Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Salz, Rich 
> We have cryptographic accelerators on cavium platforms which minimize CPU 
> usage. So our customers are looking for 16K support.

Well, sorry, but by default most other sides won't be able to use them.  Not 
sure anything else to say.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Erwann Abalea 
Bonjour,

Le 22 juil. 2016 à 08:44, Gupta, Saurabh 
> a écrit :


1: I didn't get it, Why this behaviour is not coming for other ciphers while 
doing the server/client handshake?

It should fail for other ciphers also.


Ciphers:  working

DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
.. etc

Because the key exchange is performed using DHE or ECDHE here, and parameters 
are much smaller than your server authentication key.
If you configure a 16k DH group and choose to use DHE as the key exchange 
algorithm, you’ll surely fall under the same error.

Ciphers: Not working
AES128-SHA
AES256-SHA
.. etc

RSA key exchange.

2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue 
so that it won't harm to other application or create any new attack?

3: ECC cipher is not my main concerned.

You should be concerned about the security provided by your choices, and not 
pure raw numbers.


4: I didn't face any issue like memory utilisation or CPU utilisation is more 
if I'm running more than one client in the case of 16k modulus.

Your measuring tools are bad, change them ;)
Signing with a 16k RSA key is way slower than with a 2048bits key, and again 
way slower than using ECC.

According to NIST, equivalent « security levels »:
RSA15360, DH15360, ECC512 (or 521)
RSA7680, DH7680, ECC384
RSA3072, DH3072, ECC256

Measurements done on my machine:
Signing with ECDSA over the P521 curve is 600x faster than signing with a 
15kRSA key.
Performing a key exchange with ECDH over the P521 curve is about 180x faster 
than decrypting with a 15k RSA key.

Using the P384 curve and a 7kRSA key, the numbers are 180x faster and 50x 
faster.
Using the P256 curve and a 4kRSA key, numbers are about 90x faster for both 
operations.

I don’t have any measurements for DH key exchange, but it should cost twice 
more than doing a private RSA operation, and also impacts the client, and when 
used within TLS it comes in addition to an RSA signing operation.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Gupta, Saurabh 
> The DoS issue is still there.  How can you prevent the "other side" from 
> consuming all your CPU with a large key?

> Who needs 16K RSA keys, such that openssl by default should support that for 
> everyone?


We have cryptographic accelerators on cavium platforms which minimize CPU 
usage. So our customers are looking for 16K support.


Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Salz, Rich 
> 2: if anyway I want to use 16k modulus, Do we have solution to avoid this 
> issue so that it won't harm to other application or create any new attack?

No.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Gupta, Saurabh 
1: I didn't get it, Why this behaviour is not coming for other ciphers while 
doing the server/client handshake?

It should fail for other ciphers also.


Ciphers:  working

DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
.. etc

Ciphers: Not working
AES128-SHA
AES256-SHA
.. etc


Protocols:

tls1/tls1_1/tls1_2


2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue 
so that it won't harm to other application or create any new attack?

3: ECC cipher is not my main concerned.

4: I didn't face any issue like memory utilisation or CPU utilisation is more 
if I'm running more than one client in the case of 16k modulus.

Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 

> Wait, is OpenSSL "sanity checking" a message size dictated by the same ends
> local configuration against a fixed arbitrary limit rather than a limit 
> computed
> from that local configuration?

Yup.  Call it a limitation of C, if you want.  "#define MAX_..." is just too 
hard to avoid.

It has been this way forever. There was an open ticket about removing all 
fixed-sized limits, I think.  But I doubt that will happen.



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Jakob Bohm 

On 21/07/2016 17:28, Salz, Rich wrote:

Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea,
one should really consider ECC instead (both for performance and network
reasons). But keeping this 2048 bytes limit is not a security decision. It’s the
result of a trade-off choice, right. And that doesn't make it a bad decision
either.

+1


Wait, is OpenSSL "sanity checking" a message size dictated by
the same ends local configuration against a fixed arbitrary
limit rather than a limit computed from that local
configuration?  That sounds doubly buggy as it will be too
high a limit for some configurations and too low a limit for
some other configurations.

The situation would be different for limits that would depend
on the sanity of remote values (such as the key length in a
client certificate sent to a server checking the limit or the
key length in a server certificate sent to a client checking
the limit).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 
> Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea,
> one should really consider ECC instead (both for performance and network
> reasons). But keeping this 2048 bytes limit is not a security decision. It’s 
> the
> result of a trade-off choice, right. And that doesn't make it a bad decision
> either.

+1
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea 

> Le 21 juil. 2016 à 15:08, Salz, Rich  a écrit :
> 
>> By raising the limit, you don’t suddenly put every application at risk of a 
>> DoS,
>> because these applications won’t suddenly use a 16k RSA key.
> 
> Yes we do, because the other side could send a key, not local config.

Server A code is modified to accept client key exchange messages up to 4kB.
Server A is configured with a 2048bits RSA key.

Client A connects to Server A, initiates the TLS handshake, receives the 
certificate, properly generates a 2048bits client key exchange message (using 
RSA key exchange), sends the message (about 260 octets); Server A accepts it 
and will do the job.

Client B connects to Server A, initiates the TLS handshake, receives the 
certificate, but for whatever reason decides to send a client key exchange 
message composed of what could be a 16kb RSA block (about 2056 bytes); Server A 
will accept the message, but will refuse to perform the RSA decryption (because 
it’s larger than the modulus length).

I don’t see where the harm can hide. There’s no more CPU eaten, network 
transfer has already happened at this moment, memory is already allocated.

Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea, 
one should really consider ECC instead (both for performance and network 
reasons). But keeping this 2048 bytes limit is not a security decision. It’s 
the result of a trade-off choice, right. And that doesn't make it a bad 
decision either.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 

> Instead of raising the limit of client key exchange message length more than 
> 2048, why can't we add the 
> "ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that 
> will "permit appropriate message length".

The DoS issue is still there.  How can you prevent the "other side" from 
consuming all your CPU with a large key?

Who needs 16K RSA keys, such that openssl by default should support that for 
everyone?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Gupta, Saurabh 
> By raising the limit, you don't suddenly put every application at risk of a 
> DoS,
> because these applications won't suddenly use a 16k RSA key.


Instead of raising the limit of client key exchange message length more than 
2048, why can't we add the

"ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that will 
"permit appropriate message length".


I came across this functionality when I compared the code of openssl-1.0.1p and 
openssl-1.0.2e.


Regards,
Saurabh



From: openssl-users <openssl-users-boun...@openssl.org> on behalf of 
openssl-users-requ...@openssl.org <openssl-users-requ...@openssl.org>
Sent: Thursday, July 21, 2016 6:38 PM
To: openssl-users@openssl.org
Subject: openssl-users Digest, Vol 20, Issue 18

Send openssl-users mailing list submissions to
openssl-users@openssl.org

To subscribe or unsubscribe via the World Wide Web, visit
https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
openssl-users-requ...@openssl.org

You can reach the person managing the list at
openssl-users-ow...@openssl.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."


Today's Topics:

   1. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)
   2. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)
   3. Re: Help  finding replacement for ASN1_seq_unpack_X509
  (Jim Carroll)
   4. Re: [openssl-users]   Helpfinding replacement for
  ASN1_seq_unpack_X509 (Salz, Rich)
   5. Re: Openssl software failure for RSA 16K modulus (Erwann Abalea)
   6. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)


--

Message: 1
Date: Thu, 21 Jul 2016 12:15:15 +
From: "Salz, Rich" <rs...@akamai.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: Re: [openssl-users] Openssl software failure for RSA 16K
modulus
Message-ID:
<f3934079655b4d8fa3328b21ea62e...@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: text/plain; charset="Windows-1252"


> Largest accepted client key exchange message length seems to be set to 2048 
> bytes.
> Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes 
> of pure crypto payload, plus a few bytes of overhead).

> OpenSSL is too conservative here.

Why not use an ECC key?

We have to make trade-offs.  Who uses a 16K RSA key?


--

Message: 2
Date: Thu, 21 Jul 2016 12:17:44 +0000
From: "Salz, Rich" <rs...@akamai.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: Re: [openssl-users] Openssl software failure for RSA 16K
modulus
Message-ID:
<e8e3f6f5b5a849ab8000dab434aac...@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: text/plain; charset="Windows-1252"

> We have to make trade-offs.  Who uses a 16K RSA key?

Let me add some  clarification.  Is it worth putting every application that 
uses OpenSSL at risk for a DoS attack with a 16K RSA key?

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz




--

Message: 3
Date: Thu, 21 Jul 2016 08:52:24 -0400
From: "Jim Carroll" <j...@carroll.com>
To: <openssl-users@openssl.org>
Subject: Re: [openssl-users] Help   finding replacement for
ASN1_seq_unpack_X509
Message-ID: <00e201d1e34e$ba83f760$2f8be620$@carroll.com>

 We are porting M2Crypto which is a python swig wrapper around OpenSSL. It
currently supports OpenSSL 0.9.8 and we are porting it to 1.1.0.  The 1.1.0
branch is really cool (clean, elegant code), but there were a few
refactoring's that affected M2Crypto.  Most were trivial getter/setter type
changes, but a few were in the are of getting rid of some ASN1 processing
(which happens to be our weakest point of understanding).

We're left with porting the final bit -- which is related to X509 cert
handling.  Here's a sample use. The caller builds up the call with a the
following 'psuedo-sequence'. get_der() is the function we are working on
finishing.

X508* load_cert_bio(char* filename) {
BIO* bio = BIO_new_file(filename, "r");
return PEM_read_bio_X509(bio, NULL, NULL, NULL);
}

unsigned char* get_der(int* len_out) {
X509* cert = load_cert_bio("x509.pem");
X509* ca = load_cert_bio("ca.pem");

STACK_OF(X509)* stack = sk_x509_new_null();
sk_x509_push(stack, cert);
sk_x509_push(stack, ca);

return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
}

The ASN1_seq_pack_

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 

>By raising the limit, you don’t suddenly put every application at risk of a 
>DoS,
> because these applications won’t suddenly use a 16k RSA key.

Yes we do, because the other side could send a key, not local config.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea 

> Le 21 juil. 2016 à 14:17, Salz, Rich  a écrit :
> 
>> We have to make trade-offs.  Who uses a 16K RSA key?
> 
> Let me add some  clarification.  Is it worth putting every application that 
> uses OpenSSL at risk for a DoS attack with a 16K RSA key?

By raising the limit, you don’t suddenly put every application at risk of a 
DoS, because these applications won’t suddenly use a 16k RSA key.
Anyway, OpenSSL 1.0.2+ now sets some limits on message sizes (defensive), some 
tradeoffs have to be done on those limits. According to some sources (NIST and 
ECRYPT II), 16k RSA provides an equivalent security level of a 512bits ECC key.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 
> We have to make trade-offs.  Who uses a 16K RSA key?

Let me add some  clarification.  Is it worth putting every application that 
uses OpenSSL at risk for a DoS attack with a 16K RSA key?

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Salz, Rich 

> Largest accepted client key exchange message length seems to be set to 2048 
> bytes. 
> Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes 
> of pure crypto payload, plus a few bytes of overhead).

> OpenSSL is too conservative here.

Why not use an ECC key?

We have to make trade-offs.  Who uses a 16K RSA key?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea 
Largest accepted client key exchange message length seems to be set to 2048 
bytes.
Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes of 
pure crypto payload, plus a few bytes of overhead).

OpenSSL is too conservative here.

Cordialement,
Erwann Abalea

Le 21 juil. 2016 à 10:32, Gupta, Saurabh 
> a écrit :

This issue, I'm facing for openssl-1.0.2e/g/h version.

Run openssl server: Used 16K Certificate and Key
./openssl s_server -cert sercert16384.pem -key server16384

Run openssl client:
./openssl s_client -connect :port_number -cipher AES128-SHA -tls1

ERROR

139812135450280:error:1408E098:SSL routines:ssl3_get_message:excessive message 
size:s3_both.c:417:


This error is coming while using AES128-SHA as a cipher and tls1/1_1/1_2 
protocols. It's working fine with ssl3 protocol.

Note:
1. This issue, I didn't face for the openssl-1.0.1p/e version.

Can you please confirm. is this known issue?
if it is the known issue. Can you please share that fix?

Regards,
Saurabh
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users