Weak DH primes and openssh
Damien Miller
djm at mindrot.org
Fri May 29 09:23:59 AEST 2015
On Thu, 28 May 2015, Hubert Kario wrote:
> > If this is the only attack you're trying to address, and you've
> > already limited yourself to safe primes, then NUMS properties don't
> > really add anything. The NUMS approach is there to try to avoid
> > the possibility of other, unknown cryptanalytic attacks against some
> > infrequent type of group, so that the entity who defines the group
> > can't force you into this secret corner case if they have special
> > knowledge.
>
> that being said, how would using NUMS seeds to generate safe primes
> hurt?
If you're concerned about precomputation, then it effectively gives the
attackers a list of what you're going to use in the future.
> also, doesn't that require us to provide primality certificates for q
> rather than p?
IMO you'd want both to prove a safe prime.
-d
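The "both p and q" point above, as an added example that is not from this thread or from OpenSSH: a checker that tests both halves of the safe-prime claim p = 2q + 1 with Miller-Rabin (a probabilistic test standing in for the primality certificates Damien mentions) and also reports whether the usual generator g = 2 lands in the order-q subgroup. The small primes, bit sizes and function names are constructed for illustration.

```python
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; a True result is probabilistic, not a certificate."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0            # write n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def check_safe_prime_group(p: int, g: int = 2) -> dict:
    """Report whether p = 2q + 1 is a safe prime and where g sits in Z_p^*."""
    q = (p - 1) // 2
    result = {
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),   # the half that is easy to forget
        "p_is_2q_plus_1": p == 2 * q + 1,
    }
    result["safe_prime"] = all(result.values())
    # in a safe-prime group every element has order 1, 2, q or 2q;
    # g^q == 1 (with g not trivial) means g generates the order-q subgroup,
    # otherwise g has order 2q and a DH share leaks one bit (the Legendre symbol)
    result["g_in_order_q_subgroup"] = 1 < g < p - 1 and pow(g, q, p) == 1
    return result

def generate_safe_prime(bits: int) -> int:
    """Draw random odd q of (bits - 1) bits until both q and p = 2q + 1 are prime."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p

if __name__ == "__main__":
    for p in (23, 107, 13, generate_safe_prime(48)):   # constructed sample inputs
        print(p, check_safe_prime_group(p))
```

23 and 107 are both safe primes, but only for 23 does g = 2 generate the order-q subgroup (107 ≡ 3 mod 8, so 2 is a non-residue there), which is why a checker should test the generator separately from the primes.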