3des cipher and DH group size
hkario at redhat.com
Wed Feb 5 02:58:24 EST 2014
Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
I have looked at the changes made to implement automatic selection of DH
groups and there are few changes confusing to me, to say the least.
Especially 1.97~1.96 rev diff of kex.c:
> + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
Why "MAX("? Why security of chosen dh moduli should match the _most_
secure primitive? Since DH KEX is computationally expensive (think smartphones),
shouldn't we try to use as small DH parameters as possible?
> + dh_need = MAX(dh_need, newkeys->enc.block_size);
This is plain confusing. Which cipher's security level is influenced by its
+ dh_need = MAX(dh_need, newkeys->enc.iv_len);
I'd also say that the relationship between IV size and and security estimate
is a bit more complex. I.e. IV of size 96 bits won't lower the security level
of whole system to 96 bits.
+ dh_need = MAX(dh_need, newkeys->mac.key_len);
Shouldn't this use mac.mac_len? I mean MACs like hmac-md5-96 provide 96 bits of
security, not the 128 bits from key size.
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the openssh-unix-dev