IETF-SSH archive


RE: SSH key algorithm updates



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>First, it totally defeats the original purpose of group exchange, which was
>to avoid wide use of any particular group, in order to reduce the attacker's
>gain from massive precomputation.

Something even scarier, first pointed out in the Logjam paper, is that (at
least for TLS) some server implementations precompute g^x mod p and reuse it
over a period of time, so every client that connects gets the same DH phase 1
value sent to them.  It's a nice efficiency "optimisation", but it turns DH
into something that works more like RSA (or, since it's DLP, maybe Elgamal)
than DH.

I wouldn't even have considered that someone would do that until I saw it in
the Logjam paper.

>Second, if fixed groups are used, then those groups ought to be subject to
>both standardization review and negotiation at runtime.

The benefit of fixed groups is that, as you mention, they can be reviewed, and
also that they're a lot more efficient than on-the-fly keygen, particularly if
you have to use full-size safe primes rather than the Lim-Lee swarm-of-small-primes trick.

I'm worried about this short, quick draft turning into a tutorial on how not
to do DH...

Peter.
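The exponent-reuse pattern discussed above, simulated as an added example that is not part of this thread: a server that keeps one DH exponent across connections versus one that draws a fresh exponent per handshake, the number of recorded sessions whose secrets fall out if the server's current exponent leaks, and a passive check that flags a repeated server public value. The modulus is a constructed toy prime, not a deployed group.

```python
import secrets

# Constructed toy parameters: 2**127 - 1 is prime, but a real deployment uses
# a large safe prime (one of the standard MODP groups). Kept small for speed.
P = 2**127 - 1
G = 2


class DHServer:
    """Server side of DH. With reuse=True it keeps a single exponent x across
    connections, so every client receives the same g^x mod p."""

    def __init__(self, reuse):
        self.reuse = reuse
        self._x = None

    def key_share(self):
        if self._x is None or not self.reuse:
            self._x = secrets.randbelow(P - 2) + 1  # x in [1, p-2]
        return self._x, pow(G, self._x, P)

    def current_exponent(self):
        """The exponent the server holds right now (what a memory leak exposes)."""
        return self._x


def run_sessions(server, n):
    """n clients connect; return a transcript of (server_pub, client_pub, secret)."""
    transcript = []
    for _ in range(n):
        x, server_pub = server.key_share()
        y = secrets.randbelow(P - 2) + 1
        client_pub = pow(G, y, P)
        secret = pow(server_pub, y, P)
        assert secret == pow(client_pub, x, P)  # both sides derive the same value
        transcript.append((server_pub, client_pub, secret))
    return transcript


def sessions_exposed_by_current_exponent(server, transcript):
    """Count recorded sessions whose secret is recomputable from the captured
    client public value once the server's current exponent is known. A fresh
    exponent per handshake exposes only the latest session; a reused one
    exposes every session it served (no forward secrecy)."""
    x = server.current_exponent()
    return sum(1 for _, client_pub, secret in transcript if pow(client_pub, x, P) == secret)


def repeated_server_shares(transcript):
    """Passive check from the client or monitoring side: a server public value
    that recurs across connections indicates exponent reuse."""
    counts = {}
    for server_pub, _, _ in transcript:
        counts[server_pub] = counts.get(server_pub, 0) + 1
    return {value: c for value, c in counts.items() if c > 1}
```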

