-
-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should ecdh-sha2-nistp256,384,521 be categorized as a failure? #213
Comments
@BareqAZ: I actually did an in-depth research project on this topic a few years back. I really should publish it in a more legible format (currently you can find some presentation slides around on talks I gave, but they're not so easy to follow). The short version is that some people (myself included) see a lot of suspicious things around the NIST P-curves. Furthermore, there are other good community-made alternatives such as X25519 and X448, which also benefit from more rigorous testing (as academic knowledge has grown significantly since the late 1990's as to what properties good curves should have). Disabling the P-curves does not impact compatibility whatsoever, as all modern SSH clients support X25519. In fact, OpenSSH's default key exchange has been X25519 since 2014. Given the strong suspicions, as well as the fact that more modern alternatives are already well-supported says (to me, anyway) that its time for the world to move on from the NIST P-curves. |
@jtesta digging into this now, I believe I found one of the talks you mentioned. It had a lot of valuable information, so I'm sharing the link here in case anyone else is interested: https://youtu.be/wcwILMlZDpE I agree with the points discussed. Initially, I thought that if we label it as a "warning," it would mean we're simply alerting the user about the possibility of a backdoor, without automatically causing the test to fail. This approach would allow the user to make their own decision on how to proceed with this information. This is important because many regulated industries need to adhere to FIPS and NIST standards thus a lot of them are still using these algorithms by default so this failure will come as a surprise without much context. |
i would suggest a |
Here is the talk How to manipulate standards by Daniel J. Bernstein: https://www.youtube.com/watch?v=Cj3PN5-n108 |
Seconding @ecki, I think there should be a |
Currently, the algorithms ecdh-sha2-nistp256, 384, and 521 are categorized as "fail" due to concerns that they may have been compromised by the NSA. This suspicion arises from the fact that the NSA has not disclosed how they determined the constants used in these elliptical curves. However, it's important to note that this is merely a suspicion and hasn't been proven.
These algorithms are widely used in large enterprises because the plain Diffie-Hellman algorithms are vulnerable to denial-of-service (DoS) attacks (CVE-2002-20001, CVE-2022-40735). This limits the choice of Key Exchange (KEX) algorithms.
Given that this is only a suspicion and not a confirmed fact, it might be more appropriate to classify these algorithms as a "warning" rather than categorizing them as outright failures. What are your thoughts on this?
The text was updated successfully, but these errors were encountered: