DH Group Exchange Fallback

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Sep 23 05:22:33 AEST 2017

On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote:
>     I gotta say... having a fallback mechanism here seems pretty
> strange.  The entire point of the group exchange is to use a dynamic
> group and not a static one.

fwiw, i think dynamic groups for DHE key exchange are intrinsically
problematic when there is any computational expense in validating the
quality of the group parameters.

The party receiving the group is basically at the mercy of the party
proposing the group -- they hope that they've done something sensible,
because no client is going to try to do things like an expensive
primality test on a large integer that they just received.

Sticking to the standard groups -- large size, well-vetted, with
publicly-published primality proofs for finite-field moduli, and
generated with a minimal amount of wiggle-room for malicious creation
(aka "nothing up my sleeve", "NUMS", or "safecurves") values are the way
to go.  they're (marginally) easier on the bandwidth too, because you
can just pick one from a table that's already well-known, and you don't
have to transmit the large group in addition to the public share.
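As an added illustration of the point above (example code written here, not part of dkg's message and not OpenSSH's own validation code): the checks a client can afford to run on a group it has just received (size range, oddness, generator range) are separated from the check that actually establishes the group's quality, namely that p is a safe prime p = 2q + 1 with q prime. The moduli, the bit-size bounds and the "problem" strings are constructed for the demo; the values are tiny so the script runs instantly, whereas a real DH-GEX modulus is 2048 bits or more, which is exactly why nobody runs the expensive part on the wire.

```python
"""Cheap versus expensive validation of a received Diffie-Hellman group.

Constructed example: the small moduli below are for illustration only.
"""
import random
from typing import List, Optional

# Fixed seed so the probabilistic primality test is reproducible in this demo.
_RNG = random.Random(20170921)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: the 'expensive primality test on a large integer' a client skips."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:          # trial division catches most composites cheaply
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0                  # write n - 1 = 2^r * d with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness that n is composite
    return True


def cheap_checks(p: int, g: int, min_bits: int, max_bits: int) -> List[str]:
    """Checks in the cost class a client actually performs on a received group."""
    problems = []
    if not (min_bits <= p.bit_length() <= max_bits):
        problems.append("modulus size out of requested range")
    if p % 2 == 0:
        problems.append("modulus is even")
    if not (2 <= g <= p - 2):
        problems.append("generator out of range")
    return problems


def expensive_checks(p: int) -> List[str]:
    """The checks that establish group quality: p prime and (p-1)/2 prime."""
    problems = []
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
    if not is_probable_prime((p - 1) // 2):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime")
    return problems


def subgroup_order(p: int, g: int) -> Optional[str]:
    """For a safe prime p = 2q+1, any g in [2, p-2] has order q or 2q.
    Returns "q", "2q", or None when neither holds (p is then not a safe prime)."""
    q = (p - 1) // 2
    t = pow(g, q, p)
    if t == 1:
        return "q"
    if t == p - 1:
        return "2q"
    return None


def vet_group(p: int, g: int, min_bits: int, max_bits: int, full: bool) -> List[str]:
    """Run the cheap checks, and the expensive ones only when the caller can afford them."""
    problems = cheap_checks(p, g, min_bits, max_bits)
    if full:
        problems += expensive_checks(p)
    return problems


# Constructed demo groups; the size bounds are scaled down to match them.
DEMO_BITS = (10, 16)
SAFE_GROUP = (1019, 2)       # 1019 = 2*509 + 1, both prime
PRIME_NOT_SAFE = (1021, 2)   # 1021 is prime, but (1021-1)/2 = 510 is not
COMPOSITE_GROUP = (1023, 2)  # 1023 = 3 * 11 * 31, yet passes every cheap check

if __name__ == "__main__":
    for label, (p, g) in (("safe prime", SAFE_GROUP),
                          ("prime, not safe", PRIME_NOT_SAFE),
                          ("composite", COMPOSITE_GROUP)):
        cheap = vet_group(p, g, *DEMO_BITS, full=False)
        full = vet_group(p, g, *DEMO_BITS, full=True)
        print(f"{label:16} cheap={cheap or 'ok'}  full={full or 'ok'}  "
              f"order(g)={subgroup_order(p, g)}")
```

The composite modulus is the instructive case: it clears every check the receiving side would normally run, and only the Miller-Rabin pass on p and (p-1)/2 rejects it. Picking a well-known group from a table makes that pass someone else's problem, done once and published, instead of a per-connection cost that implementations quietly skip.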

