3des cipher and DH group size

Damien Miller djm at mindrot.org
Thu Feb 13 15:08:15 EST 2014


On Wed, 12 Feb 2014, Hubert Kario wrote:

> The previous version did bind cipher to DH sizes so this expectation was
> met.

Yes, but using obsolete symmetric/DH group size equivalences.

> Problem is, that now when you're running in FIPS mode the chosen HMAC
> in worst case is sha1-based so the DH moduli end up being 7680 bits in
> size even when the selected cipher is 3DES:

Which is the correct recommended length for a 160-bit key according to
NIST. 

(It's ironic that you're effectively arguing to ignore NIST advice to
make FIPS mode work)

> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
> 
> as a result, connection to cryptlib server in FIPS mode doesn't work.

We can't help other broken implementations.

Easy workarounds include using ECDH and specifying explicit KexAlgorithms.

-d
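
Added example, not part of the original message and not OpenSSH source: a sketch of how a 3DES + HMAC-SHA1 negotiation arrives at the 2048<7680<8192 request quoted above, and how a group-exchange server and client then settle on a modulus. The NIST SP 800-57 thresholds, the "larger of cipher strength and MAC key length" rule, the function names and the server modulus list are assumptions made for illustration.

```c
#include <stdio.h>

#define GEX_MIN 2048u /* bounds as in the debug line quoted in the message */
#define GEX_MAX 8192u
/* Constructed list of modulus sizes a server might hold (sample data). */
static const unsigned SAMPLE_MODULI[] = { 1024, 2048, 4096 };

struct gex_request { unsigned min, n, max; };

/* NIST SP 800-57 Part 1 comparable strengths: symmetric bits -> DH modulus bits. */
static unsigned nist_dh_bits(unsigned sym_bits) {
    if (sym_bits <= 80)  return 1024;
    if (sym_bits <= 112) return 2048;
    if (sym_bits <= 128) return 3072;
    if (sym_bits <= 192) return 7680;
    return 15360;
}

/* Client: size the group for the strongest key in play (assumption: the larger
 * of cipher strength and MAC key length), clamped to the request bounds. */
struct gex_request gex_build(unsigned cipher_bits, unsigned mac_key_bits) {
    unsigned need = cipher_bits > mac_key_bits ? cipher_bits : mac_key_bits;
    struct gex_request r = { GEX_MIN, nist_dh_bits(need), GEX_MAX };
    if (r.n < r.min) r.n = r.min;
    if (r.n > r.max) r.n = r.max;
    return r;
}

/* Server (RFC 4419): smallest known group of at least n bits, else the largest. */
unsigned gex_server_pick(struct gex_request r, const unsigned *sizes, unsigned count) {
    unsigned best = 0, largest = 0;
    for (unsigned i = 0; i < count; i++) {
        if (sizes[i] > largest) largest = sizes[i];
        if (sizes[i] >= r.n && (best == 0 || sizes[i] < best)) best = sizes[i];
    }
    return best ? best : largest;
}

/* Client: accept the offered modulus only if it lies inside the requested range. */
int gex_client_accepts(struct gex_request r, unsigned offered) {
    return offered >= r.min && offered <= r.max;
}

int main(void) {
    /* 3DES is rated at 112 bits by NIST; HMAC-SHA1 uses a 160-bit key. */
    struct gex_request r = gex_build(112, 160);
    unsigned p = gex_server_pick(r, SAMPLE_MODULI, 3);
    printf("%u<%u<%u offered=%u ok=%d\n", r.min, r.n, r.max, p, gex_client_accepts(r, p));
    return 0;
}
```

With the constructed server list, the 160-bit MAC key alone pushes the preferred size to 7680 bits, and a server holding nothing that large falls back to its largest group.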

