IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> That said, is it desirable to also make one of the MODP Diffie-Hellman
> groups also be a MUST? 

Not sure. But *if* we decide on two REQUIRED curves, I think it makes
sense to let one of them be a modp curve.

>> 2. Make it possible for a conforming implementation to support only one
>>    of sha256 and sha512.

> I am not sure I follow this line of reasoning. I have seen most
> libraries that implement one of the SHA2 family of functions tend to
> have an implementation for all members of the family.

The concern is more about binary size than source code. If you want a
compliant ssh implementation inside your toaster or sensor node, with
only a poor microcontroller inside, then everything you can cut away
helps. If we don't care about formal compliance for such devices, this
argument becomes weaker.

> The key here is the phrase 'foreseeable future' and for that I want to
> be a bit more forward-looking and would very much like to see SHA2-512
> if there is a negative bias in other publications for SHA2-256 still
> being used as a cryptographic primitive.

My understanding is that a secure hash algorithm with 256 bits output
is a very strong primitive. If there's a problem with sha256, it isn't the
too short digest size (might be in other applications, where the
attacker can win by finding arbitrary collisions, with "only" 128 bit
difficulty), but structural problems which allow the attacker to take
shortcuts. And the likelihood of that is hard to put a number on.

I'm not strongly opposed to sha512. If we go for it, I think it's
preferable to not have any sha256 with status MUST. And as someone else
mentioned, if we believe eddsa25519 is going to be widely used, then
it's an advantage to use sha512 in the key exchange too, to be able to
cut away sha256 in the constrained implementation.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.


