3des cipher and DH group size
Petr Lautrbach
plautrba at redhat.com
Sat Jan 25 03:28:03 EST 2014
On 01/21/2014 05:14 PM, Petr Lautrbach wrote:
> Hello everybody,
>
> An issue was reported in RH bugzilla [1] about the size of the used DH
> group when combined with the 3des-cbc cipher. OpenSSH uses the
> actual key length for the size estimation. This is probably fine as far
> as the cipher has the same number of bits of security as the key
> length. But this is not true for 3TDEA where the key size is 168 resp
> 192 but it's security is only 112.
>
> Given that the key size in openssh is set to 192, DH group size is
> estimated to 7680. But according to NIST SP 800-57, the size of DH key
> should be 2048 so openssh doesn't follow that and it might cause
> problems with key exchanges with some servers.
>
It was confirmed that openssh can't connect to the server with a server string
'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192).
It's due to a issue in its code [1] which takes only requested value and is limited
only to 4096 bits. So I've made a patch [2] as a POF which adds a security length column and
uses this value for dh_estimation. For 3des-cbc it's 14 which makes 2048 of preferred
DH group size:
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192)
and I've got confirmed that is solves the issue with this particular server.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1026430#c5
[2] http://fedorapeople.org/~plautrba/openssh/cipher-security-size.patch
Petr
--
Petr Lautrbach
Security Technologies
Red Hat
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140124/4df877b7/attachment.bin>
More information about the openssh-unix-dev
mailing list