SchannelGroupPolicy icon indicating copy to clipboard operation
SchannelGroupPolicy copied to clipboard
verified publisher icon Crosse

Move Diffie-Hellman into WeakKeyEx category

Open slm4996 opened this issue 2 years ago • 4 comments

Noticed that we had a category WeakKeyEx, but were not using it for Diffie-Hellman Key Exchange Algorithm and options. This pull request places Diffie-Hellman and associated settings for Key Exchange Algorithms into the Weak Key Exchange Algorithms category.

slm4996 avatar Jan 19 '23 18:01 slm4996

But depending on the choice you make for the key length, DH is not weak, maybe it would be more useful to deprecate smaller key lengths (2048 bits and less)

Harvester57 avatar Jan 19 '23 20:01 Harvester57

I may be misunderstanding the DH key exchange, but isn't it capped at 2048 key lengths? To use better would require the use of Elliptic-Curve Diffie-Hellman (ECDH), which is broken out as its own entity?

Edit: If we do not shift DH to Weak Key Exchange Algorithms then the project readme should be updated, since it refers to Diffie-Hellman as a weak Key Exchange Algorithm.

slm4996 avatar Jan 19 '23 20:01 slm4996

DH can have the following values:

https://github.com/Crosse/SchannelGroupPolicy/blob/c9b9e40abb2e2281951165423e74681d378f7884/template/schannel.admx#L813-L834

Of those, only 1024 (as I understand it) is considered weak. Moreover, in the description field for the Diffie-Hellman settings, we have this warning:

https://github.com/Crosse/SchannelGroupPolicy/blob/c9b9e40abb2e2281951165423e74681d378f7884/template/en-US/schannel.adml#L357-L360

I think the best course of action would be to update the README, since 75% of the values one can choose for the key length are considered safe and we do our best to call out which ones those are. Does that sound okay?

Crosse avatar Jan 19 '23 21:01 Crosse

While I do agree with everything @Crosse has said, leaving Diffie-Hellman active but increasing the minimum key length could lead to lower performance VS ECDH and other key exchanges.

IBM has a good article with relevant information in the "additional information" section of https://www.ibm.com/support/pages/how-disable-ssltls-diffie-hellman-keys-less-2048-bits .

If we do not designate Diffie-Hellman as weak (at least with the default key length of 1024), then much additional information should be added the the Readme to prevent a novice user from making security or performance impacting choices.

Maybe the category shouldn't be "Weak Key Exchanges", but instead "Legacy Key Exchanges"?

slm4996 avatar Jan 21 '23 04:01 slm4996