IETF-SSH archive


Re: DH Group Exchange in SSH (RFC 4419) - Avoiding Backdoors



On Thu, 29 Sep 2016, Mark D. Baushke wrote:

> > NOBUS backdoors aren't the only concern; another motivation was
> > logjam-style precomputation attacks.
>
> Yes, the creation of a new set of DH parameters allows us to avoid
> logjam precomputation attacks against a well known set of DH groups.
>
> That said, with NOBUS, how is an SSH client able to identify improper
> ephemeral DH parameters that have been intentionally weakened?

I think there's little point - a peer that wants to leak has myriad
ways to do so. E.g. it could leak keys via nonces, random padding, DH
public values, optional packet padding, etc.

Leaking by backdooring DH groups is possibly the worst way to do it -
the only reason they can't be properly tested by a client is that it's
too expensive to do so at connection time. That doesn't mean that it
couldn't be done post-hoc or even passively, since the values are sent
in the clear (at least for the initial KEX).

That's not the case with the other leak paths. E.g. leaking a PRNG
seed by encrypting it with a public key and putting it in the KEXINIT
nonce is undetectable on the wire and NOBUS as far as you trust your PK
crypto.

-d
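The post-hoc check the reply above refers to, as an added example that is not code from this thread: given the (p, g) from a logged KEX_DH_GEX_GROUP reply and the min/max modulus sizes the client asked for, it verifies that p is a safe prime of the requested size and that g is not a trivial generator. The function names and the small sample primes in the demo are my own construction.

```python
# Post-hoc check of an RFC 4419 KEX_DH_GEX_GROUP reply (p, g); added example,
# not code from this thread.  Assumes the client logged the min/max sizes it
# requested and the (p, g) the server sent back.
import random

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin after a small-prime sieve (error rate below 4**-rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_gex_group(p: int, g: int, min_bits: int, max_bits: int) -> list:
    """Return the problems found; an empty list means the group looks sane."""
    problems = []
    bits = p.bit_length()
    if not min_bits <= bits <= max_bits:
        problems.append(f"modulus is {bits} bits, outside [{min_bits}, {max_bits}]")
    if not is_probable_prime(p):
        return problems + ["p is not prime"]
    if not is_probable_prime((p - 1) // 2):
        return problems + ["p is not a safe prime: (p-1)/2 is composite"]
    # With a safe prime every g in [2, p-2] has order q or 2q; only +-1 are useless.
    if not 2 <= g <= p - 2:
        problems.append("g is +-1, so the exchange lives in a trivial subgroup")
    return problems

if __name__ == "__main__":
    # Constructed sample: 1019 = 2*509 + 1 is a safe prime, 1021 is prime but not safe.
    for p in (1019, 1021, 1023):
        print(p, check_gex_group(p, 2, 8, 16))
```

Against a real capture you would pass the 1024..8192-bit bounds the client sent in KEX_DH_GEX_REQUEST; the safe-prime test on a 2048-bit modulus takes well under a second in pure Python.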


