3des cipher and DH group size

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi all!

Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html

I have looked at the changes made to implement automatic selection of DH
groups and there are few changes confusing to me, to say the least.

Especially 1.97~1.96 rev diff of kex.c:

> +		 dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));

Why "MAX("? Why security of chosen dh moduli should match the _most_
secure primitive? Since DH KEX is computationally expensive (think smartphones),
shouldn't we try to use as small DH parameters as possible?

> + 		dh_need = MAX(dh_need, newkeys->enc.block_size);

This is plain confusing. Which cipher's security level is influenced by its
block size?

+		dh_need = MAX(dh_need, newkeys->enc.iv_len);

I'd also say that the relationship between IV size and and security estimate
is a bit more complex. I.e. IV of size 96 bits won't lower the security level
of whole system to 96 bits.

+		dh_need = MAX(dh_need, newkeys->mac.key_len);

Shouldn't this use mac.mac_len? I mean MACs like hmac-md5-96 provide 96 bits of
security, not the 128 bits from key size.

-- 
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev





[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux