mancha <mancha1@xxxxxxxx> writes:

> On Mark's report, g=5 indeed generates the full (Z/pZ)* for the prime(*)
> initially recommended in bug 2302's fix. But, that's no different
> from generators in the full moduli file. My quick test shows all 274
> generate the associated full groups.

Yes, I have observed that most RFC 4419 moduli entries generate full groups. It seems that most of the time the RFC 4419 method of selecting a generator g provides for a full (Z/pZ) for the generated prime p.

So, if you are running with random g^x and g^y values, about half of the time you will get a q-ordered subgroup and half of the time you will get one that is in the full group and would need to be failed at runtime if one is trying to enforce the NIST SP 800-56A tests.

If there is a need to sell products which use OpenSSH into the public sector (various Governments), then FIPS 140-2 compliance is needed. This means that NIST SP 800-56A validation is important.

Generation of a moduli file that complies with RFC 4419 and NIST SP 800-56A is difficult... unless one ignores the 'useful technique' provided in RFC 4419 section 6.1 for finding a generator for each moduli entry. So, an alternative 'useful technique' is to see if g=2 is a subgroup or full group generator and use g=2 only when it generates a q-ordered subgroup.

It also means that interoperability with other implementations becomes 'interesting' if a client needs to reject roughly half of the g^y values provided by a non-800-56A compliant server. Of course, in theory the folks that need compliance would not field a box that offered up 'bad' values of g and p...

> That's moot now because the fallback is a 4096-bit prime taken from RFC
> 3526 [1]. According to my tests, that p is a safe prime(**) and the
> recommended generator g=2 generates the subgroup order q.

Yes, this is very useful.

> --mancha
>
> [1] https://tools.ietf.org/html/rfc3526#page-5
>
> (*) Certified with PRIMO: https://tinyurl.com/nrqrrcg
> (**) Certified with PRIMO: https://tinyurl.com/nwvezog & https://tinyurl.com/o2cxju7

-- 
Mark
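The subgroup-versus-full-group distinction the thread turns on, as an added example (not code from the thread or from OpenSSH): for a safe prime p = 2q+1 a generator g has order q or 2q, and an SP 800-56A validator accepts a peer value y only when y^q = 1 mod p. The constant is the RFC 2409 1024-bit MODP group (same shape as the RFC 3526 fallback); the primality test and check functions are this example's own.

```python
import random

# RFC 2409 "Second Oakley Group" (1024-bit MODP, g = 2): same safe-prime shape as
# the RFC 3526 fallback in the thread. Copied from the RFC; the checks below verify it.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with seeded witnesses so the classification is reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0x56A)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime (the RFC 4419 / RFC 3526 shape)."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generator_order(g, p):
    """For safe prime p = 2q + 1 any 1 < g < p - 1 has order q (a square mod p,
    spans the q-ordered subgroup) or 2q (spans the full (Z/pZ)*)."""
    q = (p - 1) // 2
    if not 1 < g < p - 1:
        raise ValueError("g must lie in 2..p-2")
    return q if pow(g, q, p) == 1 else 2 * q

def public_value_ok(y, p):
    """SP 800-56A full public-key validation: 2 <= y <= p-2 and y^q == 1 mod p."""
    q = (p - 1) // 2
    return 2 <= y <= p - 2 and pow(y, q, p) == 1
```

With the small safe prime 23, g=2 has order 11 and every 2^x passes, while g=5 spans the full group and a strict validator refuses the odd-exponent half of its values, which is the roughly-half rejection rate described above.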