Re: Weak DH primes and openssh

On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote:
> creating composites that will pass even 100000 rounds of Miller-Rabin is 
> relatively simple....
> (assuming the values for M-R tests are picked randomly)

Can you point me to the algorithms for doing that?  This would suggest
that we really do want primality proofs (and a good way to verify them).

Do those algorithms hold for creating composites that pass M-R tests for
both p and (p-1)/2 ?

> I'd be against shipping any primes that are not generated from known, expected 
> values, like hash of "OpenSSH 1024 bit DH prime, try #1"

This is trying to put some sort of NUMS-y ("Nothing Up My Sleeve")
constraint on prime generation -- presumably you'd count up from the
hash value until you find something that passes M-R for both p and
(p-1)/2, right?  I observe that the values in ./moduli all seem quite
similar in that respect (i.e. the values for any given length share most
of the same prefix, and differ only in the trailing bits).

Wouldn't primality proofs make this NUMS-y approach less relevant?

        --dkg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
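
The derivation discussed in the message above (hash a public label, then count up until both p and (p-1)/2 pass Miller-Rabin), as an added example that is not part of the original post or of OpenSSH's own code. The SHA-256 counter-mode expansion, the function names and the 128-bit demo size are assumptions made for illustration; only the label string comes from the thread.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with bases drawn at random for every call."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:               # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # a in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a witness: n is composite
    return True

def seed_to_int(label, bits):
    """Expand a public label to `bits` bits (SHA-256 counter mode: an assumption)."""
    out, ctr = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(label.encode() + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    n = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return n | (1 << (bits - 1))          # force the top bit so the length is exact

def nums_safe_prime(label, bits):
    """Count up from the label's hash to the first p with p and (p-1)/2 passing M-R."""
    start = seed_to_int(label, bits)
    p = start + (11 - start) % 12         # every safe prime above 7 is 11 mod 12
    while not (is_probable_prime((p - 1) // 2) and is_probable_prime(p)):
        p += 12
    return p, p - start                   # prime and how far the search counted up

if __name__ == "__main__":
    p, offset = nums_safe_prime("OpenSSH 1024 bit DH prime, try #1", 128)
    print(hex(p), "found", offset, "above the hash value")
```

Anyone holding the label can rerun the search and compare the result; the returned offset shows that the prime differs from the hash value only in its trailing bits.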



