On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote:
> I gotta say... having a fallback mechanism here seems pretty
> strange. The entire point of the group exchange is to use a dynamic
> group and not a static one.
fwiw, i think dynamic groups for DHE key exchange is intrinsically
problematic when there is any computational expense in validating the
quality of the group parameters.
The party receiving the group is basically at the mercy of the party
proposing the group -- they hope that they've done something sensible,
because no client is going to try to do things like an expensive
primality test on a large integer that they just received.
Sticking to the standard groups -- large size, well-vetted, with
publicly-published primality proofs for finite-field moduli, and
generated with a minimal amount of wiggle-room for malicious creation
(aka "nothing up my sleeve", "NUMS", or "safecurves") values are the way
to go. they're (marginally) easier on the bandwidth too, because you
can just pick one from a table that's already well-known, and you don't
have to transmit the large group in addition to the public share.
--dkg
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
