[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

Mark D. Baushke mdb at juniper.net
Fri May 29 11:22:03 AEST 2015 

mancha <mancha1 at zoho.com> writes:

> On Mark's report, g=5 indeed generates the full (Z/pZ)* for the prime(*)
> initially recommended in bug 2302's fix. But, that's no different
> from generators in the full moduli file. My quick test shows all 274
> generate the associated full groups.  

Yes, I have observed that most RFC 4419 moduli entries generate full
groups.

It seems that most of the time the RFC 4419 method of selecting a
generator g provides for a full (Z/pZ) for the generated prime p. So, if
you are running with random g^x and g^y values, about half of the time
you will get a q-ordered subgroup and half of the time you will get one
that is in the full group and would need to be failed at runtime if one
is trying to enforce the NIST SP 800-56A tests.

If there is a need to sell products which use OpenSSH into the public
sector (various Governements), then FIPS 140-2 compliance is needed.
This means that NIST SP 800-56A validation is important.

Generation of a moduli file that complies with RFC 4419 and NIST SP
800-56A is difficult... unless one ignores 'useful technique' provided
in RFC 4419 section 6.1 for finding a generator for each moduli entry.
So, an alternative 'useful technique' is to see if g=2 is a subgroup or
full group generator and use g=2 only when it generates a q-ordered
subgroup.

It also means that interoperability with other implementations become
'interesting' if a client needs to reject roughly half of the g^y values
provided by a non-800-56A compliant server. Of course, in theory the
folks that need compliance would not field a box that offered up 'bad'
values of g and p...

> That's moot now because the fallback is a 4096-bit prime taken from RFC
> 3526 [1]. According to my tests, that p is a safe prime(**) and the
> recommended generator g=2 generates the subgroup order q.

Yes, this is very useful.

> --mancha
> 
> [1] https://tools.ietf.org/html/rfc3526#page-5
> 
> (*)  Certified with PRIMO: https://tinyurl.com/nrqrrcg
> (**) Certified with PRIMO: https://tinyurl.com/nwvezog & https://tinyurl.com/o2cxju7

	--  Mark

More information about the openssh-unix-dev mailing list