[openssl-users] Vulnerability >> logjam << downgrades TLS connections to 512 Bit

Jakob Bohm jb-openssl at wisemo.com
Fri May 22 05:55:45 UTC 2015

On 22/05/2015 07:18, Jeffrey Walton wrote:
> On Fri, May 22, 2015 at 12:51 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> On 22/05/2015 03:57, Jeffrey Walton wrote:
>>>> As an additional change for 1.0.2c or later (no need to
>>>> delay the urgent fix), maybe adjust internal operations
>>>> to discourage use of hardcoded DH groups for TLS DH (but
>>>> NOT for generic DH-like operations such as openssl-based
>>>> implementations of SRP).
>>> That's going to be tough because standards groups like the TLS WG are
>>> actively promoting fully specified, named parameters and curves.
>>> See, for example, "Negotiated Finite Field Diffie-Hellman Ephemeral
>>> Parameters for TLS",
>>> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-09; and
>>> the discussion of magic primes at "Re: [TLS] Another IRINA bug in
>>> TLS", https://www.ietf.org/mail-archive/web/tls/current/msg16417.html.
>>> (The thread is due to the recent attacks on DH).
>> The latter thread contains posts from respected experts
>> asking not to use fixed parameters for DH...
> Well, I'm not sure how much more respected one can get than Daniel
> Kahn Gillmor, Stephen Farrell, Eric Rescorla; or have better
> credentials than practicing cryptographers.
> How high is your bar :)
Whom did I say were not highly respected cryptographers?

I read the thread as some of the highly respected experts
saying that the LogJam supplemental finding (some fixed
DH groups of once-recommended size are used by so many
that it makes expensive attacks pay) shows why fixed DH
groups should not be mandatory, while other respected
experts talk about other subjects.

I saw posts from respected experts arguing how to shoehorn
non-fixed DH curves back into the drafts of how to use
fixed DH curves (rather than simply dropping that protocol
change for DH).

I saw posts from respected experts arguing whether the cost
of client side primality checks of DH parameters would
exceed the cost of using a secure enough group size.

I saw no posts in that thread arguing why fixed DH groups
would be a good thing.

I saw no posts discussing whether DH parameters signed by
the trusted server really need to be fully validated client
side, or if cheaper checks (range, length, correspondence
to seed etc.) would be good enough given better uses for
the CPU time.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
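
An added example, not from this thread or from OpenSSL, showing the
tiered client-side checks the post above contrasts: cheap length and
range checks on the ServerKeyExchange parameters, a subgroup check
costing one modular exponentiation, recognising a named group by
recomputing it from its published seed (here the RFC 7919 ffdhe2048
prime, the published form of the draft cited above, derived from e as
p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1), and
only then the expensive Miller-Rabin test of p and (p-1)/2. The
function names, the 512-bit stand-in modulus and the private exponent
are this example's own constructions; it assumes a safe-prime group.

```python
"""Tiered client-side validation of TLS DHE parameters (added example,
not OpenSSL code).  All names and sample values below are this
example's own constructions."""
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def floor_e_pow2(k, guard=64):
    """Exact floor(e * 2**k) from the Taylor series in integer arithmetic.
    Each truncated term undershoots by < 2, so the sum is within ~2*i of
    e * 2**(k+guard); the guard bits absorb that, and an ambiguous carry
    (astronomically unlikely) is refused rather than guessed."""
    term = 1 << (k + guard)            # 2**(k+guard) / 0!
    total, i = 0, 1
    while term:
        total += term
        term //= i                     # 2**(k+guard) / i!
        i += 1
    if (total & ((1 << guard) - 1)) > (1 << guard) - 4 * i:
        raise ArithmeticError("need more guard bits")
    return total >> guard


def ffdhe_prime(bits, offset):
    """RFC 7919 Appendix A shape: 64 one-bits at each end, the binary
    expansion of e in the middle, plus the smallest offset that makes a
    safe prime.  Only the ffdhe2048 offset (560316) is used here."""
    middle = floor_e_pow2(bits - 130) + offset
    return (1 << bits) - (1 << (bits - 64)) + (middle << 64) - 1


FFDHE2048 = ffdhe_prime(2048, 560316)
# Constructed 512-bit odd modulus standing in for an export-grade group;
# it need not be prime, since the length check rejects it first.
EXPORT_SIZED_P = (1 << 511) | 0x10001


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases (a server could craft a composite
    that passes a fixed, predictable base list)."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dhe(p, g, ys, min_bits=2048, full_check=False):
    """Return None if the server's DH parameters are acceptable, else a
    short reason.  Cheapest test first: two exponentiations at most
    unless full_check asks for the primality tests on p and (p-1)/2,
    the step whose cost the thread argues about.  Assumes a safe-prime
    group (p = 2q + 1, g of order q)."""
    if p.bit_length() < min_bits:
        return "length: p is %d bits, need >= %d" % (p.bit_length(), min_bits)
    if p % 2 == 0:
        return "range: p is even"
    if not 1 < g < p - 1:
        return "range: g not in (1, p-1)"
    if not 1 < ys < p - 1:           # 0, 1, p-1 force a secret of 0 or +/-1
        return "range: ys not in (1, p-1)"
    q = (p - 1) // 2
    if pow(g, q, p) != 1:
        return "subgroup: g does not have order q"
    if pow(ys, q, p) != 1:           # rejects a ys outside the order-q subgroup
        return "subgroup: ys not in the order-q subgroup"
    if full_check and not (is_probable_prime(q) and is_probable_prime(p)):
        return "primality: p is not a safe prime"
    return None


def is_named_ffdhe2048(p):
    """Seed-correspondence check: recognise the group by recomputing it
    from its formula instead of testing primality again."""
    return p == FFDHE2048


if __name__ == "__main__":
    ys = pow(2, 0x2B7E1516, FFDHE2048)      # constructed private exponent
    print("ffdhe2048 prefix:", hex(FFDHE2048)[:42])
    print("named group:", is_named_ffdhe2048(FFDHE2048))
    print("good params:", validate_dhe(FFDHE2048, 2, ys, full_check=True))
    print("export-sized p:", validate_dhe(EXPORT_SIZED_P, 2, 5))
    print("ys = p-1:", validate_dhe(FFDHE2048, 2, FFDHE2048 - 1))
    print("non-residue ys:", validate_dhe(FFDHE2048, 2, FFDHE2048 - 4))
```

On the 512-bit modulus validate_dhe returns at the length check before
doing any modular arithmetic, which is the point: a client that refuses
groups below its floor never pays to validate an export-grade group, a
recomputed named group needs no primality test at all, and the full
Miller-Rabin cost is reserved for unrecognised server-chosen groups.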
