On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote:

> I gotta say... having a fallback mechanism here seems pretty
> strange. The entire point of the group exchange is to use a dynamic
> group and not a static one.

fwiw, i think dynamic groups for DHE key exchange are intrinsically
problematic when there is any computational expense in validating the
quality of the group parameters. The party receiving the group is
basically at the mercy of the party proposing the group -- they hope
that they've done something sensible, because no client is going to try
to do things like an expensive primality test on a large integer that
they just received.

Sticking to the standard groups -- large size, well-vetted, with
publicly-published primality proofs for finite-field moduli, and
generated with a minimal amount of wiggle-room for malicious creation
(aka "nothing up my sleeve", "NUMS", or "safecurves" values) -- is the
way to go. they're (marginally) easier on the bandwidth too, because you
can just pick one from a table that's already well-known, and you don't
have to transmit the large group in addition to the public share.

--dkg
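The cost dkg describes, made concrete as an added example that is not part of the post above and not OpenSSH code: the checks a receiver would have to run on a dynamically supplied finite-field DH group before trusting it (a safe-prime test on p, a primality test on (p-1)/2, and a subgroup-order check on g, each a Miller-Rabin run on a large integer), next to the table lookup that suffices when the group is a well-known fixed one. The helper names and the `accept_group()` policy are this example's own; the 1024-bit modulus is RFC 2409 group 2, transcribed from the RFC.

```python
"""Added example, not from the mailing-list post: receiver-side validation
of a dynamic DH group versus recognising a well-known fixed group."""
import random
import time


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; a composite n passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0          # write n - 1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False     # a is a witness that n is composite
    return True


def validate_dh_group(p: int, g: int) -> tuple:
    """What a receiver must verify about (p, g) when it cannot recognise the
    group: p is a safe prime (p = 2q + 1 with q prime) and g generates the
    order-q subgroup. A modulus that is not a safe prime may have small
    subgroups, and the receiver cannot check g's order without the
    factorisation of p - 1; a generator of the full order-2q group leaks the
    low bit of the exponent. Each check is a primality test on a large
    integer, which is exactly the expense the post is talking about."""
    if p < 5 or p % 2 == 0:
        return False, "p is not an odd integer >= 5"
    if not 2 <= g <= p - 2:
        return False, "g is outside [2, p-2]"
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "(p-1)/2 is not prime, so p is not a safe prime"
    if pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    return True, "safe prime with a generator of the order-q subgroup"


# RFC 2409 group 2 (1024-bit MODP, generator 2), transcribed from the RFC.
# A receiver recognises a well-known group by comparison, not by testing it.
MODP_1024_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
WELL_KNOWN_GROUPS = {"modp1024": (int(MODP_1024_HEX, 16), 2)}  # name is ours


def is_well_known_group(p: int, g: int) -> bool:
    """Constant-cost check: is (p, g) one of the fixed groups we already trust?"""
    return any((p, g) == known for known in WELL_KNOWN_GROUPS.values())


def accept_group(p: int, g: int) -> tuple:
    """Receiver policy (this example's own): a well-known group is accepted by
    table lookup; only an unrecognised group pays for the full validation."""
    if is_well_known_group(p, g):
        return True, "well-known group, accepted by table lookup"
    return validate_dh_group(p, g)


if __name__ == "__main__":
    p = int(MODP_1024_HEX, 16)
    for label, fn in (("table lookup", is_well_known_group),
                      ("full validation", validate_dh_group)):
        t0 = time.perf_counter()
        result = fn(p, 2)
        print(f"{label:16s} {result}  ({time.perf_counter() - t0:.4f}s)")
    # Constructed small groups: 23 = 2*11 + 1 is a safe prime, 17 is not.
    print(validate_dh_group(23, 2), validate_dh_group(23, 5), validate_dh_group(17, 3))
```

Running the script prints the two timings side by side; with a 2048- or 4096-bit modulus the gap widens further, since each Miller-Rabin round is one modular exponentiation at the full modulus size.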
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev