IETF-SSH archive


Re: DH group exchange (Re: SSH key algorithm updates)



"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> Okay. Well, what do other folks on the list think? Is it time to add
> SHA3 to the SSH standard for DH Group15 and DH Group16? If so, what
> values make the most sense?

I think it is important to keep these two upgrades separate. As far as
I'm aware, there's no reason to try to avoid sha256, so I'd prefer that
we go with what you suggested a few weeks back:

>   diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
>   diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)

I think it would make sense to have at least the first one as RECOMMENDED.

As for sha3, what would we want to use it for? 

As an alternative for key exchange and key derivation? Makes sense to me
as alternatives with group14, 15 and 16. Not that I think this is
urgent, but it makes me feel a little better if we are prepared with an
alternative to sha256.

As a mac? It's possible to do hmac-sha3-nnn, but I hope we'll see some
standards for a keyed sha3 mac and/or a keccak-based aead, without doing
the hmac construction. So maybe that's premature.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
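An added example, not code from this thread or from any SSH implementation: it applies the RFC 4253 section 7.1 rule (the first kex method on the client's name-list that the server also lists wins) to the diffie-hellman-groupNN-sha256 names discussed above, and maps the chosen method to the MODP group size and the RFC 3526 strength estimates quoted in the message (~130 bits for 3072, ~150 bits for 4096; the 2048-bit figure of 110 is from the same RFC), so an administrator can check what a proposed pair of preference lists will actually negotiate. The preference lists at the bottom are constructed for the demonstration.

```python
import re
from typing import Optional

# Fixed-group method names of the form diffie-hellman-groupNN-<hash>.
_DH_GROUP_RE = re.compile(r"^diffie-hellman-group(\d+)-(sha[0-9a-z-]+)$")

# MODP group number -> modulus size in bits (RFC 3526 groups 14, 15, 16).
MODP_BITS = {14: 2048, 15: 3072, 16: 4096}

# Modulus bits -> rough symmetric-equivalent strength (RFC 3526 section 8
# estimates; 3072 -> ~130 and 4096 -> ~150 are the figures quoted above).
MODP_STRENGTH = {2048: 110, 3072: 130, 4096: 150}


def negotiate_kex(client: list, server: list) -> Optional[str]:
    """RFC 4253 7.1: first method in client order that the server also offers."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None  # no common method: the connection must fail


def dh_group_strength(name: str) -> Optional[int]:
    """Estimated strength in bits for a fixed-group DH method, None if unknown."""
    m = _DH_GROUP_RE.match(name)
    if not m:
        return None
    bits = MODP_BITS.get(int(m.group(1)))
    return MODP_STRENGTH.get(bits) if bits else None


def check_policy(client: list, server: list, min_bits: int) -> tuple:
    """Negotiate, then report (chosen_method, estimated_bits, meets_min_bits)."""
    chosen = negotiate_kex(client, server)
    if chosen is None:
        return None, None, False
    strength = dh_group_strength(chosen)
    return chosen, strength, strength is not None and strength >= min_bits


if __name__ == "__main__":
    # Constructed lists: the client prefers the larger groups, the server has
    # only just added group15 next to its existing group14 entry.
    client_prefs = ["diffie-hellman-group16-sha256",
                    "diffie-hellman-group15-sha256",
                    "diffie-hellman-group14-sha256"]
    server_prefs = ["diffie-hellman-group14-sha256",
                    "diffie-hellman-group15-sha256"]
    print(check_policy(client_prefs, server_prefs, min_bits=130))
```

Because the client's order decides, a server that merely appends group15 after group14 still ends up on group15 whenever the client ranks it higher, which is what the printed tuple shows.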


