Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should ecdh-sha2-nistp256,384,521 be categorized as a failure? #213

Open
BareqAZ opened this issue Oct 19, 2023 · 5 comments
Open

Should ecdh-sha2-nistp256,384,521 be categorized as a failure? #213

BareqAZ opened this issue Oct 19, 2023 · 5 comments

Comments

@BareqAZ
Copy link
Contributor

BareqAZ commented Oct 19, 2023

Currently, the algorithms ecdh-sha2-nistp256, 384, and 521 are categorized as "fail" due to concerns that they may have been compromised by the NSA. This suspicion arises from the fact that the NSA has not disclosed how they determined the constants used in these elliptical curves. However, it's important to note that this is merely a suspicion and hasn't been proven.

These algorithms are widely used in large enterprises because the plain Diffie-Hellman algorithms are vulnerable to denial-of-service (DoS) attacks (CVE-2002-20001, CVE-2022-40735). This limits the choice of Key Exchange (KEX) algorithms.

Given that this is only a suspicion and not a confirmed fact, it might be more appropriate to classify these algorithms as a "warning" rather than categorizing them as outright failures. What are your thoughts on this?

@jtesta
Copy link
Owner

jtesta commented Oct 22, 2023

@BareqAZ: I actually did an in-depth research project on this topic a few years back. I really should publish it in a more legible format (currently you can find some presentation slides around on talks I gave, but they're not so easy to follow). The short version is that some people (myself included) see a lot of suspicious things around the NIST P-curves. Furthermore, there are other good community-made alternatives such as X25519 and X448, which also benefit from more rigorous testing (as academic knowledge has grown significantly since the late 1990's as to what properties good curves should have).

Disabling the P-curves does not impact compatibility whatsoever, as all modern SSH clients support X25519. In fact, OpenSSH's default key exchange has been X25519 since 2014.

Given the strong suspicions, as well as the fact that more modern alternatives are already well-supported says (to me, anyway) that its time for the world to move on from the NIST P-curves.

@BareqAZ
Copy link
Contributor Author

BareqAZ commented Oct 23, 2023

@jtesta digging into this now, I believe I found one of the talks you mentioned. It had a lot of valuable information, so I'm sharing the link here in case anyone else is interested: https://youtu.be/wcwILMlZDpE

I agree with the points discussed. Initially, I thought that if we label it as a "warning," it would mean we're simply alerting the user about the possibility of a backdoor, without automatically causing the test to fail. This approach would allow the user to make their own decision on how to proceed with this information. This is important because many regulated industries need to adhere to FIPS and NIST standards thus a lot of them are still using these algorithms by default so this failure will come as a surprise without much context.

@ecki
Copy link

ecki commented Dec 23, 2023

i would suggest a --haha-i-trust-nsa option, because in some context NIST curves are required and it is easier to skim results if they are clean of politics. you can still add a note "You explicitely trust the NIST curves, I will therefore not fail the audit for..." at the end.

@bbaassssiiee
Copy link

bbaassssiiee commented Jan 8, 2024

@jtesta digging into this now, I believe I found one of the talks you mentioned. It had a lot of valuable information, so I'm sharing the link here in case anyone else is interested: https://youtu.be/wcwILMlZDpE

Here is the talk How to manipulate standards by Daniel J. Bernstein: https://www.youtube.com/watch?v=Cj3PN5-n108
"Random numbers don't start with BADA55EC" (Bad Ass E.C.)

@sudo-nano
Copy link

Seconding @ecki, I think there should be a --trust-nsa option or similar for situations where NIST curves are required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants