diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b490e33d7..cff9391ea 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -619,11 +619,11 @@
 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
 *
- * \warning The possibility for the use of custom groups
- * in the use of DHM in TLS constitutes a security
- * risk. If possible, it is recommended to use
- * EC-based key exchanges instead. See the documentation
- * at the top of dhm.h for more information.
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
 *
 */
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -725,11 +725,11 @@
 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 *
- * \warning The possibility for the use of custom groups
- * in the use of DHM in TLS constitutes a security
- * risk. If possible, it is recommended to use
- * EC-based key exchanges instead. See the documentation
- * at the top of dhm.h for more information.
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
 *
 */
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
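Review bot: The replacement \warning text on MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED and MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED overstates the problem and drops the only actionable advice the old text gave: "it is not possible to validate custom DH parameters" is not quite right (primality and safe-primality of a group can be tested, what cannot be ruled out is a deliberately trapdoored non-standard prime), and "users should consider preferring other methods" no longer names the concrete alternative (ECDHE) that the removed lines did. Since the same five lines are pasted into three places, I would fix the wording once and reuse it, e.g. `\warning Using DHE constitutes a security risk: a custom (non-standardized) DH group received from a peer cannot be checked for a hidden trapdoor and this module does not validate it. Prefer EC-based key exchanges where possible; if DHE must be kept, restrict it to well-known groups and an adequate minimum modulus size. See dhm.h for details.` The double "recommended ... should consider preferring" construction should also be tightened to a single verb.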
@@ -1850,11 +1850,11 @@
 * This module is used by the following key exchanges:
 * DHE-RSA, DHE-PSK
 *
- * \warning The possibility for the use of custom groups
- * in the use of DHM in TLS constitutes a security
- * risk. If possible, it is recommended to use
- * EC-based key exchanges instead. See the documentation
- * at the top of dhm.h for more information.
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
 *
 */
 #define MBEDTLS_DHM_C
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index ed39f8db4..9ef814650 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -25,22 +25,20 @@
 * of non-safe primes both decreases the difficulty of the underlying
 * discrete logarithm problem and can lead to small subgroup attacks
 * leaking private exponent bits when invalid public keys are used
- * and not detected. This is especially relevant if the same DHM parameters
- * are reused for multiple key exchanges as in static DHM, while the
- * criticality of small-subgroup attacks is lower for ephemeral DHM.
+ * and not detected. This is especially relevant if the same DHM
+ * parameters are reused for multiple key exchanges as in static DHM,
+ * while the criticality of small-subgroup attacks is lower for
+ * ephemeral DHM.
 *
 * For performance reasons, the code does neither perform primality
 * nor safe primality tests, nor the expensive checks for invalid
- * subgroups.
+ * subgroups. Moreover, even if these were performed, non-standardized
+ * primes cannot be trusted because of the possibility of backdoors
+ * that can't be effectively checked for.
 *
- * The possibility for the use of custom, non-safe primes in DHM
- * is a deficiency in the TLS protocol that has been adressed only
- * recently through the addition of the named group extension from
- * RFC 7919, which however is not yet implemented in Mbed TLS.
- *
- * If possible, we recommend to use elliptic curve based key
- * exchanges instead of DHM-based ones, because the former only
- * accepts standardized groups.
+ * We therefore consider DHE a security risk. If possible, it is
+ * recommended users should consider preferring other methods of
+ * key exchange.
 *
 */
 #ifndef MBEDTLS_DHM_H
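Review bot: The new closing paragraph in the dhm.h header comment removes the two things a practitioner needs to act on the warning: which side of the TLS handshake is exposed, and what mitigations exist (the deleted lines at least named ECDHE and RFC 7919 named groups). The added "backdoors that can't be effectively checked for" sentence is correct as far as it goes, but it should say why, and for whom, the risk is concrete: a TLS client accepts the group chosen by the server, so a malicious or misconfigured server can push a prime with a hidden structure (for example one amenable to a special number field sieve) that is indistinguishable from a sound one by any local test, and a server loading parameters from an untrusted source has the same problem. I would replace the three added lines with a paragraph along these lines: `We therefore consider DHE a security risk, in particular for TLS clients, which cannot verify the group a server supplies. Prefer EC-based key exchanges where possible; if DHE must be used, accept only well-known groups (e.g. RFC 3526 / RFC 7919) and enforce a minimum modulus size.` The typo "adressed" disappears with the removed lines, so nothing else in this comment needs touching.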