On 09/22/2017 06:55 PM, Tim Broberg wrote:
> Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled?

In the end, I'm trying to ensure a minimum equivalent of 128-bits of security. Group14 is 2048-bits, which roughly translates to 112-bits. [1]

To this end, I disabled the "diffie-hellman-group14-sha1" and "diffie-hellman-group14-sha256" kex algorithms, but the problem is that the group exchange "diffie-hellman-group-exchange-sha256" is not respecting the admin's wishes, and falls back to group14, even when specifically told not to (by the admin removing 2048-bit groups in /etc/ssh/moduli).

There's currently no way to ensure 100% that 2048-bit DH is disabled.

- Joe

[1] See NIST Special Publication 800-57, Part 1, Revision 4, p. 53, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf>.
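The moduli check described in the message above, as an added example that is not part of the original post or of OpenSSH: it audits moduli(5)-format text for groups below a 3072-bit floor and returns the lines that would be kept. The sample entries, the function names and the `MIN_BITS` constant are constructed for illustration; as the message reports, pruning the file this way does not by itself stop the server from falling back to group14.

```python
# Added example: audit moduli(5)-format text for DH groups below a size floor.
MIN_BITS = 3072  # assumed floor: ~128-bit strength; 2048-bit is ~112 (NIST SP 800-57)

# Constructed sample in moduli(5) layout:
#   time type tests trials size generator modulus
# The modulus values are short placeholders, not real primes.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 2047 2 C0FFEE01
20170101000001 2 6 100 3071 2 C0FFEE02
20170101000002 2 6 100 4095 5 C0FFEE03
this line is malformed
20170101000003 2 6 100 2047 5 C0FFEE04
"""

def parse_moduli(text):
    """Yield (lineno, bits, raw_line); bits is None for malformed lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no group
        fields = stripped.split()
        if len(fields) != 7 or not fields[4].isdigit():
            yield lineno, None, line
            continue
        # Files shipped with OpenSSH record the size as bit length minus one
        # (2047 for a 2048-bit prime), so add one to get the real size.
        yield lineno, int(fields[4]) + 1, line

def audit(text, min_bits=MIN_BITS):
    """Split entries into lines to keep, undersized groups and malformed lines."""
    keep, weak, malformed = [], [], []
    for lineno, bits, line in parse_moduli(text):
        if bits is None:
            malformed.append(lineno)
        elif bits < min_bits:
            weak.append((lineno, bits))
        else:
            keep.append(line)
    return {"keep": keep, "weak": weak, "malformed": malformed}

if __name__ == "__main__":
    report = audit(SAMPLE_MODULI)
    for lineno, bits in report["weak"]:
        print(f"line {lineno}: {bits}-bit group is below {MIN_BITS} bits")
    for lineno in report["malformed"]:
        print(f"line {lineno}: not a valid moduli entry")
    print(f"{len(report['keep'])} entries meet the floor")
```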
I see.

Yes, using explicitly disabled algorithms is a very surprising behavior.

- Tim.

On 9/23/17, 10:32 AM, "Joseph S Testa II" <jtesta at positronsecurity.com> wrote:

> On 09/22/2017 06:55 PM, Tim Broberg wrote:
> > Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled?
>
> In the end, I'm trying to ensure a minimum equivalent of 128-bits of security. Group14 is 2048-bits, which roughly translates to 112-bits. [1]
>
> To this end, I disabled the "diffie-hellman-group14-sha1" and "diffie-hellman-group14-sha256" kex algorithms, but the problem is that the group exchange "diffie-hellman-group-exchange-sha256" is not respecting the admin's wishes, and falls back to group14, even when specifically told not to (by the admin removing 2048-bit groups in /etc/ssh/moduli).
>
> There's currently no way to ensure 100% that 2048-bit DH is disabled.
>
> - Joe
>
> [1] See NIST Special Publication 800-57, Part 1, Revision 4, p. 53, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf>.
On 25 September 2017 at 03:40, Tim Broberg <Tim.Broberg at servicenow.com> wrote:
> I see.
>
> Yes, using explicitly disabled algorithms is a very surprising behavior.

Well from a protocol standpoint it's not using a disabled algorithm. Which client does dh-gex with a 2k max?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.