issues with DHE group parameter selection (PFS is not yet a panacea)

Posted Nov 7, 2013 7:57 UTC (Thu) by Fowl (subscriber, #65667)
In reply to: issues with DHE group parameter selection (PFS is not yet a panacea) by dkg
Parent article: Let's talk about perfect forward secrecy

At least, Firefox refuses to connect, with no (obvious) way of overriding. It uses NSS as do many other apps, so I hope that's baked in there.

> SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
> (Error code: ssl_error_weak_server_ephemeral_dh_key)

issues with DHE group parameter selection (PFS is not yet a panacea)

Posted Nov 7, 2013 8:43 UTC (Thu) by dkg (subscriber, #55359) [Link] (2 responses)

Yep. I'm glad that NSS doesn't fail open at 16-bit DH group :)

But NSS does fail open at a 512-bit DH group (that's where the ssl_error_weak_server_ephemeral_dh_key cutoff appears to be from brief testing). A DH group of 512 bits is considered roughly equivalent in strength to a 512-bit RSA key. For comparison, RSA-155 (an example 512-bit composite generated in 1991) was factored in 1999, and it seems likely that powerful adversaries today have a wee bit more computational capacity (moore's law suggests that there have been roughly 9 doublings of compute power since 1999, and the NSA is probably proportionally better equipped today than Herman te Riele was then, even after "adjusting for inflation"). If you're worried about the NSA, it seems likely that they have the capability to break any given 512-bit DLP secret key in a short period of time if they decide to throw some hardware and electricity at it.

Since we're talking about PFS, successful cracking only gains the attacker access to a single session, and not to an entire archive of cracked traffic; but if that particular session is considered valuable or interesting, and the DHE group used was 512 bits, the session's confidentiality is probably not going to resist a determined attacker for long.

issues with DHE group parameter selection (PFS is not yet a panacea)

Posted Nov 7, 2013 22:20 UTC (Thu) by dkg (subscriber, #55359) [Link]

In addition to the aforementioned 16-bit DH group offered by https://demo.cmrg.net/, I've now configured https://demo.cmrg.net:4433/ to offer a 504-bit DH group. It looks to me like NSS will happily connect to it, with no indication to the user that their expectations of confidentiality are likely to be unmet for this session if an adversary is logging it and wants to bother finding the discrete log of either side's public key.

NSS rejects a 503-bit DH group, though, probably because it is testing the number of bytes used to store P, and 504 "rounds up" to 512.

issues with DHE group parameter selection (PFS is not yet a panacea)

Posted Nov 8, 2013 11:52 UTC (Fri) by Jonno (subscriber, #49613) [Link]

It seems to me that if 768 bits is the lowest size commonly used, that should be the cut off for trusted communication, and sites using a smaller DHE group should be treated the same way as those presenting an invalid certificate (as in both cases you got something that isn't worse than plain HTTP, but not as secure as you would expect from HTTPS).

That said, I think it makes sense to require 2048 bit DHE groups for the green bar (EV Certificates), as those are supposed to be more trustworthy than regular HTTPS sites, and has a graceful fallback (regular HTTPS with padlock icon but no green bar).