Weak elliptic curves/algorithms in use on dropbear in ddwrt

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
thunderhead
DD-WRT User


Joined: 11 Nov 2017
Posts: 142

PostPosted: Sun Aug 18, 2019 13:36    Post subject: Weak elliptic curves/algorithms in use on dropbear in ddwrt Reply with quote
It seems the following known weak algorythm are in use on DD-WRT v3.0-r36070M kongac (might be different on a more recent build):

ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1

Can someone running a more recent build confirm? I will open a ticket if so. Here is a link to a simple python script that probes ssh vulnerabilities: https://github.com/jtesta/ssh-audit

_________________
*R7000 on DD-WRT v3.0-r43516 std (06/25/20)
Sponsor
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2576
Location: Indy

PostPosted: Tue Aug 20, 2019 14:56    Post subject: Reply with quote
Looking here should provide the answer:
    150 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
    151 * code (either ECDSA or ECDH) increases binary size - around 30kB
    152 * on x86-64 */
    153 #define DROPBEAR_ECDSA 0
    [...]
    168
    169 /* Enable elliptic curve Diffie Hellman key exchange, see note about
    170 * ECDSA above */
    171 #define DROPBEAR_ECDH 0
    172
    173 /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
    174 is the only option for interoperability with some older SSH programs */
    175 #define DROPBEAR_DH_GROUP1 1
    176 #define DROPBEAR_DH_GROUP16 0
    177 #define DROPBEAR_DH_GROUP14_SHA1 1
    178 #define DROPBEAR_DH_GROUP14_SHA256 1

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
x64 OPNsense 20.7.1|FT2020.5: EA6900v1.1@1GHz, F7D8302@532|DD 44294: DIR-810L, WNDR4500v2 & 4000@533,
R6300v1, RT-N66U@663, E1500@353, WRT54G{Lv1.1,Sv6}@250
|OpenWRT 19.7.3: RT-ACRH13, R6220, WNDR3700v4
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7213
Location: Texas, USA

PostPosted: Tue Aug 20, 2019 16:02    Post subject: Reply with quote
https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

From what I understand, ed25519 is fast, secure, and has a small footprint. RSA has to be 4096 bit length to be secure. I think all mine are SHA256. This is the reason why a reset to defaults is advised every so often, to regenerate the key on the router. Always a good idea to refresh it regularly, as much of a pain in the ass as it is. BUT, we probably could get away with going with ed25519 and save a lot of space and headache, perhaps?
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7027
Location: Dresden, Germany

PostPosted: Tue Aug 20, 2019 16:21    Post subject: Reply with quote
https://svn.dd-wrt.com//changeset/40712
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
qGUBcZWwBHb1
DD-WRT Novice


Joined: 27 Jan 2015
Posts: 32

PostPosted: Tue Aug 20, 2019 20:36    Post subject: Reply with quote
BrainSlayer wrote:
https://svn.dd-wrt.com//changeset/40712


BrainSlayer, I'd refer you back to this patch request that I made 3 years ago.

https://svn.dd-wrt.com//ticket/5714#no1



AFAIK, ed25519 support on dropbear is still not available.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7213
Location: Texas, USA

PostPosted: Tue Aug 20, 2019 23:53    Post subject: Reply with quote
I saw something in the defaults.h referring to curve25519, and I guess I presumed it was related somehow. Dropbear is definitely 'light'. I guess I am just used to openssh. I'm curious as to whether or not there is going to be a shift to LibreSSL from OpenSSL here.
qGUBcZWwBHb1
DD-WRT Novice


Joined: 27 Jan 2015
Posts: 32

PostPosted: Sun Aug 25, 2019 0:35    Post subject: Reply with quote
curve25519 is used for key exchange, ed25519 is for host key algo.

So, not the same thing. dropbear is definitely less featureful than openssh.

Switching to LibreSSL should be treated as a separate issue.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7213
Location: Texas, USA

PostPosted: Sat Dec 21, 2019 0:24    Post subject: Reply with quote
FYI, the change to remove Group14 SHA1 was reverted and Group1 SHA1 was disabled instead, because it conflicts with winSCP when GROUP1 SHA1 is disabled, which should have been the original request here, but someone apparently got confused.

https://svn.dd-wrt.com/ticket/6891

https://svn.dd-wrt.com/changeset/41762

https://svn.dd-wrt.com/changeset/41770

https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html

As far as the other ticket, https://svn.dd-wrt.com//ticket/5714, I don't know if it will ever be 'fixed', but to maintain certain ssh and sftp/scp client compatibility, Group14 SHA1 is required.

_________________
Official Forum Rules, Guidelines, and Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum