3des cipher and DH group size

[Petr Lautrbach]

On 01/21/2014 05:14 PM, Petr Lautrbach wrote:
> Hello everybody,
> 
> An issue was reported in RH bugzilla [1] about the size of the used DH
> group  when combined with the 3des-cbc cipher. OpenSSH uses the
> actual key length for the size estimation. This is probably fine as far
> as the cipher has the same number of bits of security as the key
> length. But this is not true for 3TDEA where the key size is 168 resp
> 192 but it's security is only 112.
> 
> Given that the key size in openssh is set to 192, DH group size is
> estimated to 7680. But according to NIST SP 800-57, the size of DH key
> should be 2048 so openssh doesn't follow that  and it might cause
> problems with key exchanges with some servers.
> 

It was confirmed that openssh can't connect to the server with a server string
'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192).

It's due to a issue in its code [1] which takes only requested value and is limited
only to 4096 bits. So I've made a patch [2] as a POF which adds a security length column and
uses this value for dh_estimation. For 3des-cbc it's 14 which makes 2048 of preferred
DH group size:
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192)

and I've got confirmed that is solves the issue with this particular server.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1026430#c5
[2] http://fedorapeople.org/~plautrba/openssh/cipher-security-size.patch

Petr
-- 
Petr Lautrbach
Security Technologies
Red Hat

Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140124/4df877b7/attachment.bin>