[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 28 09:28:09 AEST 2015
On Wed 2015-05-27 18:02:40 -0400, mancha wrote:
> One reason the generator of the full (Z/pZ)* is avoided is because
> knowledge of g^a and g^b (both known to Mallory) leaks information about
> the shared secret g^(ab) via their legendre symbols.
The Legendre symbol of g^(ab) is 1 bit; but the full |2q| group is 1
bit larger than the |q| subgroup. Either way, we're not talking about a
radical change in cryptographic strength, right? Or is there some way
to parlay knowledge of the Legendre symbol of g^(ab) into a larger attack?
--dkg