IETF-SSH archive


Re: SSH key algorithm updates



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> Group exchange doesn't have to mean live, dynamic group generation.  It
> can work fine with a set of fixed groups, either manually configured or
> compiled in.

I've been thinking a bit more about this, and I think that way of using
group exchange has to be *highly discouraged*.

First, it totally defeats the original purpose of group exchange, which
was to avoid wide use of any particular group, in order to reduce the
attacker's gain from massive precomputation.

Second, if fixed groups are used, then those groups ought to be subject
to both standardization review and negotiation at runtime.

E.g., suppose one server implementation with significant deployment uses
group exchange with a single fixed group, say p = 2^3072 - 47. (And it also
supports group14, for interop reasons).

Then, it is discovered that there are relevant attacks on this group and
it should be avoided. But how can a client make sure the 2^3072 - 47
group is avoided, and still interoperate with the above server? It has
to give group14 higher preference than group exchange (with the effect
of practically never negotiating use of group exchange), or resort to
hacks using the server version string and an extra roundtrip delay.

Best regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
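The dilemma described above, as an added worked example that is not part of the thread: it models RFC 4253 section 7.1 kex negotiation with two hypothetical servers (one serving a single compiled-in group, one honouring the size request), and assumes the mail's 2^3072 - 47 group is the one the client wants to avoid.

```python
# Added example (not from the thread). The group behind
# "diffie-hellman-group-exchange-*" is only revealed after the kex method
# has been negotiated by name, so a client cannot avoid one server's fixed
# group without also demoting group exchange for every server.

GEX = "diffie-hellman-group-exchange-sha256"  # RFC 4419
G14 = "diffie-hellman-group14-sha1"           # RFC 4253

# Constructed: the fixed group from the mail, assumed here to be one the
# client has decided to avoid.
FIXED_P = 2**3072 - 47
AVOID = {FIXED_P}


def negotiate_kex(client_prefs, server_prefs):
    """RFC 4253 7.1: the first kex in the client's list that the server
    also offers wins; None means no algorithm in common."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def fixed_group_server(min_bits, pref_bits, max_bits):
    """Hypothetical server A: answers KEX_DH_GEX_REQUEST with one
    compiled-in group regardless of the requested size."""
    return FIXED_P, 2


def honest_gex_server(min_bits, pref_bits, max_bits):
    """Hypothetical server B: picks a group of the requested size
    (constructed toy modulus, not a real safe prime)."""
    return 2**pref_bits - 1, 2


def client_handshake(client_prefs, server_prefs, gex_group):
    """Return (kex negotiated, group used); group is None when the client
    has to abort after the extra KEX_DH_GEX round trip."""
    kex = negotiate_kex(client_prefs, server_prefs)
    if kex is None:
        return None, None
    if kex != GEX:
        return kex, kex  # named group: reviewed and negotiable by name
    p, g = gex_group(2048, 3072, 8192)  # group is known only now
    if p in AVOID:
        return kex, None  # disconnect; no fallback to group14 inside this kex
    return kex, p
```

Preferring group exchange first lets server A force an abort; preferring group14 first avoids the bad group but also means server B's group exchange is never used.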


