Re: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> writes:

> > From: "Roginsky, Allen" <allen.roginsky@xxxxxxxx>
> > Subject: RE: Question on SP 800-56A rev2
> >
> > The reason the y^q=1 (mod p) tests exists is to verify that y is in the
> > required subgroup.
> 
> I think this answer "begs the question" -- yes, the mathematical test
> verifies that y generates a subgroup of size q.  But the question we
> were discussing is why does the subgroup need to be of size q instead of
> size p-1?  

I forwarded your post to Allen Roginsky with this note:

> > From: Mark Baushke [mailto:mdb@xxxxxxxxxxx]
> > Sent: Friday, June 12, 2015 10:23 PM
> > To: Roginsky, Allen
> > Subject: Fwd: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
> > 
> > Hi Allen,
> > 
> > It seems that there is a followup question to your statements…
> > 
> > It really is sort of the root question, why does anyone actually
> > care if we have a q-ordered subgroup or not? Is there an attack
> > which is not published on this kind of issue?
> > 
> > -- Mark

I have received this reply from Allen...

	-- Mark

 ------- forwarded message -------
From: "Roginsky, Allen" <allen.roginsky@xxxxxxxx>
To: Mark Baushke <mdb@xxxxxxxxxxx>
Subject: RE: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to
 unconfigured DH groups or at least document this behaviour and use a stronger
 group
Date: Mon, 15 Jun 2015 06:17:55 +0000

Hi Mark,

The private key x may be placed in the smaller subgroup – of size q – precisely because there are no known attacks against the DH method that could exploit the structure of this subgroup.  The public key must be in a larger group because there are attacks exploiting the structure of the DH public key (the attacks against the discrete logarithm problem in the multiplicative group of a finite field).

Regards,
Allen

 ------- end of forwarded message -------
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
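The check under discussion in this thread (y^q ≡ 1 (mod p), the SP 800-56A full public-key validation) is easier to reason about with numbers in hand. The following is an added example, not code from the thread or from OpenSSH: it uses a constructed toy safe prime p = 2q + 1 = 23 (q = 11) and a generator of the order-q subgroup, implements the validation step, and shows, by brute force over the tiny group, what the check rules out. The function names `is_valid_public_value`, `element_order` and `possible_shared_secrets` are this example's own. Real DH groups use primes of at least 2048 bits, where the brute-force helpers below are of course infeasible; only the `pow(y, q, p) == 1` test scales.

```python
# Added example (not from the thread): SP 800-56A-style full validation of a
# finite-field DH public value, on a constructed toy group so every value can
# be checked by hand.
#
# p = 2q + 1 with q prime ("safe prime"): the multiplicative group mod p has
# order p - 1 = 2q, so its subgroups have order 1, 2, q or 2q. The receiver
# wants the peer's public value to lie in the order-q subgroup.

P = 23   # constructed toy safe prime: 23 = 2 * 11 + 1
Q = 11   # prime order of the subgroup peers are required to use
G = 4    # 4 is a quadratic residue mod 23, so it generates the order-11 subgroup


def is_valid_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Full public-key validation for FFC DH (SP 800-56A style).

    1. Range check: 2 <= y <= p - 2 (rejects 0, 1 and p - 1 outright).
    2. Subgroup check: y^q == 1 (mod p), i.e. y lies in the order-q subgroup.
    """
    if not (2 <= y <= p - 2):
        return False
    return pow(y, q, p) == 1


def element_order(y: int, p: int) -> int:
    """Smallest k >= 1 with y^k == 1 (mod p). Brute force; toy sizes only."""
    for k in range(1, p):
        if pow(y, k, p) == 1:
            return k
    raise ValueError("y is not a unit mod p")


def possible_shared_secrets(y: int, p: int) -> set:
    """Every value y^x mod p can take as the private exponent x ranges over
    1 .. p-2. Its size is the order of y: a low-order y confines the shared
    secret to a handful of values, which is what the subgroup check prevents.
    Brute force; toy sizes only."""
    return {pow(y, x, p) for x in range(1, p - 1)}


if __name__ == "__main__":
    # A genuine public value from the order-q subgroup passes.
    print(G, is_valid_public_value(G), element_order(G, P))          # 4 True 11
    # p - 1 has order 2: (-1)^q = -1 for odd q, so it fails the q-test
    # (and the range check already excludes it).
    print(P - 1, is_valid_public_value(P - 1), element_order(P - 1, P))  # 22 False 2
    # 5 is a non-residue mod 23, so it has order 2q = 22, not q.
    print(5, is_valid_public_value(5), element_order(5, P))          # 5 False 22
    print(sorted(possible_shared_secrets(P - 1, P)))                 # [1, 22]
    print(len(possible_shared_secrets(G, P)))                        # 11
```

The range check alone already rejects y = p - 1, but the exponentiation test is what catches every other element outside the order-q subgroup (here, all 11 quadratic non-residues, which have order 2q). Without it, a peer value of order 2 leaves only two possible shared secrets, as `possible_shared_secrets(22, 23)` shows.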
