Weak DH primes and openssh

Damien Miller djm at mindrot.org
Mon Jun 1 11:23:51 AEST 2015


On Sun, 31 May 2015, Daniel Kahn Gillmor wrote:

> The other alternative if you wanted fixed seeds would be to use some
> high-entropy value from the real world that would be unpredictable,
> hard to control, but not too hard to verify (e.g. a digest of the
> concatenated UTF-8 representations of the top headline from each of
> the 10 highest-circulation newspapers on the day of re-generation, or
> something similar).

IMO it's still pointless - NUMS-style generation might be useful in
cases where there exists suspicion (but no proof) that some parameter
choices might be trapdoor-able. There's not even the faintest hint
that this might be the case for the DLP in arbitrary strong prime modp
groups.

If vendors are concerned about the moduli that OpenSSH ships, I'd
recommend either generating your own (using ssh-keygen or some
independent means) or auditing what we do using primo or some similar
ECPP tool.

Getting a good, open-source primality prover would be nice too...

-d
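Added illustration of the "audit what we ship" suggestion above (not code from this thread, from OpenSSH or from primo): a Python script that reads moduli(5)-format lines and checks that each modulus is a safe prime (p = 2q+1 with q prime) and that the listed generator has full order. Miller-Rabin only yields probable primes, which is why an ECPP prover is needed for an actual proof; the three sample lines are constructed tiny values, not real moduli.

```python
"""Sanity-check OpenSSH moduli(5) entries: safe prime and generator order.
Miller-Rabin is probabilistic; it is not a primality proof like ECPP."""
import random

# Bases that make Miller-Rabin deterministic below 3.3e24; above that they
# are just witnesses, so random rounds are added.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
_DETERMINISTIC_LIMIT = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n: int, rounds: int = 64) -> bool:
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    bases = list(_BASES)
    if n >= _DETERMINISTIC_LIMIT:
        bases += [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_moduli_line(line: str) -> dict:
    # moduli(5) fields: time type tests trials size generator modulus(hex)
    _time, _type, _tests, _trials, _size, gen, mod = line.split()
    p, g = int(mod, 16), int(gen)
    q = (p - 1) // 2
    safe = p % 2 == 1 and is_probable_prime(p) and is_probable_prime(q)
    # For a safe prime, g has order p-1 iff it is a quadratic non-residue,
    # i.e. g^q == -1 (mod p) by Euler's criterion.
    gen_ok = safe and pow(g, q, p) == p - 1
    return {"bits": p.bit_length(), "safe_prime": safe, "generator_ok": gen_ok}


def audit(text: str) -> list:
    return [check_moduli_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample: 0x3FB=1019 (safe prime), 0x3FD=1021 (prime, not safe),
# 0x3FF=1023 (composite). Real entries are 1024 bits and up.
SAMPLE_MODULI = """20150601000000 2 6 100 10 2 3FB
20150601000000 2 6 100 10 2 3FD
20150601000000 2 6 100 10 2 3FF
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_MODULI):
        print(r)
```

Run it against /etc/ssh/moduli (or the file ssh-keygen produced) by passing the file contents to audit(); entries whose "safe_prime" is False should not be shipped.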


More information about the openssh-unix-dev mailing list