[EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters

[Christoph Anton Mitterer]

On Fri, 2014-10-24 at 11:40 +1100, Damien Miller wrote: 
> Checking for trivially non-prime is easy and maybe worthwhile to catch
> broken implementations, but IMO there's little point when "subtly
> non-prime" is still too expensive for the client to check - even a
> few Miller-Rabin checks are too slow at the prime sizes required for
> reasonable security in modp groups.
Perhaps a stupid idea, but most OpenSSH packages seem to simply use the
pregenerated moduli file from the sources.
Since many people never use anything else then OpenSSH, once could this
use as a whitelist for "trusted" moduli, which ssh wouldn't check
further.

And what do you think about allowing people to specify their min/max
acceptible DH group sizes at client/server level?



>  Moreover, there are many, many ways
> for an evil server to compromise the connection that are completely
> undetectable (e.g. leak an encrypted copy of the server's PRNG key in
> the KEXINIT cookie field).
Well as said just before,... it's quite clear, that this is not about
protecting against evil servers, which is impossible per se.


> I'd rather people use one of the EC DH modes
Sure,... but DH isn't broken either,... and I think it never harms to
have alternatives.
*And* there are still many old clients out in the wild which only
support DH.

>  - they are waaay faster
> for the same security level.
Shouldn't these have much higher security levels than e.g. DH with a
1024bit group?



Cheers,
Chris.

btw: I made some pull requests on github, largely for documentation
stuff, do you notice that there?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141024/6991fca6/attachment.bin>