Can we disable diffie-hellman-group-exchange-sha1 by default?

Yegor Ievlev koops1997 at gmail.com
Fri Feb 15 19:43:24 AEDT 2019 

> You may wish to visit https://safecurves.cr.yp.to/.
I read this page MANY times, and generally I am also against using
P-256/384/521. However I believe that risk of using non-EC DH under
2048 bits (Logjam) and SHA-1 is higher, and also take speed into
consideration.

> However, you need to assume that you can trust that the standard curves have not been
heavily pre-computed too.
They may not only be pre-computed, but also chosen to be easy to
pre-compute. See https://bada55.cr.yp.to/vr.html.

>I am given to understand that NIST is going to be considering EdDSA and things like Curve25519 and Curve448 in the coming year for release.
Are you confusing IETF and NIST? IETF is heavily using these two
curves, but I did not hear about NIST working at including them into
their standards.

>The other thing happening is the consideration of using paired curves. Right now that is not a part of the SSHv2 protocol, but the field continues to get new research.
If by paired curves you mean converting the key between Curve25519 and
Ed25519 form, that's generally not considered to be as secure as using
separate keys.

On Fri, Feb 15, 2019 at 11:34 AM Mark D. Baushke <mdb at juniper.net> wrote:
>
> Yegor Ievlev <koops1997 at gmail.com> writes:
>
> > I referred to the fact that there is no value for 4096-bit groups at
> > all. For higher strengths than 128 bits one should probably not use
> > non-EC crypto at all, as the document suggests.
>
> For Diffie-Hellman 4096-bits, running one of the mathematical methods
> gives you on the order of 150 bits of security. See RFC 3526 section 8.
>
> For a 190-bits of security, you need a Diffie-Hellman of 8k-bits in
> size.
>
> Of course, using a larger Q-ordered subgroup such as we get with
> safe-primes helps to increase the computation time needed even beyond
> the standard sieve techniques.
>
> The speed of an ECC computation is indeed faster than FFC. However, you
> need to assume that you can trust that the standard curves have not been
> heavily pre-computed too.
>
> You may wish to visit
>
>     https://safecurves.cr.yp.to/
>
> for an interesting view on ECDH and ECDSA technology.
>
> I am given to understand that NIST is going to be considering EdDSA and
> things like Curve25519 and Curve448 in the coming year for release.
>
> The other thing happening is the consideration of using paired curves.
> Right now that is not a part of the SSHv2 protocol, but the field
> continues to get new research.
>
>         -- Mark

More information about the openssh-unix-dev mailing list