Posted to dev@mina.apache.org by Pawel Sm7 <pa...@gmail.com> on 2014/04/30 16:36:57 UTC

fallback to weaker DH algorithms, moduli file integrity and generating

Hello,

I have 3 issues I would like to discuss.

1. Handling error scenarios if Prime cannot be found.
Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
cannot be found.

The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
Group14 (embedded within the Code) if Prime cannot be found, either due to
MODULI File Access Errors or Prime Not Found in the File, is the typical
approach of most SSH Server Implementations.
OpenSSH follows this paradigm. Also it would help in communications
robustness.
It would be also nice to have a log event when the fallback happens.
Do you agree that this is an issue? When could it be implemented?

2. Moduli file integrity handling.
Could you create e.g. a SHA-256 hash fingerprint of the moduli file
contents, store it somewhere and add validation of moduli file using the
fingerprint.
This way we can deal with unauthorized tampering of moduli file. It is
a potential security issue.

3. Moduli file generator
Is there a roadmap to add a moduli generator so that there’s full support
for group exchange generation and usage within Mina?
e.g. Primes could be regenerated also when moduli file is corrupted.


Regards,

Pawel

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Posted by Guillaume Nodet <gn...@apache.org>.
2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:

> Hello,
>
> I have 3 issues I would like to discuss.
>
> 1. Handling error scenarios if Prime cannot be found.
> Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> cannot be found.
>
> The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> Group14 (embedded within the Code) if Prime cannot be found, either due to
> MODULI File Access Errors or Prime Not Found in the File, is the typical
> approach of most SSH Server Implementations.
> OpenSSH follows this paradigm. Also it would help in communications
> robustness.
> It would be also nice to have a log event when the fallback happens.
> Do you agree that this is an issue? When could it be implemented?
>

It makes sense to me.  Especially, the spec (
http://tools.ietf.org/html/rfc4419) says:

   The server should return the smallest group it knows that is larger
   than the size the client requested.  If the server does not know a
   group that is larger than the client request, then it SHOULD return
   the largest group it knows.  In all cases, the size of the returned
   group SHOULD be at least 1024 bits.


So feel free to raise a JIRA about that.


>
> 2. Moduli file integrity handling.
> Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> contents, store it somewhere and add validation of moduli file using the
> fingerprint.
> This way we can deal with unauthorized tampering of moduli file. It is
> a potential security issue.
>

Not really sure I follow you.  The moduli file is embedded in the sshd-core
jar and is not externalized at the moment.
It should be externalized, so please raise a JIRA for that.  For
fingerprint, I'm not sure it should be embedded in the file as it would
make this file incompatible with the standard one, but giving it to sshd in
some way and verifying it before its use sounds good to me.


>
> 3. Moduli file generator
> Is there a roadmap to add a moduli generator so that there’s full support
> for group exchange generation and usage within Mina?
> e.g. Primes could be regenerated also when moduli file is corrupted.
>

See above.  Two things anyway: the format is fully compatible with the
standard moduli file so using the unix generator works fine.
Generating such primes can be very long and I'm not sure this is something
that should be done by sshd directly, though I don't have any problems with
sshd shipping a simple class to generate the primes.

I don't really plan to work on SSHD in the coming weeks for such
enhancements, but if you feel comfortable, attach patches or git pull
requests to those issues and I can review them.

Cheers,
Guillaume


>
>
> Regards,
>
> Pawel
>
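
The group selection rule quoted from RFC 4419, combined with the requested fallback and log event, as an added example (not Mina SSHD or OpenSSH code). The `Group` record, the `ModuliSource` loader and the sample group names and sizes are hypothetical and constructed for illustration; a real loader would parse the moduli file.

```java
import java.io.IOException;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;
import java.util.logging.Logger;

// Requires Java 16+ (records, Stream.toList()).
public class DhGroupChooser {
    private static final Logger LOG = Logger.getLogger("DhGroupChooser");

    /** A known group; only its size matters for selection (name is a label). */
    record Group(String name, int bits) {}

    /** Hypothetical loader; throws when the moduli file is missing or unreadable. */
    interface ModuliSource { List<Group> load() throws IOException; }

    static Group choose(ModuliSource src, int min, int pref, int max, Group builtin) {
        List<Group> known;
        try {
            known = src.load();
        } catch (IOException e) {
            LOG.warning("moduli unreadable: " + e.getMessage());
            known = List.of();
        }
        int floor = Math.max(min, 1024); // RFC 4419: at least 1024 bits
        List<Group> usable = known.stream()
                .filter(g -> g.bits() >= floor && g.bits() <= max).toList();
        // Smallest group at least as large as the size the client prefers ...
        Optional<Group> pick = usable.stream().filter(g -> g.bits() >= pref)
                .min(Comparator.comparingInt(Group::bits));
        // ... otherwise the largest group the server knows.
        if (pick.isEmpty()) pick = usable.stream().max(Comparator.comparingInt(Group::bits));
        if (pick.isPresent()) return pick.get();
        // Nothing usable in the file: log the event and use the embedded group.
        LOG.warning("no modulus for " + min + "/" + pref + "/" + max
                + ", falling back to built-in " + builtin.name());
        return builtin;
    }

    public static void main(String[] args) {
        Group g14 = new Group("group14", 2048); // embedded fallback, as in the thread
        List<Group> file = List.of(new Group("m1536", 1536),
                new Group("m3072", 3072), new Group("m4096", 4096)); // constructed
        System.out.println(choose(() -> file, 1024, 2048, 8192, g14).name());
        System.out.println(choose(() -> file, 1024, 8192, 8192, g14).name());
        System.out.println(choose(() -> { throw new IOException("file not found"); },
                1024, 2048, 8192, g14).name());
    }
}
```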

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Posted by Pawel Sm7 <pa...@gmail.com>.
Hello,

I would like to get back to the fingerprint validation - no problem
with adding properties to ServerFactoryManager.
I can create JIRA issue for that and create the code.

When the code is ready, should I just send it to you? (I am not
the MINA committer).

Regards,

Pawel


2014-10-16 23:35 GMT+02:00 Guillaume Nodet <gn...@apache.org>:
> I'm quite reluctant to add code which is completely unused.
> I think it should be possible to modify the DHGEX class to leverage that
> code if a boolean property is set on the ServerFactoryManager.
> Something like MODULI_CHECK_FINGERPRINT and also a MODULI_FINGERPRINT_SALT
> and MODULI_FINGERPRINT_URL maybe.
> If the first one is true, then use the code you pasted below to actually
> verify the fingerprints, else simply ignore it.
>
> If you're willing to work on that, please create a JIRA issue.
>
> 2014-10-15 16:53 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
>
>> Hello,
>>
>> My plan would be not to change Mina SSHD existing classes, but give
>> people using Mina SSHD a new class to use fingerprints if needed.
>>
>>
>>
>> It could be used e.g.:
>>
>> In org.apache.sshd.server.kex.DHGEX:
>>
>> private DH chooseDH(int min, int prf, int max) throws Exception {
>>         ModuliFingerprint mf = new ModuliFingerprint();
>>         mf.setSalt(.....);
>>
>>         try {
>>             mf.checkModuliFingerprint(MODULI_FILE, MODULI_FINGERPRINT);
>>         } catch (Exception e) {
>>             throw e;
>>         }
>> ......
>>
>> Here if moduli was tampered, fingerprints do not match and exception
>> is generated. SSHD is not started.
>>
>> Earlier you need to generate fingerprint for the existing moduli file
>> using createModuliFingerprint() method.
>>
>>
>> I didn't want to update Mina SSHD existing classes because everyone
>> who wants to use fingerprints needs to generate its own secret salt
>> using setSalt() method as in the example above. It has to be secret,
>> so I did not want to force existing SSHD classes to use fingerprints.
>>
>> Please let me know your opinion.
>>
>> Regards,
>>
>> Pawel
>>
>>
>>
>> 2014-10-13 17:52 GMT+02:00 Guillaume Nodet <gn...@apache.org>:
>> > How do you plan to change sshd to use this class?
>> >
>> > 2014-10-13 17:07 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
>> >
>> >> Hello,
>> >>
>> >> Please find attached proposal of moduli fingerprint functionality.
>> >>
>> >> Please let me know if you have any comments and if you plan to add this
>> >> functionality to Apache Mina SSHD.
>> >>
>> >> Regards,
>> >>
>> >> Pawel
>> >>
>> >>
>> >> 2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
>> >> > Hello,
>> >> >
>> >> > I have 3 issues I would like to discuss.
>> >> >
>> >> > 1. Handling error scenarios if Prime cannot be found.
>> >> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
>> >> > cannot be found.
>> >> >
>> >> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
>> >> > Group14 (embedded within the Code) if Prime cannot be found, either due to
>> >> > MODULI File Access Errors or Prime Not Found in the File, is the typical
>> >> > approach of most SSH Server Implementations.
>> >> > OpenSSH follows this paradigm. Also it would help in communications
>> >> > robustness.
>> >> > It would be also nice to have a log event when the fallback happens.
>> >> > Do you agree that this is an issue? When could it be implemented?
>> >> >
>> >> > 2. Moduli file integrity handling.
>> >> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
>> >> > contents, store it somewhere and add validation of moduli file using the
>> >> > fingerprint.
>> >> > This way we can deal with unauthorized tampering of moduli file. It is
>> >> > a potential security issue.
>> >> >
>> >> > 3. Moduli file generator
>> >> > Is there a roadmap to add a moduli generator so that there’s full support
>> >> > e.g. Primes could be regenerated also when moduli file is corrupted.
>> >> >
>> >> >
>> >> > Regards,
>> >> >
>> >> > Pawel
>> >>
>>

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Posted by Guillaume Nodet <gn...@apache.org>.
I'm quite reluctant to add code which is completely unused.
I think it should be possible to modify the DHGEX class to leverage that
code if a boolean property is set on the ServerFactoryManager.
Something like MODULI_CHECK_FINGERPRINT and also a MODULI_FINGERPRINT_SALT
and MODULI_FINGERPRINT_URL maybe.
If the first one is true, then use the code you pasted below to actually
verify the fingerprints, else simply ignore it.

If you're willing to work on that, please create a JIRA issue.

2014-10-15 16:53 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:

> Hello,
>
> My plan would be not to change Mina SSHD existing classes, but give
> people using Mina SSHD a new class to use fingerprints if needed.
>
>
>
> It could be used e.g.:
>
> In org.apache.sshd.server.kex.DHGEX:
>
> private DH chooseDH(int min, int prf, int max) throws Exception {
>         ModuliFingerprint mf = new ModuliFingerprint();
>         mf.setSalt(.....);
>
>         try {
>             mf.checkModuliFingerprint(MODULI_FILE, MODULI_FINGERPRINT);
>         } catch (Exception e) {
>             throw e;
>         }
> ......
>
> Here if moduli was tampered, fingerprints do not match and exception
> is generated. SSHD is not started.
>
> Earlier you need to generate fingerprint for the existing moduli file
> using createModuliFingerprint() method.
>
>
> I didn't want to update Mina SSHD existing classes because everyone
> who wants to use fingerprints needs to generate its own secret salt
> using setSalt() method as in the example above. It has to be secret,
> so I did not want to force existing SSHD classes to use fingerprints.
>
> Please let me know your opinion.
>
> Regards,
>
> Pawel
>
>
>
> 2014-10-13 17:52 GMT+02:00 Guillaume Nodet <gn...@apache.org>:
> > How do you plan to change sshd to use this class?
> >
> > 2014-10-13 17:07 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
> >
> >> Hello,
> >>
> >> Please find attached proposal of moduli fingerprint functionality.
> >>
> >> Please let me know if you have any comments and if you plan to add this
> >> functionality to Apache Mina SSHD.
> >>
> >> Regards,
> >>
> >> Pawel
> >>
> >>
> >> 2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
> >> > Hello,
> >> >
> >> > I have 3 issues I would like to discuss.
> >> >
> >> > 1. Handling error scenarios if Prime cannot be found.
> >> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> >> > cannot be found.
> >> >
> >> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> >> > Group14 (embedded within the Code) if Prime cannot be found, either due to
> >> > MODULI File Access Errors or Prime Not Found in the File, is the typical
> >> > approach of most SSH Server Implementations.
> >> > OpenSSH follows this paradigm. Also it would help in communications
> >> > robustness.
> >> > It would be also nice to have a log event when the fallback happens.
> >> > Do you agree that this is an issue? When could it be implemented?
> >> >
> >> > 2. Moduli file integrity handling.
> >> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> >> > contents, store it somewhere and add validation of moduli file using the
> >> > fingerprint.
> >> > This way we can deal with unauthorized tampering of moduli file. It is
> >> > a potential security issue.
> >> >
> >> > 3. Moduli file generator
> >> > Is there a roadmap to add a moduli generator so that there’s full support
> >> > e.g. Primes could be regenerated also when moduli file is corrupted.
> >> >
> >> >
> >> > Regards,
> >> >
> >> > Pawel
> >>
>

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Posted by Pawel Sm7 <pa...@gmail.com>.
Hello,

My plan would be not to change Mina SSHD existing classes, but give
people using Mina SSHD a new class to use fingerprints if needed.



It could be used e.g.:

In org.apache.sshd.server.kex.DHGEX:

private DH chooseDH(int min, int prf, int max) throws Exception {
        ModuliFingerprint mf = new ModuliFingerprint();
        mf.setSalt(.....);

        try {
            mf.checkModuliFingerprint(MODULI_FILE, MODULI_FINGERPRINT);
        } catch (Exception e) {
            throw e;
        }
......

Here if moduli was tampered, fingerprints do not match and exception
is generated. SSHD is not started.

Earlier you need to generate fingerprint for the existing moduli file
using createModuliFingerprint() method.


I didn't want to update Mina SSHD existing classes because everyone
who wants to use fingerprints needs to generate its own secret salt
using setSalt() method as in the example above. It has to be secret,
so I did not want to force existing SSHD classes to use fingerprints.

Please let me know your opinion.

Regards,

Pawel



2014-10-13 17:52 GMT+02:00 Guillaume Nodet <gn...@apache.org>:
> How do you plan to change sshd to use this class?
>
> 2014-10-13 17:07 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
>
>> Hello,
>>
>> Please find attached proposal of moduli fingerprint functionality.
>>
>> Please let me know if you have any comments and if you plan to add this
>> functionality to Apache Mina SSHD.
>>
>> Regards,
>>
>> Pawel
>>
>>
>> 2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
>> > Hello,
>> >
>> > I have 3 issues I would like to discuss.
>> >
>> > 1. Handling error scenarios if Prime cannot be found.
>> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
>> > cannot be found.
>> >
>> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
>> > Group14 (embedded within the Code) if Prime cannot be found, either due to
>> > MODULI File Access Errors or Prime Not Found in the File, is the typical
>> > approach of most SSH Server Implementations.
>> > OpenSSH follows this paradigm. Also it would help in communications
>> > robustness.
>> > It would be also nice to have a log event when the fallback happens.
>> > Do you agree that this is an issue? When could it be implemented?
>> >
>> > 2. Moduli file integrity handling.
>> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
>> > contents, store it somewhere and add validation of moduli file using the
>> > fingerprint.
>> > This way we can deal with unauthorized tampering of moduli file. It is
>> > a potential security issue.
>> >
>> > 3. Moduli file generator
>> > Is there a roadmap to add a moduli generator so that there’s full support
>> > for group exchange generation and usage within Mina?
>> > e.g. Primes could be regenerated also when moduli file is corrupted.
>> >
>> >
>> > Regards,
>> >
>> > Pawel
>>
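
A keyed fingerprint check of the kind discussed in this message, as an added example; it is not the attached ModuliFingerprint class, which does not appear in the thread. It uses HMAC-SHA256 with the secret as the key in place of a salted SHA-256 digest, because a plain hash of secret plus contents can be extended by someone who knows only the fingerprint and the file. The method names, the secret and the moduli line are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Requires Java 17+ (HexFormat).
public class ModuliFingerprintDemo {

    /** Keyed fingerprint of the moduli bytes: HMAC-SHA256(secret, contents) as hex. */
    static String create(byte[] moduli, byte[] secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return HexFormat.of().formatHex(mac.doFinal(moduli));
    }

    /** Throws SecurityException if the contents do not match the stored fingerprint. */
    static void check(byte[] moduli, byte[] secret, String expectedHex)
            throws GeneralSecurityException {
        byte[] expected = HexFormat.of().parseHex(expectedHex);
        byte[] actual = HexFormat.of().parseHex(create(moduli, secret));
        // MessageDigest.isEqual compares without leaking the mismatch position.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new SecurityException("moduli fingerprint mismatch, refusing to use file");
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        // Constructed line in moduli layout (time type tests trials size generator
        // modulus); the modulus is a placeholder, not a real prime.
        String line = "20140101000000 2 6 100 2047 2 C0FFEE0123456789\n";
        String fp = create(line.getBytes(StandardCharsets.UTF_8), secret);

        check(line.getBytes(StandardCharsets.UTF_8), secret, fp);
        System.out.println("unchanged file accepted");

        // Simulated tampering: the generator field is changed from 2 to 5.
        String tampered = line.replace(" 2047 2 ", " 2047 5 ");
        try {
            check(tampered.getBytes(StandardCharsets.UTF_8), secret, fp);
        } catch (SecurityException e) {
            System.out.println("tampered file rejected: " + e.getMessage());
        }
    }
}
```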

Re: fallback to weaker DH algorithms, moduli file integrity and generating

Posted by Guillaume Nodet <gn...@apache.org>.
How do you plan to change sshd to use this class?

2014-10-13 17:07 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:

> Hello,
>
> Please find attached proposal of moduli fingerprint functionality.
>
> Please let me know if you have any comments and if you plan to add this
> functionality to Apache Mina SSHD.
>
> Regards,
>
> Pawel
>
>
> 2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pa...@gmail.com>:
> > Hello,
> >
> > I have 3 issues I would like to discuss.
> >
> > 1. Handling error scenarios if Prime cannot be found.
> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> > cannot be found.
> >
> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> > Group14 (embedded within the Code) if Prime cannot be found, either due to
> > MODULI File Access Errors or Prime Not Found in the File, is the typical
> > approach of most SSH Server Implementations.
> > OpenSSH follows this paradigm. Also it would help in communications
> > robustness.
> > It would be also nice to have a log event when the fallback happens.
> > Do you agree that this is an issue? When could it be implemented?
> >
> > 2. Moduli file integrity handling.
> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> > contents, store it somewhere and add validation of moduli file using the
> > fingerprint.
> > This way we can deal with unauthorized tampering of moduli file. It is
> > a potential security issue.
> >
> > 3. Moduli file generator
> > Is there a roadmap to add a moduli generator so that there’s full support
> > for group exchange generation and usage within Mina?
> > e.g. Primes could be regenerated also when moduli file is corrupted.
> >
> >
> > Regards,
> >
> > Pawel
>