Tuesday, November 28, 2017

Diffie-Hellman groups to avoid

Some vendors have put out documentation suggesting we avoid DH groups 1/2/5 (the MODP groups whose prime modulus is shorter than 2048 bits).

I just watched this video on how DH key exchange works: https://www.youtube.com/watch?v=3QnD2c4Xovk&feature=player_embedded

Now I know how to mix red and blue to get blargh and stupid Eve can't see how I did it.

So where do we go from here? Is the problem that the prime numbers in groups 1/2/5 are too short, and people have created something like a rainbow table of them?

How serious a problem is this? Are these tables easily mathematically computed, or are they publicly shared on the Dark Web? Is this real life?
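As an added illustration (not part of the original post), here is a toy Diffie-Hellman exchange in Python over a fixed small safe prime, with the eavesdropper's one-time, per-group precomputation alongside it. The parameters are constructed for speed; real IKE group 2 uses a fixed 1024-bit prime (RFC 2409) and group 14 a 2048-bit one (RFC 3526). The baby-step giant-step table stands in for the number-field-sieve precomputation of the 2015 Logjam research (BSGS does not scale to 1024-bit primes, so it is a stand-in for the cost structure, not the real method): pay once for the group that every deployment shares, then each later session costs only a cheap per-session step. That is closer to "precomputation against one fixed prime" than to a rainbow table of keys.

```python
"""Toy Diffie-Hellman over a fixed small safe prime, plus the eavesdropper's
one-time per-group precomputation that makes every later session cheap to break.
Example code added for illustration; parameters are constructed, not a real group."""
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 (q prime) with p >= start."""
    q = start // 2
    while True:
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1
        q += 1


def dh_keypair(p: int, g: int, q: int):
    """Private exponent in [1, q-1] and the public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dh_shared(their_pub: int, my_priv: int, p: int) -> int:
    return pow(their_pub, my_priv, p)


class Precomputation:
    """Eve's one-time table for a fixed (p, g): the baby steps of
    baby-step giant-step. Built once per group, reused for every session."""

    def __init__(self, p: int, g: int, q: int):
        self.p, self.g, self.q = p, g, q
        self.m = math.isqrt(q) + 1                     # m^2 >= q covers all exponents
        self.table = {pow(g, j, p): j for j in range(self.m)}
        self.giant = pow(g, q - self.m, p)             # g^(-m): g has order q

    def dlog(self, y: int):
        """Per-session step: return x in [0, q) with g^x == y mod p, or None."""
        for i in range(self.m):
            j = self.table.get(y)
            if j is not None:
                return i * self.m + j                  # y * g^(-im) == g^j
            y = y * self.giant % self.p
        return None


def demo(start: int = 2**28) -> bool:
    """Run one DH session and show Eve recovering the shared secret from the
    public values alone, using only the group precomputation."""
    p = find_safe_prime(start)
    q = (p - 1) // 2
    g = 4                  # 2^2: a non-identity element of the order-q subgroup
    eve = Precomputation(p, g, q)       # done once, before any session exists
    a, pub_a = dh_keypair(p, g, q)
    b, pub_b = dh_keypair(p, g, q)
    k_alice = dh_shared(pub_b, a, p)
    k_bob = dh_shared(pub_a, b, p)
    assert k_alice == k_bob
    a_recovered = eve.dlog(pub_a)       # cheap per-session descent
    k_eve = pow(pub_b, a_recovered, p)
    return k_eve == k_alice


if __name__ == "__main__":
    print("Eve recovered the shared secret:", demo())
```

Swapping the toy prime for a 1024-bit one would not change the shape of the code, only the cost of building the table, which is exactly where the real attack spends its one-off effort; the per-session part stays cheap, and a prime that every router on the internet shares only needs to be attacked once.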

I asked my Cisco SE and he said it is down to every organisation's security policy, but most of the people I work with don't have a security policy. And even if they did, they aren't technically competent enough to judge the risk of running DH 2 vs NG encryption.

All I keep telling people is that bigger is better and we always install the best encryption available at the time, but things change. VPN tunnels stay up at 3DES for years and years, and they get forgotten because they are working fine.

Am I being overly paranoid?
