Re: Weak DH primes and openssh

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 

On Fri 2015-05-29 10:14:45 -0400, Hubert Kario wrote:
> On Saturday 30 May 2015 00:09:47 Damien Miller wrote:
>> On Fri, 29 May 2015, Hubert Kario wrote:
>> > Not really, no.
>> > 
>> > We can use this time an initial seed of "OpenSSH 1024 bit prime, attempt
>> > #1". Next time we generate the primes we can use the initial seed of
>> > "2017 OpenSSH 1024 bit prime, attempt #1", but we can use just as well a
>> > "2nd generation OpenSSH 1024 bit DH parameters, try number 1". Then we
>> > can also change the algorithm to use this seed for M-R witnesses, or not.
>> > Then we can use SHA-512 instead of SHA-256, or some SHA-3 variant.
>> 
>> If you're constantly changing the parameters, then this is the opposite of
>> NUMS. Anyway, I don't think a NUMS-like approach is necessary. It certainly
>> isn't with users independently generating primality certificates.
>
> yes, I'm not saying that we should regenerate them constantly, I'm just saying 
> that if the decision was ever to do that again, it's basically impossible to 
> predict now what those numbers will be

I agree with Damien here, i don't see the point of choosing a
fixed-string seed if we're going to change it arbitrarily in the future.

And if the seed string is something semantically similar to "2017
OpenSSH 1024 bit prime, attempt #1", then there actually aren't all that
many of them to choose from, so an adversary who can do precomputation
attacks can pick the most-likely seeds and then send sockpuppets to
argue for one of them when the time comes. :/

The other alternative if you wanted fixed seeds would be to use some
high-entropy value from the real world that would be unpredictable, hard
to control, but not too hard to verify (e.g. a digest of the
concatenated UTF-8 representations of the top headline from each of the
10 highest-circulation newspapers on the day of re-generation, or
something similar).

          --dkg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux