Strengthening Diffie-Hellman in SSH and TLS

Conjecture on cracked primes for the Diffie-Hellman asymmetric algorithm is in recent news, suggesting that several nations have broken primes in common use and can read all traffic:

http://www.theregister.co.uk/2015/10/19/nsa_crypto_breaking_theory/

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

To protect ssh, edit the file /etc/ssh/moduli and comment lines where the 5th field is less than 2047:


#    $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
#20120821044040 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A770E2EC9F
…
#20120821044502 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96361507
…
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
 

To protect TLS for HTTPS, compute your own Diffie-Hellman primes like so:


[root@host ~]# openssl dhparam -out foo 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................................................................................................................................................................................................................................................+..................................................................+..............................................................................................................................................................+................+.................................................................................................................................................................+......................................................................................+..................................................+...................+................................................+....+.........................+...............................................................................................................................................................................................................................................................+...........................................................................+.....................................................................................................................................................+.....+................................................................................................................+..++*++*
[root@limsprd ~]# cat foo
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAnRcLNdZeit18uYSAtEeumAOKIlAvkH5XLVw3V+jbltAjH09RJa8i
n+8bZlLGO7Rg01Exlf3FqMyK5uJTE3FkkCD2Xmv/UR+YS2c4XjzBfxELVC1C8V0J
fvgge4plUX04gG1AN3uwsLp6DgC4Ee06hEuKG6Nh6YX5tHawmPwsRqPM7GRjD4Rc
GYUJCWxh6lKuf63rHUwBH8i44FrQtJHL4lbbqxqQM1K3c2R/g+EcPoTd2VLxlT8y
gbN2rKsSi6/VggOSZ9f8DHNJB5lpuZgd6k7VymCAvc+mtFWVpBvSOWxaT7Wo5wLe
ID3exEDZl/DTDuijs/Tc0zPtoyC7vOPxawIBAg==
-----END DH PARAMETERS-----
 

Then add the BEGIN/END block above immediately after the “END CERTIFICATE” statement for your public key.

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.

Load Disqus comments