IETF-SSH archive
Re: DH group exchange (Re: SSH key algorithm updates)
Hi Damien,
Damien Miller <djm%mindrot.org@localhost> writes:
> On Tue, 10 Nov 2015, Niels Möller wrote:
>
> > > It may also be desirable to setup a way that RFC 3526 groups:
> > >
> > > diffie-hellman-group14-sha256 (2048-bit MODP group - 112 bits of security)
> > > diffie-hellman-group15-sha256 (3072-bit MODP group - 128 bits of security)
> > >
> > > diffie-hellman-group16-sha384 (4096-bit MODP group - ~150 bits of security)
>
> FWIW OpenSSH has been using RFC3526 group 16 as the fallback group for
> group-exchange when it can't find a local pre-computed group list.
Yes, I am aware that OpenSSH will fall back on group16 with either sha1
or sha2-256, depending on which key exchange method is being used.
Given that OpenSSH using group16 with sha2-256 preserves 128 bits of
security, should there be a group16 using either sha2-384 or sha2-512 so
that the maximum number of security bits is retained? The security-bits
estimates for RFC 3526 are in this table:
+--------+----------+---------------------+---------------------+
| Group  | Modulus  | Strength Estimate 1 | Strength Estimate 2 |
|        |          +----------+----------+----------+----------+
|        |          |          | exponent |          | exponent |
|        |          |  in bits |   size   |  in bits |   size   |
+--------+----------+----------+----------+----------+----------+
|   5    | 1536-bit |    90    |   180-   |   120    |   240-   |
|   14   | 2048-bit |   110    |   220-   |   160    |   320-   |
|   15   | 3072-bit |   130    |   260-   |   210    |   420-   |
|   16   | 4096-bit |   150    |   300-   |   240    |   480-   |
|   17   | 6144-bit |   170    |   340-   |   270    |   540-   |
|   18   | 8192-bit |   190    |   380-   |   310    |   620-   |
+--------+----------+---------------------+---------------------+
So group16 is nominally somewhere between 150 and 240 bits of security;
sha2-384 preserves 192 bits of security and sha2-512 preserves 256 bits
of security.
For that matter, I wonder if we want to take the time to specify
"diffie-hellman-group-exchange-sha512" for the larger group sizes
while we have RFC4419bis in discussion?
Curious,
-- Mark
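The group-versus-hash bookkeeping in the message above, as an added example that is not part of this thread, of RFC 4419bis, or of OpenSSH. It encodes the RFC 3526 strength table quoted in the mail, applies the rule the mail uses for the hash (a SHA-2 kex hash preserves half its output length: 128, 192 or 256 bits), and for each fixed-group "diffie-hellman-groupNN-shaXXX" method name in a KexAlgorithms-style list reports which side is the binding constraint, the minimum exponent size the table implies (twice the strength estimate), and the smallest SHA-2 that would not cap the group. Assumptions: the half-output rule is applied to sha1 as well (80 bits, its nominal figure), the method names are parsed purely by pattern so proposed names such as group16-sha384 are accepted whether or not they are registered, and "estimate" selects column 1 or 2 of the table; the sample list is constructed for the demo.

```python
import re

# RFC 3526 section 8 strength estimates, as quoted in the mail:
# group -> (modulus bits, estimate 1, estimate 2). The table's
# "exponent size" column is twice the estimate, so it is derived below.
RFC3526_GROUPS = {
    5:  (1536,  90, 120),
    14: (2048, 110, 160),
    15: (3072, 130, 210),
    16: (4096, 150, 240),
    17: (6144, 170, 270),
    18: (8192, 190, 310),
}

# Security preserved by the kex hash, taken as half the output length
# (the rule the mail applies: sha2-256 -> 128, sha2-384 -> 192,
# sha2-512 -> 256). Assumption: the same rule applied to sha1 gives 80.
HASH_BITS = {1: 80, 256: 128, 384: 192, 512: 256}

# Fixed-group MODP method names; group-exchange and ECDH names do not
# match and are skipped by audit_kex_list().
KEX_RE = re.compile(r"^diffie-hellman-group(\d+)-sha(\d+)$")


def hash_for_strength(bits):
    """Smallest SHA-2 whose preserved strength is >= bits, or None."""
    for out in (256, 384, 512):
        if HASH_BITS[out] >= bits:
            return out
    return None


def assess(method, estimate=1):
    """Compare a MODP group's strength estimate with its kex hash."""
    m = KEX_RE.match(method)
    if not m:
        raise ValueError("not a fixed-group DH method: %s" % method)
    group, sha = int(m.group(1)), int(m.group(2))
    if group not in RFC3526_GROUPS:
        raise ValueError("group %d is not in RFC 3526" % group)
    if sha not in HASH_BITS:
        raise ValueError("unknown hash sha%d" % sha)
    if estimate not in (1, 2):
        raise ValueError("estimate must be 1 or 2")

    modulus, est1, est2 = RFC3526_GROUPS[group]
    group_bits = est1 if estimate == 1 else est2
    hash_bits = HASH_BITS[sha]
    return {
        "method": method,
        "modulus_bits": modulus,
        "group_bits": group_bits,
        # RFC 3526 asks for an exponent of at least 2x the strength.
        "min_exponent_bits": 2 * group_bits,
        "hash_bits": hash_bits,
        # Effective strength is whichever side is weaker.
        "effective_bits": min(group_bits, hash_bits),
        "limited_by": "hash" if hash_bits < group_bits else "group",
        # The hash that would stop capping this group, if any SHA-2 does.
        "suggested_sha": hash_for_strength(group_bits),
    }


def audit_kex_list(kex_list, estimate=1):
    """Assess every fixed-group MODP method in a comma-separated list."""
    results = []
    for name in kex_list.split(","):
        name = name.strip()
        if KEX_RE.match(name):
            results.append(assess(name, estimate))
    return results


if __name__ == "__main__":
    # Constructed sample KexAlgorithms line, not a real sshd_config.
    sample = ("curve25519-sha256,diffie-hellman-group-exchange-sha256,"
              "diffie-hellman-group16-sha1,diffie-hellman-group16-sha256,"
              "diffie-hellman-group14-sha256")
    for r in audit_kex_list(sample):
        print("%-32s group=%3d hash=%3d effective=%3d limited by %s, "
              "exponent >= %d bits, suggested sha%s" % (
                  r["method"], r["group_bits"], r["hash_bits"],
                  r["effective_bits"], r["limited_by"],
                  r["min_exponent_bits"], r["suggested_sha"]))
```

Under estimate 1 the script reports group16-sha256 as capped at 128 bits by the hash and suggests sha384, which is the mail's point; under estimate 2 (240 bits) it suggests sha512. Group-exchange methods carry no group size in their name, so they are skipped rather than guessed at.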