IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



On Sat, 13 Feb 2016, Mark D. Baushke wrote:

> Hi denis & Niels,
> 
> You have both made good points. I have adopted the updated text from
> denis and tried to provide a meaning for the Note column. I have also added
> a pointer to Simon's ssh-curves draft and included both of the
> currently published curve names in the table in this draft.
> 
> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/
> 
> Please let me know of additional comments.

IMO curve25519-sha256 should be a MUST, if not immediately then soon.
It's already supported under the curve25519-sha256@libssh.org alias by
a few implementations.

This paragraph:

>  The group15, group16, group17, and group18 names are the same as
>  those specified in [RFC3526] as 3072-bit MODP Group 14, 4096-bit MODP
>  Group 15, 6144-bit MODP Group 17, and 8192-bit MODP Group 18.

is incorrect: group 14 is 2048 bits, not 3072. Group 15 is 3072 bits,
not 4096. Group 16's length is not described (4096 bits). 17 and 18 are
correct.

I think the table of "Group modulus security strength estimates" should
have a reference - are these from NIST SP800-57?

-d


