Weak DH primes and openssh

Hubert Kario hkario at redhat.com
Wed May 27 02:57:05 AEST 2015


On Friday 22 May 2015 16:22:13 Daniel Kahn Gillmor wrote:
> On Fri 2015-05-22 00:06:29 -0400, Darren Tucker wrote:
> > On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew at debian.org> wrote:
> >> You will be aware of https://weakdh.org/ by now, I presume; the
> >> take-home seems to be that 1024-bit DH primes might well be too weak.
> >> I'm wondering what (if anything!) you propose to do about this issue,
> >> and what Debian might do for our users?
> > 
> > Would you (and any other vendors) consider generating your own moduli file
> > for your distribution?  If a few vendors did that it'd increase the
> > diversity quite a lot and it'd stop us (well, specifically me) being the
> > point of failure for not making updates.
> 
> (thanks for making the recent moduli update, Darren!)
> 
> This is an interesting proposal as a way to increase group diversity,
> but it also creates a non-obvious fingerprinting channel.  That is,
> distro-specific groups would provide a way that someone scanning to find
> out what distro is in use can make a more accurate guess based on the
> primes offered.
> 
> I grant that debian's current patches that add the debian revision
> themselves provide a fingerprinting mechanism, but those can be disabled
> on Debian with "DebianBanner no" in sshd_config.  We'd want to make sure
> that distro-specific moduli don't re-introduce fingerprinting for
> operators who want to hide their choice of distro.
> 
>           --dkg
> 
> PS Darren, has there been any attempt at generating primality proofs for
>    the values in ./moduli, as opposed to 100 rounds of Miller-Rabin?  It
>    would be a shame for a pseudoprime to slip in, however unlikely that
>    would be.

Creating composites that will pass even 100000 rounds of Miller-Rabin is 
relatively simple...
(assuming the values for M-R tests are picked randomly)

I'd be against shipping any primes that are not generated from known, expected 
values, like a hash of "OpenSSH 1024 bit DH prime, try #1"
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
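The "derive the prime from a public label" approach Kario proposes, as an added example that is not code from this thread or from OpenSSH: it expands SHA-256 over a label such as "OpenSSH 1024 bit DH prime, try #N" into a candidate, keeps the first attempt that yields a safe prime p = 2q + 1 (the form used in the moduli file), and lets anyone recompute and verify the result. SHA-256 as the expansion function, the 256-bit size (chosen so the search runs in seconds), and Miller-Rabin with randomly chosen bases are all assumptions of this example.

```python
import hashlib
import secrets

# Added example; the label format and SHA-256 expansion are assumptions, not an OpenSSH spec.

def miller_rabin(n, rounds=32):
    """Probabilistic primality test using uniformly random bases in [2, n-2]."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def candidate(label, attempt, bits):
    """Expand SHA-256 over the public label and attempt counter into a bits-bit integer."""
    buf, block = b"", 0
    while len(buf) * 8 < bits:
        buf += hashlib.sha256(f"{label}, try #{attempt}, block {block}".encode()).digest()
        block += 1
    x = int.from_bytes(buf, "big") >> (len(buf) * 8 - bits)
    return x | (1 << (bits - 1)) | 3  # top bit set; p = 3 (mod 4) so q = (p-1)/2 is odd

def is_safe_prime(p):
    return p % 2 == 1 and miller_rabin((p - 1) // 2) and miller_rabin(p)

def derive_safe_prime(label, bits, max_attempts=200000):
    """Return (p, attempt) for the first attempt whose candidate is a safe prime."""
    for attempt in range(1, max_attempts + 1):
        p = candidate(label, attempt, bits)
        if is_safe_prime(p):
            return p, attempt
    raise RuntimeError("no safe prime found within max_attempts")

def verify_safe_prime(label, attempt, bits, p):
    """Independent check: p must equal its claimed derivation and be a safe prime."""
    return p == candidate(label, attempt, bits) and is_safe_prime(p)
```

Anyone holding only the label and the attempt number can rerun verify_safe_prime; a value that does not match its derivation, or that is a pseudoprime, is rejected.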