Posted to dev@mina.apache.org by Guillaume Nodet <gn...@apache.org> on 2014/06/03 15:19:05 UTC

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Probable primes are just ... probable, not certain.
To use them in DH, we'd need to make sure they are actually prime numbers,
and that takes a *very* long time.
That's what ssh-keygen -T does: it verifies candidates and discards
non-prime numbers.
What are your constraints for wanting to generate those numbers at runtime?
If we externalize the file, I think this should provide a good enough way
to change them (if the file is read each time a DH is created), so that you
could generate the moduli file with ssh-keygen and just copy it at the
right place for SSHD to pick it up.

Guillaume


2014-05-21 14:19 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:

> Hello,
>
> for 3. Moduli file generator
>
> Below I've created the code sample showing how moduli file could be
> recreated.
> Not sure if the code is correct, as I checked using ssh-keygen that
> the primes are unfortunately not safe.
>
> Maybe I'm missing something? Could you please advise?
> Regards,
>
> Pawel
>
>
>
> import java.math.BigInteger;
> import java.security.KeyFactory;
> import java.security.KeyPair;
> import java.security.KeyPairGenerator;
> import java.security.SecureRandom;
>
> import javax.crypto.spec.DHParameterSpec;
> import javax.crypto.spec.DHPublicKeySpec;
>
> public class DHKeyGenTest {
>
>     public static void main(String[] args) throws Exception {
>         BigInteger p, g;
>
>         for (int i = 0; i < 100; i++) {
>             SecureRandom rnd = new SecureRandom();
>             p = BigInteger.probablePrime(1024, rnd);
>             g = BigInteger.probablePrime(2, rnd);
>             DHParameterSpec param = new DHParameterSpec(p, g);
>
>             KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
>             kpg.initialize(param);
>             KeyPair kp = kpg.generateKeyPair();
>
>             KeyFactory kfactory = KeyFactory.getInstance("DiffieHellman");
>
>             DHPublicKeySpec kspec = (DHPublicKeySpec) kfactory.getKeySpec(
>                     kp.getPublic(), DHPublicKeySpec.class);
>
>             p = kspec.getP();
>             g = kspec.getG();
>
>             System.out.println("20140409160557 2 6 36 1023 "
>                     + g.toString(16).toUpperCase() + " "
>                     + p.toString(16).toUpperCase());
>         }
>     }
>
> }
>
>
> > Hello,
> >
> > I have 3 issues I would like to discuss.
> >
> > 1. Handling error scenarios if Prime cannot be found.
> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> > cannot be found.
> >
> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> > Group14 (embedded within the Code) if Prime cannot be found, either due to
> > MODULI File Access Errors or Prime Not Found in the File, is the typical
> > approach of most SSH Server Implementations.
> > OpenSSH follows this paradigm. Also it would help in communications
> > robustness.
> > It would be also nice to have a log event when the fallback happens.
> > Do you agree that this is an issue? When could it be implemented?
> >
>
> It makes sense to me.  Especially, the spec (
> http://tools.ietf.org/html/rfc4419) says:
>
> The server should return the smallest group it knows that is larger
>    than the size the client requested.  If the server does not know a
>    group that is larger than the client request, then it SHOULD return
>    the largest group it knows.  In all cases, the size of the returned
>    group SHOULD be at least 1024 bits.
>
>
> So feel free to raise a JIRA about that.
>
>
> >
> > 2. Moduli file integrity handling.
> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> > contents, store it somewhere and add validation of moduli file using the
> > fingerprint.
> > This way we can deal with unauthorized tampering of moduli file. It is
> > a potential security issue.
> >
>
> Not really sure I follow you.  The moduli file is embedded in the sshd-core
> jar and is not externalized at the moment.
> It should be externalized, so please raise a JIRA for that.  For
> fingerprint, I'm not sure it should be embedded in the file as it would
> make this file incompatible with the standard one, but giving it to sshd in
> some way and verifying it before its use sounds good to me.
>
>
> >
> > 3. Moduli file generator
> > Is there a roadmap to add a moduli generator so that there’s full support
> > for group exchange generation and usage within Mina?
> > e.g. Primes could be regenerated also when moduli file is corrupted.
> >
>
> See above.  Two things anyway: the format is fully compatible with the
> standard moduli file so using the unix generator works fine.
> Generating such primes can be very long and I'm not sure this is something
> that should be done by sshd directly, though I don't have any problems with
> sshd shipping a simple class to generate the primes.
>
> I don't really plan to work on SSHD in the coming weeks for such
> enhancements, but if you feel comfortable, attach patches or git pull
> requests to those issues and I can review them.
>
> Cheers,
> Guillaume
>
>
> >
> >
> > Regards,
> >
> > Pawel
> >
>
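
An added example, not code from this thread or from SSHD, combining the three points discussed: check the moduli file against a SHA-256 fingerprint supplied out of band before use, keep only moduli that are safe primes (p and (p-1)/2 both prime, which a bare BigInteger.probablePrime result generally is not), and pick a group by the RFC 4419 rule quoted above. ModuliCheck, Group, load and select are hypothetical names; the input lines are constructed toy values far below the 1024-bit minimum; Java 16+ is assumed for records.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added example: ModuliCheck and its members are hypothetical names, not SSHD API.
public class ModuliCheck {
    record Group(int bits, BigInteger g, BigInteger p) {}

    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Safe prime: p and (p - 1) / 2 must both pass the (probabilistic) primality test.
    static boolean isSafePrime(BigInteger p, int certainty) {
        return p.isProbablePrime(certainty)
                && p.subtract(BigInteger.ONE).shiftRight(1).isProbablePrime(certainty);
    }

    // Refuse the file unless its SHA-256 equals the pinned value, then keep only
    // lines (time type tests tries size generator modulus) whose modulus is safe.
    static List<Group> load(byte[] file, byte[] pinned) throws Exception {
        if (!MessageDigest.isEqual(sha256(file), pinned))
            throw new SecurityException("moduli fingerprint mismatch");
        List<Group> groups = new ArrayList<>();
        for (String line : new String(file, StandardCharsets.US_ASCII).split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length != 7 || f[0].startsWith("#")) continue;
            BigInteger p = new BigInteger(f[6], 16);
            if (isSafePrime(p, 100)) groups.add(new Group(p.bitLength(), new BigInteger(f[5], 16), p));
        }
        return groups;
    }

    // RFC 4419: smallest group larger than the request, else the largest known.
    static Group select(List<Group> groups, int requestedBits) {
        Comparator<Group> bySize = Comparator.comparingInt(Group::bits);
        return groups.stream().filter(x -> x.bits() > requestedBits).min(bySize)
                .orElseGet(() -> groups.stream().max(bySize).orElseThrow());
    }

    public static void main(String[] args) throws Exception {
        // Constructed toy input: 0x17 = 23 is safe (11 is prime), 0x1D = 29 is
        // prime but not safe (14 is composite), 0x107 = 263 is safe (131 is prime).
        byte[] file = ("20140409160557 2 6 36 4 2 17\n20140409160557 2 6 36 4 2 1D\n"
                + "20140409160557 2 6 36 8 5 107\n").getBytes(StandardCharsets.US_ASCII);
        List<Group> groups = load(file, sha256(file)); // real pinned digest comes from trusted config
        System.out.println(groups.size() + " " + select(groups, 4).bits() + " " + select(groups, 16).bits());
    }
}
```

The line carrying 0x1D is dropped even though it is labelled type 2 (safe) and 29 is prime, which is the same mismatch ssh-keygen reported for the generator posted above.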