Hello everyone,
this comment is with respect to the following draft specifying new
Diffie-Hellman groups for SSH key exchange:
The current version of the draft specifies the following:
diffie-hellman-group14-sha256    MAY/OPTIONAL
diffie-hellman-group16-sha512    SHOULD/RECOMMENDED
diffie-hellman-group18-sha512    MAY/OPTIONAL
A previous version of this draft specified the following methods:
diffie-hellman-group14-sha256    MAY/OPTIONAL
diffie-hellman-group15-sha512    MUST/REQUIRED/SHALL
diffie-hellman-group16-sha512    SHOULD/RECOMMENDED
diffie-hellman-group17-sha512    MAY/OPTIONAL
diffie-hellman-group18-sha512    MAY/OPTIONAL
Note the presence of additional groups 15 and 17 which were removed in
version 4 of the original Baushke draft.
Groups 15 and 17 were removed based on feedback from one implementer.
Basically, this feedback was one line:
> +1 to dropping the odd-numbered groups and only listing
> group14/16/18
I would like to counter this, and move to restore the previous table
including groups 15 and 17 - or failing that, at least group 15 - with the same
parameters as above, in version 3 of the original Baushke draft.
My reasons for proposing this are as follows:
- According to NSA recommendations, the 3072-bit strength would be the
current sweet spot between performance and acceptable security. Group 15 is
3072-bit, whereas groups 14 and 16 are 2048- and 4096-bit.
- The additional security of group 16 in comparison to group 15 is
estimated to be small. Symmetric security estimates I've seen are 80 bits for
group 1 (1024-bit), 112 bits for group 14 (2048-bit), and 128 bits for group 15
(3072-bit). Based on this, I expect the security of group 16 (4096-bit) to be
between 136 and 144 symmetric bits.
- Based on practical measurements, it appears that group 16 is about a
factor of 2 slower than group 15. With group 15, I'm getting about 20 full DH
key exchanges per second; with group 16, I am getting around 10. I think this
difference is significant, and can affect real world usage scenarios on heavily
loaded servers.
At this time, I do not have a particular need for group 17 (or 18), but I
find it peculiar that this draft would not specify a group that matches the
exact recommended DH group size suggested by the NSA. It is weird that we have
to choose between group 14, which does not meet the requirements, and
group 16, which is significantly slower.
For our next Bitvise SSH Server and Client versions, I have implemented
support for groups 15 as well as 16, where group 15 is implemented with SHA-512,
as specified above. When using DH key exchange, our SSH Server will favor group
15, whereas group 16 will be disabled by default for performance (but it will be
enabled and preferred in the SSH Client).
denis
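The group 15 versus group 16 throughput comparison above, as an added example (not code from the draft or from Bitvise): it rebuilds the RFC 3526 primes for groups 14, 15 and 16 from the RFC's own closed-form definition, then times full exchanges with private exponents of twice the quoted symmetric strength; the 280-bit exponent for group 16 is an assumption taken from the 136-144 bit estimate above.

```python
"""Regenerate the RFC 3526 MODP primes for groups 14, 15 and 16 from the
closed form the RFC publishes, then time full DH exchanges in each group.
Added example; not code from the draft or from Bitvise."""
import secrets
import time

# RFC 3526: p = 2^k - 2^(k-64) - 1 + 2^64 * ( floor(2^(k-130) * pi) + c )
# group -> (modulus bits k, additive constant c)
MODP = {14: (2048, 124476), 15: (3072, 1690314), 16: (4096, 240904)}
# Private-exponent length (assumption): twice the symmetric strength the mail
# quotes for groups 14/15, and twice the 140-bit midpoint it estimates for 16.
EXP_BITS = {14: 224, 15: 256, 16: 280}

def arctan_inv(x: int, prec: int) -> int:
    """arctan(1/x) scaled by 2^prec, via the alternating series in fixed point."""
    power = (1 << prec) // x                  # (1/x)^(2k+1) scaled, at k = 0
    total, k, x2 = power, 0, x * x
    while power:
        power, k = power // x2, k + 1
        total += (-1) ** k * (power // (2 * k + 1))
    return total

def pi_fixed(prec: int, guard: int = 64) -> int:
    """floor(pi * 2^prec) by Machin's formula, carrying `guard` extra bits."""
    p = prec + guard
    return (16 * arctan_inv(5, p) - 4 * arctan_inv(239, p)) >> guard

def modp_prime(group: int) -> int:
    """The RFC 3526 prime for `group`, rebuilt from the formula above."""
    k, c = MODP[group]
    pi_part = pi_fixed(k - 130)               # floor(2^(k-130) * pi)
    return (1 << k) - (1 << (k - 64)) - 1 + ((pi_part + c) << 64)

def dh_exchange(p: int, exp_bits: int, g: int = 2):
    """One complete exchange: two public values, two shared-secret derivations."""
    a, b = secrets.randbits(exp_bits) | 1, secrets.randbits(exp_bits) | 1
    ya, yb = pow(g, a, p), pow(g, b, p)       # values each side sends
    return pow(yb, a, p), pow(ya, b, p)       # secrets each side derives (equal)

def exchanges_per_second(group: int, seconds: float = 1.0) -> float:
    """Full DH exchanges per second in `group` on this machine (pure-Python pow)."""
    p, n, start = modp_prime(group), 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        dh_exchange(p, EXP_BITS[group])
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    for grp in MODP:
        print(f"group {grp}: {exchanges_per_second(grp):6.1f} exchanges/s")
```

Absolute numbers depend on the machine and on pure-Python big-integer speed; the ratio between groups is the figure worth comparing against the 20-versus-10 measurement above.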