Weak DH primes and openssh

Damien Miller djm at mindrot.org
Fri May 22 10:33:24 AEST 2015 

On Thu, 21 May 2015, Matthew Vernon wrote:

> Hi,
> 
> You will be aware of https://weakdh.org/ by now, I presume; the
> take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue,
> and what Debian might do for our users?

I don't think much needs to be done: OpenSSH has preferred ECDH, and
before that DH group-exchange with regularly refreshed modp groups for
over a decade, so the diffie-hellman-group1-sha1 mode is only ever used
for compatibility with legacy implementations.

While it is still offered (only by the client), it is offered last
in preference and will never be selected if the client and server
support better options. SSH's key exchange protocol AFAIK stronger than
SSL/TLS's and forcing a downgrade requires breaking both the DH exchange
and the hostkey algorithm in more or less real time.

We do plan on dropping diffie-hellman-group1-sha1 from the default
client offer later this year. We dropped it from servers a few releases
ago.

As for what Debian (and other distribtors) can do: IMO the best thing is
to aggressively backport recent releases of OpenSSH to older supported
releases of your operating systems. We've been trying to modernise the
crypto across the 6.x releases as fast as we can without breaking stuff.

> openssh already prefers ECDH, which must reduce the impact somewhat,
> although the main Windows client (PuTTY) doesn't support ECDH yet. But
> openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit
> group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which
> must be considered a bit suspect? Of course RFC4253 says implementations
> MUST offer these...

We'll be violating a few "MUST" clauses in the 7.0 release in the
interests of security, including turning off group1 by default.

> The moduli file you provide has this distribution of sizes:
> 
> size  count
> 1023  36
> 1535  50
> 2047  36
> 3071  31
> 4095  41
> 6143  27
> 8191  39
> 
> Would it be sensible to remove the <2047 moduli? Generating the larger
> ones is quite time-consuming on non-specialist kit, which would seem to
> argue against re-generating them on users' machines.

Darren can chime in here, but I don't think anything <2047 will actually
be used since he updated dh.c:dh_estimate() a few years ago.

-d

More information about the openssh-unix-dev mailing list