micah <micah <at> riseup.net> writes:
> Encouraging custom DH groups is not a good idea, as this opens up the
> triple handshake attack possibility[0].
>
> 0. https://www.secure-resumption.com/ (search for Initial DHE Handshake)
> <-- details an attack where a server can send custom groups
Interesting, but:

① This already works, as clients *do* (and do have to) accept those groups.

② “We instead recommend that a set of well-known good groups be standardized for use in DHE” will open up not only the precomputation problem (though it’s not “as bad” with larger bit sizes), but also the difficulty of selecting one (whom are you going to trust, and NUMS numbers may not actually be good here).

Since their recommendation would require a protocol change anyway, I suggest (as I have been doing for a while) that even the DH part of the handshake be protected by the server (and, optionally, client) certificate. This way, you basically first open up a non-PFS connection and hand out a PFS connection inside it, then switch to that. The PFS attacks currently all seem to require being able to MITM it, which is not possible if the server key was not handed out yet (I’d expect people to change it after handing out the old one).

This would also allow servers to send a few extra random bytes to the client, securely, which they (especially mobile devices with only flash storage) can then use to mix into their own entropy pool in a safe way “if they want to” (or just ignore them), as an added benefit.

tl;dr: without a protocol change, clients *are* going to accept custom DH groups, so the recommendation to use custom ones currently is not bad. It may not be “good” (for 2048+-bit groups), but it doesn’t add more harm.

bye,
//mirabilos
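The post's first point is that clients already accept whatever DH group a server sends. A client in that position can at least refuse groups that are too small, whose modulus is not prime or not a safe prime, and peer public values that sit in the trivial subgroups. The following is an added example written for this page, not code from the thread or from the linked paper; the 2048-bit default threshold and the accept/reject policy are assumptions, and the small moduli used in the demo (2039, 2029, 2047) are constructed test values, not groups anyone ships.

```python
"""Sanity-check a server-supplied Diffie-Hellman group before using it.

Added example for this thread, not code from the original post.
Policy (an assumption for illustration): accept only a safe prime
modulus of at least MIN_BITS bits, a generator outside the trivial
order-1 / order-2 elements, and a peer public value in the same range.
This does not address the precomputation concern raised in the thread;
it only rejects groups that are obviously unusable.
"""

MIN_BITS = 2048  # assumed minimum; small test values override it below

# Odd primes below 200 for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 200, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, otherwise a
# strong probabilistic test (12 rounds), which is fine for a sanity check.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Trial division by small primes, then Miller-Rabin with MR_BASES."""
    if n < 4:
        return n >= 2
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n-1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime if both p and q = (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_dh_group(p: int, g: int, min_bits: int = MIN_BITS):
    """Return (ok, reason) for a server-chosen group (p, g)."""
    if p.bit_length() < min_bits:
        return False, f"modulus is {p.bit_length()} bits, need >= {min_bits}"
    if not is_probable_prime(p):
        return False, "modulus is not prime"
    if not is_probable_prime((p - 1) // 2):
        return False, "modulus is prime but not a safe prime"
    # For a safe prime the only elements of order 1 or 2 are 1 and p-1,
    # so a range check is enough to exclude the trivial subgroups.
    if not 2 <= g <= p - 2:
        return False, "generator is 0, 1, p-1 or out of range"
    return True, "ok"


def validate_peer_public(p: int, y: int):
    """Reject degenerate public values that force a known shared secret."""
    if not 2 <= y <= p - 2:
        return False, "peer public value is degenerate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values: 2039 = 2*1019 + 1 is a safe prime,
    # 2029 is prime but (2029-1)/2 is even, 2047 = 23*89 is composite.
    for p, g in ((2039, 2), (2029, 2), (2047, 2), (2039, 2038)):
        print(p, g, validate_dh_group(p, g, min_bits=8))
    print("2039 at the real threshold:", validate_dh_group(2039, 2))
    for y in (1, 1234, 2038):
        print("peer value", y, validate_peer_public(2039, y))
```

The `min_bits` argument is only lowered for the tiny demo moduli; a real client would keep the default and additionally compare the group against whatever policy it has for known-good parameters.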

