[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 28 09:28:09 AEST 2015

On Wed 2015-05-27 18:02:40 -0400, mancha wrote:
> One reason the generator of the full (Z/pZ)* is avoided is because
> knowledge of g^a and g^b (both known to Mallory) leaks information about
> the shared secret g^(ab) via their legendre symbols.

Their Legendre symbol of g^(ab) is 1 bit; but the full |2q| group is 1
bit larger than the |q| subgroup.  Either way, we're not talking about a
radical change in cryptographic strength, right?  Or is there some way
to parlay knowledge of the Legendre symbol of g^(ab) into a larger attack?


More information about the openssh-unix-dev mailing list