On 01/21/2014 05:14 PM, Petr Lautrbach wrote: > Hello everybody, > > An issue was reported in RH bugzilla [1] about the size of the used DH > group when combined with the 3des-cbc cipher. OpenSSH uses the > actual key length for the size estimation. This is probably fine as far > as the cipher has the same number of bits of security as the key > length. But this is not true for 3TDEA where the key size is 168 resp > 192 but it's security is only 112. > > Given that the key size in openssh is set to 192, DH group size is > estimated to 7680. But according to NIST SP 800-57, the size of DH key > should be 2048 so openssh doesn't follow that and it might cause > problems with key exchanges with some servers. > It was confirmed that openssh can't connect to the server with a server string 'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192). It's due to a issue in its code [1] which takes only requested value and is limited only to 4096 bits. So I've made a patch [2] as a POF which adds a security length column and uses this value for dh_estimation. For 3des-cbc it's 14 which makes 2048 of preferred DH group size: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) and I've got confirmed that is solves the issue with this particular server. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1026430#c5 [2] http://fedorapeople.org/~plautrba/openssh/cipher-security-size.patch Petr -- Petr Lautrbach Security Technologies Red Hat Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140124/4df877b7/attachment.bin>
