Diffie Hellman key exchange algorithms

Damien Miller djm at mindrot.org
Tue Sep 25 15:10:47 EST 2007


On Tue, 25 Sep 2007, Rob Waite wrote:

> Isn't dh_estimate() only used on the client to find the desired group
> size?

Yes

> This is then taken by the server and used to find p and g correct?

Yes

> OpenSSH is not configurable in this manner... but if someone wanted to force
> larger primes... couldn't they do this by altering the code?

Yes - OpenSSH allows the client to request DH groups up to 8192 bits.

> In the code changes I sent earlier... you could force group exchange.

It's the default anyway :)

> And if you picked only large primes in your moduli file... you should be
> able to force the client to get a large p as long as it is within the min
> and max sent by the client. I just started looking at the code again (it has
> been a while) but it seems like the server can control at the very least the
> size of the public and private numbers generated from p. He would not be able
> to control how powerful the client made their public and private numbers from
> the given p... but at least data sent out from the server would be forced to
> have the symmetric key encrypted using large primes for the asymmetric.

The client doesn't have any special control over the output of the DH
protocol - they only get to specify one input (the server specifies the
others), and OpenSSH will refuse to accept the obviously bogus values of
that (see dh_pub_is_valid() in dh.c).

> That is assuming that the server has its own symmetric cipher key and the
> client has their own. If they do in fact share the same key... then I guess
> you would not be protected as the client

The SSH protocol uses separate keys for client-to-server and
server-to-client.

> could generate a small private number from p... no matter how large.

The client doesn't get to choose what number they generate as it has to
match exactly what the server generated (DH is a deterministic protocol,
even if some of the inputs should be based on random numbers). If the
client and server's DH output differ then the IVs and {crypto, MAC} keys
will differ too and the connection will fail as soon as either end tries
to send any data.

-d
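
The points made in the reply above, as an added example that is not part of the original message and is not OpenSSH's code: a peer's DH public value is range-checked before use, both ends compute the same K, and the per-direction IVs and keys are derived from K with the letters "A" to "F" as in RFC 4253 section 7.2. Assumptions: the prime is a toy value constructed for illustration, the function names are hypothetical, SHA-256 stands in for the negotiated hash, and K is encoded as fixed-width bytes rather than an SSH mpint.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: 2**127 - 1 is prime, but it is
# far too small for real use and is not a group from any moduli file.
P = 2**127 - 1
G = 3

def pub_is_valid(pub: int, p: int) -> bool:
    """Reject obviously bogus peer values: out of range, or a single set bit."""
    if pub <= 1 or pub >= p - 1:
        return False
    return bin(pub).count("1") > 1

def keypair(p: int, g: int):
    """Pick a random private exponent; retry if the public value is rejected."""
    while True:
        x = secrets.randbelow(p - 3) + 2          # private exponent in [2, p-2]
        y = pow(g, x, p)
        if pub_is_valid(y, p):
            return x, y

def shared_secret(peer_pub: int, priv: int, p: int) -> int:
    """Validate the peer's public value, then compute K = peer_pub^priv mod p."""
    if not pub_is_valid(peer_pub, p):
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, p)

def derive_keys(k: int, h: bytes, session_id: bytes) -> dict:
    """HASH(K || H || letter || session_id), one output per letter A..F."""
    kb = k.to_bytes(16, "big")                    # simplified encoding of K
    names = {"A": "iv_c2s", "B": "iv_s2c", "C": "enc_c2s",
             "D": "enc_s2c", "E": "mac_c2s", "F": "mac_s2c"}
    return {name: hashlib.sha256(kb + h + letter.encode() + session_id).digest()
            for letter, name in names.items()}

def demo():
    h = hashlib.sha256(b"constructed exchange hash").digest()
    cx, e = keypair(P, G)                         # client sends e
    sx, f = keypair(P, G)                         # server sends f
    k_client = shared_secret(f, cx, P)
    k_server = shared_secret(e, sx, P)
    # The first exchange hash H also serves as the session_id.
    agree = derive_keys(k_client, h, h) == derive_keys(k_server, h, h)
    # A side holding any other K derives different IVs and keys.
    wrong = derive_keys((k_client + 1) % P, h, h)
    return agree, wrong != derive_keys(k_server, h, h)
```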

