3des cipher and DH group size

Petr Lautrbach plautrba at redhat.com
Tue Jan 28 06:57:40 EST 2014


Dne 25.1.2014 11:17, Darren Tucker napsal(a):
> On Fri, Jan 24, 2014 at 05:28:03PM +0100, Petr Lautrbach wrote:
>> On 01/21/2014 05:14 PM, Petr Lautrbach wrote:
>>> Hello everybody,
>>>
>>> An issue was reported in RH bugzilla [1] about the size of the used DH
>>> group  when combined with the 3des-cbc cipher. OpenSSH uses the
>>> actual key length for the size estimation. This is probably fine as far
>>> as the cipher has the same number of bits of security as the key
>>> length. But this is not true for 3TDEA where the key size is 168 resp
>>> 192 but it's security is only 112.
>>>
>>> Given that the key size in openssh is set to 192, DH group size is
>>> estimated to 7680. But according to NIST SP 800-57, the size of DH key
>>> should be 2048 so openssh doesn't follow that  and it might cause
>>> problems with key exchanges with some servers.
>>>
>>
>> It was confirmed that openssh can't connect to the server with a server string
>> 'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with
>> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192).
>
> Thanks for the patch.  Since we are so close to the 6.5 release I have
> committed a smaller change that should still resolve the problem
> (confirmed by checking the debug output for the requested group sizes).
>

Works, thanks.

I'll try to communicate a change with the other side to follow RFC and 
provide at least  the largest group it knows.

Petr
-- 
Petr Lautrbach <plautrba at redhat.com>, Red Hat, Inc.


More information about the openssh-unix-dev mailing list