IETF-SSH archive
Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Hi Folks,
> URL: https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
I just noticed that the Information Assurance Directorate at the NSA has
a new article on 'CNSA Suite and Quantum Computing FAQ' ... their URL is
https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
Reading the document, they are mandating that NSS no longer use
Diffie-Hellman with 2048-bit keys; instead they are suggesting
IETF RFC 3526 (Groups 15-18).
They are also no longer interested in using SHA-256 wanting SHA-384.
For folks interested in compliance with the CNSA Suite, does it make
sense for the baushke-ssh-dh-group-sha2 ID to be updated to specify
either SHA-384 (or possibly SHA-512)?
That is, change from this:
Key Exchange Method Name          Note
diffie-hellman-group1-sha1        NOT RECOMMENDED
diffie-hellman-group14-sha256     RECOMMENDED
diffie-hellman-group15-sha256     RECOMMENDED
diffie-hellman-group16-sha256     OPTIONAL
to this:
Key Exchange Method Name          Note
diffie-hellman-group1-sha1        NOT RECOMMENDED
diffie-hellman-group14-sha256     RECOMMENDED
diffie-hellman-group15-sha384     RECOMMENDED
diffie-hellman-group16-sha384     OPTIONAL
diffie-hellman-group17-sha512     OPTIONAL
diffie-hellman-group18-sha512     OPTIONAL
I am suggesting sha512 for group17 and group18 as a minor bit of
future-proofing and/or performance trade-off for sha512 hardware
acceleration that may exist.
Comments please?
-- Mark
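As an added illustration (not part of Mark's message or of the draft), here is a small Python audit of SSH key exchange method names against the floor the message attributes to the CNSA FAQ, treated as an assumed policy: a DH modulus of at least 3072 bits (RFC 3526 groups 15-18, not 2048-bit DH) and SHA-384 or stronger. The MODP bit sizes are the standard RFC 2409 / RFC 3526 values, and the sample KexAlgorithms line is constructed from the draft's current table.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Modulus sizes, in bits, of the fixed MODP groups the SSH method names refer
# to: group1 is the 1024-bit Oakley Group 2 (RFC 2409); 14-18 are RFC 3526.
MODP_BITS = {1: 1024, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}

# Fixed-group DH method names follow the "diffie-hellman-groupN-shaM" pattern.
KEX_RE = re.compile(r"^diffie-hellman-group(\d+)-sha(\d+)$")


@dataclass
class KexAssessment:
    name: str
    modulus_bits: Optional[int] = None
    hash_bits: Optional[int] = None
    problems: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.modulus_bits is not None and not self.problems


def assess_kex(name: str, min_modulus_bits: int = 3072,
               min_hash_bits: int = 384) -> KexAssessment:
    """Assumed policy from the message: no 2048-bit DH (groups 15-18 only)
    and SHA-384 or stronger in place of SHA-256."""
    result = KexAssessment(name)
    m = KEX_RE.match(name)
    if not m:  # curve25519-sha256, group-exchange, etc.: modulus not fixed
        result.problems.append("not a fixed-group DH method; not evaluated")
        return result
    group, sha = int(m.group(1)), int(m.group(2))
    result.modulus_bits = MODP_BITS.get(group)
    result.hash_bits = 160 if sha == 1 else sha  # "sha1" is 160-bit SHA-1
    label = "SHA-1" if sha == 1 else f"SHA-{sha}"
    if result.modulus_bits is None:
        result.problems.append(f"unknown MODP group {group}")
    elif result.modulus_bits < min_modulus_bits:
        result.problems.append(
            f"{result.modulus_bits}-bit modulus is below {min_modulus_bits}")
    if result.hash_bits < min_hash_bits:
        result.problems.append(f"{label} is below SHA-{min_hash_bits}")
    return result


def audit_kex_list(kex_algorithms: str) -> dict:
    """Audit a comma-separated KexAlgorithms value, e.g. from sshd_config."""
    return {n: assess_kex(n) for n in kex_algorithms.split(",") if n}
```

Running `audit_kex_list` over the draft's current table (constructed as one KexAlgorithms line) flags group15-sha256 and group16-sha256 for the hash alone, and group1-sha1 and group14-sha256 for both modulus and hash.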