[exim-dev] [Bug 1837] small subgroup attack

Page principale
Supprimer ce message
Répondre à ce message
Auteur: admin
Date:  
À: exim-dev
Anciens-sujets: [exim-dev] [Bug 1837] New: small subgroup attack
Sujet: [exim-dev] [Bug 1837] small subgroup attack
https://bugs.exim.org/show_bug.cgi?id=1837

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED


--- Comment #10 from Phil Pennock <pdp@???> ---
Current stance:

Missing q leaks one bit of information from an ephemeral context which is never
reused and is not a problem in Exim's environment. It's not ideal.

We're about to merge code changing the default to one we generate (small
sub-group, no q), and providing the new RFC 7919 values too.

The `openssl genpkey` command is not generic and does not let us get the
RFC7919 values. I have not found a way yet to get this information for
arbitrary other DH parameters instead of just those hard-coded ones.

AFAICT from OpenSSL "NEWS" file, CMS support for X9.42 DH came in with OpenSSL
1.0.2 and that is the feature needed for us to switch to the variant suggested
in this bug, using our current code. Exim needs to continue supporting older
versions of OpenSSL so that's not a viable path for us.

Rather than add lots of keys and change how the crypto is used at the same
time, I'm breaking this into two steps:

(1) Push the current changes, which still have the q problem for small
subgroups, accepting that it doesn't matter for Exim but is not ideal.

(2) Look at using DER encoded binary directly in source files, per Viktor's
suggestion, as done in Postfix. With that, we don't need to worry about CMS
support and we should be able to specify 'q' with any supported version of
OpenSSL. That's a lower-priority task.

--
You are receiving this mail because:
You are on the CC list for the bug.