[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
Mark D. Baushke
mdb at juniper.net
Mon Jun 15 17:09:19 AEST 2015
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> > From: "Roginsky, Allen" <allen.roginsky at nist.gov>
> > Subject: RE: Question on SP 800-56A rev2
> >
> > The reason the y^q=1 (mod p) test exists is to verify that y is in the
> > required subgroup.
>
> I think this answer "begs the question" -- yes, the mathematical test
> verifies that y generates a subgroup of size q. But the question we
> were discussing is why does the subgroup need to be of size q instead of
> size p-1?
I forwarded your post to Allen Roginsky with this note:
> > From: Mark Baushke [mailto:mdb at juniper.net]
> > Sent: Friday, June 12, 2015 10:23 PM
> > To: Roginsky, Allen
> > Subject: Fwd: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
> >
> > Hi Allen,
> >
> > It seems that there is a followup question to your statements…
> >
> > It really is sort of the root question, why does anyone actually
> > care if we have a q-ordered subgroup or not? Is there an attack
> > which is not published on this kind of issue?
> >
> > -- Mark
I have received this reply from Allen...
-- Mark
------- forwarded message -------
From: "Roginsky, Allen" <allen.roginsky at nist.gov>
To: Mark Baushke <mdb at juniper.net>
Subject: RE: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
Date: Mon, 15 Jun 2015 06:17:55 +0000
Hi Mark,
The private key x may be placed in the smaller subgroup – of size q – precisely because there are no known attacks against the DH method that could exploit the structure of this subgroup. The public key must be in a larger group because there are attacks exploiting the structure of the DH public key (the attacks against the discrete logarithm problem in the multiplicative group of a finite field).
Regards,
Allen
------- end of forwarded message -------
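As an added illustration (not part of the thread or of OpenSSH), the SP 800-56A check Allen refers to, y^q = 1 (mod p), carried out on a small constructed safe prime p = 2q + 1 so that q is known from p; the helper names and the toy parameters are my own.

```python
from typing import Tuple

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_safe_prime(start: int) -> Tuple[int, int]:
    """Smallest (p, q) with q >= start, q prime and p = 2q + 1 prime."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q

def order_q_generator(p: int) -> int:
    """For a safe prime p, any non-trivial square mod p has order q = (p - 1) / 2."""
    for h in range(2, p - 1):
        g = pow(h, 2, p)
        if g != 1:
            return g
    raise ValueError("no generator found")

def valid_public_key(y: int, p: int, q: int) -> bool:
    """SP 800-56A style full validation: 1 < y < p - 1 and y^q == 1 (mod p)."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1

def demo() -> Tuple[bool, bool, bool]:
    """Constructed values: an honest key passes; p - 1 and an order-2q element fail."""
    p, q = find_safe_prime(1000)       # toy parameters, constructed for illustration
    g = order_q_generator(p)
    x = 123                            # toy private exponent, 1 < x < q
    y = pow(g, x, p)                   # honest public value, lies in the order-q subgroup
    return (valid_public_key(y, p, q),
            valid_public_key(p - 1, p, q),          # order 2, rejected by the range check
            valid_public_key((p - g) % p, p, q))    # order 2q, rejected by the y^q test

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The range check alone would accept the order-2q value; only the y^q test ties the peer's public value to the subgroup the private exponent was drawn from.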