----- Original Message ----- > From: "Markus Friedl" <mfriedl@xxxxxxxxx> > To: "Hubert Kario" <hkario@xxxxxxxxxx> > Cc: openssh-unix-dev@xxxxxxxxxxx > Sent: Tuesday, 18 February, 2014 10:26:58 AM > Subject: Re: 3des cipher and DH group size > > > Am 04.02.2014 um 16:58 schrieb Hubert Kario <hkario@xxxxxxxxxx>: > > > Continuing the discussion from > > https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032037.html > > > > I have looked at the changes made to implement automatic selection of DH > > groups and there are few changes confusing to me, to say the least. > > > > Especially 1.97~1.96 rev diff of kex.c: > > > >> + dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); > > > > Why "MAX("? Why security of chosen dh moduli should match the _most_ > > secure primitive? Since DH KEX is computationally expensive (think > > smartphones), > > shouldn't we try to use as small DH parameters as possible? > > I don’t understand your excitement. That wasn't excitement, that was surprise. Also, that were (are) genuine questions. > I chose MAX() here, because the old release did the same. > > The old release basically did > need = MAX(enckeylen, block size, ivlen, mackeylen) > and all I did was to replace enckeylen (192 bits for 3DES) with cipher_seclen > (112 bits). > > You might argue that the old code was wrong, but I chose a minimal change > to fall back to a conservative choice. OK. So, since now the DH group sizes themselves are conservative, perhaps we should revise it? I mean that even when we're using just the cipher key size as the selection criteria for DH key sizes, we still end up with much bigger DH sizes than old openssh proposed. Old openssh: 3des with sha1: 2048 bit DH aes128 with sha1: 2048 bit DH aes192 with sha1: 2048 bit DH aes256 with sha1: 4096 bit DH default (aes128 with md5): 1024 bit DH what I'm saying the code should do: 3des with sha1: 2048 bit DH aes128 with sha1: 3072 bit DH aes192 with sha1: 7680 bit DH aes192 with sha256: 7680 bit DH aes256 with sha1: 8192 bit DH default (aes-128 with md5): 3072 bit DH What the code actually does: 3des with sha1: 7680 bit DH aes128 with sha1: 7680 bit DH aes192 with sha1: 7680 bit DH aes192 with sha256: 8192 bit DH aes256 with sha1: 8192 bit DH default (aes-128 with md5): 3072 bit DH (I'm completely ignoring the fact that if you're connecting to any relatively new openssh you'll get ECDH, not DH by default) -- Regards, Hubert Kario BaseOS QE Security team Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev