Verification of primes in /etc/ssh/moduli file
Hubert Kario
hkario at redhat.com
Fri Sep 3 04:52:42 AEST 2021
On Monday, 30 August 2021 06:42:52 CEST, Damien Miller wrote:
> On Thu, 26 Aug 2021, Demi Marie Obenour wrote:
>
>> One can prove primality using the Miller-Rabin test, which will
>> detect composites with probability at least 3/4 per round. After 64
>> rounds the likelihood of a composite not being detected is not more
>> than 2⁻¹²⁸, even for adversarial choices of moduli. Note that
>> the primality testing APIs in cryptographic libraries are often not
>> designed for this, as they perform optimizations that are not valid for
>> adversarially chosen numbers.
>
> I assumed the safety of most libraries in the adversarial model was
> fixed a while ago, after https://eprint.iacr.org/2018/749.pdf pointed
> out a bunch of flaws. Shame on me for not checking thoroughly...
I haven't looked into OpenSSH or libssh, but for TLS the clients generally
_don't_ check if the p is a prime, let alone a safe prime, so it doesn't
really matter if the isPrime() function is hardened or not as it's not used
in the first place...
(Unless you run in FIPS mode with a recently certified module, then you
can use only few hardcoded primes from rfc3526 or rfc7919)
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
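The check the thread is about, as an added example that is not OpenSSH, libssh or any library's code and not from any participant: a random-base Miller-Rabin test (the form for which the 64-round, 2^-128 bound quoted above holds for adversarially chosen inputs), a safe-prime check built on it, and a verifier for one moduli(5) line. The sample line is constructed here from the RFC 2409 Second Oakley Group (1024-bit MODP) prime so the expected verdict is known independently; the function names, the accepted size convention and the two pseudoprime constants are my choices, as the comments say.

```python
"""Verify an /etc/ssh/moduli entry with a random-base Miller-Rabin test.

Added example; not OpenSSH code. The moduli(5) field layout is
    time type tests tries size generator modulus
with the modulus in hex and type 2 meaning "safe prime".
"""
import secrets

# Constructed sample entry. The modulus is the RFC 2409 Second Oakley Group
# prime (1024 bits), which is a safe prime; the other fields are made up here.
OAKLEY_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
SAMPLE_MODULI_LINE = "20210903045242 2 6 100 1023 2 " + OAKLEY_GROUP2_HEX

# 3215031751 = 151 * 751 * 28351 is composite but a strong pseudoprime to
# bases 2, 3, 5 and 7: a fixed-base test using those bases accepts it.
SPSP_BASES_2_3_5_7 = 3215031751

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _decompose(n: int):
    """Write n - 1 = d * 2**s with d odd."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return d, s


def _strong_probable_prime(n: int, a: int, d: int, s: int) -> bool:
    """One Miller-Rabin round: True if base a does not witness that n is composite."""
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n: int, rounds: int = 64, bases=None) -> bool:
    """Miller-Rabin with `rounds` independent, uniformly random bases in [2, n-2].

    A composite survives each random round with probability at most 1/4, so
    64 rounds give an error bound of 4**-64 = 2**-128 for any input, even one
    chosen by an adversary. The `bases` argument forces fixed bases and exists
    only to demonstrate why fixed bases are the weaker variant.
    """
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = _decompose(n)
    if bases is None:
        bases = (2 + secrets.randbelow(n - 3) for _ in range(rounds))
    return all(_strong_probable_prime(n, a, d, s) for a in bases)


def is_safe_prime(p: int, rounds: int = 64) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return (p > 5 and p % 2 == 1
            and miller_rabin(p, rounds) and miller_rabin((p - 1) // 2, rounds))


def subgroup_order(g: int, p: int) -> int:
    """Multiplicative order of g modulo a safe prime p: one of 1, 2, q or 2q."""
    q = (p - 1) // 2
    g %= p
    if g == 1:
        return 1
    if g == p - 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q


def parse_moduli_line(line: str) -> dict:
    """Split one moduli(5) line into its seven fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields: time type tests tries size generator modulus")
    time, typ, tests, tries, size, gen, mod = fields
    return {"time": time, "type": int(typ), "tests": int(tests), "tries": int(tries),
            "size": int(size), "generator": int(gen), "modulus": int(mod, 16)}


def verify_moduli_entry(line: str, rounds: int = 64) -> list:
    """Return the list of problems found; an empty list means the entry checks out."""
    e = parse_moduli_line(line)
    p, g = e["modulus"], e["generator"]
    problems = []
    if e["type"] != 2:
        problems.append(f"type {e['type']} is not 2 (safe prime)")
    # Assumption: files written by ssh-keygen carry the bit length minus one
    # in the size field, so both values are accepted here.
    if p.bit_length() not in (e["size"], e["size"] + 1):
        problems.append(f"size field {e['size']} does not match a {p.bit_length()}-bit modulus")
    if not is_safe_prime(p, rounds):
        problems.append("modulus is not a safe prime")
        return problems           # the generator check below assumes p = 2q + 1
    if subgroup_order(g, p) < (p - 1) // 2:
        problems.append(f"generator {g} has order 1 or 2")
    return problems


if __name__ == "__main__":
    print("sample entry:", verify_moduli_entry(SAMPLE_MODULI_LINE) or "ok")
    print("spsp(2,3,5,7), fixed bases 2,3,5,7:",
          miller_rabin(SPSP_BASES_2_3_5_7, bases=(2, 3, 5, 7)))
    print("spsp(2,3,5,7), 64 random bases:", miller_rabin(SPSP_BASES_2_3_5_7))
```

For the Oakley prime the generator 2 has order q rather than 2q (p is 7 mod 8, so 2 is a quadratic residue); the verifier accepts either, since both generate a subgroup of prime order q or larger, and only rejects a generator of order 1 or 2. The fixed-base call is the contrast case: it accepts 3215031751, while the random-base call rejects it, which is the difference between "passes some primality API" and "is prime with probability 1 - 2^-128" that the thread is discussing.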