[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 28 07:08:25 AEST 2015


On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> Hi Folks,
>
> The generator value of 5 does not lead to a q-ordered subgroup which is
> needed to pass tests in
>
> http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

I pulled revision 2 of this document from here:

https://dx.doi.org/10.6028/nist.sp.800-56ar2

The "FFC Domain Parameter Generation" section does say:

    g is a generator of the cyclic subgroup of GF(p)* of order q,

But i don't see a recommendation of why this matters.  Surely we don't
want the subgroup of order 2, but what is wrong with using a subgroup of
order 2q = p-1?

There's clearly no strong security advantage to the 2q subgroup -- it's
just one bit larger -- but is there an attack that works against the 2q
subgroup that doesn't work against the q subgroup?  If this is a known
concern, i'd be happy with just a pointer to a paper or web page
explaining the risks of the larger group.

otoh, if the goal is just to ensure we have word-for-word compliance
with SP800-56A, then it's clear that choosing a different generator is
the way to go (and without much of a security cost).  but i'd like to
know if there's a reason other than blind-spec-compliance.  Pointers?

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150527/2f8f51cc/attachment.bin>


More information about the openssh-unix-dev mailing list