raising security in libssh
Open, WishlistPublic

Description

Dear Libssh team,
I prefer SSH because of its security, but libssh is not so secure. Here I am recommending some algorithms to be added to libssh.

Encryption Algorithms:
Twofish-256 CBC – I already submitted this
Chacha20-poly1305
Reasons:
Both are implemented by many servers and clients which makes library more compatible.
AES has faced a lot of cryptanalysis because of its popularity, some agencies may succeed to crack it without publishing that. Why don't we add two more flavours?

KEX Algorithms:
Deffei-Hellmann-Group-Exchange with a minimum group size of 3072
Reasons:
Size of 3072 is just to make sure it is better than DH-group14 that is already included.
NIST curves are not trusted by many cryptographers and I have included a long list (along with source links) showing that in appendix A.
some cryptographers see EC in general are problematic, and they consider Factorization problem is more secure than ECC.

Appendix A
Why NIST is not trusted ?
https://www.imsc.res.in/~ecc14/slides/costello.pdf - Page 3

Post-Snowden responses
Bruce Schneier
“I no longer trust the constants. I believe the NSA has manipulated them...”
Nigel Smart
“Shame on the NSA...”
IACR
“The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards”
TLS Working Group
formal request to CFRG for new elliptic curves for usage in TLS!!!

https://www.imsc.res.in/~ecc14/slides/costello.pdf - Page 4

Pre-Snowden suspicions re: NIST (and their curves)
2013 - Bernstein and Lange
“Jerry Solinas at the NSA used this [random method] to generate the NIST curves ... or so he says...”
2008 - Koblitz and Menezes
“However, in practice the NSA has had the resources and expertise to dominate NIST, and NIST has rarely played a significant independent role.”
2007 - Shumow and Ferguson
“We don’t know how Q = [d] P was chosen, so we don’t know if the algorithm designer [NIST] knows [the backdoor] d.” .. they are talking about Dual EC DRBG
1999 - Scott
“So, sigh, why didn't they [NIST] do it that way? Do they want to be distrusted?”

https://www.imsc.res.in/~ecc14/slides/costello.pdf - Page 5

Scott ‘99 talking about NIST's curve P256
s = c49d360886e704936a6678e1139d26b7819f7e90
“Consider now the possibility that one in a million of all curves have an exploitable structure that "they" know about, but we don't.. Then "they" simply generate a million random seeds until they find one that generates one of "their" curves...”

https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to

RSA has received 10 million USD from NSA to make Dual EC DRBG the default CSPRNG in their library 'b-Safe'.

I am not saying that NIST is intentionally inserting backdoors in their curves. I am just trying to borrow Schneier's word “Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem .”

Moreover, neither Russia, China nor European Union use NIST standards, they have their own standards. So NIST is not the only de-facto standard for security. YES we need to support their algorithms because of their popularity, but we need to support more algorithms for better security. One more thing to mention is that adding all those algorithms is easier than tracking a single bug in the library itself, as all algorithms are supported in libgcrypt.

m.nasim created this task.Feb 21 2018, 9:26 PM
m.nasim triaged this task as Normal priority.
m.nasim updated the task description. (Show Details)Feb 21 2018, 9:31 PM
m.nasim lowered the priority of this task from Normal to Wishlist.Feb 26 2018, 9:00 PM
m.nasim updated the task description. (Show Details)