[GTALUG] War Story: Fedora 33 update silently broke Dovecot (IMAP / POP3 server)
D. Hugh Redelmeier
hugh at mimosa.com
Sun May 9 13:09:39 EDT 2021
| From: Giles Orr via talk <talk at gtalug.org>
| And it's considered a bad idea to use a
| widely known DH parameter (like the one that ships with the software,
| or that sits on a Mozilla server).
I'm not sure that's correct. The counter-argument is that some are
weak and some are strong and it would be better to use ones attested to
in a process you consider trustable. That seems to be what is
recommended by the Mozilla link I included and by RFC 7919 that it links to
(I haven't read it or the updates and errata).
| This is a semi-useful read:
| https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters.
I don't trust stack exchange but I do find it useful. That isn't
actually a contradiction.
| I say "semi-useful" because honestly some of it was over my head. And
| that leads to reading about Logjam ( https://weakdh.org/ ).
The DH (Diffie-Hellman) exchange is the magic that makes privacy on
the internet work. It's really cute and simple. Weakness: it cannot
defend against an active man-in-the-middle attack.
It's actually simple. The SE first answer, second paragraph, explains
how it works. Let me fill in some missing bits:
The integers, modulo p [a prime], form a mathematical group.
g, p are the DH parameters and are publicly known.
a is Alice's secret, never to go on the wire.
b is Bob's secret, never to go on the wire.
"^" denotes exponentiation (think repeated multiplication).
All arithmetic is modulo p.
Alice sends Bob:
g^a
Bob sends Alice:
g^b
Alice can compute
(g^b) ^ a
Bob can compute
(g^a) ^ b
And those are both the same!
Now Alice and Bob share a secret that nobody else has. That's all
that's needed for bootstrapping privacy.
Avoiding an active man-in-the-middle attack is much harder
logistically. For that you need some kind of authentication (what one
chooses to mean by authentication is a very interesting decision).
That's part of why we have the horror show of certificates. They are
not necessary but they are sufficient (as long as the certificate
system isn't broken).
| With Ansible I've automated the generation of a new DH parameter file
| on each new server:
|
| openssl dhparam -out <filename> <size>
|
| Generating this file takes a significant amount of time (minutes) if
| "size" is reasonably large (2096, although I would recommend 4192)
| even on a modern machine.
You consider the numbers you gave as a typo (according to later mail).
Actually, there is an argument to be made that if you are rolling your
own, don't use popular powers of two.
A bad guy might have hardware optimized for powers of two (they are
used in the vast majority of cases). Or precomputed tables. If you
don't use a power of two, you throw him off his book.
The core of this is that we think that g^a is much much much cheaper
to compute than the corresponding discrete log (i.e. compute a, given
g and g^a).
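Added example (not part of the original post): the exchange sketched above, with the same symbols (p, g, a, b, g^a, g^b), written out in Python, together with the two checks an operator would actually want on a dhparam file and on a peer's public value: that p is a "safe prime" 2q+1 with q prime and g lies in the order-q subgroup (the shape of the RFC 7919 groups), and that a received g^x is neither 1 nor p-1 nor outside that subgroup. The parameters 23/2 and 1019/4 are constructed toy values for illustration; the function names are my own.

```python
"""Toy finite-field Diffie-Hellman plus parameter and public-value checks.
Added example with constructed toy parameters; not code from the original
post.  Function names are assumptions of this example."""
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test (probabilistic, fine for sanity checks)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int) -> bool:
    """Accept only a safe prime p = 2q+1 (q prime) and a generator g of the
    order-q subgroup; g = 1 and g = p-1 are rejected because they make the
    'shared secret' trivial."""
    if not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    if p != 2 * q + 1 or not is_probable_prime(q):
        return False
    if not 1 < g < p - 1:
        return False
    return pow(g, q, p) == 1


def check_public_value(p: int, y: int) -> bool:
    """Validate a peer's g^x before using it: it must lie strictly between
    1 and p-1 and inside the order-q subgroup, otherwise a crafted value
    could force the shared secret into a tiny, guessable set."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def random_secret(p: int) -> int:
    """Private exponent in [2, p-2]; this never goes on the wire."""
    return secrets.randbelow(p - 3) + 2


def dh_exchange(p: int, g: int, a: int, b: int):
    """The exchange from the post: Alice sends g^a, Bob sends g^b, each
    raises what it received to its own secret.  Returns the pair
    (alice_shared, bob_shared); they must be equal.  Raises ValueError if a
    public value fails validation."""
    alice_public = pow(g, a, p)  # g^a, public, goes on the wire
    bob_public = pow(g, b, p)    # g^b, public, goes on the wire
    if not (check_public_value(p, bob_public)
            and check_public_value(p, alice_public)):
        raise ValueError("received public value failed validation")
    alice_shared = pow(bob_public, a, p)  # (g^b)^a
    bob_shared = pow(alice_public, b, p)  # (g^a)^b
    return alice_shared, bob_shared


if __name__ == "__main__":
    # Constructed toy parameters: 23 = 2*11 + 1 with 11 prime, and 2^11 = 1 (mod 23).
    p, g = 23, 2
    assert check_dh_params(p, g)
    a, b = random_secret(p), random_secret(p)
    s_alice, s_bob = dh_exchange(p, g, a, b)
    print(f"Alice computes {s_alice}, Bob computes {s_bob}, equal: {s_alice == s_bob}")
```

With real parameters p is a 2048-bit or larger prime and a, b are drawn from the full range, but the structure is identical: the two checks are what turn "some DH parameters are weak" from folklore into something a script on the server can verify before Dovecot or any other daemon is pointed at the file.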