3des cipher and DH group size

Hubert Kario hkario at redhat.com
Wed Feb 5 02:58:24 EST 2014

Hi all!

Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html

I have looked at the changes made to implement automatic selection of DH
groups and there are few changes confusing to me, to say the least.

Especially 1.97~1.96 rev diff of kex.c:

> +		 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));

Why "MAX("? Why security of chosen dh moduli should match the _most_
secure primitive? Since DH KEX is computationally expensive (think smartphones),
shouldn't we try to use as small DH parameters as possible?

> + 		dh_need = MAX(dh_need, newkeys->enc.block_size);

This is plain confusing. Which cipher's security level is influenced by its
block size?

+		dh_need = MAX(dh_need, newkeys->enc.iv_len);

I'd also say that the relationship between IV size and and security estimate
is a bit more complex. I.e. IV of size 96 bits won't lower the security level
of whole system to 96 bits.

+		dh_need = MAX(dh_need, newkeys->mac.key_len);

Shouldn't this use mac.mac_len? I mean MACs like hmac-md5-96 provide 96 bits of
security, not the 128 bits from key size.

Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

More information about the openssh-unix-dev mailing list