Hi Emmanuel,

On Thu, Jun 04, 2015 at 05:07:42PM +0200, Emmanuel Thomé wrote:
> Hi,
>
> I heard that following logjam (which I'm a coauthor of), haproxy has
> changed its default set of primes.
>
> That's a good start. However you give no information as to *how* you
> generated the primes (correct me if I'm mistaken -- I just didn't see
> such a thing in the commit log, but haven't searched further). This is a
> problem. The recommended practice is to generate primes in a reproducible
> fashion.

I simply used "openssl dhparam <size>" as suggested, and am trusting
openssl to provide something reasonably safe since this is how every
user builds their own dhparam when they don't want to use the initial
one.

> Example 1: the Oakley primes are generated as follows (IIRC -- I haven't
> checked back): p = 2^768-2^704 + 2^64-1 + 2^702*(floor(pi)+i) is a safe
> prime, with i smallest such that this holds (safe prime means (p-1)/2
> prime too).
>
> Fictitious example 2 to generate a 1024-bit prime: take an integer seed
> i, and concatenate SHA256(i)||SHA256(i+1)||SHA256(i+2)||SHA256(i+3) such
> that the 1024-bit concatenation is a safe prime (e.g. pick smallest such
> i).

I have no idea how openssl does it internally, I'm not a cryptanalyst,
just a user and I have to trust openssl not to fail on me.

> There's also a prime generation process in FIPS 186-3.
>
> Why does this matter? Because the cost of attacking DLP mod p is not
> uniform across all primes p (even safe primes). There's a class of
> "special primes" for which the attack is easier. Easy-to-spot primes in
> this class are those of the form 2^n-c for instance. But the class,
> despite being completely negligible in weight, is somewhat broader. There
> is a way to generate a prime within this class (and know the trapdoor --
> in fact you generate the trapdoor first), without someone being
> able to see the quirk (even significant computing power would not detect
> it).

Isn't this the reason it takes ages for openssl to emit one set?

> Now you say: "this bitstring is random, and it is prime".

Oh no, I'm not saying this at all, and I even have no way to verify
this. I'm just applying the method that is recommended for such a use
and that people who understand this area consider safe for use.

> Should I trust you?

Absolutely not.

That question was brought up before the dhparams were generated and the
basic idea was that if people trust me for the code I merge, they don't
take extra risks for a "random" present in the code. I mean if I have
bad intent and am skilled enough to craft a special one, I can as well
be smart enough to insert subtle bugs in the code that will have the
same effect.

> You should first convince me that it is really an innocent
> bitstring.

No, that's much better, you can simply force yours in each of your
certs, that's what a number of people do and what they did when oakley2
was announced as unsafe. In short instead of having a choice between
something known broken and doing yours, now you have the choice between
something you don't know whether it's broken or not and yours. If you
trust me not to cheat on you, you can use the new one. If you don't
trust me (and you probably shouldn't since we don't know each other),
you'd rather build yours.

> A paranoid user would believe that it has been generated by
> (say) NSA, which convinced you to claim that it's random material

Yes but such paranoid users also accuse everyone of much funnier things
so I don't care much about what they believe.

> -- the secret goal being to foster the use of weak primes.

The goal is to avoid using weak primes and at the same time not to
incite clueless users (like me) to deploy them once then forget them
even when they're cracked. Advanced users will generate theirs and will
care about them because they follow such news. Mind you that if we
hadn't had oakley in haproxy, I wouldn't have heard about logjam and
would never have even known that any of my certs was relying on it, so
I would still be using it years after the disclosure of its weakness.

My take here is that if haproxy (as a community project) can help *me*
stay safe enough, it surely can help other users like me.

Best regards,
Willy
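The "fictitious example 2" quoted in the exchange above, expanding an integer seed i into SHA256(i)||SHA256(i+1)||... and taking the smallest i whose expansion is a safe prime, is the kind of reproducible generation Emmanuel asks for, and its value is that anyone can re-run it. The script below is an added illustration written for this page; it is not code from either mail, from haproxy, nor from OpenSSL's dhparam, and it makes a few assumptions the mail leaves open: each counter value is hashed as an 8-byte big-endian integer, the top bit is forced so the candidate has exactly the requested width, the two low bits are forced to 1 so p = 3 (mod 4) (a necessary condition for (p-1)/2 to be odd), and Miller-Rabin with random bases is used as the primality test. It generalizes the 1024-bit, four-block example to any width (the default of 256 bits keeps the run to seconds in pure Python; a 1024-bit search takes far longer). `verify_derivation` is the part a recipient would run: it recomputes p from the published seed and also confirms that no earlier seed already gave a safe prime, because silently skipping candidates is exactly the freedom someone planting a trapdoor prime would need.

```python
import hashlib
import secrets

# 2 plus the odd primes below 2000, for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [2] + [n for n in range(3, 2000, 2)
                      if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division, then Miller-Rabin with random bases.

    A composite survives all rounds with probability at most 4**-rounds.
    """
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Here n > 2000 with no factor below 2000. Write n - 1 = 2^r * d, d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p-1)/2 are prime."""
    if p < 5 or p % 2 == 0:
        return False
    q = (p - 1) // 2
    return is_probable_prime(q) and is_probable_prime(p)


def derive_candidate(seed: int, nbits: int) -> int:
    """Expand seed into an nbits-wide integer: SHA256(seed)||SHA256(seed+1)||...

    Assumptions not fixed by the mail: the counter is hashed as an 8-byte
    big-endian integer; the top bit is forced (exact width) and the low two
    bits are forced to 1 (p = 3 mod 4, so (p-1)/2 can be odd).
    """
    blocks = (nbits + 255) // 256
    stream = b"".join(hashlib.sha256((seed + k).to_bytes(8, "big")).digest()
                      for k in range(blocks))
    x = int.from_bytes(stream, "big") >> (blocks * 256 - nbits)
    return x | (1 << (nbits - 1)) | 3


def generate_safe_prime(nbits: int, start: int = 0, max_tries: int = 1_000_000):
    """Return (p, i): the smallest seed i >= start whose expansion is a safe prime."""
    for i in range(start, start + max_tries):
        p = derive_candidate(i, nbits)
        if is_safe_prime(p):
            return p, i
    raise RuntimeError("no safe prime found in the search window")


def verify_derivation(p: int, seed: int, nbits: int, start: int = 0) -> bool:
    """Recipient-side check of a published (p, seed) pair.

    p must be the expansion of `seed`, must be a safe prime, and no seed in
    [start, seed) may already yield a safe prime; otherwise the publisher
    skipped candidates, and "smallest i" was not actually followed.
    """
    if derive_candidate(seed, nbits) != p or not is_safe_prime(p):
        return False
    return all(not is_safe_prime(derive_candidate(i, nbits))
               for i in range(start, seed))


if __name__ == "__main__":
    width = 256                               # constructed demo size, not a DH recommendation
    p, i = generate_safe_prime(width)
    print(f"seed {i}: p = {p:#x}")
    print("independent re-derivation:", verify_derivation(p, i, width))
```

Publishing (nbits, seed, encoding rule) alongside the prime turns "trust me, it's random" into "run this and see for yourself", which is the difference between the two positions in the thread: the prime's quality still depends on the procedure, but at least the procedure leaves no room for an unexplained choice of bitstring.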