Weak DH primes and openssh

Damien Miller djm at mindrot.org
Fri May 29 09:23:59 AEST 2015

On Thu, 28 May 2015, Hubert Kario wrote:

> > If this is the only attack you're trying to address, and you've
> > already limited yourself to safe primes, then NUMS properties don't
> > really add anything. The NUMS approach is there to try to avoid
> > the possibility of other, unknown cryptanalytic attacks against some
> > infrequent type of group, so that the entity who defines the group
> > can't force you into this secret corner case if they have special
> > knowledge.
> that being said, how would using NUMS seeds to generate a safe prime
> hurt?

If you're concerned about precomputation, then it effectively gives the
attackers a list of what you're going to use in the future.

> also, doesn't that require us to provide primality certificates for q
> rather than p?

IMO you'd want both to prove a safe prime
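The reply's point is that a safe prime needs both p and q = (p - 1) / 2 to be prime, and a verifier of a DH group would want to check both halves rather than trust whoever published the group. The following is an added example, not code from this thread or from OpenSSH: it implements a Miller-Rabin probable-prime test and uses it to check that a modulus is a safe prime and that the generator lands in the order-q (or order-2q) subgroup. The function names `is_probable_prime`, `is_safe_prime` and `check_group` are this example's own, and the sample moduli are small constructed values chosen so the check runs instantly; a real verifier would feed it the 2048-bit-or-larger group from its configuration.

```python
import random

# First twelve primes: used for trial division and, for n below the bound
# given in the comment in is_probable_prime, as deterministic Miller-Rabin bases.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test. Deterministic for n < 3.3e24 with the twelve
    smallest prime bases; random bases (40 rounds by default) above that."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    if n < 3_317_044_064_679_887_385_961_981:
        bases = _SMALL_PRIMES
    else:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p):
    """True if p and q = (p - 1) / 2 are both probable primes."""
    if p < 5 or not is_probable_prime(p):
        return False
    return is_probable_prime((p - 1) // 2)


def check_group(p, g=2):
    """Checks a verifier would want before accepting a DH group (p, g).

    generator_ok means 1 < g < p - 1 and g^q mod p is +-1, i.e. g has order
    q or 2q in Z_p^* rather than a tiny order that would leak the shared secret.
    """
    safe = is_safe_prime(p)
    generator_ok = False
    if safe:
        q = (p - 1) // 2
        generator_ok = 1 < g < p - 1 and pow(g, q, p) in (1, p - 1)
    return {"safe_prime": safe, "generator_ok": generator_ok}


if __name__ == "__main__":
    # Constructed sample moduli: 23 and 1019 are safe primes, 13 is prime but
    # (13 - 1) / 2 = 6 is not, and 2^127 - 1 is prime but 2^126 - 1 is divisible by 3.
    for p in (23, 1019, 13, 2**127 - 1):
        print(p, check_group(p, 2))
```

The subgroup check matters as much as primality: with a safe prime the only possible orders are 1, 2, q and 2q, so rejecting g in {1, p - 1} and confirming g^q is +-1 rules out every small-subgroup case in one exponentiation.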
