On Wed, May 20, 2015 at 11:55:42PM +0200, L.R. D.S. wrote:
> Anyone write today on @misc and @tech about this, so I'll ask just to make sure:
> is OpenIKED and/or OpenSMTPD vulnerable to this new "Logjam Attack"?
> This vulnerability allow "a man-in-the-middle attacker to downgrade vulnerable TLS
> connections to 512-bit export-grade cryptography" and "[Since] Millions of HTTPS,
> SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange"
> "[using it] an attacker can quickly break individual connections" [...] "attacks on
> VPNs are consistent with having achieved such a break."[1]. They have a proof of
> concept[2] and a research paper[3].
> 

As far as OpenSMTPD is concerned:

"The attack affects any server that supports DHE_EXPORT ciphers,
 and affects all modern web browsers." (from weakdh.org)

The default cipher-suite is "HIGH:!aNULL:!MD5" which doesn't support any
DHE_EXPORT cipher (obvious but verified with both LibreSSL and OpenSSL):

    $ openssl ciphers HIGH:!aNULL:!MD5|grep EXPORT
    $


"Millions of HTTPS, SSH, and VPN servers all use the same prime numbers
 for Diffie-Hellman key exchange. [...]"

Yes, there is a very popular set of 512-bits DH parameters that everyone
uses because it was considered safe to share the params if generated the
right way. It is part of tons of examples, documented as "safe to reuse"
and it ended pretty much everywhere (openssl s_server to name one).

We have switched to 1024-bits DH parameters 4 years ago:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c.diff?r1=1.31&r2=1.32&f=h

The DH parameters were generated by myself on a safe machine, so there's
very very low chances "millions of servers" are sharing the same ones ;)

The article suggests that 1024-bits DH isn't enough and that you need it
to be at least 2048-bits, however before we bump this default, we need a
fair amount of testing: last time I tried, it broke A LOT of exchanges.

Discussions will take place with regard to what we'll do anyway...


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
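
An added example, not part of the original message and not OpenSMTPD code: a small auditor that reads a PEM "DH PARAMETERS" block, decodes the PKCS#3 structure and reports the prime size against the two thresholds discussed above (512-bit export-grade, and the 2048-bit floor the article suggests). All function names are hypothetical, and the sample parameters are constructed values with the right bit length, not real primes.

```python
import base64
import re

def _der_len(n):
    # DER length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    # Positive INTEGER; "+ 8" adds the leading 0x00 DER needs when the top bit is set
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(p, g=2):
    # Constructed sample input: PKCS#3 DHParameter, SEQUENCE { INTEGER p, INTEGER g }
    seq = _der_int(p) + _der_int(g)
    b64 = base64.encodebytes(b"\x30" + _der_len(len(seq)) + seq).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos, tag):
    # Return (value, next offset) for one DER element, rejecting malformed input
    if len(buf) < pos + 2 or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq, _ = _read_tlv(base64.b64decode(m.group(1)), 0, 0x30)
    prime, _ = _read_tlv(seq, 0, 0x02)
    return int.from_bytes(prime, "big").bit_length()

def classify(bits):
    # 512 is the export-grade size Logjam downgrades to; 2048 is the floor the article suggests
    if bits <= 512:
        return "export-grade"
    return "below-2048" if bits < 2048 else "ok"

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        pem = make_dh_pem((1 << (bits - 1)) | 1)  # constructed value, not a real prime
        print(bits, dh_prime_bits(pem), classify(dh_prime_bits(pem)))
```

To audit a real file, pass its contents to `dh_prime_bits()`; only the size of the prime is checked here, not its primality or structure.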
