IETF-SSH archive


Re: DH group exchange (Re: SSH key algorithm updates)



I agree, and would like to see algorithm names for these groups defined.

We have a bit of an inconsistency going on, in the way we refer to SHA-2 256. We standardized hmac-sha2-256, but on the other hand we have "sha256" elsewhere, including as discussed for DH here.

I suggest "sha2-256" for the same reason this was suggested in the hmac-sha2-256 case: to make it clear it isn't sha3-256.

I have previously argued that consistency for the sake of consistency is overvalued. Therefore, in order to be consistent, I should be fine either way. :) I think it's worthwhile to point out, however.


----- Original Message -----
From: Niels Möller
Sent: Sunday, November 15, 2015 01:16
To: Mark D. Baushke
Cc: Damien Miller ; Peter Gutmann ; denis bider ; Jeffrey Hutzelman ; ietf-ssh%NetBSD.org@localhost ; stephen.farrell%cs.tcd.ie@localhost ; jon%siliconcircus.com@localhost
Subject: Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> For now, does it seem reasonable to add RFC 3526 group15 & group16 to
> the protocol?
>
>   diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
>   diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)

I think it makes sense. It's good to have some specified algorithms with
security a bit beyond what's currently used, to make it easy to move
if/when needed attacks on the current algorithms emerge.

Next question is what status they should have. I think it makes sense to
have group15 as RECOMMENDED.

(By the same argument, I think it makes sense to specify some
alternative to sha256 too, which I guess would be either sha512 or
sha3-384 (sha384 makes little sense to me, since it's essentially a
truncated sha512, with same performance and shorter output)).

Regards,
/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
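Added example, not code from this thread or from any of its participants: what the "-sha256" suffix in a method name such as "diffie-hellman-group15-sha256" actually selects (the hash used for the RFC 4253 exchange hash H and key derivation), and why the bare token is ambiguous between SHA-2 and SHA-3, which is the naming point raised in the reply. Group sizes and strength estimates are those of RFC 3526 (the 130- and 150-bit figures match the quoted message); the "sha2-256" spelling is included only as the hypothetical alternative proposed above, and the handshake values in `demo()` are small constructed integers and placeholder strings, not real group elements.

```python
"""Parse fixed-group DH KEX method names and compute the RFC 4253 exchange hash
with the hash the name selects. Group sizes/strengths follow RFC 3526; the DH
values used in demo() are constructed, not real group elements."""
import hashlib
import re
import struct

# SSH group number -> (modulus bits, RFC 3526 section 8 estimated strength in bits).
# group1 is the 1024-bit Oakley group 2 of RFC 2409, for which RFC 3526 gives no estimate.
MODP_GROUPS = {
    1: (1024, None),
    14: (2048, 110),
    15: (3072, 130),
    16: (4096, 150),
    17: (6144, 170),
    18: (8192, 190),
}

# "sha256" alone does not name a family; spelling the family out keeps
# "sha256"/"sha2-256" (SHA-2) apart from "sha3-256" (SHA-3).
HASH_BY_SUFFIX = {
    "sha1": ("SHA-1", hashlib.sha1),
    "sha256": ("SHA-2", hashlib.sha256),
    "sha2-256": ("SHA-2", hashlib.sha256),  # hypothetical spelling from the reply above
    "sha384": ("SHA-2", hashlib.sha384),
    "sha512": ("SHA-2", hashlib.sha512),
    "sha3-256": ("SHA-3", hashlib.sha3_256),
    "sha3-384": ("SHA-3", hashlib.sha3_384),
}

KEX_NAME_RE = re.compile(r"^diffie-hellman-group(\d+)-([a-z0-9-]+)$")


def parse_kex_name(name):
    """Split a fixed-group DH method name into its group and hash parts."""
    m = KEX_NAME_RE.match(name)
    if m is None:
        raise ValueError("not a fixed-group diffie-hellman method name: %r" % name)
    group, suffix = int(m.group(1)), m.group(2)
    if group not in MODP_GROUPS:
        raise ValueError("unknown MODP group number %d" % group)
    if suffix not in HASH_BY_SUFFIX:
        raise ValueError("unknown hash suffix %r" % suffix)
    modulus_bits, strength_bits = MODP_GROUPS[group]
    family, ctor = HASH_BY_SUFFIX[suffix]
    return {"group": group, "modulus_bits": modulus_bits, "strength_bits": strength_bits,
            "hash_suffix": suffix, "hash_family": family, "hash": ctor}


def is_valid_kex_name(name):
    try:
        parse_kex_name(name)
        return True
    except ValueError:
        return False


def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """RFC 4251 'mpint': minimal two's-complement big-endian integer as a string; zero is empty."""
    if n == 0:
        return ssh_string(b"")
    magnitude_bits = n.bit_length() if n > 0 else (-n - 1).bit_length()
    return ssh_string(n.to_bytes(magnitude_bits // 8 + 1, "big", signed=True))


def exchange_hash(kex_name, v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K) (RFC 4253 section 8),
    with HASH chosen by the method name's suffix."""
    ctor = parse_kex_name(kex_name)["hash"]
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return ctor(data).digest()


def demo(kex_name):
    """Compute H over constructed placeholder handshake values (not a real exchange)."""
    info = parse_kex_name(kex_name)
    h = exchange_hash(kex_name, b"SSH-2.0-clientX", b"SSH-2.0-serverY",
                      b"<client KEXINIT payload>", b"<server KEXINIT payload>",
                      b"<server host key blob>", e=0x9a378f9b2e332a7, f=0x80, k=0x1234)
    return {"group": info["group"], "modulus_bits": info["modulus_bits"],
            "strength_bits": info["strength_bits"], "hash_family": info["hash_family"],
            "digest_len": len(h), "H": h.hex()}


if __name__ == "__main__":
    for name in ("diffie-hellman-group15-sha256", "diffie-hellman-group16-sha512",
                 "diffie-hellman-group16-sha3-384"):
        print(name, demo(name))
```

The mpint encoder is the part worth checking against RFC 4251's own examples (0x80 becomes `00 00 00 02 00 80`, negative values are two's complement with no redundant leading 0x00 or 0xff bytes), since a non-minimal encoding on either side yields a different H and a failed key exchange. The table also makes the thread's ambiguity concrete: "sha256" and "sha2-256" resolve to the same function, while "sha3-256" is a different algorithm with a different digest, so the name alone must say which is meant.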


