On Fri, 2014-10-24 at 11:40 +1100, Damien Miller wrote:
> Checking for trivially non-prime is easy and maybe worthwhile to catch
> broken implementations, but IMO there's little point when "subtly
> non-prime" is still too expensive for the client to check - even a
> few Miller-Rabin checks are too slow at the prime sizes required for
> reasonable security in modp groups.

Perhaps a stupid idea, but most OpenSSH packages seem to simply use the
pregenerated moduli file from the sources. Since many people never use
anything else than OpenSSH, one could use this as a whitelist for
"trusted" moduli, which ssh wouldn't check further.

And what do you think about allowing people to specify their min/max
acceptable DH group sizes at client/server level?

> Moreover, there are many, many ways
> for an evil server to compromise the connection that are completely
> undetectable (e.g. leak an encrypted copy of the server's PRNG key in
> the KEXINIT cookie field).

Well, as said just before, it's quite clear that this is not about
protecting against evil servers, which is impossible per se.

> I'd rather people use one of the EC DH modes

Sure, but DH isn't broken either, and I think it never harms to have
alternatives. *And* there are still many old clients out in the wild
which only support DH.

> - they are waaay faster
> for the same security level.

Shouldn't these have much higher security levels than e.g. DH with a
1024-bit group?

Cheers,
Chris.

btw: I made some pull requests on github, largely for documentation
stuff, did you notice that there?
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
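The three ideas discussed in the message above (a cheap check for trivially non-prime moduli, a whitelist of already-trusted moduli that the client skips checking, and a client/server min/max policy on DH group size) can be put together in a small screening tool. The code below is an added example, not OpenSSH code and not something either poster wrote. It assumes the line layout of OpenSSH's moduli(5) file (Time Type Tests Tries Size Generator Modulus, modulus in hex) and the convention that the Size column is one less than the prime's bit length (2047 for a 2048-bit prime). The sample entries are constructed: the first is the 1024-bit MODP group 2 prime from RFC 2409 (a known safe prime), the second is 2^1024 - 1, which is odd and the right size but divisible by 3. The policy limits and the whitelist are made up for the demo.

```python
"""Screen DH moduli from an OpenSSH-style moduli file: size policy, trusted
whitelist, trial division, then a Miller-Rabin safe-prime test.

Added example; not OpenSSH code. Sample data, policy values and the whitelist
are constructed for this demo."""
import hashlib
import secrets

# Small primes for cheap trial division before the expensive probabilistic test.
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Trial division by small primes, then `rounds` Miller-Rabin rounds.
    Bases are drawn at random: a modulus supplied by a remote peer could be a
    composite crafted to pass a test that always uses the same fixed bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0                      # write n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def is_safe_prime(p: int, rounds: int = 8) -> bool:
    """A safe prime has both p and q = (p - 1) / 2 prime (moduli type 2).
    This doubles the Miller-Rabin cost, which is the expense the thread is about."""
    return p % 2 == 1 and is_probable_prime(p, rounds) \
        and is_probable_prime((p - 1) // 2, rounds)


def parse_moduli(text: str) -> list:
    """Parse moduli(5)-style lines; '#' comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, typ, tests, tries, size, gen, hexp = fields
        entries.append({"line": lineno, "type": int(typ), "tests": int(tests),
                        "tries": int(tries), "size": int(size),
                        "generator": int(gen, 16), "p": int(hexp, 16)})
    return entries


def modulus_fingerprint(p: int) -> str:
    """SHA-256 of the big-endian bytes of p; the key used by the whitelist."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


def screen_modulus(entry: dict, min_bits: int, max_bits: int,
                   trusted: set, rounds: int = 8) -> tuple:
    """Return (accepted, reason). Cheap checks run first; the safe-prime test
    only runs for moduli that are not already on the trusted whitelist."""
    p = entry["p"]
    bits = p.bit_length()
    if bits != entry["size"] + 1:        # Size column is bit length minus one
        return False, f"size field {entry['size']} does not match {bits}-bit modulus"
    if bits < min_bits:
        return False, f"{bits}-bit group below policy minimum {min_bits}"
    if bits > max_bits:
        return False, f"{bits}-bit group above policy maximum {max_bits}"
    if p % 2 == 0:
        return False, "modulus is even (trivially composite)"
    if modulus_fingerprint(p) in trusted:
        return True, "whitelisted modulus, primality test skipped"
    if not is_safe_prime(p, rounds):
        return False, "modulus failed safe-prime test"
    return True, f"{bits}-bit safe prime (probabilistic, {rounds} rounds)"


# Constructed sample: RFC 2409 group 2 (a real 1024-bit safe prime) and 2^1024 - 1.
MODP1024_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
                "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
                "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
                "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
SAMPLE_MODULI = ("# Time Type Tests Tries Size Generator Modulus\n"
                 f"20141024114000 2 6 100 1023 2 {MODP1024_HEX}\n"
                 f"20141024114001 2 6 100 1023 2 {'F' * 256}\n")


def screen_file(text: str, min_bits: int, max_bits: int, trusted: set) -> list:
    """Screen every entry of a moduli file under one policy."""
    return [(e["line"],) + screen_modulus(e, min_bits, max_bits, trusted)
            for e in parse_moduli(text)]


if __name__ == "__main__":
    # Hypothetical policy: accept 1024..8192 bits; whitelist nothing.
    for line, ok, why in screen_file(SAMPLE_MODULI, 1024, 8192, set()):
        print(f"line {line}: {'accept' if ok else 'reject'}: {why}")
```

Run as is, the first entry is accepted after a full safe-prime test and the second is rejected by trial division before any modular exponentiation happens, which is the "trivially non-prime" case from the quoted text. Raising the policy minimum to 2048 rejects the first entry on size alone, and putting its fingerprint in the `trusted` set skips the primality test entirely, as the whitelist suggestion proposes. Note that the whitelist moves trust to whoever produced the list, and none of this helps against a server that is itself hostile, which is the point Damien makes about the KEXINIT cookie. OpenSSH's own screening of candidate moduli is `ssh-keygen -T`, which runs many more trials than this demo.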