
Re: [PATCH] Re: Logjam mitigation for Wheezy?



micah <micah <at> riseup.net> writes:

> Encouraging custom DH groups is not a good idea, as this opens up the
> triple handshake attack possibility[0].
> 
> 0. https://www.secure-resumption.com/ (search for Initial DHE Handshake)
> <-- details an attack where a server can send custom groups

Interesting, but:

① This already works, as clients *do* (and do have to) accept those groups.

② “We instead recommend that a set of well-known good groups be standardized
  for use in DHE” will open up not only the precomputation problem (though
  it’s not “as bad” with larger bitsizes), but also the difficulty of selecting
  one (whom are you going to trust, and NUMS numbers may not actually
  be good here).

Since their recommendation would require a protocol change anyway, I suggest
(as I have been doing for a while) that even the DH part of the handshake be
protected by the server (and, optionally, client) certificate. This way, you
basically first open up a non-PFS connection and hand out a PFS connection
inside it then switch to that. The PFS attacks currently all seem to require
being able to MITM it, which is not possible if the server key was not handed
out yet (I’d expect people to change it after handing out the old one).

This would also allow servers to send a few extra random bytes to the client,
securely, which (especially mobile devices with only flash storage) they can
then use to mix into their own entropy pool in a safe way “if they want to”
(or just ignore them), as added benefit.


tl;dr: without a protocol change, clients *are* going to accept custom DH
groups, so the recommendation to use custom ones currently is not bad. It
may not be “good” (for 2048+-bit groups), but doesn’t add more harm.

bye,
//mirabilos
