mina-dev mailing list archives

From Pawel Sm7 <pawel....@gmail.com>
Subject RE: fallback to weaker DH algorithms, moduli file integrity and generating
Date Wed, 21 May 2014 12:19:43 GMT

For 3. Moduli file generator

Below I've created a code sample showing how the moduli file could be recreated.
Not sure if the code is correct, as I checked using ssh-keygen that
the primes are unfortunately not safe.

Maybe I miss something? Could you please advise?


import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;

public class DHKeyGenTest {

    public static void main(String[] args) throws Exception {
        BigInteger p, g;

        for (int i = 0; i < 100; i++) {
            SecureRandom rnd = new SecureRandom();
            // A random 1024-bit prime; nothing here makes it a safe prime (p = 2q + 1),
            // which is what a type-2 moduli entry requires.
            p = BigInteger.probablePrime(1024, rnd);
            // A 2-bit prime, i.e. 2 or 3, used as the generator.
            g = BigInteger.probablePrime(2, rnd);
            DHParameterSpec param = new DHParameterSpec(p, g);

            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(param, rnd);
            KeyPair kp = kpg.generateKeyPair();

            KeyFactory kfactory = KeyFactory.getInstance("DiffieHellman");

            // Read p and g back out of the generated public key.
            DHPublicKeySpec kspec = (DHPublicKeySpec)
                    kfactory.getKeySpec(kp.getPublic(), DHPublicKeySpec.class);

            p = kspec.getP();
            g = kspec.getG();

            // moduli line layout: time type tests trials size generator modulus
            System.out.println("20140409160557 2 6 36 1023 "
                    + g.toString(16).toUpperCase() + " "
                    + p.toString(16).toUpperCase());
        }
    }
}


> Hello,
> I have 3 issues I would like to discuss.
> 1. Handling error scenarios if Prime cannot be found.
> Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> cannot be found.
> The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> Group14 (embedded within the Code) if Prime cannot be found, either due to
> MODULI File Access Errors or Prime Not Found in the File, is the typical
> approach of most SSH Server Implementations.
> OpenSSH follows this paradigm. Also it would help in communications
> robustness.
> It would be also nice to have a log event when the fallback happens.
> Do you agree that this is an issue? When could it be implemented?

It makes sense to me.  Especially, the spec (
http://tools.ietf.org/html/rfc4419) says:

    The server should return the smallest group it knows that is larger
    than the size the client requested.  If the server does not know a
    group that is larger than the client request, then it SHOULD return
    the largest group it knows.  In all cases, the size of the returned
    group SHOULD be at least 1024 bits.

So feel free to raise a JIRA about that.

> 2. Moduli file integrity handling.
> Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> contents, store it somewhere and add validation of moduli file using the
> fingerprint.
> This way we can deal with unauthorized tampering of moduli file. It is
> potential security issue.

Not really sure I follow you.  The moduli file is embedded in the sshd-core
jar and is not externalized at the moment.
It should be externalized, so please raise a JIRA for that.  For the
fingerprint, I'm not sure it should be embedded in the file as it would
make this file incompatible with the standard one, but giving it to sshd in
some way and verifying it before its use sounds good to me.

> 3. Moduli file generator
> Is there a roadmap to add a moduli generator so that there’s full support
> for group exchange generation and usage within Mina?
> e.g. Primes could be regenerated also when moduli file is corrupted.

See above.  Two things anyway: the format is fully compatible with the
standard moduli file, so using the unix generator works fine.
Generating such primes can be very long and I'm not sure this is something
that should be done by sshd directly, though I don't have any problems with
sshd shipping a simple class to generate the primes.

I don't really plan to work on SSHD on the coming weeks for such
enhancements, but if you feel comfortable, attach patches or git pull
requests to those issues and I can review them.


> Regards,
> Pawel
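An added example, not code from this thread or from MINA SSHD, written in Python so it runs without a JDK: it shows why a random prime from `BigInteger.probablePrime` is not a type-2 modulus, generates safe primes p = 2q + 1 instead, formats a moduli line in the layout of the sample line above, and checks a line before a regenerated file is trusted (safe prime, generator of the full group, size field equal to bit length minus one). Field meanings follow OpenSSH's moduli(5); the `2 6 36` type/tests/trials values are copied from the post's sample line, not computed.

```python
import secrets

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; a composite passes with probability < 4**-rounds."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1   # n - 1 = 2**r * d with d odd
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """Moduli type 2 means p = 2q + 1 with both p and q prime; a random prime rarely is."""
    return p >= 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def is_primitive_root(g: int, p: int) -> bool:
    """For a safe prime p the only orders are 1, 2, q, 2q; g has order 2q iff g**q == -1 (mod p)."""
    return 1 < g < p - 1 and pow(g, (p - 1) // 2, p) == p - 1

def generate_safe_prime(bits: int) -> int:
    """Draw random odd q of bits-1 bits until q and p = 2q + 1 are both prime (slow in pure Python)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def format_moduli_line(p: int, g: int, stamp: str) -> str:
    """Fields: time type tests trials size generator modulus; size is bit length minus one."""
    return f"{stamp} 2 6 36 {p.bit_length() - 1} {g:X} {p:X}"

def check_moduli_line(line: str) -> list:
    """Problems found in one moduli line; an empty list means the line is usable."""
    f = line.split()
    assert len(f) == 7, "expected 7 fields"
    p, g = int(f[6], 16), int(f[5], 16)
    checks = [
        (int(f[4]) == p.bit_length() - 1, "size field is not the modulus bit length minus one"),
        (is_safe_prime(p), "modulus is not a safe prime"),
        (is_primitive_root(g, p), "generator does not generate the whole group"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`generate_safe_prime(1024)` takes minutes in pure Python; `generate_safe_prime(256)` finishes in well under a second and is enough to exercise the checks.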
