3des cipher and DH group size

Hubert Kario hkario at redhat.com
Wed Feb 19 00:10:17 EST 2014 

----- Original Message -----
> From: "Markus Friedl" <mfriedl at gmail.com>
> To: "Hubert Kario" <hkario at redhat.com>
> Cc: openssh-unix-dev at mindrot.org
> Sent: Tuesday, 18 February, 2014 10:26:58 AM
> Subject: Re: 3des cipher and DH group size
> 
> 
> Am 04.02.2014 um 16:58 schrieb Hubert Kario <hkario at redhat.com>:
> 
> > Continuing the discussion from
> > https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
> > 
> > I have looked at the changes made to implement automatic selection of DH
> > groups and there are few changes confusing to me, to say the least.
> > 
> > Especially 1.97~1.96 rev diff of kex.c:
> > 
> >> +		 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
> > 
> > Why "MAX("? Why security of chosen dh moduli should match the _most_
> > secure primitive? Since DH KEX is computationally expensive (think
> > smartphones),
> > shouldn't we try to use as small DH parameters as possible?
> 
> I don’t understand your excitement.

That wasn't excitement, that was surprise. Also, that were (are) genuine
questions.
 
> I chose MAX() here, because the old release did the same.
> 
> The old release basically did
> need = MAX(enckeylen, block size, ivlen, mackeylen)
> and all I did was to replace enckeylen (192 bits for 3DES) with cipher_seclen
> (112 bits).
> 
> You might argue that the old code was wrong, but I chose a minimal change
> to fall back to a conservative choice.

OK.

So, since now the DH group sizes themselves are conservative, perhaps we should revise it?

I mean that even when we're using just the cipher key size as the selection criteria
for DH key sizes, we still end up with much bigger DH sizes than old openssh proposed.

Old openssh:
3des with sha1: 2048 bit DH
aes128 with sha1: 2048 bit DH
aes192 with sha1: 2048 bit DH
aes256 with sha1: 4096 bit DH
default (aes128 with md5): 1024 bit DH

what I'm saying the code should do:
3des with sha1: 2048 bit DH
aes128 with sha1: 3072 bit DH
aes192 with sha1: 7680 bit DH
aes192 with sha256: 7680 bit DH
aes256 with sha1: 8192 bit DH
default (aes-128 with md5): 3072 bit DH

What the code actually does:
3des with sha1: 7680 bit DH
aes128 with sha1: 7680 bit DH
aes192 with sha1: 7680 bit DH
aes192 with sha256: 8192 bit DH
aes256 with sha1: 8192 bit DH
default (aes-128 with md5): 3072 bit DH

(I'm completely ignoring the fact that if you're connecting to any relatively
new openssh you'll get ECDH, not DH by default)

-- 
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

More information about the openssh-unix-dev mailing list