Verification of primes in /etc/ssh/moduli file

Demi Marie Obenour demiobenour at
Thu Aug 26 20:23:24 AEST 2021

On 8/21/21 6:06 AM, Damien Miller wrote:
> On Wed, 18 Aug 2021, Hubert Kario wrote:
>> Hello everybody!
>> For the past few years we've used a tool to double-check the security of
>> the primes shipped in the OpenSSH moduli file:
>> In short, it uses primality certificates to mathematically prove that all 
>> the 
>> parameters use safe primes and a bit of simple maths to check if they're 
>> not
>> vulnerable to Special Number Field Sieve.
>> I wrote an article on why it's necessary, a high level overview how it
>> does it and how you can run it yourself:
> Excellent - one question: how do you generate/prove safe primes? I was
> never able to figure out how to prove that both N and (N-1)/2 are prime
> (though I thought it might be possible using Pocklington's criteria).

One can prove primality using the Miller-Ramin test, which will
detect composites with probability at least 3/4 per round.  After 64
rounds the likelihood of a composite not being detected is not more
than 2⁻¹²⁸, even for adversarial choices of moduli.  Note that
the primality testing APIs in cryptographic libraries are often not
designed for this, as they perform optimizations that are not valid for
adversarially chosen numbers.

That said, a much simpler approach is to simply regenerate the file;
this avoids all of the above complications.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB288B55FFF9C22C1.asc
Type: application/pgp-keys
Size: 4874 bytes
Desc: OpenPGP public key
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list