Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2015 09:41:59 +0300
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On 2015-11-17 23:42:14 +0100, Pavel Kankovsky wrote:

 > Have you modified /etc/ssh/moduli (the list of groups for
 > diffie-hellman-group-exchange-*)? The developers seem to
 > have already eliminated all DH groups with a modulus shorter
 > than 2048 bits but a higher lower limit might be needed to
 > prevent the key exchange from being the weakest link.

Not yet, but will do that before releasing .src.rpm to public.

 > If NIST curves have been somehow manipulated then at least
 > one of the two following conditions would have to be true:
 > 1. There is a feasible preimage attack against SHA-1 that
 > makes it possible to turn "cooked" parameters back into an
 > X9.62 seed. (Note we are talking about preimages rather than
 > collisions here!)

Unlikely, but not impossible at all.

 > 2. The hypothetical "spectral weakness" is real, there exists
 > a sufficiently large subset of weak elliptical curves, and it
 > is feasible to find a weak curve by trial and error.

Very likely and, theoretically, possible.
However I can't neither prove nor refute that.

 > That said, SSH should probably support more curves, perhaps
 > even curves with arbitrary parameters (like TLS; see RFC 4492).

Both: more curves and longer keys.

 > But then again, there is also the recent Pythian announcement
 > by NSA that we need to get ready for the coming of quantum
 > computers and the resulting crypto-apocalypse...

We? Or our grandsons?

 >> It it notoriously difficult to compare the relative strength
 >> of symmetric and asymmetric crypto.  

They don't need to be compared, as they serve for different purposes.

 >> However, it's relatively simple to notice that every additional
 >> bit in a key would require at least two transistors (physical
 >> areas on the chip) just to store it and much more to process.
 > This is a correct observation... but also completely pointless
 > because the same thing holds for both an attacker and a legitimate
 > user and the whole point of cryptography is to make attacks much
 > more expensive than legitimate operations.

Where legitimate user performs computations once in a single thread,
attacker has to perform them many times in parallel.

 >>>> I think of disabling ED25519 [...] intentionally weakened by
 >>>> reducing the key size beyond good sence
 >>> As far as I know Ed25519 is able to provide approximately 128
 >>> BoS. [...]
 >> IIRC, the DSA used 1024-bit keys. Switching to the use of elliptic
 >> curves could be a good reason to keep the key size the same, but
 >> not to reduce it.
 > I am afraid you compare apples to oranges.

That's normal if you are interested in carbohydrates, vitamins etc.

 > First, let me note there are two size parameters in DSA
 > Let n denote log_2 of the order of the subgroup and l denote
 > log_2 p.
 > The complexity of some attacks depends on n (approx. 2^(n/2))
 > while the complexity of other attacks depends on l
 > Attacks of the first kind are more efficient in some cases,
 > attacks of the second kind in other cases and there are also
 > balanced cases where neither kind gets much advantage

Yes, obviously.

 > traditional DSA with n = 160 and l = 1024 is an example
 > of such balanced design providing cca 80 "bits of security".

s/is/was/

Now it's considered weak and even is disabled in SSH by default.

 > There are some more efficient attacks against special and
 > presumably rare weak curves.

I doubt they are rare... most likely, only a small subset of all
curves is really strong.

 > Also, there is a recent attack by Bernstein & Lange that might
 > offer better *amortized* complexity but it does not seem to be
 > useful in any practical situation.

Yet...

 > The order of Ed25519 is cca 2^252 and this corresponds to 126
 > "bits of security" (until a major breakthrough makes attacks
 > against ECC more efficient).
 > To sum it up: Ed25519 is likely to be much stronger than
 > traditional DSA despite having much shorter public keys. (OTOH,
 > its private keys are longer: it's 160 bits for DSA and 256 bits
 > for Ed25519.)

Obviously, yes. But the question was whether to enable ED25519
for server or to keep it only in client, leaving server RSA-only.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.