Message-ID: <87r3km9rpo.fsf@alice.fifthhorseman.net>
Date: Thu, 22 Oct 2015 23:41:39 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Prime example of a can of worms

On Thu 2015-10-22 19:37:49 -0400, Kurt Seifried wrote:
> Sorry when I said a "large" pool I meant more than the current 5 or so that
> seem to be in popular use, but certainly not more than a few hundred.

ok, that's a relief :)

but, running the numbers, even 100 hundred 2048-bit groups comes out to
a quarter MiB of RAM. (i figure 256 bytes per prime, a well-known,
shared generator) Larger groups (or more groups) inflate the size even
further. I know RAM is cheap these days but for embedded devices a
quarter meg or more of RAM is still not insignificant.

> Basically we're in agreement, I think nothing under 2048 should even be
> considered, and we probably need to bump that up in a few years anyways.

yep, agreed.

> I've also been going through source code to see how people use dh
> params/treat them, and I have some worrying results (basically what I
> expected though, everything is terrible as usual)

:/

> I'm going to be writing this up as an article rather than a long email as I
> have a few more sticky points to raise (security rabbit holes are so much
> fun).

I look forward to reading it.

--dkg