Bug#750094: Misleading warning
On Wed, Jun 4, 2014 at 5:50 PM, Daniel Kahn Gillmor wrote: > On 06/04/2014 03:30 AM, Nikos Mavrogiannopoulos wrote: >> I agree with your points. In fact the current warning was setup to >> cover (0). There could be another warning for (1), but gnutls-cli >> prints the size of the prime anyway if DHE is negotiated so I'm not >> sure how much another warning would help. > I was thinking it'd be useful in that a warning is distinct from a > routine printout. people with their own sense of what a threshhold > should be can work from the routine information; but if we're providing > a distinct warning, it would be for people who aren't making those kinds > of decisions explicitly. That got pretty low on my todo list, if there is any patch on that I'll review it, but not planning in adding it myself. > yeah, choosing a threshhold is hard, and probably would need to change > over time, but at the moment, we have some concrete recommendations we > can use. > For example, ECRYPT II's 2011-2012 report suggests on page 30 that > defense against just small/medium organizations to preserve > confidentiality for a few months should be around 70 bits > (symmetric-equivalent), which means a DLOG group a bit below 1024 bits. > We could even use the ECRYPT language in the warning. I've now tied the warning to the security levels we have (and specifically the very weak one). regards, Nikos -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#750094: Misleading warning
Hi Daniel, nice to meet you. >> |<1>| Note that the security level of the Diffie-Hellman key exchange >> has been lowered to 256 bits and this may allow decryption of the >> session data > 0) a warning that the configuration has lowered the DH key exchange > strength and may cause weakness (what we're seeing here) -- Juliusz, can > you propose an alternate text for this warning? Note that the current configuration of either gnutls or your client software allows Diffie-Hellman key exchange to succeed with as little as 256 bits, which is not enough to guarantee a reasonable level of security. Please reconfigure gnutls or your client software with a more reasonable value (at least 1024, preferably 2048 or more). Please tweak the values at will, I'm not a crypto specialist. > 1) a warning in the _gnutls_audit_log when the dh bits is *actually* > lower than whatever cutoff we deem to be absurdly unacceptable. Yes, that would be helpful. > I worry a little bit about either warning, mainly because it seems to > imply that anything higher than 512 bits *won't* allow decryption of the > session data, which probably isn't the case for, say, a 513-bit group :P Very true, hence the "at least 1024, prerefably 2048 or more" in the suggested message above. -- Juliusz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#750094: Misleading warning
On 06/04/2014 03:30 AM, Nikos Mavrogiannopoulos wrote: > I agree with your points. In fact the current warning was setup to > cover (0). There could be another warning for (1), but gnutls-cli > prints the size of the prime anyway if DHE is negotiated so I'm not > sure how much another warning would help. I was thinking it'd be useful in that a warning is distinct from a routine printout. people with their own sense of what a threshhold should be can work from the routine information; but if we're providing a distinct warning, it would be for people who aren't making those kinds of decisions explicitly. > I've put that warning once I saw people arguing in various fora to set > dh-bits less than 256 bits in order to improve compatibility. Indeed > 513 is not much more secure, and the warning could be changed to less > than 700 or so. yeah, choosing a threshhold is hard, and probably would need to change over time, but at the moment, we have some concrete recommendations we can use. For example, ECRYPT II's 2011-2012 report suggests on page 30 that defense against just small/medium organizations to preserve confidentiality for a few months should be around 70 bits (symmetric-equivalent), which means a DLOG group a bit below 1024 bits. We could even use the ECRYPT language in the warning. --dkg signature.asc Description: OpenPGP digital signature
Bug#750094: Misleading warning
On Tue, Jun 3, 2014 at 12:33 AM, Daniel Kahn Gillmor wrote: > over on https://bugs.debian.org/750094, >> This warning is printed before any TLS negotiation happens, so it does not >> reflect the parameters that were actually negotiated. The wording should >> be changed in order to make it clear that the actual negotiated parameters >> might be different. > this can be replicated without the --starttls or -p 80, just with: > gnutls-cli --dh-bits 256 www.debian.org > the warning happens before the TLS handshake happens. > I'm forwarding this to the gnutls-devel mailing list. > It seems to me there could be two different kinds of warnings: > 0) a warning that the configuration has lowered the DH key exchange > strength and may cause weakness (what we're seeing here) -- Juliusz, can > you propose an alternate text for this warning? > 1) a warning in the _gnutls_audit_log when the dh bits is *actually* > lower than whatever cutoff we deem to be absurdly unacceptable. I agree with your points. In fact the current warning was setup to cover (0). There could be another warning for (1), but gnutls-cli prints the size of the prime anyway if DHE is negotiated so I'm not sure how much another warning would help. > I worry a little bit about either warning, mainly because it seems to > imply that anything higher than 512 bits *won't* allow decryption of the > session data, which probably isn't the case for, say, a 513-bit group :P > Nikos, any thoughts on what makes sense to do here? I've put that warning once I saw people arguing in various fora to set dh-bits less than 256 bits in order to improve compatibility. Indeed 513 is not much more secure, and the warning could be changed to less than 700 or so. regards, Nikos -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#750094: Misleading warning
over on https://bugs.debian.org/750094, On 06/01/2014 10:01 AM, Juliusz Chroboczek wrote: > Package: gnutls-bin > Version: 3.2.14-1 > > Try the following: > > gnutls-cli --dh-bits 256 --starttls -p 80 www.debian.org > > It prints the following warning: > > |<1>| Note that the security level of the Diffie-Hellman key exchange > has been lowered to 256 bits and this may allow decryption of the > session data > > This warning is printed before any TLS negotiation happens, so it does not > reflect the parameters that were actually negotiated. The wording should > be changed in order to make it clear that the actual negotiated parameters > might be different. this can be replicated without the --starttls or -p 80, just with: gnutls-cli --dh-bits 256 www.debian.org the warning happens before the TLS handshake happens. I'm forwarding this to the gnutls-devel mailing list. It seems to me there could be two different kinds of warnings: 0) a warning that the configuration has lowered the DH key exchange strength and may cause weakness (what we're seeing here) -- Juliusz, can you propose an alternate text for this warning? 1) a warning in the _gnutls_audit_log when the dh bits is *actually* lower than whatever cutoff we deem to be absurdly unacceptable. I worry a little bit about either warning, mainly because it seems to imply that anything higher than 512 bits *won't* allow decryption of the session data, which probably isn't the case for, say, a 513-bit group :P Nikos, any thoughts on what makes sense to do here? --dkg signature.asc Description: OpenPGP digital signature
Bug#750094: Misleading warning
Package: gnutls-bin Version: 3.2.14-1 Try the following: gnutls-cli --dh-bits 256 --starttls -p 80 www.debian.org It prints the following warning: |<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 256 bits and this may allow decryption of the session data This warning is printed before any TLS negotiation happens, so it does not reflect the parameters that were actually negotiated. The wording should be changed in order to make it clear that the actual negotiated parameters might be different. -- Juliusz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org