DH modulus size
Andy Lutomirski
luto at amacapital.net
Thu Oct 3 13:44:03 EST 2013
With the default openssh configuration, the selected cipher is
aes128-ctr. This means that dh_estimate gets called with bits=128, so
dh_estimate selects a DH modulus size of 1024 bits.
This seems questionable. Since the NSA seems to be sniffing most
internet traffic, keeping SSH sessions secure against after-the-fact
offline attack matters, and 1024-bit DH is not convincingly secure
against well-funded adversaries.
(On the other hand, 128-bit symmetric keys are probably secure against
anyone without a rather large quantum computer.)
Various current estimates suggest that the DH modulus should be
somewhere between 2048 bits and 4096 bits, even with 128-bit symmetric
keys. See, for example [1].
Would you accept a patch to change the group size estimate to something like:
int
dh_estimate(int bits)
{
if (bits <= 80)
return (1024);
if (bits <= 192)
return (3072);
return (4096);
}
Redhat [2] and Fedora [3] have open bugs about this.
[1] http://www.keylength.com/en/5/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1010607
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1012577
More information about the openssh-unix-dev
mailing list