Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANO=Ty0eLFpezes_WfNTN0eKj6u5BinhwBQkM6BR7PZPg3eCiA@mail.gmail.com>
Date: Wed, 21 Oct 2015 22:27:33 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Prime example of a can of worms

On Wed, Oct 21, 2015 at 9:01 AM, Matthias Weckbecker <
matthias@...kbecker.name> wrote:

> On Mon, 19 Oct 2015 17:40:14 -0400
> Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
> [...]
> > On the flip side, saying "use only strong (>=2048bit today in 2015?),
> > well-known, well-structured, publicly-vetted groups" is very simple
> > guidance: clear and easy to follow.
> >
>
> Interestingly I noticed OpenSSH bumped their 'DH_GRP_MIN' to 2048 bit
> just a few days ago to account for precomputation attacks:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dh.h.diff?
> r1=1.13&r2=1.14
>
> RFC4419 seems to recommend 1024 bit minimum, but the document appears
> to be from 2006.
>
> [...]
> >
> >       --dkg
>
> Matthias
>

So one of my initial thoughts was "easy, just have systems generate some
primes, even if we have systems with bad primes we have 10 billion unique
primes in use, good luck brute forcing that!", but then I realized I had no
idea how long this takes to generate. I generated 1000 2048bit primes on a
hardware AMD 3ghz or so system (6 cores, one dedicated  for running the
openssl prime search), they took anywhere from <1 second to just over 10
minutes,

50% in 58 seconds,
77% at 2 minutes
89% at 3 minutes
94% at 4 minutes
97.3% at 5 minutes
and the last at 10 minutes and 9 seconds

overall average was 80.9 seconds, with a good 6% taking 4-10 minutes. I
can't even begin to think how slow this would be on hardware limited
systems like $20 routers and whatnot (in theory you could have systems
taking tens of minutes), which would not be popular with consumers (turn
the unit on and wait from 0 seconds to an hour or so for the web interface
to come up!).

With this data in mind I think we need to generally encourage everyone to
go to a minimum of 2048 bit primes (which should last a few more years
assuming quantum computers don't suddenly make factorization easy) and
establish some safe methods of creating them, much like generating CA
encryption keys we need to ensure the systems/software in use are correct,
the entropy is available (and not manipulated) and so on. Ideally we'd like
to see people using different primes (e.g. hardware manufacturers not using
the same primes as everyone else) and where possible people needing more
security (e.g. a VPN hosting provider) should generate their own keys
securely.


--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.