DH_GRP_MIN is currently 1024, should it be bumped to 2048?

Mark D. Baushke mdb at juniper.net
Tue Jul 28 11:18:48 AEST 2015


Hi Darren,

Many thanks for your response.

Darren Tucker <dtucker at zip.com.au> writes:

> On Sat, Jul 25, 2015 at 9:25 AM, Mark D. Baushke <mdb at juniper.net> wrote:
> 
> > Greetings,
> >
> > Given the weakness with Diffie-Hellman modp groups less than 2048, is it
> > time to bump the suggested 1024 bit minimum value from the RFC 4419 to a
> > more current 2048 value for OpenSSH 7.0?
> >
> 
> DH_GRP_MIN is used for 2 things:
>  a) the client's minimum acceptable group size sent in the DH-GEX request.
>  b) the lower bound of the group size picked out of the moduli file.
> 
> For a), the OpenSSH client has asked for preferred sizes no less that 2k
> bits for a couple of years [1].  Changing the minimum in this case would
> have no effect on (RFC compliant) servers that have groups >= 2k, and would
> probably cause a connection failure on ones that do not.

Regarding RFC compliant servers, RFC 4419 specifies the 1024 bit minimum
as a 'SHOULD' value rather than a 'MUST' value. If we do care that the
default needs to be able to be adjusted by the SSH client AND the SSH
server, then perhaps it needs to be a configuration option that best
meets the paranoia of the user and the site administrator?

fwiw: NIST SP 800-131A[3] (see Table 4) currently wants the minimum
Diffie-Hellman Group to be enforced as a minimum of 2048 bits. Using
less than 2048 bit DH primes would not be a best practice as far as the
NIST folks are concerned.

[3] http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
    or its draft replacement
    http://csrc.nist.gov/publications/drafts/800-131A/sp800-131a_r1_draft.pdf

> For b), we recently removed the 1k groups from the moduli file, so the
> minimum that can be offered is 1.5 kbit.

Yes. This was a good change. I am not sure that removing primes less
than 2048 bit would not be even better... That said, because I care about
NIST SP 800-56Ar2[4] section 5.5.1.1 FFC Domain Parameter Generation, I
would rather that the g values selected in the correct cyclic subgroup.

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf

> What would be the desired outcome of such a change to DH_GRP_MIN?

To allow the paranoia the the current best practices be able to be set
by the users of the client and the server.

> Rendering it such that DH-GEX doesn't work for a given connection
> makes it much more likely that the connection would use one of the
> fixed groups, and group1 in particular seems at much higher risk for
> LogJam style attacks than even a 1k group from a large and changing
> set.

You may be right, although I hope they do NOT choose 
diffie-hellman-group1-sha1

I would hope that they would be able to use one of

    * diffie-hellman-group14-sha1
    * curve25519-sha256 at libssh.org
    * RFC 5656 ECDH curves (ecdh-sha2-nistp{256,384,521})

Longer term I favor 
    * standard use of Curve25519
    * standard use of Curve488
    * standard use of Koblitz Curve K-233 (seems faster than the NISTP curves)
    * something the IRTF-CRSG suggests that can be standardized

> [1]
> https://anongit.mindrot.org/openssh.git/commit/?id=df62d71e64d29d1054e7a53d1a801075ef70335f
> [2]
> https://anongit.mindrot.org/openssh.git/commit/moduli?id=5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a

	Thank you,
	-- Mark


More information about the openssh-unix-dev mailing list