On 04.02.2014 at 16:58, Hubert Kario <hkario@xxxxxxxxxx> wrote:
> Continuing the discussion from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html
>
> I have looked at the changes made to implement automatic selection of DH
> groups and there are a few changes confusing to me, to say the least.
>
> Especially 1.97~1.96 rev diff of kex.c:
>
>> + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
>
> Why "MAX("? Why security of chosen dh moduli should match the _most_
> secure primitive? Since DH KEX is computationally expensive (think smartphones),
> shouldn't we try to use as small DH parameters as possible?

I don’t understand your excitement. I chose MAX() here, because the old release did the same. The old release basically did

need = MAX(enckeylen, block size, ivlen, mackeylen)

and all I did was to replace enckeylen (192 bits for 3DES) with cipher_seclen (112 bits). You might argue that the old code was wrong, but I chose a minimal change to fall back to a conservative choice.

-m
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
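
Review bot: the quoted line `dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));` has no comment recording why the DH group size follows the strongest negotiated primitive rather than the weakest, which is exactly the question raised in this thread. A short comment above it saying that MAX() preserves the previous release's conservative behaviour, and that cipher_seclen() stands in for the raw key length (112 instead of 192 bits for 3DES), would make the intent reviewable from the code itself.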