3des cipher and DH group size
Markus Friedl
mfriedl at gmail.com
Tue Feb 18 20:26:58 EST 2014
Am 04.02.2014 um 16:58 schrieb Hubert Kario <hkario at redhat.com>:
> Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
>
> I have looked at the changes made to implement automatic selection of DH
> groups and there are few changes confusing to me, to say the least.
>
> Especially 1.97~1.96 rev diff of kex.c:
>
>> + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
>
> Why "MAX("? Why security of chosen dh moduli should match the _most_
> secure primitive? Since DH KEX is computationally expensive (think smartphones),
> shouldn't we try to use as small DH parameters as possible?
I don’t understand your excitement.
I chose MAX() here, because the old release did the same.
The old release basically did
need = MAX(enckeylen, block size, ivlen, mackeylen)
and all I did was to replace enckeylen (192 bits for 3DES) with cipher_seclen (112 bits).
You might argue that the old code was wrong, but I chose a minimal change
to fall back to a conservative choice.
-m
More information about the openssh-unix-dev
mailing list