https://eprint.iacr.org/2016/995.pdf
Several recent standards, including NIST SP 800- 56A and RFC
5114, advocate the use of “DSA” parameters for Diffie-Hellman
key exchange. While it is possible to use such parameters
securely, additional validation checks are necessary to
prevent well-known and potentially devastating attacks. In this
paper, we observe that many Diffie-Hellman implementations do
not properly validate key exchange inputs. Combined with other
protocol properties and implementation choices, this can radically
decrease security. We measure the prevalence of these parameter
choices in the wild for HTTPS, POP3S, SMTP with STARTTLS,
SSH, IKEv1, and IKEv2, finding millions of hosts using
DSA and other non-“safe” primes for Diffie-Hellman
key exchange, many of them in combination with potentially
vulnerable behaviors. We examine over 20 open-source cryptographic
libraries and applications and observe that until January 2016,
not a single one validated subgroup orders by default.
This paper also actually understood the difficulties of IKE scanning!
And kudos to the authors for looking into so much deployment and open
source software!
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
