[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

mancha mancha1 at zoho.com
Thu May 28 08:02:40 AEST 2015

On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> > Hi Folks,
> >
> > The generator value of 5 does not lead to a q-ordered subgroup which
> > is needed to pass tests in
> >
> > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
> I pulled revision 2 of this document from here:
> https://dx.doi.org/10.6028/nist.sp.800-56ar2
> The "FFC Domain Parameter Generation" section does say:
>     g is a generator of the cyclic subgroup of GF(p)* of order q,
> But i don't see a recommendation of why this matters.  Surely we don't
> want the subgroup of order 2, but what is wrong with using a subgroup
> of order 2q = p-1?
> There's clearly no strong security advantage to the 2q subgroup --
> it's just one bit larger -- but is there an attack that works against
> the 2q subgroup that doesn't work against the q subgroup?  If this is
> a known concern, i'd be happy with just a pointer to a paper or web
> page explaining the risks of the larger group.
> otoh, if the goal is just to ensure we have word-for-word compliance
> with SP800-56A, then it's clear that choosing a different generator is
> the way to go (and without much of a security cost).  but i'd like to
> know if there's a reason other than blind-spec-compliance.  Pointers?
> Regards,
>         --dkg

One reason the generator of the full (Z/pZ)* is avoided is because
knowledge of g^a and g^b (both known to Mallory) leaks information about
the shared secret g^(ab) via their legendre symbols.  This is
particularly troublesome in the context of El Gamal.  

I don't have a reference to recommend off-hand but you might want to
google for "decisional diffie hellman assumption".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150527/eab16e75/attachment.bin>

More information about the openssh-unix-dev mailing list