RFC5114 DHE modp groups

RFC5114 DHE modp groups

Eckenfels. Bernd

Hello,

Because RFC 5114 was confusing me a bit with the use of DSA-like generators for TLS, I was searching around and found the following blog post, which I can kind of agree with:

http://blog.intothesymmetry.com/2016/01/what-heck-is-rfc-5114.html

Especially, it mentions that BCTLS uses the RFC group. I wonder if it would be better to go to the ffdhe2048 or some other (more NUMS) groups. Do you have any ideas on this?

Greetings

Bernd

--

Chief Architect (R&D), SEEBURGER AG, Germany
http://www.seeburger.com

SEEBURGER AG
Sitz der Gesellschaft/Registered Office:
Edisonstr. 1
D-75015 Bretten
Tel.: 07252 / 96 - 0
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de
e-mail: [hidden email]

Vorstand/SEEBURGER Executive Board: Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board: Prof. Dr. Simone Zeuchner
Registergericht/Commercial Register: HRB 240708 Mannheim


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Re: RFC5114 DHE modp groups

David Hook

I suspect we're likely to migrate to the use of RFC 7919 (Peter D. might have an opinion on this as well though!).

There have been some concerns expressed that ffdhe2048 is not really secure enough anymore, and that ffdhe3072 is the smallest that should be used. This is also worth considering if you are deciding on a group.

Regards,

David

On 14/10/16 23:01, Eckenfels. Bernd wrote:


Re: RFC5114 DHE modp groups

Peter Dettman-3
Yes, we should be finishing off RFC 7919 soon (we implemented a very
early draft at one point).

For anyone curious as to what use we make of RFC 5114:

1) org.bouncycastle.crypto.agreement.DHStandardGroups just defines
DHParameters corresponding to the RFC 5114 groups (also RFCs
2409/4306/5996, and 3526).

2) org.bouncycastle.crypto.tls.DefaultTlsServer (likewise PSKTlsServer)
defines a getDHParameters() method for returning the DHParameters the
server will use. It currently returns rfc5114_2048_256, but simply override
the method to supply different DHParameters.

Current TLS code accepts any group of at least 1024 bits (override by
subclassing the key exchange class). There are some improvements in the
works for TLS which include hooks for client-side validation of
server-selected DH groups similar to the current TlsSRPGroupVerifier.
The default implementation of this will accept any group from
DHStandardGroups of at least 1024 bits, but you will be able to easily
override the set of acceptable groups (and the minimum size of course).

Regards,
Pete Dettman


On 15/10/2016 12:13 PM, David Hook wrote:

RE: RFC5114 DHE modp groups

Eckenfels. Bernd
In reply to this post by David Hook
Hello, thanks David and Peter,

There is an update to the blog post I mentioned:

      http://blog.intothesymmetry.com/2016/10/the-rfc-5114-saga.html

and also a good analysis in the paper:

      "Measuring small subgroup attacks against Diffie-Hellman". https://eprint.iacr.org/2016/995.pdf

So, maybe the default use in TlsServer should really be reconsidered.

BTW: not sure if the world is ready to go to a 3k default; that would break Java <=8 clients, so for a default I would stick with ffdhe2048 or IKE group 14 (rfc3526).


From: David Hook [mailto:[hidden email]]
Sent: Saturday, October 15, 2016 6:13 AM
To: [hidden email]
Subject: Re: [dev-crypto] RFC5114 DHE modp groups


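As an added illustration of the small-subgroup point in the paper cited above (example code written for this page, not Bouncy Castle's, using constructed toy parameters rather than RFC-sized ones): a DSA-style group, where the agreed generator's order q is far below (p-1)/2, needs an explicit y^q check on a peer's public value, whereas a safe-prime group such as those in RFC 3526 leaves nothing small for a plain range check to miss.

```python
from typing import Set


def element_order(y: int, p: int) -> int:
    """Multiplicative order of y mod p by brute force (toy-sized p only)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def range_check(y: int, p: int) -> bool:
    """The bare check a TLS peer historically applied to a DH public value."""
    return 1 < y < p - 1


def subgroup_check(y: int, p: int, q: int) -> bool:
    """Full check for a prime-order-q subgroup: range check plus y^q == 1 (mod p).
    This is the extra step DSA-style groups like RFC 5114's require."""
    return range_check(y, p) and pow(y, q, p) == 1


def element_of_order(p: int, d: int) -> int:
    """Some element of exact order d in Z_p^* (d a prime dividing p-1)."""
    for h in range(2, p):
        g = pow(h, (p - 1) // d, p)
        if g != 1 and element_order(g, p) == d:
            return g
    raise ValueError("no element of that order")


def orders_surviving_range_check(p: int) -> Set[int]:
    """Every subgroup order a peer could pick that still passes range_check."""
    return {element_order(y, p) for y in range(2, p - 1)}


# Constructed toy parameters (assumptions for this example, not RFC values):
# DSA-like: p-1 = 2*3*5*7, the generator has order q = 7, and the cofactor
# (p-1)/q = 30 carries several small subgroups a range check cannot see.
P_DSA_LIKE, Q_DSA_LIKE = 211, 7
# Safe prime: p = 2q+1, so the only subgroup orders are 1, 2, q and 2q.
P_SAFE, Q_SAFE = 23, 11

if __name__ == "__main__":
    bad = element_of_order(P_DSA_LIKE, 3)               # sits in an order-3 subgroup
    print(range_check(bad, P_DSA_LIKE))                 # True: range check accepts it
    print(subgroup_check(bad, P_DSA_LIKE, Q_DSA_LIKE))  # False: y^q check rejects it
    print(sorted(orders_surviving_range_check(P_SAFE))) # [11, 22]: nothing small survives
```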

Re: RFC5114 DHE modp groups

Peter Dettman-3
Hi Bernd,
FYI, we've now switched the default TLS server DH group to the 2048-bit
group from RFC 3526, and deprecated the RFC5114 group parameters
(they'll be removed after the next release).

Pete.


On 21/10/2016 6:41 PM, Eckenfels. Bernd wrote:
