[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

Mark D. Baushke mdb at juniper.net
Mon Jun 15 17:09:19 AEST 2015


Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> > From: "Roginsky, Allen" <allen.roginsky at nist.gov>
> > Subject: RE: Question on SP 800-56A rev2
> >
> > The reason the y^q=1 (mod p) tests exists is to verify that y is in the
> > required subgroup.
> 
> I think this answer "begs the question" -- yes, the mathematical test
> verifies that y generates a subgroup of size q.  But the question we
> were discussing is why does the subgroup need to be of size q instead of
> size p-1?  

I forwarded your post to Allen Roginsky with this note:

> > From: Mark Baushke [mailto:mdb at juniper.net]
> > Sent: Friday, June 12, 2015 10:23 PM
> > To: Roginsky, Allen
> > Subject: Fwd: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
> > 
> > Hi Allen,
> > 
> > It seems that there is a followup question to your statements…
> > 
> > It really is sort of the root question, why does anyone actually
> > care if we have a q-ordered subgroup or not? Is there an attack
> > which is not published on this kind of issue?
> > 
> > -- Mark

I have received this reply from Allen...

	-- Mark

 ------- forwarded message -------
From: "Roginsky, Allen" <allen.roginsky at nist.gov>
To: Mark Baushke <mdb at juniper.net>
Subject: RE: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to
 unconfigured DH groups or at least document this behaviour and use a stronger
 group
Date: Mon, 15 Jun 2015 06:17:55 +0000

Hi Mark,

The private key x may be placed in the smaller subgroup – of size q – precisely because there are no known attacks against the DH method that could exploit the structure of this subgroup.  The public key must be in a larger group because there are attacks exploiting the structure of the DH public key (the attacks against the discrete logarithm problem in the multiplicative group of a finite field).

Regards,
Allen

 ------- end of forwarded message -------
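
The y^q = 1 (mod p) test that Allen refers to, as a runnable illustration added here (it is not code from OpenSSH, NIST or anyone on the thread). It assumes a safe prime p = 2q + 1, finds a 64-bit one on the fly (far too small for real use, chosen only so the script runs in under a second), and shows what the test accepts and what it rejects: an honest peer's value passes, and the order-2 element y = p - 1 fails, which matters because a party that accepted it would derive a "shared secret" of either 1 or p - 1. All function names and the fixed seed are my own choices.

```python
"""Subgroup-membership check on a DH public value over a safe prime.

Added illustration for this thread, not code from OpenSSH or NIST. It uses a
64-bit safe prime found on the fly (far too small for real use) so the whole
thing runs in well under a second; the names here are my own.
"""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 13 primes as bases: deterministic for
    n < 3.3e24, which comfortably covers the 64-bit values used here."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with p >= start; returns (p, q)."""
    q = (start // 2) | 1                 # first odd candidate for q
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def generator_of_order_q(p: int, q: int) -> int:
    """For a safe prime, h^2 mod p lies in the order-q subgroup (its order
    divides q, which is prime), so the first square that is not 1 has order q."""
    for h in range(2, p - 1):
        g = h * h % p
        if g != 1:
            return g
    raise ValueError("no generator found")


def dh_public_value_ok(p: int, q: int, y: int) -> bool:
    """Full public-key validation for FFC (SP 800-56A rev2, 5.6.2.3.1):
    2 <= y <= p - 2 and y^q == 1 (mod p).  The exponentiation is what rejects
    y = p - 1 (the element of order 2) and anything else outside the
    order-q subgroup; the range check alone would let p - 1 through."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def dh_keypair(p: int, q: int, g: int, rng: random.Random) -> tuple[int, int]:
    """Private x in [1, q-1]; public y = g^x mod p lands in the order-q subgroup."""
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def demo(seed: int = 7) -> dict:
    """Run an honest exchange plus a bogus y = p - 1 and report what each side derives."""
    p, q = find_safe_prime(1 << 63)
    g = generator_of_order_q(p, q)
    rng = random.Random(seed)            # fixed seed for reproducibility; NOT a CSPRNG
    x_a, y_a = dh_keypair(p, q, g, rng)
    x_b, y_b = dh_keypair(p, q, g, rng)
    return {
        "p": p, "q": q, "g": g,
        "peer_value_ok": dh_public_value_ok(p, q, y_b),
        "honest_agree": pow(y_b, x_a, p) == pow(y_a, x_b, p),
        "bogus_value_ok": dh_public_value_ok(p, q, p - 1),
        # Had the bogus value been accepted, A's secret (p-1)^x_a is 1 or p-1:
        # one bit of entropy, and it reveals the parity of x_a to the peer.
        "confined_secret": pow(p - 1, x_a, p),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints the chosen p, q and g, True for the honest peer's value and agreement, False for y = p - 1, and a confined secret that is either 1 or p - 1. The same structure carries over to the real MODP groups: only the size of p changes, and with a safe prime the check costs one extra modular exponentiation per received value.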
