IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



On Wed, 27 Jan 2016, Mark D. Baushke wrote:

> Hi Folks,
> 
> > URL: https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
> 
> I just noticed that the Information Assurance Directorate at the NSA has
> a new article on 'CNSA Suite and Quantum Computing FAQ' ... their URL is
> 
> https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
> 
> Reading the document, they are mandating that NSS no longer use
> Diffie-Hellman with 2048-bit keys; instead they are suggesting
> IETF RFC 3526 (Groups 15-18).
> 
> They are also no longer interested in using SHA-256, wanting SHA-384.
> 
> For folks interested in compliance with the CNSA Suite, does it make
> sense for the baushke-ssh-dh-group-sha2 ID to be updated to specify
> either SHA-384 (or possibly SHA-512)?

I'd skip SHA-384 entirely in favour of SHA-512. Vendors who implement
Ed25519 will have a SHA512 implementation around anyway, whereas
~nobody uses SHA-384.

Also, I think it makes sense to reduce the number of groups offered.
OpenSSH is only offering 14 and 16 now, but might do 18 in the future.
We don't see any need for incremental steps between.

So my recommendation would be:

diffie-hellman-group1-sha1        NOT RECOMMENDED
diffie-hellman-group14-sha256     RECOMMENDED
diffie-hellman-group16-sha512     RECOMMENDED
diffie-hellman-group18-sha512     OPTIONAL

(but 16+256 & 18+512 would be fine too)

-d
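The following is an added example, not code from the thread or from OpenSSH. It shows how the kex method names discussed above are actually chosen on the wire (RFC 4253 section 7.1: the first entry on the client's list that the server also supports wins) and rates the result against the recommendation table in the reply. Group sizes come from RFC 3526 (groups 14-18) and RFC 2409 (group1, Oakley Group 2, 1024 bits); the name-lists fed in are constructed samples, not captured traffic, and the function names are my own.

```python
"""Added example (not part of the original mailing-list thread).

Negotiate an SSH kex method from two KEXINIT name-lists (RFC 4253 7.1) and
rate the outcome against the recommendation table given in the reply above.
"""
from typing import Dict, List, Optional

# Group name -> modulus size in bits (RFC 2409 group 2 for "group1",
# RFC 3526 for groups 14-18).
GROUP_BITS: Dict[str, int] = {
    "group1": 1024,
    "group14": 2048,
    "group15": 3072,
    "group16": 4096,
    "group17": 6144,
    "group18": 8192,
}

# The recommendation table from the reply above.
RECOMMENDATION: Dict[str, str] = {
    "diffie-hellman-group1-sha1": "NOT RECOMMENDED",
    "diffie-hellman-group14-sha256": "RECOMMENDED",
    "diffie-hellman-group16-sha512": "RECOMMENDED",
    "diffie-hellman-group18-sha512": "OPTIONAL",
}

# Constructed sample KEXINIT name-lists (not captured traffic).
SAMPLE_CLIENT_KEX = (
    "diffie-hellman-group16-sha512,"
    "diffie-hellman-group14-sha256,"
    "diffie-hellman-group1-sha1"
)
SAMPLE_SERVER_KEX = (
    "diffie-hellman-group1-sha1,"
    "diffie-hellman-group14-sha256,"
    "diffie-hellman-group-exchange-sha256"
)


def parse_name_list(name_list: str) -> List[str]:
    """Split an RFC 4251 name-list ("a,b,c") into its names, dropping blanks."""
    return [n.strip() for n in name_list.split(",") if n.strip()]


def negotiate_kex(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 7.1: the chosen kex method is the first algorithm on the
    client's list that the server also supports; None if there is no overlap.
    Client ordering, not server ordering, decides the result."""
    server = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server:
            return name
    return None


def describe_dh_method(name: str) -> dict:
    """Split a diffie-hellman-groupN-hash name into group size and hash and
    attach the recommendation status from the table (UNLISTED if absent).
    Names with a different shape (e.g. group-exchange) are reported as not
    using a fixed group."""
    parts = name.split("-")
    status = RECOMMENDATION.get(name, "UNLISTED")
    # Expected shape: ["diffie", "hellman", "groupN", "shaX"]
    if len(parts) != 4 or parts[:2] != ["diffie", "hellman"]:
        return {"name": name, "fixed_group": False, "status": status}
    group, hash_name = parts[2], parts[3]
    return {
        "name": name,
        "fixed_group": True,
        "modulus_bits": GROUP_BITS.get(group),
        "hash": hash_name,
        "status": status,
    }


def audit_offer(server_list: str) -> List[str]:
    """Return the names a server offers that the table marks NOT RECOMMENDED,
    i.e. entries an administrator would want to drop from the configuration."""
    return [n for n in parse_name_list(server_list)
            if RECOMMENDATION.get(n) == "NOT RECOMMENDED"]


if __name__ == "__main__":
    chosen = negotiate_kex(SAMPLE_CLIENT_KEX, SAMPLE_SERVER_KEX)
    print("negotiated:", chosen)
    print("details:", describe_dh_method(chosen) if chosen else None)
    print("server still offers:", audit_offer(SAMPLE_SERVER_KEX))
```

With the sample lists the two sides settle on diffie-hellman-group14-sha256 even though the server lists group1 first, because the client's preference order governs; the audit still flags group1-sha1 as something the server should stop offering, since a client that lists it first would get it.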


