Re: DH Group Exchange Fallback

On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote:
>     I gotta say... having a fallback mechanism here seems pretty 
> strange.  The entire point of the group exchange is to use a dynamic 
> group and not a static one.

FWIW, I think dynamic groups for DHE key exchange are intrinsically
problematic when there is any computational expense in validating the
quality of the group parameters.

The party receiving the group is basically at the mercy of the party
proposing the group -- they hope that they've done something sensible,
because no client is going to try to do things like an expensive
primality test on a large integer that they just received.

Sticking to the standard groups -- large, well-vetted, with
publicly published primality proofs for finite-field moduli, and
generated with a minimal amount of wiggle room for malicious creation
(aka "nothing up my sleeve", "NUMS", or "safecurves" values) -- is the way
to go.  They're (marginally) easier on the bandwidth too, because you
can just pick one from a table that's already well-known, and you don't
have to transmit the large group in addition to the public share.

     --dkg

Attachment: signature.asc
Description: PGP signature
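To make the cost argument concrete, here is what a DH-GEX receiver would have to run on a (p, g) it just received, next to the table lookup that a fixed-group negotiation gets away with. This is an added illustration, not code from the message above or from OpenSSH. The modulus is RFC 3526 group 14 (2048-bit MODP, generator 2). Everything else is constructed for the example: the one-entry KNOWN_GROUPS table stands in for a real table of RFC 3526 / RFC 7919 moduli, the "bogus" modulus p * 101 is a hypothetical attacker group that passes every cheap check and only fails under primality testing, and min_bits is a knob so the small worked cases (p = 23, p = 13) can be shown on screen.

```python
"""Cost of validating a received DH group versus recognising a fixed one.

Added illustration, not code from the post or from OpenSSH.  Assumptions:
KNOWN_GROUPS is a stand-in for a real table of RFC 3526 / 7919 moduli, the
bogus modulus below is constructed for the demo, and min_bits is a knob so
the small worked cases fit on a screen.
"""
import secrets
import time

# RFC 3526 group 14: 2048-bit MODP safe prime p = 2q + 1, generator 2.
RFC3526_GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
RFC3526_GROUP14_G = 2

# Constructed stand-in for a client-side table of vetted groups (one entry).
KNOWN_GROUPS = {(RFC3526_GROUP14_P, RFC3526_GROUP14_G): "RFC 3526 group 14"}

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin.  Each round is one modular
    exponentiation with an exponent as wide as n: this is the expensive part."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # witness found: composite
    return True


def cheap_checks(p, g, min_bits):
    """The checks that cost nothing: size, parity, generator range."""
    if p.bit_length() < min_bits:
        return "modulus too small"
    if p % 2 == 0:
        return "modulus is even"
    if not 1 < g < p - 1:
        return "generator out of range"
    return None


def validate_group(p, g, min_bits=2048):
    """What a DH-GEX receiver would need: p prime, (p-1)/2 prime, g in range.
    Returns (accepted, reason)."""
    reason = cheap_checks(p, g, min_bits)
    if reason:
        return False, reason
    if not is_probable_prime(p):
        return False, "modulus is not prime"
    if not is_probable_prime((p - 1) // 2):
        return False, "modulus is not a safe prime"
    # With p a safe prime, every g in (1, p-1) has order q or 2q, so the
    # range check above is all that is left to do for the generator.
    return True, "ok"


def lookup_group(p, g):
    """The cheap alternative: recognise a fixed, vetted group by value."""
    return KNOWN_GROUPS.get((p, g))


def timed(fn, *args):
    """Run fn(*args) and return (result, seconds elapsed)."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    p, g = RFC3526_GROUP14_P, RFC3526_GROUP14_G
    # Constructed attacker modulus: odd, big enough, survives trial division
    # (101 is past the small-prime list), but composite.
    bogus = p * 101
    for label, modulus in (("group 14", p), ("p * 101", bogus)):
        verdict, secs = timed(validate_group, modulus, g)
        print(f"{label:10s} validate_group -> {verdict} in {secs * 1000:.1f} ms")
    name, secs = timed(lookup_group, p, g)
    print(f"group 14   lookup_group   -> {name!r} in {secs * 1e6:.1f} us")
    # Small worked cases: 23 = 2*11 + 1 is a safe prime; 13 is prime but 6 is not.
    print(validate_group(23, 2, min_bits=0))
    print(validate_group(13, 2, min_bits=0))
```

Running it shows the asymmetry the message is about: the lookup returns in microseconds, while accepting group 14 costs thirty-two 2048-bit modular exponentiations in pure Python, and the constructed p * 101 modulus sails through every cheap check before the primality test finally rejects it. A receiver that skips the expensive path has no way to tell those two moduli apart.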

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
