Re: [EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters

On Tue 2014-10-21 23:15:43 +0200, Christian Weisgerber wrote:
> On 2014-10-19, Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
>> And it basically also means, the client checks just for the group
>> size,... and has no way to accept/reject certain moduli?
>> Now for ECDH, we know that some curves may be insecure,... is the same
>> known for DH? I.e. could a server accidentally propose the client an
>> insecure moduli (which the client takes without any check except for the
>> group size)?
>
> What is your attack scenario here?  If the server can't be trusted,
> your session isn't protected.  That is trivial.
> 
> Hey, the server might accidentally use a weak random number generator.
> That isn't even hypothetical.

Christoph is pointing out that the client might actually have a way to
verify that the group is strong.  The client doesn't have a way to know
if the server is using a weak rng.

For weaknesses that are detectable by the client, it does make sense
that the client should be willing to detect and abort the session before
compromising it.

We already allow clients to constrain the set of choosable ciphers, for
example, so clients who talk to a misconfigured/old/busted server that
tries to select arcfour can reject the connection.  It's not implausible
that a client would also want to reject a server that offers an
obviously non-prime DH modulus, or a server's ephemeral DH public key
if it is clearly bad (e.g. p-1 or 1).

   --dkg



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
