IETF-SSH archive
Re: DH group exchange (Re: SSH key algorithm updates)
Niels Möller <nisse%lysator.liu.se@localhost> writes:
> "Mark D. Baushke" <mdb%juniper.net@localhost> writes:
>
> > For now, does it seem reasonable to add RFC 3526 group15 & group16 to
> > the protocol?
> >
> > diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
> > diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)
>
> I think it makes sense. It's good to have some specified algorithms
> with security a bit beyond what's currently used, to make it easy to
> move if/when needed attacks on the current algorithms emerge.
Agreed.
> Next question is what status they should have. I think it makes sense to
> have group15 as RECOMMENDED.
I agree with this suggestion.
> (By the same argument, I think it makes sense to specify some
> alternative to sha256 too, which I guess would be either sha512 or
> sha3-384 (sha384 makes little sense to me, since it's essentially a
> truncated sha512, with same performance and shorter output)).
Given your point about sha2-384, I think there are three possibilities
that remain:
sha2-512
sha3-256
sha3-512
There are arguments both in favor and against each of the alternatives.
fwiw: I have no idea if the SSH community is ready to consider the use
of sha3 (FIPS PUB 202 style) at this time, but it is more likely to
be a challenge to the attacks on diffie-hellman I heard of to date.
-- Mark