Re: Why is the default DH keysize only 512 bits?

2006-09-29 Thread Alan DeKok
Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
> So, if dh_key_length is being ignored, how is the DH key size
> determined? By the DH parameter file?

  Apparently.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Why is the default DH keysize only 512 bits?

2006-09-29 Thread Jason Wittlin-Cohen
Alan DeKok wrote:
> Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
> > I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
>
>   If you're talking about the key length in the EAP-TLS module, it
> looks like those aren't being used for anything.  See the source.
>
>   It does look like the EAP-TLS code is setting a 512-bit ephemeral
> RSA key, but my reading of the OpenSSL docs indicates it won't be
> used, because SSL_OP_EPHEMERAL_RSA isn't being set.  So that code
> could be deleted entirely.
>
> > I originally thought that the DH
> > keysize would be determined by the DH parameter file and only realized
> > that it was still using 512 bit keys when I ran freeradius in debug
> > mode.
>
>   Which prints out configuration entries that aren't being used.
>
> $ cd src/modules/rlm_eap
> $ grep -r key_length .
> ./libeap/mppe_keys.c:	PRF(s->session->master_key, s->session->master_key_length,
> ./libeap/mppe_keys.c:	PRF(s->session->master_key, s->session->master_key_length,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	{ "rsa_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	  offsetof(EAP_TLS_CONF, rsa_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.c:	{ "dh_key_length", PW_TYPE_INTEGER,
> ./types/rlm_eap_tls/rlm_eap_tls.c:	  offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
> ./types/rlm_eap_tls/rlm_eap_tls.h:	int		rsa_key_length;
> ./types/rlm_eap_tls/rlm_eap_tls.h:	int		dh_key_length;
>
>   See?  They're config options that aren't used.  They should be deleted.

So, if dh_key_length is being ignored, how is the DH key size
determined? By the DH parameter file?

Jason


Re: Why is the default DH keysize only 512 bits?

2006-09-28 Thread Alan DeKok
Jason Wittlin-Cohen <[EMAIL PROTECTED]> wrote:
> I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.

  If you're talking about the key length in the EAP-TLS module, it
looks like those aren't being used for anything.  See the source.

  It does look like the EAP-TLS code is setting a 512-bit ephemeral
RSA key, but my reading of the OpenSSL docs indicates it won't be
used, because SSL_OP_EPHEMERAL_RSA isn't being set.  So that code
could be deleted entirely.

> I originally thought that the DH
> keysize would be determined by the DH parameter file and only realized
> that it was still using 512 bit keys when I ran freeradius in debug
> mode.

  Which prints out configuration entries that aren't being used.

$ cd src/modules/rlm_eap
$ grep -r key_length .
./libeap/mppe_keys.c:   PRF(s->session->master_key, 
s->session->master_key_length,
./libeap/mppe_keys.c:   PRF(s->session->master_key, 
s->session->master_key_length,
./types/rlm_eap_tls/rlm_eap_tls.c:  { "rsa_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:offsetof(EAP_TLS_CONF, 
rsa_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.c:  { "dh_key_length", PW_TYPE_INTEGER,
./types/rlm_eap_tls/rlm_eap_tls.c:offsetof(EAP_TLS_CONF, 
dh_key_length), NULL, "512" },
./types/rlm_eap_tls/rlm_eap_tls.h:  int rsa_key_length;
./types/rlm_eap_tls/rlm_eap_tls.h:  int dh_key_length;

  See?  They're config options that aren't used.  They should be deleted.

> Also, it might be a good idea to put a comment in the TLS cipher suite
> comment section that the Microsoft Windows supplicant in Windows XP SP2
> uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5).

  OK... the "cipher_list" configuration entry can be edited to force
particular methods, if you so desire.

> OpenSSL's 'HIGH' setting is probably the best for a Windows XP user
> as it uses EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA),
> so SHA1 is used for integrity, and DH is used for key exchange.

  OK.  That's good to note in the comments.

> Windows XP SP2 and earlier versions of Windows do not support AES
> for use in any of the EAP modes. Apparently, if you want to use AES
> you need to upgrade to Vista (See Security in Vista

  OK...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Why is the default DH keysize only 512 bits?

2006-09-28 Thread Jason Wittlin-Cohen

I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
As DH keys have approximately the same strength as RSA keys, and 512
bit RSA keys have already been broken, wouldn't it be advisable to use
at least 1024 bit DH keys as the minimum size? 1024 bits is currently
the minimum recommended size for a DSA/RSA certificate. It might also
be a good idea to include the option commented out in eap.conf so users
know that it's something they can change. I originally thought that the
DH keysize would be determined by the DH parameter file and only
realized that it was still using 512 bit keys when I ran freeradius in
debug mode. As far as performance goes, I've tested with 2048 bit and
3072 bit DH keys with no performance degradation. Authentication occurs
in 1-2 seconds using the Funk Odyssey client on Windows XP SP2 with
3072 bit RSA certificates and 3072 bit DH key exchange.

Also, it might be a good idea to put a comment in the TLS cipher suite
comment section that the Microsoft Windows supplicant in Windows XP SP2
uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5).  First,  MD5 is
deprecated and weak.  SHA-1 should be used in its place. Secondly, DH
is preferable to RSA for key exchange because it provides perfect
forward secrecy. If RSA is used for encryption, a compromise of the
client private key would allow an attacker to gain access to the master
keys used to encrypt all prior wireless sessions whereas fresh DH keys
are produced on each authentication and deleted after use. OpenSSL's
'HIGH' setting is probably the best for a Windows XP user as it uses
EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), so SHA1 is
used for integrity, and DH is used for key exchange. Windows XP SP2 and
earlier versions of Windows do not support AES for use in any of the
EAP modes. Apparently, if you want to use AES you need to upgrade to
Vista (See Security
in Vista) or use a 3rd party supplicant like the Funk Odyssey
Client which I use (uses TLS_DH_RSA_WITH_AES_256_CBC_SHA with default
Freeradius setup). 

Jason Wittlin-Cohen