I'm not claiming that I know about all users, I can just say that of all our
customers that do care about working in FIPS mode (which is not limited to
people that fall under US Federal regulation) none have complained intensively
about accepting only well known groups in FIPS mode. SHA-1 deprecation was
more impactful.

And while the company you mention may not want to change to a widely-known
group, they still can choose a group known to them as secure.

I'm not saying that we should mandate use of well known groups for FFDHE,
I'm saying that not allowing use of RSA and allowing use of FFDHE under very
specific conditions is workable to a large set of users.

On Friday, 14 July 2023 18:48:27 CEST, Blumenthal, Uri - 0553 - MITLL wrote:
Hubert,

I’m aware of at least one company (using the term loosely) that uses custom group, and probably understands FFDH(E) better than you or me. Since they had their reasons for choosing custom, “can change … to use well-known groups” (obviously) does not apply.
Regards,
Uri

On Jul 14, 2023, at 12:33, Hubert Kario <hka...@redhat.com> wrote:


On Friday, 14 July 2023 18:03:25 CEST, Peter Gutmann wrote:
Hubert Kario <hka...@redhat.com> writes:
 ...

I wouldn't go as far as "nobody uses them", it's more like "people that use
them, either have them configured unknowingly or can change configuration
to use well known groups". So while it may cause interoperability issues,
for people that really do care about interoperability with old systems,
they are fine with tweaking DH configuration to make it happen (or simply
end up using ECDHE and are completely unaware of the whole issue).

One more side note: in FIPS mode we also disable RSA ciphersuites, so the
FFDHE and ECDHE, both with only well known groups, are the only two key
exchanges that do work.

And can something similar be said about SSH implementations? There's fixed DH
groups and then the Swiss-army-knife diffie-hellman-group-exchange-*, but
AFAIK the only groups that ever get exchanged there are the RFC 3526/7919
ones.

nope, for OpenSSH those will be the safe-primes from /etc/ssh/moduli, though
in FIPS mode we do ignore that file and indeed use RFC 3526 or 7919 groups
of at least 2048 bits (don't remember what we default to, but we will accept
either)
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

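The policy Hubert describes for FIPS mode (RSA key exchange off, FFDHE accepted only with well-known groups of at least 2048 bits, OpenSSH's /etc/ssh/moduli ignored in favour of the RFC 3526/7919 groups) is in essence an allow-list check on the received modulus. The Python below is an added illustration of that check; it is not code from the thread, from Red Hat or from OpenSSH. It embeds only the RFC 7919 ffdhe2048 prime (a real allow-list would also carry ffdhe3072 and up and the RFC 3526 groups), the moduli(5)-style lines are constructed for the example, and the function names are my own.

```python
"""Allow-list check for finite-field DH moduli, modelled on the FIPS-mode
behaviour described in the thread. Added example, not the project's code.
"""

import random

# RFC 7919 ffdhe2048 prime (Appendix A.1 of the RFC), generator 2.
FFDHE2048 = int(
    "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
    "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
    "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
    "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
    "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
    "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
    "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
    "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
    "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
    "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
    "886B423861285C97FFFFFFFFFFFFFFFF",
    16,
)

# Allow-list: modulus -> group name. Only one entry here to keep the block short.
WELL_KNOWN_GROUPS = {FFDHE2048: "ffdhe2048"}
MIN_BITS = 2048  # the thread's "at least 2048 bits" requirement


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; a sanity check, not a proof."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and (p-1)/2 both prime, as all RFC 3526/7919 moduli are."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def classify_group(p: int, g: int) -> str:
    """Policy verdict for a DH modulus/generator pair, allow-list first."""
    if p in WELL_KNOWN_GROUPS and g == 2:
        return "accept:" + WELL_KNOWN_GROUPS[p]
    if p.bit_length() < MIN_BITS:
        return "reject:too-small"
    # A custom safe prime may be perfectly sound, but the policy in the
    # thread does not accept it in FIPS mode, so it is refused regardless.
    return "reject:custom-group"


def parse_moduli_line(line: str) -> dict:
    """Parse one moduli(5) record: time type tests tries size generator modulus.
    The 'size' field is carried through as recorded; the bit length used for
    policy is computed from the modulus itself."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields in moduli line")
    return {
        "time": fields[0],
        "type": int(fields[1]),
        "tests": int(fields[2]),
        "tries": int(fields[3]),
        "size": int(fields[4]),
        "generator": int(fields[5]),
        "modulus": int(fields[6], 16),
    }


def check_moduli(lines) -> list:
    """Apply classify_group to every non-comment record."""
    verdicts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_moduli_line(line)
        verdicts.append(classify_group(entry["modulus"], entry["generator"]))
    return verdicts


# Constructed sample in moduli(5) layout (not a real /etc/ssh/moduli):
# first record is ffdhe2048 itself, second is a deliberately altered copy
# standing in for a site-local modulus (it is not a safe prime).
SAMPLE_MODULI = [
    "# constructed example",
    f"20230714000000 2 6 100 2047 2 {FFDHE2048:X}",
    f"20230714000000 2 6 100 2047 2 {FFDHE2048 ^ (1 << 100):X}",
]

if __name__ == "__main__":
    print("ffdhe2048 is a safe prime:", is_safe_prime(FFDHE2048))
    for verdict in check_moduli(SAMPLE_MODULI):
        print(verdict)
```

The ordering matters: the allow-list lookup comes first, so a well-known group is never re-tested for primality on every handshake, and an unknown modulus is refused without bothering to prove anything about it. The safe-prime check is there for auditing a proposed allow-list entry, not for the hot path.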