Re: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> > Hi Folks,
> >
> > The generator value of 5 does not lead to a q-ordered subgroup which
> > is needed to pass tests in
> >
> > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
> 
> I pulled revision 2 of this document from here:
> 
> https://dx.doi.org/10.6028/nist.sp.800-56ar2
> 
> The "FFC Domain Parameter Generation" section does say:
> 
>     g is a generator of the cyclic subgroup of GF(p)* of order q,
> 
> But i don't see a recommendation of why this matters.  Surely we don't
> want the subgroup of order 2, but what is wrong with using a subgroup
> of order 2q = p-1?
> 
> There's clearly no strong security advantage to the 2q subgroup --
> it's just one bit larger -- but is there an attack that works against
> the 2q subgroup that doesn't work against the q subgroup?  If this is
> a known concern, i'd be happy with just a pointer to a paper or web
> page explaining the risks of the larger group.
> 
> otoh, if the goal is just to ensure we have word-for-word compliance
> with SP800-56A, then it's clear that choosing a different generator is
> the way to go (and without much of a security cost).  but i'd like to
> know if there's a reason other than blind-spec-compliance.  Pointers?
> 
> Regards,
> 
>         --dkg

One reason the generator of the full (Z/pZ)* is avoided is because
knowledge of g^a and g^b (both known to Mallory) leaks information about
the shared secret g^(ab) via their legendre symbols.  This is
particularly troublesome in the context of El Gamal.  

I don't have a reference to recommend off-hand but you might want to
google for "decisional diffie hellman assumption".

--mancha

Attachment: pgpLE5hn0X0zk.pgp
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux