RE: DH group exchange (Re: SSH key algorithm updates)

[Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>]

denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>If this new draft could specify group generation such that:
>
>- Windows built-in crypto (CNG) running under FIPS mode
>
>- and possibly, but not as critically, the Crypto++ 5.3.0 FIPS-certified module
>
>could reliably use parameters sent by servers that implement the new spec -
>that would be quite awesome.

I don't know if you need to specify the exact generation method, only the
verification checks to perform, which are given in FIPS 186.  The intent is to
create verifiable DH parameters, so the important thing is the verification
mechanism, not the generation one (both safe primes and Lim-Lee primes, for
example, will produce verifiable values).  It would certainly make sense, if
you're using { p, q, g } primes, to require that they be verified as per the
FIPS 186 checks, since that's the point to using them.

The annoying thing about this change is that it's going to take me about 20x
as long to do the spec describing it as it will to make the code changes,
sigh.

One other thing that'd be good to have, based on the Logjam paper, is to
specify some means of distinguishing g from q, since Logjam mentions that
there are implementations that confuse the two.  Does anyone have problems
with requiring that g = <small integer>?  This both makes the DH op much more
efficient, and makes it easy to quickly distinguish g from q without requiring
complex bignum ops.

Peter.