mina-dev mailing list archives

From Guillaume Nodet <gno...@apache.org>
Subject Re: fallback to weaker DH algorithms, moduli file integrity and generating
Date Tue, 03 Jun 2014 13:19:05 GMT
Probable primes are just ... probable, not certain.
To use them in DH, we'd need to make sure they are actually prime numbers,
and that takes a *very* long time.
That's what ssh-keygen -T does: it verifies candidates and discards
non-prime numbers.
What are your constraints for wanting to generate those numbers at runtime?
If we externalize the file, I think this should provide a good enough way
to change them (if the file is read each time a DH is created), so that you
could generate the moduli file with ssh-keygen and just copy it at the
right place for SSHD to pick it up.

Guillaume
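
The check discussed in this reply, as an added example (not code from the thread or from the SSHD project): it validates moduli lines in the field layout used by the sample line in the quoted code and rejects any modulus p for which p or (p-1)/2 fails a primality test. The class name, the certainty value and the two toy lines are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class ModuliCandidateCheck {
    static final int CERTAINTY = 100; // isProbablePrime error bound: 2^-100

    /** p is a safe prime when both p and q = (p-1)/2 are prime. */
    static boolean isSafePrime(BigInteger p) {
        BigInteger q = p.subtract(BigInteger.ONE).shiftRight(1);
        return p.isProbablePrime(CERTAINTY) && q.isProbablePrime(CERTAINTY);
    }

    /** Checks one line: timestamp type tests trials size generator modulus (last two in hex). */
    static String check(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length != 7) return "malformed";
        try {
            int size = Integer.parseInt(f[4]);
            BigInteger g = new BigInteger(f[5], 16);
            BigInteger p = new BigInteger(f[6], 16);
            // The page's sample line writes 1023 for a 1024-bit modulus: size = bits - 1.
            if (p.bitLength() != size + 1) return "size mismatch";
            if (!isSafePrime(p)) return "not a safe prime";
            BigInteger two = BigInteger.valueOf(2);
            if (g.compareTo(two) < 0 || g.compareTo(p.subtract(two)) > 0) return "bad generator";
            return "ok";
        } catch (NumberFormatException e) {
            return "malformed";
        }
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();
        int rejected = 0;
        for (int i = 0; i < 20; i++) {
            // Same generation step as the quoted code: a random probable prime, nothing more.
            BigInteger p = BigInteger.probablePrime(1024, rnd);
            if (!check("20140409160557 2 6 36 1023 2 " + p.toString(16)).equals("ok")) rejected++;
        }
        System.out.println("random probable primes rejected: " + rejected + " of 20");
        // Constructed toy lines: 0x17 = 23 = 2*11 + 1 is a safe prime;
        // 0x1D = 29 is prime but (29-1)/2 = 14 is not.
        System.out.println(check("20140409160557 2 6 36 4 5 17"));
        System.out.println(check("20140409160557 2 6 36 4 5 1D"));
    }
}
```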


2014-05-21 14:19 GMT+02:00 Pawel Sm7 <pawel.sm7@gmail.com>:

> Hello,
>
> for 3. Moduli file generator
>
> Below I've created the code sample showing how moduli file could be
> recreated.
> Not sure if the code is correct, as I checked using ssh-keygen that
> the primes are unfortunately not safe.
>
> Maybe I'm missing something? Could you please advise?
> Regards,
>
> Pawel
>
>
>
> import java.math.BigInteger;
> import java.security.KeyFactory;
> import java.security.KeyPair;
> import java.security.KeyPairGenerator;
> import java.security.SecureRandom;
>
> import javax.crypto.spec.DHParameterSpec;
> import javax.crypto.spec.DHPublicKeySpec;
>
> public class DHKeyGenTest {
>
>     public static void main(String[] args) throws Exception {
>         BigInteger p, g;
>
>         for (int i = 0; i < 100; i++) {
>             SecureRandom rnd = new SecureRandom();
>             p = BigInteger.probablePrime(1024, rnd);
>             g = BigInteger.probablePrime(2, rnd);
>             DHParameterSpec param = new DHParameterSpec(p, g);
>
>             KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
>             kpg.initialize(param);
>             KeyPair kp = kpg.generateKeyPair();
>
>             KeyFactory kfactory = KeyFactory.getInstance("DiffieHellman");
>
>             DHPublicKeySpec kspec = (DHPublicKeySpec) kfactory.getKeySpec(kp.getPublic(),
>                 DHPublicKeySpec.class);
>
>             p = kspec.getP();
>             g = kspec.getG();
>
>             System.out.println("20140409160557 2 6 36 1023 " + g.toString(16).toUpperCase() + " "
>                     + p.toString(16).toUpperCase());
>         }
>     }
>
> }
>
>
> > Hello,
> >
> > I have 3 issues I would like to discuss.
> >
> > 1. Handling error scenarios if Prime cannot be found.
> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> > cannot be found.
> >
> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> > Group14 (embedded within the Code) if Prime cannot be found, either due to
> > MODULI File Access Errors or Prime Not Found in the File, is the typical
> > approach of most SSH Server Implementations.
> > OpenSSH follows this paradigm. Also it would help in communications
> > robustness.
> > It would be also nice to have a log event when the fallback happens.
> > Do you agree that this is an issue? When could it be implemented?
> >
>
> It makes sense to me.  Especially, the spec (
> http://tools.ietf.org/html/rfc4419) says:
>
> The server should return the smallest group it knows that is larger
>    than the size the client requested.  If the server does not know a
>    group that is larger than the client request, then it SHOULD return
>    the largest group it knows.  In all cases, the size of the returned
>    group SHOULD be at least 1024 bits.
>
>
> So feel free to raise a JIRA about that.
>
>
> >
> > 2. Moduli file integrity handling.
> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> > contents, store it somewhere and add validation of moduli file using the
> > fingerprint.
> > This way we can deal with unauthorized tampering of moduli file. It is
> > potential security issue.
> >
>
> Not really sure I follow you.  The moduli file is embedded in the sshd-core
> jar and is not externalized at the moment.
> It should be externalized, so please raise a JIRA for that.  For
> fingerprint, I'm not sure it should be embedded in the file as it would
> make this file incompatible with the standard one, but giving it to sshd in
> some way and verifying it before its use sounds good to me.
>
>
> >
> > 3. Moduli file generator
> > Is there a roadmap to add a moduli generator so that there’s full support
> > for group exchange generation and usage within Mina?
> > e.g. Primes could be regenerated also when moduli file is corrupted.
> >
>
> See above.  Two things anyway : the format is fully compatible with the
> standard moduli file so using the unix generator works fine.
> Generating such primes can be very long and I'm not sure this is something
> that should be done by sshd directly, though I don't have any problems with
> sshd shipping a simple class to generate the primes.
>
> I don't really plan to work on SSHD in the coming weeks for such
> enhancements, but if you feel comfortable, attach patches or git pull
> requests to those issues and I can review them.
>
> Cheers,
> Guillaume
>
>
> >
> >
> > Regards,
> >
> > Pawel
> >
>
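
Points 1 and 2 of the quoted thread combined, as an added example (not code from the thread or from SSHD): the moduli content is used only if its SHA-256 matches a fingerprint held outside the file, group size is then chosen along the lines of the RFC 4419 text quoted above, and every fallback is logged. The class and method names, the -1 "use the built-in group" return value and the two-line sample content are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.TreeSet;
import java.util.logging.Logger;

public class ModuliGuard {
    static final Logger LOG = Logger.getLogger("ModuliGuard");

    static String sha256Hex(byte[] data) throws Exception {
        return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(data)));
    }

    /** Group sizes (bits) listed in the file, or an empty set if the fingerprint does not match. */
    static TreeSet<Integer> trustedSizes(byte[] file, String pinnedHex) throws Exception {
        TreeSet<Integer> sizes = new TreeSet<>();
        byte[] actual = sha256Hex(file).getBytes(StandardCharsets.US_ASCII);
        byte[] pinned = pinnedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, pinned)) { // comparison without early exit
            LOG.warning("moduli fingerprint mismatch, ignoring file");
            return sizes;
        }
        for (String line : new String(file, StandardCharsets.US_ASCII).split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 7 && !line.startsWith("#")) sizes.add(Integer.parseInt(f[4]) + 1);
        }
        return sizes;
    }

    /** Smallest known size at least as large as requested (assumed reading of "larger"),
     *  else the largest known; -1 means use the built-in group. */
    static int chooseSize(TreeSet<Integer> sizes, int requested) {
        if (sizes.isEmpty()) {
            LOG.warning("no usable moduli, falling back to the built-in group");
            return -1;
        }
        Integer s = sizes.ceiling(Math.max(requested, 1024)); // RFC 4419: at least 1024 bits
        return s != null ? s : sizes.last();
    }

    public static void main(String[] args) throws Exception {
        // Constructed two-line moduli content; the moduli are tiny placeholders, not usable primes.
        byte[] file = ("20140409160557 2 6 36 1023 2 AB\n"
                     + "20140409160557 2 6 36 2047 2 CD\n").getBytes(StandardCharsets.US_ASCII);
        String pinned = sha256Hex(file); // in practice kept separately from the moduli file
        System.out.println(chooseSize(trustedSizes(file, pinned), 1536));
        System.out.println(chooseSize(trustedSizes(file, pinned), 4096));
        file[file.length - 2] ^= 1; // simulate a modified file
        System.out.println(chooseSize(trustedSizes(file, pinned), 1536));
    }
}
```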
