Weak DH primes and openssh

Eldon Koyle esk-openssh at esk.cs.usu.edu
Wed May 27 10:02:00 AEST 2015


On May 26 15:10-0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 14:02:07 -0400, Hubert Kario wrote:
> > On Tuesday 26 May 2015 13:43:13 Daniel Kahn Gillmor wrote:
<snip>
> I've been talking with several cryptographers for the last year about
> finite-field DH (FFDH) and i haven't heard any suggestion that any of
> them think there is likely to be such a class of backdoored moduli.
> 
> > yes, it would basically exclude the chance that the primes are backdoored, 
> > there's still the chance for the values to be composites
> >
> > for values to be used on this many machines, I'd say we should have primality 
> > proofs, not just M-R "guess"
> 
> Does anyone have a pointer to any decent free software for generating
> and verifying primality proofs?
> 
>           --dkg

I am currently running Debian's /etc/ssh/moduli (not sure if it is the
same as distributed with openssh) through ecpp-dj.  I found the code at
http://www.mersenneforum.org/showthread.php?t=18283 (there is a 1.04
version in the download directory); I think he just split it out from
his Perl module at https://github.com/danaj/Math-Prime-Util-GMP .

It is single-threaded, and I'm not sure how well it does with larger
primes (at 1000 decimal digits (~3325 bits, if my math skills haven't
failed me), his benchmarks show it took 10x as long as primo on the
prime he chose).

So far, it is running at 15-60 seconds each for 1535-bit primes on my old
i7 950 @ 3.07GHz, not sure how it will do with the larger ones.  I'll
probably need to move this to a cluster to have it complete in a
reasonable amount of time.

-- 
Eldon Koyle
-- 
A fail-safe circuit will destroy others.
		-- Klipstein
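
The screening step that comes before a primality proof, as an added example that is not part of the original post or of OpenSSH: it parses moduli-format lines, runs the probabilistic Miller-Rabin test on p and on (p-1)/2, and returns p in decimal for handing to a separate prover. The sample entries are constructed toy values, and the size check assumes the size column holds the bit length minus one, as in the "1535" entries mentioned above.

```python
import random

# Constructed toy entries (not real moduli), in the moduli file layout:
# time type tests trials size generator modulus(hex)
SAMPLE = """\
# constructed sample, for illustration only
20150527000000 2 6 100 10 2 773
20150527000001 2 6 100 4 2 15
20150527000002 2 6 100 60 2 1FFFFFFFFFFFFFFF
"""

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def miller_rabin(n, rounds=40):
    """True means 'probably prime'; this is a screen, never a proof."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:          # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                # write n-1 as d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # witness found: definitely composite
    return True

def screen_moduli(text):
    """Return [(decimal_p, size_ok, p_probable_prime, q_probable_prime)]."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("unexpected moduli line: %r" % line)
        size, p = int(fields[4]), int(fields[6], 16)
        # Assumption: size column = bit length - 1.
        results.append((str(p), p.bit_length() == size + 1,
                        miller_rabin(p), miller_rabin((p - 1) // 2)))
    return results
```

Entries that pass both tests are only probable safe primes; the decimal string in the first column is what a proving tool would then need to certify.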


