Weak DH primes and openssh
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat May 23 06:22:13 AEST 2015
On Fri 2015-05-22 00:06:29 -0400, Darren Tucker wrote:
> On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew at debian.org> wrote:
>>
>> You will be aware of https://weakdh.org/ by now, I presume; the
>> take-home seems to be that 1024-bit DH primes might well be too weak.
>> I'm wondering what (if anything!) you propose to do about this issue,
>> and what Debian might do for our users?
>
> Would you (and any other vendors) consider generating your own moduli file
> for your distribution? If a few vendors did that it'd increase the
> diversity quite a lot and it'd stop us (well, specifically me) being the
> point of failure for not making updates.
(thanks for making the recent moduli update, Darren!)
This is an interesting proposal as a way to increase group diversity,
but it also creates a non-obvious fingerprinting channel. That is,
distro-specific groups would provide a way that someone scanning to find
out what distro is in use can make a more accurate guess based on the
primes offered.
I grant that Debian's current patches that add the Debian revision
themselves provide a fingerprinting mechanism, but those can be disabled
on Debian with "DebianBanner no" in sshd_config. We'd want to make sure
that distro-specific moduli don't re-introduce fingerprinting for
operators who want to hide their choice of distro.
--dkg
PS Darren, has there been any attempt at generating primality proofs for
the values in ./moduli, as opposed to 100 rounds of Miller-Rabin? It
would be a shame for a pseudoprime to slip in, however unlikely that
would be.
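The PS raises the gap between a probabilistic Miller-Rabin pass and an actual primality proof. The following is an added example, not part of dkg's message and not OpenSSH's own ssh-keygen code: it parses entries laid out like OpenSSH moduli(5) lines (time, type, tests, trials, size, generator, hex modulus), then checks p and q = (p-1)/2 with Miller-Rabin. The sample lines are constructed with tiny moduli so the example runs instantly (real files carry 2048-bit and larger safe primes); the size field is not validated because its exact convention is an assumption here. The second constructed entry carries 3215031751 = 151 * 751 * 28351, a composite that is a strong pseudoprime to bases 2, 3, 5 and 7: a test using only those fixed bases accepts it, while 100 rounds with random bases reject it, which is the kind of slip a proof, rather than more rounds, would rule out.

```python
import random

# Constructed sample entries in the moduli(5) field order:
#   time type tests trials size generator modulus(hex)
# 0xB3F = 2879 = 2*1439 + 1 is a safe prime.
# 0xBFA17DC7 = 3215031751 is composite (151*751*28351) but a strong
# pseudoprime to bases 2, 3, 5 and 7.  Type 2 means "safe prime", trials is
# the number of Miller-Rabin rounds the generator claims to have run.
# The size field is deliberately not checked here (its convention is assumed).
SAMPLE_MODULI = [
    "20150521000000 2 6 100 11 2 B3F",
    "20150521000000 2 6 100 31 2 BFA17DC7",
]

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def miller_rabin(n, rounds=100, bases=None, rng=random.SystemRandom()):
    """Return False if n is certainly composite, True if it survived every
    round.  With `bases` given the witnesses are fixed (deterministic, and
    fooled by strong pseudoprimes to those bases); otherwise `rounds` random
    witnesses in [2, n-2] are drawn."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                 # write n-1 = 2^r * d with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    if bases is None:
        bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is certainly composite
    return True                     # no witness found: probably prime


def parse_moduli_line(line):
    """Split one moduli(5)-style line into typed fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields: time type tests trials size generator modulus")
    time, typ, tests, trials, size, gen, mod = fields
    return {
        "time": time, "type": int(typ), "tests": int(tests), "trials": int(trials),
        "size": int(size), "generator": int(gen), "modulus": int(mod, 16),
    }


def check_entry(entry, rounds=100, bases=None):
    """Test p and q=(p-1)/2; an entry of type 2 is only a safe prime if both pass."""
    p = entry["modulus"]
    q = (p - 1) // 2
    p_prime = miller_rabin(p, rounds, bases)
    q_prime = p_prime and miller_rabin(q, rounds, bases)
    return {
        "bits": p.bit_length(),
        "p_probable_prime": p_prime,
        "q_probable_prime": q_prime,
        "safe_prime": entry["type"] == 2 and p_prime and q_prime,
    }


if __name__ == "__main__":
    for line in SAMPLE_MODULI:
        e = parse_moduli_line(line)
        print(hex(e["modulus"]), "fixed bases 2,3,5,7:", check_entry(e, bases=[2, 3, 5, 7]))
        print(hex(e["modulus"]), "100 random rounds:  ", check_entry(e, rounds=100))
```

Running it shows the pseudoprime entry reported as `p_probable_prime: True` under the fixed bases (it still fails the safe-prime check because q is divisible by 5), and rejected outright under random rounds. For the real ./moduli file the same loop applies unchanged, only slower; a primality certificate (for example Pocklington or ECPP output) is what turns "survived 100 rounds" into a statement that cannot be wrong.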