Re: Do we really want to have the legacy provider as opt-in only?

2019-07-19 Thread Benjamin Kaduk
On Mon, Jul 15, 2019 at 02:19:22PM +0100, Matt Caswell wrote:
> 
> 
> On 15/07/2019 13:58, Tomas Mraz wrote:
> 
> > 
> > I understand that for the current digest algos implemented in the
> > legacy provider the problem might not be as pressing as these
> > algorithms are not widely used however which other algorithms are going
> > to be moved into the legacy provider?
> 
> My guess is that the ones likely to give us the most problems would be DES, DSA
> and RC4

To add a bit of anecdata, Debian and Fedora are removing DES support from
(MIT) krb5.  So far all we've seen as bug reports are that the kernel may
still have that enctype in its list to use for NFS (as well as other,
still-useful, ones), and so we need to ignore it instead of bailing.
But given that it provides only ca. $20 of protection, it's not especially
surprising that we aren't seeing much using it.

On the other hand, krb5 is not going around and disabling RC4, even though
RFC 8429 is a thing.

-Ben


Re: Do we really want to have the legacy provider as opt-in only?

2019-07-19 Thread Benjamin Kaduk
On Tue, Jul 16, 2019 at 03:06:28PM -0400, Viktor Dukhovni wrote:
> On Mon, Jul 15, 2019 at 02:27:44PM +, Salz, Rich wrote:
> 
> > >>DSA
> > > 
> > > What is the cryptographic weakness of DSA that you are avoiding?
> > 
> > It's a good question. I don't recall the specific reason why that was added to
> > the list. Perhaps others can comment.
> > 
> > The only weakness I know about is that if you re-use the nonce, the private
> > key is leaked. It's more brittle than RSA-PKCS, but not as flawed as RC4.
> > 
> > I think this should be removed from the "legacy" list unless someone can 
> > point out why it's like the others in the list.
> 
[...]
> 4.  As mentioned key disclosure is more likely than with RSA.

Huh, and it looks like we don't even implement deterministic DSA (RFC
6979) which is a partial mitigation.

-Ben
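The mitigation Ben refers to, RFC 6979 deterministic nonce generation, derives k from the private key and the message hash with HMAC-DRBG, so the same (key, message) pair always yields the same k and two different messages never share one by accident. The block below is an added illustration, not code from the thread or from OpenSSL; the 256-bit prime used as q is the P-256 group order from the RFC's test vectors, standing in for a DSA subgroup order, and the private key value is a constructed sample.

```python
import hashlib
import hmac

# Constructed sample inputs: a 256-bit prime q (the P-256 order, used here
# only as a realistic subgroup order) and an arbitrary private key x < q.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X = 0x1D2B8F7A4C6E09356FA1C8B3D4E5F6071829ABCDEF0123456789ABCDEF012345

def _bits2int(b: bytes, qlen: int) -> int:
    # Keep the leftmost qlen bits (RFC 6979 2.3.2); shorter input is unchanged.
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v

def _int2octets(v: int, rlen: int) -> bytes:
    return v.to_bytes(rlen, "big")

def _bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    # bits2int followed by reduction mod q (RFC 6979 2.3.4).
    return _int2octets(_bits2int(b, qlen) % q, rlen)

def rfc6979_nonce(x: int, q: int, msg: bytes, hashfn=hashlib.sha256) -> int:
    """Return the deterministic DSA/ECDSA nonce k per RFC 6979 section 3.2."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfn(msg).digest()
    seed = _int2octets(x, rlen) + _bits2octets(h1, q, qlen, rlen)
    V = b"\x01" * len(h1)
    K = b"\x00" * len(h1)
    # HMAC-DRBG instantiate: the private key and message hash seed the state,
    # so k depends on nothing a faulty RNG could repeat or bias.
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: ratchet the DRBG and try again.
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()
```

RFC 6979 appendix A.2 lists known-answer vectors for both DSA and ECDSA against which this derivation can be checked.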