Verification of primes in /etc/ssh/moduli file

Hubert Kario hkario at
Fri Sep 3 04:52:42 AEST 2021

On Monday, 30 August 2021 06:42:52 CEST, Damien Miller wrote:
> On Thu, 26 Aug 2021, Demi Marie Obenour wrote:
>> One can prove primality using the Miller-Rabin test, which will
>> detect composites with probability at least 3/4 per round.  After 64
>> rounds the likelihood of a composite not being detected is not more
>> than 2⁻¹²⁸, even for adversarial choices of moduli.  Note that
>> the primality testing APIs in cryptographic libraries are often not
>> designed for this, as they perform optimizations that are not valid for
>> adversarially chosen numbers.
> I assumed the safety of most libraries in the adversarial model was
> fixed a while ago, after pointed
> out a bunch of flaws. Shame on me for not checking thoroughly...

I haven't looked into OpenSSH or libssh, but for TLS the clients generally 
_don't_ check if the p is a prime, let alone a safe prime, so it doesn't 
really matter if the isPrime() function is hardened or not as it's not used 
in the first place...

(Unless you run in FIPS mode with a recently certified module, then you
can use only a few hardcoded primes from rfc3526 or rfc7919)
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
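The thread above turns on two points: a moduli entry should be verified as a safe prime (p and (p-1)/2 both prime), and the verification should use random Miller-Rabin bases so that the 2^-128 bound after 64 rounds holds even for an adversarially chosen p, rather than the fixed-base shortcut some library primality APIs take. The script below is an added example, not OpenSSH's own moduli code or any library's API: it parses the moduli(5) column layout (time, type, tests, trials, size, generator, modulus in hex) as I recall it from the manual page, re-checks each modulus with a textbook Miller-Rabin using random bases, and shows the fixed-base shortcut accepting a classic strong pseudoprime. The sample lines are constructed from small primes so it runs instantly; field semantics beyond type 2 = safe prime and the hex modulus are assumed and left unchecked.

```python
"""Re-verify the moduli of an OpenSSH moduli(5) file as safe primes.

Added example, not OpenSSH code. Assumed column layout (from moduli(5)):
    time type tests trials size generator modulus
with type 2 meaning "safe prime" and modulus written in hex.
"""

import secrets

# Cheap trial division before the expensive modular exponentiations.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _decompose(n):
    """Write n - 1 as d * 2**s with d odd; returns (d, s)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return d, s


def _is_witness(a, n, d, s):
    """True if base a proves n composite (a is a 'strong witness')."""
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def miller_rabin(n, rounds=64, bases=None):
    """Miller-Rabin primality test.

    With bases=None, `rounds` bases are drawn uniformly from [2, n-2]; a
    composite survives one such round with probability at most 1/4, so it
    survives 64 rounds with probability at most 2**-128 regardless of how
    n was chosen. Passing a fixed `bases` tuple reproduces the shortcut
    that is NOT safe against adversarially chosen n.
    """
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = _decompose(n)          # here n >= 41, so n - 3 > 0 below
    if bases is None:
        bases = (secrets.randbelow(n - 3) + 2 for _ in range(rounds))
    return not any(_is_witness(a, n, d, s) for a in bases)


def is_safe_prime(p, rounds=64):
    """p is a safe prime if p is an odd prime and q = (p - 1) / 2 is prime."""
    if p <= 2 or p % 2 == 0:
        return False
    # Test q first: for a random-looking composite p it usually fails fast.
    return miller_rabin((p - 1) // 2, rounds) and miller_rabin(p, rounds)


def check_moduli_line(line, rounds=64):
    """Parse one moduli(5) line; return (modulus, ok, reason)."""
    fields = line.split()
    if len(fields) != 7:
        return None, False, "malformed line"
    _time, mtype, _tests, _trials, _size, gen, hexmod = fields
    p = int(hexmod, 16)
    if int(mtype) != 2:                    # type 2 = safe prime (moduli(5))
        return p, False, "type field is not 2 (safe prime)"
    if not 1 < int(gen) < p - 1:
        return p, False, "generator out of range"
    if not is_safe_prime(p, rounds):       # do not trust the tests/trials columns
        return p, False, "modulus is not a safe prime"
    return p, True, "ok"


def check_moduli(text, rounds=64):
    """Check every non-blank, non-comment line; returns a list of results."""
    return [check_moduli_line(line, rounds)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _line(p, mtype=2, gen=2):
    """Build a moduli(5)-style line for modulus p (constructed test data)."""
    return f"20210903045242 {mtype} 6 100 {p.bit_length()} {gen} {p:X}"


# Constructed sample file: one good entry and two that must be rejected.
SAMPLE_MODULI = "\n".join([
    "# constructed sample: time type tests trials size generator modulus",
    _line(23),           # 23 = 2*11 + 1, a safe prime
    _line(2147483647),   # 2**31 - 1 is prime, but (p-1)/2 is divisible by 3
    _line(3215031751),   # 151*751*28351: strong pseudoprime to bases 2,3,5,7
])

if __name__ == "__main__":
    for p, ok, why in check_moduli(SAMPLE_MODULI):
        print(f"{p}: {'OK' if ok else 'REJECT'} ({why})")
    # Fixed bases 2,3,5,7 accept the pseudoprime; random bases reject it.
    print("fixed bases:", miller_rabin(3215031751, bases=(2, 3, 5, 7)))
    print("random bases:", miller_rabin(3215031751))
```

Run it against a real file with `check_moduli(open("/etc/ssh/moduli").read())`; with 2048-bit and larger moduli each entry costs two 64-round tests, which is slow in pure Python but is exactly the cost a client pays if it wants the adversarial guarantee rather than trusting the file's own "tests" column.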

More information about the openssh-unix-dev mailing list