On 22/05/2015 07:18, Jeffrey Walton wrote:
> On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> On 22/05/2015 03:57, Jeffrey Walton wrote:
>>>> As an additional change for 1.0.2c or later (no need to
>>>> delay the urgent fix), maybe adjust internal operations
>>>> to discourage use of hardcoded DH groups for TLS DH (but
>>>> NOT for generic DH-like operations such as openssl-based
>>>> implementations of SRP).
>>> That's going to be tough because standards groups like the TLS WG are
>>> actively promoting fully specified, named parameters and curves.
>>>
>>> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
>>> Parameters for TLS",
>>> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
>>> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
>>> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
>>> (The thread is due to the recent attacks on DH).
>> The latter thread contains posts from respected experts
>> asking not to use fixed parameters for DH...
> Well, I'm not sure how much more respected one can get than Daniel
> Kahn Gillmor, Stephen Farrell, Eric Rescorla; or have better
> credentials than practicing cryptographers.
>
> How high is your bar :)

Who did I say were not highly respected cryptographers?

I read the thread as some of the highly respected experts saying that
the LogJam supplemental finding (some fixed DH groups of once
recommended size used by so many it makes expensive attacks pay) shows
why fixed DH groups should not be mandatory, while other respected
experts talk about other subjects.

I saw posts from respected experts arguing how to shoehorn non-fixed DH
curves back into the drafts of how to use fixed DH curves (rather than
simply dropping that protocol change for DH).

I saw posts from respected experts arguing if the cost of client side
primality checks of DH parameters would exceed the cost of using a
secure enough group size.

I saw no posts in that thread arguing why fixed DH groups would be a
good thing.

I saw no posts discussing if DH parameters signed by the trusted server
really need to be fully validated client side, or if cheaper checks
(range, length, correspondence to seed etc.) would be good enough given
better uses for the CPU time.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
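The two tiers Jakob contrasts, cheap range/length checks on server-supplied DH parameters versus a full primality test, as an added Python example that is not from this thread or from OpenSSL. The tiny safe prime p = 23 (q = 11) and the composite p = 33 are constructed for illustration; the seed-correspondence check is not covered.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: the expensive part of a full DH parameter check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def cheap_checks(p: int, g: int, y: int, min_bits: int):
    """Cheap tier: length and range checks only. Returns an error string or None."""
    if p.bit_length() < min_bits:
        return "p too short"
    if p % 2 == 0 or p < 7:
        return "p not a plausible odd prime"
    if not 1 < g < p - 1:
        return "generator out of range"
    if not 1 < y < p - 1:          # rejects y = 0, 1 and p-1 (order 1 or 2)
        return "peer public value out of range"
    return None


def validate_dh_params(p: int, g: int, y: int, min_bits: int = 2048, full: bool = False):
    """Validate a server's (p, g) and public value y; p is assumed to be a safe prime."""
    err = cheap_checks(p, g, y, min_bits)
    if err:
        return False, err
    q = (p - 1) // 2
    # One modular exponentiation: y must lie in the order-q subgroup of a safe prime.
    if pow(y, q, p) != 1:
        return False, "peer public value not in the order-q subgroup"
    # Full tier: two Miller-Rabin tests, roughly the cost of the key exchange itself.
    if full and not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "p is not a safe prime"
    return True, "ok"
```

With `full=False`, p = 33 (composite) and y = 10 pass every cheap check, which is exactly the gap the full primality test closes.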