[openssl-dev] Weak DH and the Logjam

mancha mancha1 at zoho.com
Thu May 21 03:29:23 UTC 2015


On Wed, May 20, 2015 at 11:31:00PM +0200, Kurt Roeckx wrote:
> On Wed, May 20, 2015 at 08:58:54PM +0000, mancha wrote:
> > On Wed, May 20, 2015 at 07:17:43PM +0200, Kurt Roeckx wrote:
> > > On Wed, May 20, 2015 at 07:11:42AM +0000, mancha wrote:
> > > > Hello.
> > > > 
> > > > Given Adrien et al.'s recent paper [1] together with their
> > > > proof-of-concept attacks against 512-bit DH groups [2], it might
> > > > be a good time to resurrect a discussion Daniel Kahn Gillmor has
> > > > started here in the past.
> > > 
> > > Please see
> > > http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
> > > 
> > > 
> > > Kurt
> > 
> > Hi Kurt. Thanks for the link and congrats to EK for a well-written
> > blog.
> > 
> > A few questions...
> > 
> > 1. On ECC:
> > 
> > Did I correctly understand that starting with 1.0.2b, OpenSSL
> > clients will only include secp256r1, secp384r1, and secp521r1 on the
> > prime side and sect283k1, sect283r1, sect409k1, sect409r1,
> > sect571k1, sect571r1 on the binary side in supported elliptic curves
> > extensions?
> 
> It also has the 3 brainpool curves and secp256k1.

Yep, forgot about the addition of brainpool curves in 1.0.2.

> > Will OpenSSL consider making this change in 1.0.1 as well?
> 
> 1.0.1 doesn't support the auto ecdh, so we at least can't do exactly
> the same there.  But maybe we should also update the default used by
> the client?

The following pull request for 1.0.1-stable removes elliptic curves that
provide less than the equivalent of 128 bits of symmetric key security
from the list clients announce via supported elliptic curves extensions.  

  https://github.com/openssl/openssl/pull/288

--mancha
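
The selection rule discussed in this message (clients announce only curves offering at least the equivalent of 128 bits of symmetric security), as an added example that is not part of the original post or of OpenSSL's code. It parses a supported elliptic curves extension body in the RFC 4492 layout and splits the announced curves by that threshold. The function names, the half-the-field-size strength estimate and the sample bytes are assumptions made for illustration.

```python
import re
import struct

# NamedCurve code points 1-25 (RFC 4492) and 26-28 (RFC 7027), in order.
NAMED_CURVES = dict(enumerate((
    "sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 "
    "sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 "
    "secp160k1 secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 secp224r1 "
    "secp256k1 secp256r1 secp384r1 secp521r1 "
    "brainpoolP256r1 brainpoolP384r1 brainpoolP512r1").split(), start=1))


def strength_bits(name):
    # Assumption: strength is about half the field size embedded in the name.
    return int(re.search(r"\d+", name).group()) // 2


def parse_curve_list(ext_body):
    """Extension body: uint16 list length in bytes, then uint16 curve IDs."""
    if len(ext_body) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack_from("!H", ext_body, 0)
    if length % 2 or length != len(ext_body) - 2:
        raise ValueError("bad curve list length")
    return list(struct.unpack_from("!%dH" % (length // 2), ext_body, 2))


def audit(ext_body, minimum=128):
    """Return (kept, weak, unknown) for the curves a client announces."""
    kept, weak, unknown = [], [], []
    for curve_id in parse_curve_list(ext_body):
        name = NAMED_CURVES.get(curve_id)
        if name is None:
            unknown.append(curve_id)   # e.g. explicit-parameter code points
        elif strength_bits(name) >= minimum:
            kept.append(name)
        else:
            weak.append(name)
    return kept, weak, unknown


# Constructed sample: secp256r1, secp224r1, secp192r1, sect283k1, sect233k1,
# brainpoolP256r1 and 0xFF01 (arbitrary_explicit_prime_curves).
SAMPLE = struct.pack("!H7H", 14, 23, 21, 19, 9, 6, 26, 0xFF01)

if __name__ == "__main__":
    for label, group in zip(("kept", "weak", "unknown"), audit(SAMPLE)):
        print(label, group)
```

Applied to the whole table, the same threshold keeps the 13 curves named in the thread: the three NIST prime curves, the six binary curves from sect283k1 upward, the three brainpool curves and secp256k1.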