Minimum Diffie-Hellman (DH) group size

RESOLVED DUPLICATE of bug 1138554

Status

NSS
Libraries
--
major
RESOLVED DUPLICATE of bug 1138554
3 years ago
3 years ago

People

(Reporter: mancha, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8608073 [details] [diff] [review]
Increase DHE minimum group size

Hello.

Adrian et al. recently published a paper [1] describing new TLS attacks that leverage their ability to easily compute arbitrary discrete logs in 512-bit groups. Proof-of-concept demonstrations are provided in [2].

Mozilla should consider raising the minimum DHE group size from 512 to at least 1024 bits (suggested patch is attached).

Note: because of the way NSS currently handles bits vs. bytes when computing sizes, checking dh_p.len < 512/8 effectively allows DH group sizes 505 bits and greater (505 bits requires 64 bytes).

Similarly, after applying my patch, NSS will effectively allow DH groups 1017 bits and greater (1017 bits requires 128 bytes).

A separate bug should be opened to fix the handling of leading zero bits in length calculations.

PS It is my understanding Google Chrome will also be rejecting DH group sizes smaller than 1024 bits.

----
[1] https://weakdh.org/imperfect-forward-secrecy.pdf
[2] https://weakdh.org/logjam.html
(Reporter)

Comment 1

3 years ago
Though 1024 bit minimums for DHE groups is considerably better than NSS's current 512 bit minimum, it's important to realize the change is not particularly forward-looking.

NIST's approximate security equivalencies provides a bit of context:

DH Group     Symmetric Sec.
Size (bits)  Strength (bits)

1024              80
2048             112
3072             128

Maybe a better approach than hard-coded minimums is a pref tunable (i.e. security.tls.dhe.min.bits).

Ideally, the ecosystem will prioritize convergence towards more secure key agreement mechanisms (e.g. finite field DH with 3072+ bit groups or EC DH with secure curves over large fields).

Mozilla can play a key leadership role in shepherding this process.

Comment 2

3 years ago
Since DHE group size security roughly correlates to the same in RSA, NSS et al. probably should have been moved to 1024 bits as a minimum some time ago; it won't be long until 1024-bit RSA gets the axe as well.

As a reference site, note that you can use the badssl.com website to test weak DHE group errors:

https://dh480.badssl.com/  (currently does generate an error)
https://dh512.badssl.com/  (does not generate an error)

Given that the low water mark will likely be moving very soon, I will look into creating a dh1024 site sometime in the next day or so.  The error for a weak ephemeral key (like many of the crypto errors in FF) is pretty opaque; if we're going to start running into a lot more errors with the killing of 512-bit DHE, we should probably also clean up that error page.
Summary: Minimum DH group size (logjam) → Minimum Diffie-Hellman (DH) group size (logjam)

Comment 3

3 years ago
Also, Chromium is set to have this change in (at least) Chrome 45, but it may get backported to earlier versions:

https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/WyGIpevBV1s

They've also already disabled TLS False-Start when DH is used.

Updated

3 years ago
Alias: LogJam
Summary: Minimum Diffie-Hellman (DH) group size (logjam) → Minimum Diffie-Hellman (DH) group size
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1138554
(Reporter)

Comment 5

3 years ago
I'm unable to track bug 1138554. Can someone please add me to the bug or change the bug's perms?

Thanks!
Logjam is already public. Is it necessary to hide bug 1138554 anymore?

Comment 7

3 years ago
It's public now.
Alias: LogJam
You need to log in before you can comment on or make changes to this bug.