DH Group Exchange Fallback

Darren Tucker dtucker at zip.com.au
Wed Sep 27 03:10:14 AEST 2017


On 25 September 2017 at 15:54, Mark D. Baushke <mdb at juniper.net> wrote:
[...]
> For my effort, I would find it 'better' to consider moving to provable
> primes. Of course, that would mean sending all three of g,p,q to the
> client for them to validate that the primes are safe using something
> like Pocklington's Theorem. This should be fairly quick as such things
> go. It does mandate a change to the protocol to send q over the wire
> too.

I'm not a cryptographer so I defer to others on the cryptography and
number theory.

As an maintainer I guess the counter argument to that is that if you
need something stronger that the current dh-gex and you have to
implement something new anyway then you'd be much better off
implementing ecdh or ssh-curves and get something much faster for the
equivalent strength.  What is the intersection of people wanting >192
bits of security and wanting to (or being required to) stick with
dh-gex?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list