[strongSwan] Fwd: Re: Forward Secrecy

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Dec 22 01:54:55 CET 2017



On 22.12.2017 01:12, Colony.three wrote:
> 
>> You can't do that. The DH groups for IKE are standardized.
>> "bot search will compromise VPNs in seconds"? What do you mean with "compromise" exactly?
> 
> I said what I mean or course, in the next sentence:  "/Most VPNs today are in fact decrypted real-time and stored in the NSA's giant facility in Utah, according to the Snowden docs./" (Actually they first go through the decryption group in Ft Meade, MD)
> 
>> Discoverying the existence of a service does not compromise it in any way.
>> Unless you do stupid things like using PSKs and making them public or using a weak DH group, you can't decrypt them. I read the Snowden docs. And the ones from the Spiegel.
> 
> IPsec traffic can be easily identified of course, with packet inspection.  And with the precomputed (canned) DH group applied to it, it's a shortcut to the cleartext for a well-funded opponent (which implicitly has access to the fiber trunks).  It is not my goal to get in to an argument about this, Noel.  Please see Schnier's papers on this from 2014, and "I Hunt SysAdmins", et al. (I won't stoop to condescending you)
>

Neither is mine.
Which of Bruce Schneier's papers from 2014?

>> IKE and TLS do the DH exchange differently.
>> In TLS, the server sends its DH parameters to the client. In IKE, that does not happen. That is the reason you can use your own DH parameters with TLS, but can't with IKE.
> 
> I guess you will end this exchange now because this is hard for me to believe.  How has such a vuln been overlooked for so long by so many highly-competent people?  A common DH group for -everyone-?!  What do they think the point of it is?
> 
> 

There are many DH groups[1]. Pick one that is strong enough for your taste. 

I very much doubt the NSA can break anything above 1536 bits. Even 1024 bit is hard[2], because the lookup table required for it is humonguous.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites#Diffie-Hellman-Groups
[2] https://weakdh.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171222/5b2d3ed5/attachment-0001.sig>


More information about the Users mailing list