IETF-SSH archive


Re: DH group exchange (Re: SSH key algorithm updates)



"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> For now, does it seem reasonable to add RFC 3526 group15 & group16 to
> the protocol?
>
>   diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
>   diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)

I think it makes sense. It's good to have some specified algorithms with
security a bit beyond what's currently used, to make it easy to move
if/when needed attacks on the current algorithms emerge. 

Next question is what status they should have. I think it makes sense to
have group15 as RECOMMENDED.

(By the same argument, I think it makes sense to specify some
alternative to sha256 too, which I guess would be either sha512 or
sha3-384 (sha384 makes little sense to me, since it's essentially a
truncated sha512, with the same performance and shorter output)).

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
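As an added illustration (not code from the thread), the suffix of a kex method name such as diffie-hellman-group15-sha256 names the HASH that computes the exchange hash H in RFC 4253 section 8, so the sha512 alternative raised above changes H only through that choice. The diffie-hellman-group16-sha512 name, the string/mpint helpers and the sample field values are assumptions constructed for this example; H is shown in its fixed-group form (the RFC 4419 group-exchange variant adds min, n, max, p and g to the hashed fields).

```python
import hashlib

# Kex method name -> HASH used for the exchange hash (RFC 4253 section 8).
# The sha512 entry is hypothetical: it illustrates the alternative discussed
# in the thread and is not a registered method name.
KEX_HASH = {
    "diffie-hellman-group14-sha256": "sha256",
    "diffie-hellman-group15-sha256": "sha256",
    "diffie-hellman-group16-sha256": "sha256",
    "diffie-hellman-group16-sha512": "sha512",  # hypothetical
}

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal-length two's-complement big-endian, as a string."""
    if n == 0:
        return ssh_string(b"")
    magnitude = n if n > 0 else -n - 1          # bits needed below the sign bit
    nbytes = magnitude.bit_length() // 8 + 1    # +1 byte leaves room for the sign
    return ssh_string(n.to_bytes(nbytes, "big", signed=True))

def exchange_hash(method, V_C, V_S, I_C, I_S, K_S, e, f, K) -> bytes:
    """H = HASH(string V_C || string V_S || string I_C || string I_S ||
                string K_S || mpint e || mpint f || mpint K)."""
    h = hashlib.new(KEX_HASH[method])
    for field in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(field))
    for n in (e, f, K):
        h.update(ssh_mpint(n))
    return h.digest()

# Constructed sample fields (not a real handshake). In a real exchange e, f
# and K are elements of the 3072-/4096-bit MODP group, not small integers.
SAMPLE = dict(
    V_C=b"SSH-2.0-exampleclient", V_S=b"SSH-2.0-exampleserver",
    I_C=b"\x14" + b"c" * 16, I_S=b"\x14" + b"s" * 16,
    K_S=b"constructed-host-key-blob",
    e=0x80, f=0x9A378F9B2E332A7, K=12345,
)

def demo():
    """Same transcript hashed under the sha256 name and the hypothetical sha512 name."""
    return (exchange_hash("diffie-hellman-group15-sha256", **SAMPLE),
            exchange_hash("diffie-hellman-group16-sha512", **SAMPLE))
```

The mpint helper reproduces the RFC 4251 section 5 examples, which is the part of H most often encoded wrongly in hand-rolled implementations.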
