Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 20 May 2015 13:14:59 -0400
From: Paul Wouters <pwouters@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Logjam attack /  Imperfect Forward Secrecy: How
 Diffie-Hellman Fails in Practice

On 05/20/2015 07:57 AM, Yves-Alexis Perez wrote:
> I guess most people will already have seen that, but just in case,
> because it might interest readers (even though it's not specifically
> about open source stuff).
> 
> https://weakdh.org/
> https://weakdh.org/imperfect-forward-secrecy.pdf

Note that it really points to TLS. While they mention other protocols, IKE / IPsec are not really (as) vulnerable. The original IKE design from November 1998
has a minimum MODP group of 768 bits. Why is TLS till allowing 512 bits SEVENTEEN years later?

I did a write up on MODP and IKE/IPsec from the freeswan/openswan/libreswan point of view:


https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/

    TL;DR The LogJam downgrade attack does not apply to MODP groups in the IKE protocol, only to TLS, so IKE or IPsec is not impacted.

    If you are using libreswan you are not vulnerable to weak MODP groups and using MODP2048 per default unless specifically configured for a lower MODP group.
    If you are using openswan with IKEv2 you are using MODP2048, but if you are using IKEv1 you are using MODP1536 which is still much stronger than MODP768 or
MODP1024.

    Libreswan as a client to a weak server will allow MODP1024 in IKEv1 as the least secure option, and MODP1536 in IKEv2 as the least secure option.
    Openswan does not properly implement INVALID_KE, so it cannot connect to another DH group than the one it started out as, so it runs the risk of getting
locked out if the server side bumps their minimum MODP group to 2048. openswan defaults to MODP1536 in IKEv1 and MODP2048 in IKEv2

[...]

Paul

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.