On Tue 2014-10-21 23:15:43 +0200, Christian Weisgerber wrote:
> On 2014-10-19, Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
>> And it basically also means, the client checks just for the group
>> size,... and has no way to accept/reject certain moduli?
>> Now for ECDH, we know that some curves may be insecure,... is the same
>> known for DH? I.e. could a server accidentally propose the client an
>> insecure modulus (which the client takes without any check except for the
>> group size)?
>
> What is your attack scenario here? If the server can't be trusted,
> your session isn't protected. That is trivial.
>
> Hey, the server might accidentally use a weak random number generator.
> That isn't even hypothetical.

Christoph is pointing out that the client might actually have a way to verify that the group is strong. The client doesn't have a way to know if the server is using a weak rng.

For weaknesses that are detectable by the client, it does make sense that the client should be willing to detect and abort the session before compromising it.

We already allow clients to constrain the set of choosable ciphers, for example, so clients who talk to a misconfigured/old/busted server that tries to select arcfour can reject the connection.

It's not implausible that a client would also want to reject a server that offers an obviously non-prime DH modulus, or a server's ephemeral DH public key if it is clearly bad (e.g. p-1 or 1).

--dkg
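The client-side checks dkg describes (reject a non-prime modulus, reject a degenerate ephemeral public key such as 1 or p-1) can be sketched in a few lines. The following is an added illustration written for this archive page; it is not OpenSSH code and not anything the list participants posted. It goes slightly beyond the message by also checking that (p-1)/2 is prime (the "safe prime" form used by the SSH group-exchange groups) and, where the generator has order (p-1)/2, that the peer's public key lies in that subgroup. The function names, the default 2048-bit minimum and the small test moduli are all assumptions chosen for the example.

```python
"""Client-side sanity checks for a server-proposed finite-field DH group.

Added example; hypothetical helper names, not an OpenSSH API.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (no false negatives for primes)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    # Write n-1 = 2**r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness: n is composite
    return True


def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return a list of problems with the group (p, g); empty list means acceptable.

    min_bits defaults to 2048 as an assumed policy value for this example.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus too small: {p.bit_length()} bits < {min_bits}")
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
        return problems                            # nothing else is meaningful
    if not 2 <= g <= p - 2:
        problems.append("generator out of range [2, p-2]")
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("modulus is not a safe prime: (p-1)/2 is composite")
    return problems


def check_dh_public(p: int, g: int, y: int) -> bool:
    """Validate the peer's ephemeral public key y for a safe-prime group.

    Assumes (p, g) already passed check_dh_group. Rejects 0, 1, p-1 and
    out-of-range values outright; when g generates the order-q subgroup
    (g**q == 1 mod p), also requires y to lie in that subgroup.
    """
    if not 2 <= y <= p - 2:
        return False
    q = (p - 1) // 2
    if pow(g, q, p) == 1 and pow(y, q, p) != 1:
        return False                               # y is outside the prime-order subgroup
    return True


if __name__ == "__main__":
    # Constructed toy parameters (p = 23 is a safe prime; 2 has order 11 mod 23).
    print(check_dh_group(23, 2, min_bits=5))       # []
    print(check_dh_group(21, 2, min_bits=5))       # ['modulus is not prime']
    print(check_dh_public(23, 2, 22))              # False (y == p-1)
    print(check_dh_public(23, 2, 4))               # True
```

A real client would run these against the group it receives in the key-exchange reply, before deriving the shared secret, and abort the session on any non-empty problem list. The subgroup test for y is only valid when g itself has order (p-1)/2; a generator of the full group gives legitimate peers keys with y^q = p-1, which is why the code checks g first.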
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev