IETF-SSH archive
Re: DH group exchange (Re: SSH key algorithm updates)
Niels Möller <nisse%lysator.liu.se@localhost> writes:
> "Mark D. Baushke" <mdb%juniper.net@localhost> writes:
>
> > See also:
> >
> > http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf
> > Section 4.2 table 1.
>
> It's not clear to me why the "collision resistance strength" rather
> than "preimage resistance strength" or "second preimage strength" apply
> when using sha2 for generating session keys and the exchange hash.
Looking more carefully at what is being hashed in the exchange, I agree
with you that collision resistance strength is not involved here.
So, that only leaves open whether to use sha256 as a hash for larger
diffie-hellman MODP groups...
For now, does it seem reasonable to add RFC 3526 group15 & group16 to
the protocol?
diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)
I do not see a need at present for using:
* group17 (6144-bit MODP group ~170 bits of security)
* group18 (8192-bit MODP group ~190 bits of security)
IMO, it just takes too long to do calculations with them.
-- Mark