Re: [exim-dev] [Bug 1837] small subgroup attack

Pàgina inicial
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
A: Viktor Dukhovni
CC: exim-dev
Assumpte: Re: [exim-dev] [Bug 1837] small subgroup attack
On 2016-05-29 at 01:50 -0400, Viktor Dukhovni wrote:
> This particular RFC is a bad idea. Replace its groups with a safe
> group generated by the Exim developers, or generated at compile time,
> if you're willing to tolerate slow builds on older systems. (Generating
> 2048-bit Sophie-Germain safe primes can take minutes).
>
> FWIW, in Postfix I take the first (generated by developers) approach, see
> lines 118 through 150 of:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c


I'm perfectly happy to change the default. I chose it on the basis of
"well, at least there's an RFC, and it's 2048 bit, so as good as any
other and likely somewhat better".

In std-crypto.c we define a list of named DH constants, eg "ike23". We
also define "default", which happens to be the same as "ike23".

I'm happy to add an entry "postfix1", with provenance, "ripped from the
Postfix source". :D

More seriously, perhaps just "exim.dev.20160529" as a keyname, and make
it the default. Actually, generating 3 sets now, numbered each with
suffices.

Also, `exim -bI:dhparams` should be a thing. Ugh.

This is very definitely a Work In Progress, but is my rough thinking.
When I've slept, I want to:
* Fix the PKCS3 generation so we can update the IKE constants
* Add -bI:dhparams
* Test it actually works

http://git.exim.org/exim.git/shortlog/refs/heads/pdp_new_dhparam
https://github.com/Exim/exim/commits/pdp_new_dhparam

Since this adds cryptographic magic values where folks can't validate
against an RFC and instead have to trust that I'm not deliberately
sabotaging things, I think it's appropriate for any commit adding such
values to be PGP-signed (commit object, not just the usual release
tags). I've done this, you can see the "Verified" tag on GitHub.

-Phil