Announcement

Collapse
No announcement yet.

1024 bit Diffie-Hellman key exchanges may be compromised.

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    [ENCRYPTION] 1024 bit Diffie-Hellman key exchanges may be compromised.

    Read this article:

    http://arstechnica.com/security/2016...f-crypto-keys/

    The use of 1024 bit prime number keys in Diffie-Hellman key exchanges can be compromised, making solving the key pair much easier.

    The problem, explained in the article, is that only a few actual prime numbers used and these can be compromised by having an embedded "trapdoor".

    If your software or your bank's software for instance, uses the 1024 bit keys, it may be breakable.

    Even Apache Servers use a limited set of 1024 bit primes for generating security keys.

    Watch for this to change, hopefully in the very near future. A move to 2048 bit keys is suggested in the article.
    Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    Thanks for the heads up!

    The Diffi-Hellman problem reminds me of a similar problem ten years ago when a flaw in Debian's random number generator allowed hackers to guess RSA keys within hours. That hole was patched but a big problem remains with the entropy of RSA keys (I don't know how this plays out with D-H keys). When I first started using Linux in 1998 and created crypto keys one thing the process required me to do was to type on the keyboard and/or move the mouse around until the generation was complete. This was, supposedly, to generate more entropy for the key to use.

    Because of the fall of the 128b, 256 and 512b RSA keys, and the US government going anti-Constitution, I made a New Year's resolution to use 4096 bytes from now on, and that's is what my current RSA key is, along with a LONG password.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    Comment


      #3
      It's sad when the key is longer than the message it protects...

      Reading the article, I caught a hint that Apache may be moving to 2048 or 4096 bit keys too.

      "Yes, your Honor, I do encrypt my grocery list. It represents a major part of my income, so I do consider it worth protecting."

      And let's not get started on Yahoo email's FUBAR'd security. Why bother encrypting if they give away the key to the barn?
      Last edited by TWPonKubuntu; Oct 11, 2016, 04:06 PM. Reason: Additional thoughts...
      Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

      Comment


        #4
        Yup. Almost .... almost .... using crypto is almost a waste of time. It will be, or already is, if the government's D-Wave2 quantum computer is working on them now, as I suspect it is.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.

        Comment


          #5
          I suspect we're going to see a lot more one-time and blind key cyphers being used.

          "The blue whale flies by moonlight"
          Chapter 4, Page 9, third paragraph. 16x16 matrix.

          Just to advise on Thanksgiving vacation plans...
          Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

          Comment


            #6
            A) I read an op-ed piece, can't lay it to hand, about that there needs to be a COMPLETE rethinking of encryption...basically WITHIN the data stream.

            B) My bank requires:

            a) a HUGE alphanumeric password
            b) a "random time" asking of a verification question.
            c) selecting a PICTURE, out of multiple pictures, that I earlier picked, by clicking on the correct picture.

            Of all of that I, personally, consider that the ONLY valid "verification" is the choice of the picture.

            EVERY SINGLE TIME THAT a person uses a PHONE.........to access ANYthing that has to do with ANYthing that is "financial"

            The person should be asked to "pick a picture" that is the verification picture from a THREE by THREE grid....and within twenty seconds.

            And.........if the correct picture is not picked by the SECOND time, the site disconnects.

            And........too bad.........too sad............. but you are going to have to either pick out the correct picture in an hour......... or...........CALL AND BE ON THE NET AT THE SAME TIME WITH GPS on the phone and the person ALLOWS the GPS.


            NOTE 1:

            TWP commented on....

            Sherlock Holmes..... dancing men....but he discussed the thing about "blind key" that one has to have a copy of War and Piece to hand and then find the correct page and the correct lines and every third letter...

            "The blue whale flies by moonlight"
            Chapter 4, Page 9, third paragraph. 16x16 matrix.
            ummmm BRAVO TWP!!

            Note 2: WHAT ABOUT BLIND PEOPLE............

            THIS IS SO EASY IT IS NOT EVEN FUNNY IT IS laughable...

            All cell phones will "vibrate"..............the vibration can be assigned to a number set.

            The Blind person merely speaks the vibratory number set of the chosen picture, which can be picked AT RANDOM, by the blind person......

            Pick the picture that is in the second line number three and send me the vibration for that picture...

            buzz, blank, buzz, buzz, blank, whatever.

            The computing power is so exponentially large compared to what is needed to interact in THIS SMALL SET..... by vibration is........LAUGHABLE...

            The ONLY REASON that "banks" don't do this is because they think WITH REASON, that people are so DAM# lazy that if it required more than swiping left right that people will change banks....and...they are somewhat correct......they can PAY OFF all thefts and STILL make money.!!



            woodjustmyesperienceininternetsecuritysmoke
            Last edited by woodsmoke; Oct 11, 2016, 07:08 PM.

            Comment


              #7
              Woodsmoke, was it this one?:

              Apache Milagro: A New Security System for the Future of the Web
              http://lxer.com/module/newswire/ext_link.php?rid=234788
              Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

              Comment


                #8
                I see a fly in this ointment, the fact that three letter agencies will be looking more closely at encrypted messages.

                This paranoid wonders if this will get the encryptor (sp?) added to lists that one does not want to be a member of...

                Yes there is some protection in shear numbers, if everyone and his dog is using encryption (a good idea) then one becomes less visible. Flying below the radar and staying inside the flock are apt phrases here.
                Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

                Comment


                  #9
                  Well TWP...

                  Bravo!! THAT is one of the MANY reasons that you are a really kewl "Linux" person and that I'm just an old hardware kinda guy! :

                  woodthanksTWPsmoke

                  Comment


                    #10
                    Kewl!
                    Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

                    Comment


                      #11
                      Disable 1024-bit Diffie-Hellman primes
                      As the OP reported, following recent research it is likely that the NSA has been breaking 1024-bit Diffie-Hellman for some time now. To disable these switch the following settings to false in about:config:

                      security.ssl3.dhe_rsa_aes_128_sha
                      security.ssl3.dhe_rsa_aes_256_sha

                      Then consider checking your SSL configuration at https://www.howsmyssl.com
                      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                      – John F. Kennedy, February 26, 1962.

                      Comment


                        #12
                        GreyGeek, Thank you for the info.
                        Kubuntu 24.11 64bit under Kernel 6.11.7, Hp Pavilion, 6MB ram. Stay away from all things Google...

                        Comment

                        Working...
                        X