
MessageID: <CANO=Ty0eLFpezes_WfNTN0eKj6u5BinhwBQkM6BR7PZPg3eCiA@mail.gmail.com> Date: Wed, 21 Oct 2015 22:27:33 0600 From: Kurt Seifried <kseifried@...hat.com> To: osssecurity <osssecurity@...ts.openwall.com> Subject: Re: Prime example of a can of worms On Wed, Oct 21, 2015 at 9:01 AM, Matthias Weckbecker < matthias@...kbecker.name> wrote: > On Mon, 19 Oct 2015 17:40:14 0400 > Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote: > [...] > > On the flip side, saying "use only strong (>=2048bit today in 2015?), > > wellknown, wellstructured, publiclyvetted groups" is very simple > > guidance: clear and easy to follow. > > > > Interestingly I noticed OpenSSH bumped their 'DH_GRP_MIN' to 2048 bit > just a few days ago to account for precomputation attacks: > > http://cvsweb.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/dh.h.diff? > r1=1.13&r2=1.14 > > RFC4419 seems to recommend 1024 bit minimum, but the document appears > to be from 2006. > > [...] > > > > dkg > > Matthias > So one of my initial thoughts was "easy, just have systems generate some primes, even if we have systems with bad primes we have 10 billion unique primes in use, good luck brute forcing that!", but then I realized I had no idea how long this takes to generate. I generated 1000 2048bit primes on a hardware AMD 3ghz or so system (6 cores, one dedicated for running the openssl prime search), they took anywhere from <1 second to just over 10 minutes, 50% in 58 seconds, 77% at 2 minutes 89% at 3 minutes 94% at 4 minutes 97.3% at 5 minutes and the last at 10 minutes and 9 seconds overall average was 80.9 seconds, with a good 6% taking 410 minutes. I can't even begin to think how slow this would be on hardware limited systems like $20 routers and whatnot (in theory you could have systems taking tens of minutes), which would not be popular with consumers (turn the unit on and wait from 0 seconds to an hour or so for the web interface to come up!). With this data in mind I think we need to generally encourage everyone to go to a minimum of 2048 bit primes (which should last a few more years assuming quantum computers don't suddenly make factorization easy) and establish some safe methods of creating them, much like generating CA encryption keys we need to ensure the systems/software in use are correct, the entropy is available (and not manipulated) and so on. Ideally we'd like to see people using different primes (e.g. hardware manufacturers not using the same primes as everyone else) and where possible people needing more security (e.g. a VPN hosting provider) should generate their own keys securely.  Kurt Seifried  Red Hat  Product Security  Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists  more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.