3des cipher and DH group size
Damien Miller
djm at mindrot.org
Thu Feb 13 15:08:15 EST 2014
On Wed, 12 Feb 2014, Hubert Kario wrote:
> The previous version did bind cipher to DH sizes so this expectation was
> met.
Yes, but using obsolete symmetric/DH group size equivalences.
> Problem is, that now when you're running in FIPS mode the chosen HMAC
> in worst case is sha1-based so the DH moduli end up being 7680 bits in
> size even when the selected cipher is 3DES:
Which is the correct recommended length for a 160-bit key according to
NIST.
(It's ironic that you're effectively arguing to ignore NIST advice to
make FIPS mode work)
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
>
> as a result, connection to cryptlib server in FIPS mode doesn't work.
We can't help other broken implementations.
Easy workarounds include using ECDH and specifying explicit KexAlgorithms.
-d
More information about the openssh-unix-dev
mailing list