Hi all! Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html I have looked at the changes made to implement automatic selection of DH groups and there are few changes confusing to me, to say the least. Especially 1.97~1.96 rev diff of kex.c: > + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); Why "MAX("? Why security of chosen dh moduli should match the _most_ secure primitive? Since DH KEX is computationally expensive (think smartphones), shouldn't we try to use as small DH parameters as possible? > + dh_need = MAX(dh_need, newkeys->enc.block_size); This is plain confusing. Which cipher's security level is influenced by its block size? + dh_need = MAX(dh_need, newkeys->enc.iv_len); I'd also say that the relationship between IV size and and security estimate is a bit more complex. I.e. IV of size 96 bits won't lower the security level of whole system to 96 bits. + dh_need = MAX(dh_need, newkeys->mac.key_len); Shouldn't this use mac.mac_len? I mean MACs like hmac-md5-96 provide 96 bits of security, not the 128 bits from key size. -- Regards, Hubert Kario BaseOS QE Security team Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev