[EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 23 20:58:43 EST 2014
On Tue 2014-10-21 23:15:43 +0200, Christian Weisgerber wrote:
> On 2014-10-19, Christoph Anton Mitterer <calestyo at scientia.net> wrote:
>> And it basically also means, the client checks just for the group
>> size,... and has no way to accept/reject certain moduli?
>> Now for ECDH, we know that some curves may be insecure,... is the same
>> known for DH? I.e. could a server accidentally propose the client an
>> insecure moduli (which the client takes without any check except for the
>> group size)?
>
> What is your attack scenario here? If the server can't be trusted,
> your session isn't protected. That is trivial.
>
> Hey, the server might accidentally use a weak random number generator.
> That isn't even hypothetical.
Christoph is pointing out that the client might actually have a way to
verify that the group is strong. The client doesn't have a way to know
if the server is using a weak rng.
For weaknesses that are detectable by the client, it does make sense
that the client should be willing to detect and abort the session before
compromising it.
We already allow clients to constrain the set of choosable ciphers, for
example, so clients who talk to a misconfigured/old/busted server that
tries to select arcfour can reject the connection. It's not implausible
that a client would also want to reject a server that offers an
obviously non-prime DH modulus,, or a server's ephemeral DH public key
if it is clearly bad (e.g. p-1 or 1).
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141023/55a19ceb/attachment.bin>
More information about the openssh-unix-dev
mailing list