authenticate your
server (be it via the traditional PKI or via DANE), might want to
tighten-up your server cipher-suite settings just in-case:

    smtpd_tls_exclude_ciphers = EXPORT, LOW

If nobody has yet elicited and factored any 512-bit RSA public keys
from your server then your unpatched clients will be safe from the
attack.  (Not clear how you'd know this).

If your server might have already signed one or more export RSA
keys then its clients are potentially exposed to the attack for
the lifetime of the server's long-term RSA keys.


It seems I substantially overstated the impact of the attack on
Postfix.  With export RSA key transport the server's signature of
the ephemeral RSA key also binds the ClientHello.random value (as
well as the ServerHello.random, but that could be replayed).

Therefore, the MiTM attacker would need to obtain a fresh signature
over the ephemeral RSA key for each client handshake, which requires
that the server continues to use the same ephemeral key.

This avoids turning each ephemeral key into a long-term key, the
attack only works for as long as the same key is still in use by
a given server and no longer.


So, *after disabling* export grade algorithms, it may be prudent
as appropriate to deploy new certificates.  If you've published
DANE TLSA records, follow the key rotation process described in:

    https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1


With Postfix each smtpd(8) process generates its own ephemeral RSA
key the first time EXPORT ciphers are requested.  Since Postfix
smtpd(8) processes run for a limited amount of time (they exit
after 100 client connections or 100s of idle time whichever is
sooner) the attack on any one key is only effective for the lifetime
of that process and only for additional connections to the *same*
process.

So if you disable EXPORT ciphers on the server, and "postfix reload"
you're done.  There is no need to replace long-term keys.
Thanks for explaining. As i understand the problem arises from apache (and maybe other webservers) generate one EXPORT key which is reused for performance reasons until the server process is restarted. 

Regards

Andreas

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to