IETF-SSH archive
Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?
> The issue is that many folks are paranoid that someone will create a
> DH Backdoor
Fair enough. Though how you backdoor a prime....
> How to Backdoor Diffie-Hellman
> https://eprint.iacr.org/2016/644
> See also URL:
> https://github.com/mimoo/Diffie-Hellman_Backdoor
I'll have to see if I can find a work machine to look at those on.
Thanks for the pointers.
> Someone could also generate a new set of safe primes based on some
> other transcendental number (square root of "2" or some other
> number).
The square root of 2 is not transcendental; it's irrational, yes, but
it's algebraic.
> My question is if we should literally require all SSH implementations
> to have a Mandatory To Implement (MTI) DH parameter set now which may
> need to be deprecated in a 'short' (for some value of the word short)
> period of time.
The only reason I see to have any MUSTs (rather than SHOULDs) is
interoperability.
>>> diffie-hellman-group16-sha512 MUST
>> I find this too computationally expensive to justify "MUST" for
>> servers. Last time I checked, this costs about 100 ms in server CPU
>> time, more on weaker CPUs, and makes it trivial to DoS a
>> resource-constrained server - no DDoS needed.
That is unavoidable in a world that includes great disparity in speeds.
The difficulty of problem that will provide effective security on
high-end machines is going to be enough that even a single operation
will DoS low-end machines. I implemented connection-sharing in moussh
for the pragmatic reason that key sizes large enough to provide
effective security in the presence of high-end machines took very long
times (many seconds) on my low-end machines.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
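Both points raised in this reply, how one would backdoor a DH prime and what a group16 exchange costs a server, come down to properties of the modulus that can be checked directly rather than taken on trust. The Python below is an added example, not code from this thread, from moussh, or from any other SSH implementation: it rebuilds the RFC 3526 group14 and group16 primes from their published nothing-up-my-sleeve formula, p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c), confirms each is a safe prime, and times one modular exponentiation in each group so the cost disparity between the two can be measured on whatever machine it runs on. The offsets c (124476 for 2048 bits, 240904 for 4096 bits) are transcribed from RFC 3526 and assumed correct; the Machin-formula pi routine, the fixed Miller-Rabin bases and the function names are the example's own.

```python
"""Reconstruct the RFC 3526 MODP primes from their pi formula and check them.

Added example for the draft-ietf-curdle-ssh-kex-sha2 discussion; not code
from the thread or from any SSH implementation.
"""
import os
import time

# RFC 3526 publishes each prime as
#     p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + c )
# i.e. 64 one-bits, the leading bits of pi, a small offset c chosen so the
# result is a safe prime, then 64 more one-bits.  Offsets transcribed from
# RFC 3526 (assumed correct; a wrong c makes the safe-prime check fail).
GROUP_OFFSETS = {
    "diffie-hellman-group14-sha256": (2048, 124476),
    "diffie-hellman-group16-sha512": (4096, 240904),
}

# Miller-Rabin bases.  A true prime always passes, so a fixed set is enough
# for verifying published primes (use random bases for untrusted candidates).
MR_BASES = (2, 3, 5, 7, 11)


def arctan_inv(x, prec_bits):
    """Return arctan(1/x) * 2**prec_bits, truncated, via the Taylor series.

    Integer arithmetic only; each truncated term loses under one unit in the
    last place, which the guard bits in pi_scaled() absorb.
    """
    power = (1 << prec_bits) // x      # (1/x)^(2k+1) scaled, starting at k=0
    x_squared = x * x
    total, k = 0, 0
    while power:
        term = power // (2 * k + 1)
        total += term if k % 2 == 0 else -term
        power //= x_squared
        k += 1
    return total


def pi_scaled(bits, guard=64):
    """floor(pi * 2**bits) via Machin: pi = 16 atan(1/5) - 4 atan(1/239)."""
    prec = bits + guard
    pi_guarded = 16 * arctan_inv(5, prec) - 4 * arctan_inv(239, prec)
    return pi_guarded >> guard


def modp_prime(n_bits, c):
    """Evaluate the RFC 3526 formula for an n_bits-bit group with offset c."""
    return ((1 << n_bits) - (1 << (n_bits - 64)) - 1
            + (1 << 64) * (pi_scaled(n_bits - 130) + c))


def is_probable_prime(n, bases=MR_BASES):
    """Miller-Rabin with fixed bases."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p and q = (p-1)/2 both prime, so every element other than +-1 has
    order q or 2q and there is no small subgroup to confine a peer to."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_group(name):
    """Rebuild one group's prime and report its shape and safe-primality."""
    n_bits, c = GROUP_OFFSETS[name]
    p = modp_prime(n_bits, c)
    hexp = format(p, "X")
    return {
        "bits": p.bit_length(),
        "hex_head": hexp[:48],    # 64 one-bits, then pi's leading bits C90FDAA2...
        "hex_tail": hexp[-16:],   # 64 one-bits
        "safe_prime": is_safe_prime(p),
    }


def time_exponentiation(name, reps=3):
    """Seconds for one 2^x mod p with a full-length private exponent (the
    worst case; implementations using shorter exponents do proportionally
    less work)."""
    n_bits, c = GROUP_OFFSETS[name]
    p = modp_prime(n_bits, c)
    x = int.from_bytes(os.urandom(n_bits // 8), "big") % (p - 2) + 1
    start = time.perf_counter()
    for _ in range(reps):
        pow(2, x, p)
    return (time.perf_counter() - start) / reps


if __name__ == "__main__":
    for name in GROUP_OFFSETS:
        print(name, check_group(name),
              f"{time_exponentiation(name) * 1e3:.1f} ms per exponentiation")
```

Because the prime is fully determined by n, pi and a small public offset, anyone can regenerate it; that is what makes a backdoored replacement hard to slip in, and the same check applies to any proposed new group derived from another constant. The timing half shows the other side of the argument in this reply: the group16 exponentiation costs several times a group14 one on the same hardware, and on a slow machine the absolute number is what decides whether an unauthenticated client can tie the server up.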