Re: Weak DH primes and openssh

On Sun, 31 May 2015, Daniel Kahn Gillmor wrote:

> The other alternative if you wanted fixed seeds would be to use some
> high-entropy value from the real world that would be unpredictable,
> hard to control, but not too hard to verify (e.g. a digest of the
> concatenated UTF-8 representations of the top headline from each of
> the 10 highest-circulation newspapers on the day of re-generation, or
> something similar).

IMO it's still pointless - NUMS-style generation might be useful in
cases where there exists suspicion (but no proof) that some parameter
choices might be trapdoor-able. There's not even the faintest hint
that this might be the case for the DLP in arbitrary strong prime modp
groups.

If vendors are concerned about the moduli that OpenSSH ships, I'd
recommend either generating your own (using ssh-keygen or some
independent means) or auditing what we do using primo or some similar
ECPP tool.

Getting a good, open-source primality prover would be nice too...

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
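As an added illustration of the "audit what we ship" suggestion in the post above (this is not part of the thread and not OpenSSH's own code): a small Python script that parses a file in the moduli(5) layout and re-checks every entry with independent code. It assumes the moduli(5) field order (time, type, tests, tries, size, generator, modulus in hex) and the convention that the size field is one less than the modulus bit length; the sample lines are constructed with tiny safe primes so the script runs instantly. Caveat, as the post says: Miller-Rabin is a probabilistic compositeness test, so a clean result means "no evidence against", not the proof that primo or another ECPP prover would give.

```python
"""Re-check entries of an OpenSSH moduli(5) file with independent code.

Added example for the openssh-unix-dev thread; not OpenSSH code and not
an ECPP prover.  A "pass" here is only "no Miller-Rabin witness found".
"""
import random
import sys

# Cheap trial division before Miller-Rabin.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
_RNG = random.SystemRandom()

# Constructed sample in moduli(5) layout (assumed field order: time type
# tests tries size generator modulus).  Real files hold 2048-8192 bit
# entries; these tiny values exist only so the script runs in milliseconds.
SAMPLE_MODULI = """\
# safe prime 59, generator 2 (primitive root)
20150531012345 2 6 100 5 2 3B
# safe prime 23, generator 5
20150531012346 2 6 100 4 5 17
# 95 = 5 * 19: composite modulus
20150531012347 2 6 100 6 2 5F
# 37 is prime but (37-1)/2 = 18 is not: not a safe prime
20150531012348 2 6 100 5 2 25
# generator p-1 has order 2
20150531012349 2 6 100 5 3A 3B
"""


def is_probable_prime(n, rounds=64):
    """Trial division, then `rounds` Miller-Rabin rounds with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0          # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False     # a is a witness: n is composite
    return True


def parse_moduli_line(line):
    """Split one record; all fields decimal except generator and modulus (hex)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    time, mtype, tests, tries, size, gen, mod = fields
    return {"time": time, "type": int(mtype), "tests": int(tests),
            "tries": int(tries), "size": int(size),
            "g": int(gen, 16), "p": int(mod, 16)}


def check_entry(line, rounds=64):
    """Return the list of problems found; an empty list means the entry passed."""
    e = parse_moduli_line(line)
    p, g, q = e["p"], e["g"], (e["p"] - 1) // 2
    problems = []
    if e["type"] != 2:
        problems.append("type %d: not marked as a safe prime" % e["type"])
    # moduli(5) records size as one less than the bit length (assumed).
    if p.bit_length() != e["size"] + 1:
        problems.append("size field %d does not match %d-bit modulus"
                        % (e["size"], p.bit_length()))
    prime_ok = p % 2 == 1 and is_probable_prime(p, rounds)
    if not prime_ok:
        problems.append("modulus is composite")
    elif not is_probable_prime(q, rounds):
        problems.append("(p-1)/2 is composite: not a safe prime")
        prime_ok = False
    # In a safe-prime group the only small subgroups are {1} and {1, p-1}.
    if not 1 < g < p - 1:
        problems.append("generator lies in a trivial subgroup")
    elif prime_ok:
        # g^q is +1 (order q, quadratic residues) or -1 (order 2q,
        # primitive root); anything else contradicts the primality results.
        if pow(g, q, p) not in (1, p - 1):
            problems.append("g^q is neither 1 nor -1 mod p")
    return problems


def audit(text, rounds=64):
    """Check every non-comment line; returns [(line, problems), ...]."""
    return [(ln, check_entry(ln, rounds)) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULI
    for ln, probs in audit(src):
        print("OK " if not probs else "BAD", ln.split()[-1][:16], "; ".join(probs))
```

Pointing it at a real /etc/ssh/moduli works (pass the path as the first argument), but 64 rounds of pure-Python modular exponentiation per 8192-bit entry is slow; lowering `rounds` for a first pass, or writing the same checks in C against OpenSSL's BN_is_prime_ex(), is the practical version. Either way it remains a screen, not a certificate of primality.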