Re: [exim-dev] [Bug 1837] small subgroup attack

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1837] small subgroup attack

> On May 29, 2016, at 1:38 AM, Phil Pennock <pdp@???> wrote:
>
> In a world where ECC is not yet widespread in MTA, PFS requires DH. The
> documentation, and many packages (I believe) encourage people to
> generate primes.


Indeed, but a better fallback than the groups from this misguided RFC
would be a compiled-in 2048-bit safe prime group. I am not advocating
no DH, rather I am strongly advocating no DH groups from RFC 5114. This
is primarily while wearing my OpenSSL team member hat, not that snooty
Postfix guy barging in on the Exim list. :-)

> These are a fallback. My belief was that PFS with 2048-bit DH from an
> RFC is better than no PFS. Today ... I think that I believe the same.


This particular RFC is a bad idea. Replace its groups with a safe
group generated by the Exim developers, or generated at compile time,
if you're willing to tolerate slow builds on older systems. (Generating
2048-bit Sophie-Germain safe primes can take minutes).

FWIW, in Postfix I take the first (generated by developers) approach, see
lines 118 through 150 of:

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c

-- 
    Viktor.
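An added example, not part of this thread and not code from Exim, Postfix or OpenSSL: the Python below audits a DH parameter file along the lines of the argument above. For a safe prime p = 2q + 1 the only elements of small order are 1 and p - 1, so a peer's public value only needs a range check; for a cofactor group of the RFC 5114 kind the receiver must also confirm y^q mod p == 1 on every handshake, or a small-order value leaks bits of a reused private key. All function names, the PEM encoder used to build the sample input, and the tiny groups 23 (safe) and 211 (p - 1 = 2*3*5*7, so full of small subgroups) are constructed for this illustration; a real `openssl dhparam` file can be fed to `parse_dhparams_pem` unchanged.

```python
import base64
import random

# Trial-division primes tried before Miller-Rabin.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; 32 rounds is ample for an audit tool."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and (p - 1) / 2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams_pem(p, g):
    """Constructed helper: PKCS#3 DHParameter ::= SEQUENCE { prime, base } as PEM."""
    der = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_read(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams_pem(pem):
    """Return (p, g, q) from a DH PARAMETERS block; q is None when absent."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        t, val, pos = _der_read(seq, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) < 2:
        raise ValueError("need at least p and g")
    return ints[0], ints[1], (ints[2] if len(ints) > 2 else None)


def audit_dh_group(p, g, q=None):
    """Classify a group and say which peer-value check the receiver must perform."""
    report = {"bits": p.bit_length(), "p_prime": is_probable_prime(p),
              "safe_prime": is_safe_prime(p), "g_in_range": 1 < g < p - 1}
    if report["safe_prime"]:
        # Only {1, p-1} have small order: a range check on y is sufficient.
        report["peer_check"] = "range"
        report["g_order_ok"] = report["g_in_range"]
    else:
        # Cofactor group: need a prime q | p-1, g of order q, and y^q == 1 per handshake.
        report["peer_check"] = "subgroup"
        report["q_ok"] = q is not None and is_probable_prime(q) and (p - 1) % q == 0
        report["g_order_ok"] = bool(report["q_ok"]) and pow(g, q, p) == 1
    return report


def validate_peer_public(p, y, q=None):
    """Accept a peer's public value only if it lies in the intended subgroup."""
    if not 1 < y < p - 1:
        return False
    return q is None or pow(y, q, p) == 1


def count_small_order_elements(p, max_order):
    """Brute-force count of residues mod p with order <= max_order (tiny p only)."""
    count = 0
    for y in range(1, p):
        order, x = 1, y
        while x != 1 and order <= max_order:
            x, order = x * y % p, order + 1
        if order <= max_order:
            count += 1
    return count


if __name__ == "__main__":
    p, g, q = parse_dhparams_pem(encode_dhparams_pem(23, 2))  # constructed sample
    print(audit_dh_group(p, g, q))
    print(audit_dh_group(211, 171, 7))  # 171 has order 7 mod 211
    print(count_small_order_elements(23, 7), count_small_order_elements(211, 7))
```

Running the audit on a 2048-bit safe-prime file takes well under a second, since only two Miller-Rabin runs are needed; the brute-force `count_small_order_elements` is there only to make the subgroup structure of the two toy primes visible.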