SSL and hardcoded DH prime


SSL and hardcoded DH prime

Alexander Petrovsky-2
Hello!

We have stumbled upon the default DH prime (2048 bits) in Erlang when we try to establish a TLS session with a Cisco SPA303 (VoIP hardphone) via the TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately, this hardphone can work only with a 1024-bit DH prime.

In my synthetic tests, new DH prime generation is fast enough (crypto:strong_rand_bytes(256)), about 17 us at the 99th percentile over 1000000 iterations.

Why has Ingela hardcoded this DH prime, and is there any reason why I shouldn't generate the DH prime in real time?

--
Петровский Александр / Alexander Petrovsky,

Skype: askjuise
Phone: +7 931 9877991


_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: SSL and hardcoded DH prime

Ingela Andin
Hi!

It is only the default value that is hard coded (a recommended value); you may configure your own parameters with the dh or dhfile option.

Regards Ingela


Re: SSL and hardcoded DH prime

Alexander Petrovsky-2
Yeah, Ingela, thanks! I know about the default value and the dh and dhfile options. The main question: is there any reason not to generate the DH prime in real time?


Re: SSL and hardcoded DH prime

Paul Peregud-2
It's a long-ish process. But you can run it during installation or first run.

$ time openssl dhparam -out dhparam.pem 2048
...
real    0m3,623s
user    0m3,612s
sys    0m0,000s




--
Best regards,
Paul Peregud
+48602112091


SSL and hardcoded DH prime

Alexander Petrovsky-2
No, I can use the dh option in Erlang and generate the DH prime and DH generator in DER format. It's very fast.


Re: SSL and hardcoded DH prime

Frank Muller
How? Show us please!!!


Re: SSL and hardcoded DH prime

Alexander Petrovsky-2
From the official ssl doc:

{dh, public_key:der_encoded()}

The DER-encoded Diffie-Hellman parameters. If specified, it overrides option dhfile.



Re: SSL and hardcoded DH prime

Frank Muller
It’s not about that. Generating a 2048 DH can take a long time. And you said it’s fast and you want to make it real time. 


Re: SSL and hardcoded DH prime

Alexander Petrovsky-2
Oh, shame on me, I forgot that it's not a random number, it's a random prime, so you are absolutely right, it's not so fast. Thanks.

Re: SSL and hardcoded DH prime

Frank Muller
No problem, thanks!



Re: SSL and hardcoded DH prime

Hans Nilsson R (AL/EAB)
In reply to this post by Alexander Petrovsky-2
Hi!

You can't just grab any prime and use it in DH.  Any prime will work, but very
few primes are safe to use.  And to find a safe prime is a slow process...

Only one out of 400000 1024-bits primes are safe according to

 https://security.stackexchange.com/questions/5263/where-do-i-get-prime-numbers-for-diffie-hellman-can-i-use-them-twice

/Hans

On 08/23/2018 04:57 PM, Alexander Petrovsky wrote:

> Hello!
>
> We have stumbled upon the default DH prime (2048 bits) in Erlang when we try to
> establish a TLS session with a Cisco SPA303 (VoIP hardphone)
> via the TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. Unfortunately,
> this hardphone can work only with a 1024-bit DH prime.
>
> I wonder why Ingela hardcoded this DH prime -
> https://github.com/erlang/otp/commit/3458af579af6600870c5ada69b81085f47e9f52b
>
> In my synthetic tests, new DH prime generation is fast enough
> (crypto:strong_rand_bytes(256)), about 17 us at the 99th percentile over 1000000
> iterations.
>
> Why has Ingela hardcoded this DH prime, and is there any reason why I shouldn't
> generate the DH prime in real time?

Re: SSL and hardcoded DH prime

Alexander Petrovsky-2
Oh, thanks, I didn't know about that, it's very helpful.


Re: SSL and hardcoded DH prime

Hans Nilsson R (AL/EAB)
Check the ssh-keygen command with -G and -T

   https://man.openbsd.org/ssh-keygen#MODULI_GENERATION

or try the Erlang/OTP function public_key:dh_gex_group/4 which randomly selects a good prime from a pre-generated list of such:

1> public_key:dh_gex_group(1024, 1024, 1024, undefined).
{ok,{1023,
     {5,

137423569441246262992289626302405506810075372518201635033473127540045433614984773406065519964899878780586235832348933590594300290793347611716697640359482924853366011641117770719027755146909495326369377183195861495553717174988136205384838926110458474346294939275424613035724229598089601829380531182016066518343}}}
2> public_key:dh_gex_group(1024, 1024, 1024, undefined).
{ok,{1023,
     {2,

137423569441246262992289626302405506810075372518201635033473127540045433614984773406065519964899878780586235832348933590594300290793347611716697640359482924853366011641117770719027755146909495326369377183195861495553717174988136205384838926110458474346294939275424613035724229598089601829380531182016051761379}}}
3>

/Hans
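
An added example, not part of any post in this thread and not Erlang/OTP code: a Python check that decodes the DER DHParameter structure (SEQUENCE of prime and base) that the ssl dh option takes and reports whether the modulus is a safe prime of the required size, the property discussed above that raw random bytes do not have. All function names and sample values are constructed for illustration.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; a composite passes with chance <= 4**-rounds."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p is a safe prime when both p and (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def _der_len(n):
    if n < 0x80:
        return bytes([n])                          # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def _der_int(v):
    # bit_length // 8 + 1 adds a leading 0x00 only when the top bit is set
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dhparam(p, g):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }"""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos, tag):
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected or missing tag at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def decode_dhparam(der):
    seq, _ = _read_tlv(der, 0, 0x30)
    p_raw, pos = _read_tlv(seq, 0, 0x02)
    g_raw, _ = _read_tlv(seq, pos, 0x02)           # optional privateValueLength ignored
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def audit_dhparam(der, min_bits=2048):
    """Return a list of findings; an empty list means the parameters passed."""
    p, g = decode_dhparam(der)
    findings = []
    if p.bit_length() < min_bits:
        findings.append("prime is %d bits, below the required %d"
                        % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_safe_prime(p):
        findings.append("prime is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        findings.append("generator is outside 2..p-2")
    return findings

if __name__ == "__main__":
    # Constructed samples: toy 8-bit values so the result is easy to follow,
    # plus a 2048-bit odd number that is divisible by 3.
    samples = {"safe prime 227": (227, 2, 8),
               "plain prime 229": (229, 2, 8),
               "2**2047 + 1": (2**2047 + 1, 2, 2048)}
    for name, (p, g, bits) in samples.items():
        print(name, "->", audit_dhparam(encode_dhparam(p, g), bits) or "ok")
```
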
