openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

Enable large Discrete Logarithm Diffie-Hellman groups #2558

Closed robert-scheck closed 7 years ago

robert-scheck commented 7 years ago

I hereby would like to proxify https://bugzilla.redhat.com/show_bug.cgi?id=1062925 to upstream, given I did not find any issue for this (hopefully I'm not causing a duplicate):

Peter Backes 2014-02-08 14:27:48 EST

Use at least 15360 bits group size for Discrete Logarithm Diffie-Hellman if you use a 256 bit block cipher. See various standards (especially NIST) cited at http://www.keylength.com/

This is not possible with openssl, because (see https://bugzilla.redhat.com/show_bug.cgi?id=1010607) "their crypto/dh/dh.h file has:

#ifndef OPENSSL_DH_MAX_MODULUS_BITS
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
#endif"

it should be 65536. Possibly, other changes need to be made to enable the use of such large groups.

Version-Release number of selected component (if applicable): openssl-1.0.1e-39.fc21.i686

Peter Backes 2014-02-09 18:05:04 EST

(In reply to Tomas Mraz from comment #1)

Please report this issue upstream. Note that computations with such large DH moduli are extremely slow and CPU cycle consuming so this means they are not too useful anyway.

This is incorrect, as noted already in https://bugzilla.redhat.com/show_bug.cgi?id=1010607. You may have these issues with ephemeral RSA keys, but they don't apply to discrete logarithm Diffie-Hellman. The only minor issue it has is the (moderate) amount of data transferred during key exchange.... Which is why elliptic curves are now preferred. But large Discrete Logarithm Diffie-Hellman group sizes should work anyway.

richsalz commented 7 years ago

So I read the whole thread on that bug. Whew. Lots of "I'm not a cryptographer..." comments. But one that stands out for me is https://bugzilla.redhat.com/show_bug.cgi?id=1010607#c42, who is a cryptographer and says he is not convinced there is a problem.

We are worried about denial of service attacks with 65Kbit moduli. We are not interested in changing it now, as we feel ECDH is a better long-term approach. You can always compile your version of openssl with a -D flag to set the number of bits. (Yes that might have interop issues, but since most implementations of ssh will not be rebuilt/relinked, they will exist anyway.)

Sorry, closing this. If you want to re-open, please start a discussion on the openssl-dev mailing list, or perhaps another crypto-related list, to see if there's justification.
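
The denial-of-service concern in the last comment, as an added example that is not part of the thread or of OpenSSL's code: it times Python's built-in modular exponentiation at several modulus sizes, extrapolates to an exponent as long as the modulus, and marks which sizes the 10000-bit cap would refuse. The function names, the 256-bit probe exponent and the linear scaling are assumptions, and the random moduli are constructed stand-ins, not real DH groups.

```python
import secrets
import time

# Cap quoted in the thread from crypto/dh/dh.h.
OPENSSL_DH_MAX_MODULUS_BITS = 10000


def within_cap(modulus_bits, cap=OPENSSL_DH_MAX_MODULUS_BITS):
    """Size check modelled on the cap: larger moduli are refused outright."""
    return modulus_bits <= cap


def random_odd(bits):
    """Constructed stand-in for a DH modulus: odd, top bit set, not prime.
    Only its size matters for timing."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def estimate_modexp_seconds(modulus_bits, probe_bits=256, repeats=3):
    """Time g^x mod p with a short probe exponent, then scale linearly to an
    exponent as long as the modulus (assumed worst case, no short-exponent
    optimisation). Returns estimated seconds for one exponentiation."""
    p = random_odd(modulus_bits)
    g = secrets.randbits(modulus_bits - 1) | 1  # always smaller than p
    x = random_odd(probe_bits)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(g, x, p)
        best = min(best, time.perf_counter() - start)
    return best * modulus_bits / probe_bits


def report(sizes=(2048, 10000, 15360, 65536)):
    """Rows of (bits, within_cap, estimated seconds, cost relative to first size)."""
    rows = []
    base = None
    for bits in sizes:
        est = estimate_modexp_seconds(bits)
        base = base or est
        rows.append((bits, within_cap(bits), est, est / base))
    return rows


if __name__ == "__main__":
    for bits, ok, est, rel in report():
        print(f"{bits:>6} bits  within cap: {ok!s:5}  ~{est:.3f}s  x{rel:.0f}")
```

Absolute timings depend on the machine and on Python's big-integer arithmetic rather than OpenSSL's; the relative growth between sizes is the point.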