[openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Jakob Bohm jb-openssl at wisemo.com
Fri Nov 13 15:31:51 UTC 2015 

On 13/11/2015 14:40, Emilia Käsper wrote:
> Hi all,
>
> We are considering removing from OpenSSL 1.1 known broken or outdated 
> cryptographic primitives. As you may know the forks have already done 
> this but I'd like to seek careful feedback for OpenSSL first to ensure 
> we won't be breaking any major applications.
>
> These algorithms are currently candidates for removal:
>
> CAST
> IDEA
> MDC2
> MD2 [ already disabled by default ]
> RC5 [ already disabled by default ]
> RIPEMD
> SEED
> WHIRLPOOL
> ALL BINARY ELLIPTIC CURVES
>
> My preference would be to remove these algorithms completely (as in, 
> delete the code). Disabled-by-default code will either be re-enabled 
> by distros (if there's widespread need for it - in which case we might 
> as well leave it in) or will be poorly tested and is likely to just 
> silently rot and break. This code is bloat and maintentance burden for 
> us - my hope is that much of this code is effectively dead and can be 
> removed.
>
> *Are you aware of any mainstream need to continue supporting these 
> algorithms in OpenSSL 1.1?* Note that an older OpenSSL library or 
> binary, or a standalone implementation or another crypto toolkit can 
> always be used to continue supporting a legacy standalone application, 
> or to decrypt ciphertext from the distant past. I am looking for use 
> cases that could cause e.g. interop breakage between new and old 
> peers, or major pain to distro end-users.
>
> These algorithms are obsolete but removing them doesn't look feasible:
>
> BLOWFISH - probably still in use though I don't know where exactly?
> MD4 - used in NTLM
> RC2 - used in PKCS#12
>
> *Did I miss anything from the list?*
>
BlowFish is still hardcoded into some file formats that
are still in use, such as the PasswordSafe password
database format, I don't know if any related
implementations get the Blowfish code from OpenSSL
though.

IDEA was famously used in the original PGP encryption
format and as such remains useful when implementing
OpenPGP decryption on top of OpenSSL's libcrypto (as
opposed to implementing an OpenSSL emulation on top an
OpenPGP library like GNU did).  I don't know if any of
the 'OpenPGP in a high level language such as
perl/python/php' implementations use OpenSSL's IDEA
implementation as the backend though, but someone will
need to trawl through CPAN (for perl), the Linux dists
etc. to be sure.

MD2 is still present in the self-signature on some major
root certificates that are still trusted in signatures
on old/historic data and documents.  Note that the
default OpenSSL code currently skips checking the
self-signature on self-signed root certificates, but
that was done based as a workaround for the disabling
of MD2, and is based on the (unreliable) assumption
that checking their internal consistency had no value
in determining the trust.  Accepting MD2 only for this
limited role (and thus keeping the code around for that
case only) would be more secure.

The use of MD4 in NTLM is closely related to its use in
the password database format of computers that
interoperate with NTLM, SMB, CIFS, Microsoft Kerberos
extensions etc.  Those password databases and related
protocols will probably outlive NTLM itself by many
years.

WHIRLPOOL has been frequently recommended as the premier
non-NIST alternative to SHA-512, I have heard of no
reason to deprecate it.

The binary elliptic curve code in OpenSSL seems to have
a unique patent license heritage (via Sun I think) and
thus provides a unique source of such code for other
FOSS code as the Certicom and Sun patents change hands
in unpredictable ways.  I don't know if any major CA
issued ECDSA certificates using those curves, in which
case they remain important to the CMS and certificate
code in OpenSSL.  Again I have heard of no reason to
deprecate them.

I do not recall any common uses for the CAST cipher,
the MDC hash construct family or the RIPEMD hash
function family (at this time).

RC5 may be a patent problem and would probably be
disabled in most OpenSSL builds anyway.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151113/0d4bda82/attachment-0001.html>

More information about the openssl-users mailing list