Weak DH primes and openssh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 27 03:43:13 AEST 2015

On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote:
> creating composites that will pass even 100000 rounds of Miller-Rabin is 
> relatively simple....
> (assuming the values for M-R tests are picked randomly)

Can you point me to the algorithms for doing that?  This would suggest
that we really do want primality proofs (and a good way to verify them).

Do those algorithms hold for creating composites that pass M-R tests for
both p and (p-1)/2 ?

> I'd be against shipping any primes that are not generated from known, expected 
> values, like hash of "OpenSSH 1024 bit DH prime, try #1"

This is trying to put some sort of NUMS-y ("Nothing Up My Sleeve")
constraint on prime generation -- presumably you'd count up from the
hash value until you find something that passes M-R for both p and
(p-1)/2, right?  I observe that the values in ./moduli all seem quite
similar in that respect (i.e. the values for any given length share most
of the same prefix, and differ only in the trailing bits).

Wouldn't primality proofs make this NUMS-y approach less relevant?


More information about the openssh-unix-dev mailing list
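The "NUMS-y" construction the thread describes (hash a public label such as "OpenSSH 1024 bit DH prime, try #1", then count up until both p and (p-1)/2 pass Miller-Rabin) can be carried through end to end. The following is an added example written for this page; it is not code from the thread, from OpenSSH, or from either author. The seed expansion (SHA-256 in counter mode, top bit and low bit forced), the step size (odd numbers only), and the base-selection rule for Miller-Rabin (random bases from the system CSPRNG) are all this example's own assumptions, not anything OpenSSH does. Nothing here is a primality proof: every "prime" below is only a probable prime.

```python
# Added example for the "hash of a label, then count up to a safe prime" idea.
# Assumptions (not from OpenSSH or the thread): SHA-256 counter-mode expansion,
# candidates stepped by 2, Miller-Rabin with random bases from the OS CSPRNG.
import hashlib
import secrets

# Small odd primes for cheap trial division before any modular exponentiation.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def miller_rabin(n, rounds=40):
    """Probabilistic primality test.  A prime always survives; a composite
    survives one round with probability at most 1/4 when the base is random."""
    if n < 2:
        return False
    for sp in [2] + SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def is_safe_prime(p, rounds=40):
    """p is a (probable) safe prime when q = (p-1)/2 and p both pass M-R.
    q is tested first because most candidates fail there cheaply."""
    if p < 5 or p % 2 == 0:
        return False
    q = (p - 1) // 2
    return miller_rabin(q, rounds) and miller_rabin(p, rounds)


def nums_seed(label, bits):
    """Expand a public, human-readable label into a `bits`-bit odd starting value.
    SHA-256 in counter mode is an arbitrary choice for this example."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(label.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return x | (1 << (bits - 1)) | 1              # exact bit length, and odd


def nums_safe_prime(label, bits, rounds=40):
    """Count up (odd numbers only) from the seed until p and (p-1)/2 pass M-R.
    Returns (p, candidates_tested, seed) so the derivation can be re-checked."""
    seed = nums_seed(label, bits)
    p = seed
    tried = 0
    while True:
        tried += 1
        if is_safe_prime(p, rounds):
            return p, tried, seed
        p += 2


if __name__ == "__main__":
    # The label from the thread, at a size small enough to finish in seconds.
    p, tried, seed = nums_safe_prime("OpenSSH 1024 bit DH prime, try #1", 256)
    print(f"seed  = {seed:#x}")
    print(f"p     = {p:#x}")
    print(f"tried {tried} odd candidates; p - seed = {p - seed}")
    # Anyone can re-run the search from the label and compare the hex.
```

Two things the run makes visible. First, the gap between the seed and the resulting prime is small (thousands of odd candidates at 256 bits, more at 1024), so the high-order bits of p are exactly the high-order bits of the hash; that is the same "shared prefix, differing only in the trailing bits" pattern the message notes about the moduli file, and it is what lets a verifier reproduce the value from the label alone. Second, what the search certifies is only that p and (p-1)/2 survived Miller-Rabin with bases drawn from `secrets`; an auditor who distrusts the generator's base selection has to rerun the test with their own bases or, as the message suggests, ask for a primality proof rather than a pass count.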