Verification of primes in /etc/ssh/moduli file

Damien Miller djm at mindrot.org
Fri Sep 3 14:39:03 AEST 2021


On Thu, 2 Sep 2021, Hubert Kario wrote:

> I haven't looked into OpenSSH or libssh, but for TLS the clients generally 
> _don't_ check if the p is a prime, let alone a safe prime, so it doesn't 
> really matter if the isPrime() function is hardened or not as it's not used 
> in the first place...

It doesn't matter in the context of a single connection, where the
endpoints have to trust each other not to divulge session contents or
keys.

But we use BN_is_prime() in the moduli verification tools we ship
for users to verify that we're not shipping out composite numbers.
This is an adversarial use case.

Of course, having actual primality certificates is better.

-d
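As an added example (not OpenSSH's own verification code, which relies on OpenSSL's BN_is_prime()), the check below verifies /etc/ssh/moduli lines with a random-base Miller-Rabin test, so that a composite crafted to pass fixed, predictable witness bases is still rejected. It assumes the stock field layout (time, type, tests, trials, size, generator, modulus) and that the size field is one less than the bit length; the sample lines use small constructed primes so the check runs instantly.

```python
import random

# Trial-division primes; kept short so pseudoprimes like 2047 = 23*89 reach Miller-Rabin.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19)


def miller_rabin(n, bases):
    """Strong probable-prime test of n against the given witness bases.
    False if some base proves n composite, True if every base is a liar or n is prime."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                      # write n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def is_probable_prime(n, rounds=64, rng=random.SystemRandom()):
    """Random bases: an input cannot be tuned to fool witnesses chosen at check time."""
    if n < 5:
        return n in (2, 3)
    return miller_rabin(n, (rng.randrange(2, n - 1) for _ in range(rounds)))


def is_safe_prime(p, rounds=64):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p > 5 and is_probable_prime(p, rounds) and is_probable_prime((p - 1) // 2, rounds)


def check_moduli_line(line, rounds=64):
    """Verify one moduli line; returns (ok, reason).
    Assumption: the size field records bit length minus one (e.g. 2047 for 2048-bit groups)."""
    fields = line.split()
    if len(fields) != 7:
        return False, "malformed line"
    mtype, size, g, p = int(fields[1]), int(fields[4]), int(fields[5]), int(fields[6], 16)
    if mtype != 2:
        return False, "type %d is not a safe-prime entry" % mtype
    if p.bit_length() != size + 1:
        return False, "bit length %d does not match size %d" % (p.bit_length(), size)
    if not is_safe_prime(p, rounds):
        return False, "p or (p-1)/2 is composite"
    if pow(g, (p - 1) // 2, p) not in (1, p - 1):   # g must have order q or 2q in Z_p*
        return False, "generator %d has bad order" % g
    return True, "ok"
```

Constructed sample lines: `20210903143903 2 6 100 10 2 51B` (p = 1307, q = 653, both prime) passes, while `20210903143903 2 6 100 10 2 7FF` (p = 2047 = 23*89, a strong pseudoprime to base 2) is accepted by a base-2-only test but rejected by the random-base check.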
