Hello everybody, An issue was reported in RH bugzilla [1] about the size of the used DH group when combined with the 3des-cbc cipher. OpenSSH uses the actual key length for the size estimation. This is probably fine as far as the cipher has the same number of bits of security as the key length. But this is not true for 3TDEA where the key size is 168 resp 192 but it's security is only 112. Given that the key size in openssh is set to 192, DH group size is estimated to 7680. But according to NIST SP 800-57, the size of DH key should be 2048 so openssh doesn't follow that and it might cause problems with key exchanges with some servers. Would it make sense to extend the Cipher struct with the bits for security and estimate the DH size from this value? Or do special handling just of 3des? What do you think? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1053107 Thanks, Petr -- Petr Lautrbach Security Technologies Red Hat Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140121/2256b157/attachment.bin>
On 01/21/2014 05:14 PM, Petr Lautrbach wrote:> Hello everybody, > > An issue was reported in RH bugzilla [1] about the size of the used DH > group when combined with the 3des-cbc cipher. OpenSSH uses the > actual key length for the size estimation. This is probably fine as far > as the cipher has the same number of bits of security as the key > length. But this is not true for 3TDEA where the key size is 168 resp > 192 but it's security is only 112. > > Given that the key size in openssh is set to 192, DH group size is > estimated to 7680. But according to NIST SP 800-57, the size of DH key > should be 2048 so openssh doesn't follow that and it might cause > problems with key exchanges with some servers. >It was confirmed that openssh can't connect to the server with a server string 'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192). It's due to a issue in its code [1] which takes only requested value and is limited only to 4096 bits. So I've made a patch [2] as a POF which adds a security length column and uses this value for dh_estimation. For 3des-cbc it's 14 which makes 2048 of preferred DH group size: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) and I've got confirmed that is solves the issue with this particular server. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1026430#c5 [2] http://fedorapeople.org/~plautrba/openssh/cipher-security-size.patch Petr -- Petr Lautrbach Security Technologies Red Hat Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140124/4df877b7/attachment.bin>
Maybe Matching Threads
- Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
- MINGW Help
- [Bug 1131] buffer_append_space: alloc not supported Error with V 4.2p1
- [Bug 1814] New: scp get file prepends -- before filename
- [Bug 2011] sandbox selection needs some kind of fallback mechanism