Re: [openssl-users] Openssl software failure for RSA 16K modulus
> We have cryptographic accelerators on cavium platforms which minimize CPU > usage. So our customers are looking for 16K support. Well, sorry, but by default most other sides won't be able to use them. Not sure anything else to say. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
Bonjour, Le 22 juil. 2016 à 08:44, Gupta, Saurabh> a écrit : 1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake? It should fail for other ciphers also. Ciphers: working DHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 .. etc Because the key exchange is performed using DHE or ECDHE here, and parameters are much smaller than your server authentication key. If you configure a 16k DH group and choose to use DHE as the key exchange algorithm, you’ll surely fall under the same error. Ciphers: Not working AES128-SHA AES256-SHA .. etc RSA key exchange. 2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue so that it won't harm to other application or create any new attack? 3: ECC cipher is not my main concerned. You should be concerned about the security provided by your choices, and not pure raw numbers. 4: I didn't face any issue like memory utilisation or CPU utilisation is more if I'm running more than one client in the case of 16k modulus. Your measuring tools are bad, change them ;) Signing with a 16k RSA key is way slower than with a 2048bits key, and again way slower than using ECC. According to NIST, equivalent « security levels »: RSA15360, DH15360, ECC512 (or 521) RSA7680, DH7680, ECC384 RSA3072, DH3072, ECC256 Measurements done on my machine: Signing with ECDSA over the P521 curve is 600x faster than signing with a 15kRSA key. Performing a key exchange with ECDH over the P521 curve is about 180x faster than decrypting with a 15k RSA key. Using the P384 curve and a 7kRSA key, the numbers are 180x faster and 50x faster. Using the P256 curve and a 4kRSA key, numbers are about 90x faster for both operations. I don’t have any measurements for DH key exchange, but it should cost twice more than doing a private RSA operation, and also impacts the client, and when used within TLS it comes in addition to an RSA signing operation. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> The DoS issue is still there. How can you prevent the "other side" from > consuming all your CPU with a large key? > Who needs 16K RSA keys, such that openssl by default should support that for > everyone? We have cryptographic accelerators on cavium platforms which minimize CPU usage. So our customers are looking for 16K support. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> 2: if anyway I want to use 16k modulus, Do we have solution to avoid this > issue so that it won't harm to other application or create any new attack? No. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake? It should fail for other ciphers also. Ciphers: working DHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 .. etc Ciphers: Not working AES128-SHA AES256-SHA .. etc Protocols: tls1/tls1_1/tls1_2 2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue so that it won't harm to other application or create any new attack? 3: ECC cipher is not my main concerned. 4: I didn't face any issue like memory utilisation or CPU utilisation is more if I'm running more than one client in the case of 16k modulus. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Wait, is OpenSSL "sanity checking" a message size dictated by the same ends > local configuration against a fixed arbitrary limit rather than a limit > computed > from that local configuration? Yup. Call it a limitation of C, if you want. "#define MAX_..." is just too hard to avoid. It has been this way forever. There was an open ticket about removing all fixed-sized limits, I think. But I doubt that will happen. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
On 21/07/2016 17:28, Salz, Rich wrote: Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea, one should really consider ECC instead (both for performance and network reasons). But keeping this 2048 bytes limit is not a security decision. It’s the result of a trade-off choice, right. And that doesn't make it a bad decision either. +1 Wait, is OpenSSL "sanity checking" a message size dictated by the same ends local configuration against a fixed arbitrary limit rather than a limit computed from that local configuration? That sounds doubly buggy as it will be too high a limit for some configurations and too low a limit for some other configurations. The situation would be different for limits that would depend on the sanity of remote values (such as the key length in a client certificate sent to a server checking the limit or the key length in a server certificate sent to a client checking the limit). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea, > one should really consider ECC instead (both for performance and network > reasons). But keeping this 2048 bytes limit is not a security decision. It’s > the > result of a trade-off choice, right. And that doesn't make it a bad decision > either. +1 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Le 21 juil. 2016 à 15:08, Salz, Richa écrit : > >> By raising the limit, you don’t suddenly put every application at risk of a >> DoS, >> because these applications won’t suddenly use a 16k RSA key. > > Yes we do, because the other side could send a key, not local config. Server A code is modified to accept client key exchange messages up to 4kB. Server A is configured with a 2048bits RSA key. Client A connects to Server A, initiates the TLS handshake, receives the certificate, properly generates a 2048bits client key exchange message (using RSA key exchange), sends the message (about 260 octets); Server A accepts it and will do the job. Client B connects to Server A, initiates the TLS handshake, receives the certificate, but for whatever reason decides to send a client key exchange message composed of what could be a 16kb RSA block (about 2056 bytes); Server A will accept the message, but will refuse to perform the RSA decryption (because it’s larger than the modulus length). I don’t see where the harm can hide. There’s no more CPU eaten, network transfer has already happened at this moment, memory is already allocated. Again, I’m not saying using a 16kRSA key is a good idea. It’s not a good idea, one should really consider ECC instead (both for performance and network reasons). But keeping this 2048 bytes limit is not a security decision. It’s the result of a trade-off choice, right. And that doesn't make it a bad decision either. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Instead of raising the limit of client key exchange message length more than > 2048, why can't we add the > "ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that > will "permit appropriate message length". The DoS issue is still there. How can you prevent the "other side" from consuming all your CPU with a large key? Who needs 16K RSA keys, such that openssl by default should support that for everyone? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> By raising the limit, you don't suddenly put every application at risk of a > DoS, > because these applications won't suddenly use a 16k RSA key. Instead of raising the limit of client key exchange message length more than 2048, why can't we add the "ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that will "permit appropriate message length". I came across this functionality when I compared the code of openssl-1.0.1p and openssl-1.0.2e. Regards, Saurabh From: openssl-users <openssl-users-boun...@openssl.org> on behalf of openssl-users-requ...@openssl.org <openssl-users-requ...@openssl.org> Sent: Thursday, July 21, 2016 6:38 PM To: openssl-users@openssl.org Subject: openssl-users Digest, Vol 20, Issue 18 Send openssl-users mailing list submissions to openssl-users@openssl.org To subscribe or unsubscribe via the World Wide Web, visit https://mta.openssl.org/mailman/listinfo/openssl-users or, via email, send a message with subject or body 'help' to openssl-users-requ...@openssl.org You can reach the person managing the list at openssl-users-ow...@openssl.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) 2. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) 3. Re: Help finding replacement for ASN1_seq_unpack_X509 (Jim Carroll) 4. Re: [openssl-users] Helpfinding replacement for ASN1_seq_unpack_X509 (Salz, Rich) 5. Re: Openssl software failure for RSA 16K modulus (Erwann Abalea) 6. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) -- Message: 1 Date: Thu, 21 Jul 2016 12:15:15 + From: "Salz, Rich" <rs...@akamai.com> To: "openssl-users@openssl.org" <openssl-users@openssl.org> Subject: Re: [openssl-users] Openssl software failure for RSA 16K modulus Message-ID: <f3934079655b4d8fa3328b21ea62e...@usma1ex-dag1mb1.msg.corp.akamai.com> Content-Type: text/plain; charset="Windows-1252" > Largest accepted client key exchange message length seems to be set to 2048 > bytes. > Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes > of pure crypto payload, plus a few bytes of overhead). > OpenSSL is too conservative here. Why not use an ECC key? We have to make trade-offs. Who uses a 16K RSA key? -- Message: 2 Date: Thu, 21 Jul 2016 12:17:44 +0000 From: "Salz, Rich" <rs...@akamai.com> To: "openssl-users@openssl.org" <openssl-users@openssl.org> Subject: Re: [openssl-users] Openssl software failure for RSA 16K modulus Message-ID: <e8e3f6f5b5a849ab8000dab434aac...@usma1ex-dag1mb1.msg.corp.akamai.com> Content-Type: text/plain; charset="Windows-1252" > We have to make trade-offs. Who uses a 16K RSA key? Let me add some clarification. Is it worth putting every application that uses OpenSSL at risk for a DoS attack with a 16K RSA key? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- Message: 3 Date: Thu, 21 Jul 2016 08:52:24 -0400 From: "Jim Carroll" <j...@carroll.com> To: <openssl-users@openssl.org> Subject: Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509 Message-ID: <00e201d1e34e$ba83f760$2f8be620$@carroll.com> We are porting M2Crypto which is a python swig wrapper around OpenSSL. It currently supports OpenSSL 0.9.8 and we are porting it to 1.1.0. The 1.1.0 branch is really cool (clean, elegant code), but there were a few refactoring's that affected M2Crypto. Most were trivial getter/setter type changes, but a few were in the are of getting rid of some ASN1 processing (which happens to be our weakest point of understanding). We're left with porting the final bit -- which is related to X509 cert handling. Here's a sample use. The caller builds up the call with a the following 'psuedo-sequence'. get_der() is the function we are working on finishing. X508* load_cert_bio(char* filename) { BIO* bio = BIO_new_file(filename, "r"); return PEM_read_bio_X509(bio, NULL, NULL, NULL); } unsigned char* get_der(int* len_out) { X509* cert = load_cert_bio("x509.pem"); X509* ca = load_cert_bio("ca.pem"); STACK_OF(X509)* stack = sk_x509_new_null(); sk_x509_push(stack, cert); sk_x509_push(stack, ca); return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out); } The ASN1_seq_pack_
Re: [openssl-users] Openssl software failure for RSA 16K modulus
>By raising the limit, you don’t suddenly put every application at risk of a >DoS, > because these applications won’t suddenly use a 16k RSA key. Yes we do, because the other side could send a key, not local config. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Le 21 juil. 2016 à 14:17, Salz, Richa écrit : > >> We have to make trade-offs. Who uses a 16K RSA key? > > Let me add some clarification. Is it worth putting every application that > uses OpenSSL at risk for a DoS attack with a 16K RSA key? By raising the limit, you don’t suddenly put every application at risk of a DoS, because these applications won’t suddenly use a 16k RSA key. Anyway, OpenSSL 1.0.2+ now sets some limits on message sizes (defensive), some tradeoffs have to be done on those limits. According to some sources (NIST and ECRYPT II), 16k RSA provides an equivalent security level of a 512bits ECC key. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> We have to make trade-offs. Who uses a 16K RSA key? Let me add some clarification. Is it worth putting every application that uses OpenSSL at risk for a DoS attack with a 16K RSA key? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> Largest accepted client key exchange message length seems to be set to 2048 > bytes. > Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes > of pure crypto payload, plus a few bytes of overhead). > OpenSSL is too conservative here. Why not use an ECC key? We have to make trade-offs. Who uses a 16K RSA key? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
Largest accepted client key exchange message length seems to be set to 2048 bytes. Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes of pure crypto payload, plus a few bytes of overhead). OpenSSL is too conservative here. Cordialement, Erwann Abalea Le 21 juil. 2016 à 10:32, Gupta, Saurabh> a écrit : This issue, I'm facing for openssl-1.0.2e/g/h version. Run openssl server: Used 16K Certificate and Key ./openssl s_server -cert sercert16384.pem -key server16384 Run openssl client: ./openssl s_client -connect :port_number -cipher AES128-SHA -tls1 ERROR 139812135450280:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417: This error is coming while using AES128-SHA as a cipher and tls1/1_1/1_2 protocols. It's working fine with ssl3 protocol. Note: 1. This issue, I didn't face for the openssl-1.0.1p/e version. Can you please confirm. is this known issue? if it is the known issue. Can you please share that fix? Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users