[Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

["Mark D. Baushke" <mdb@juniper.net>]

Thank you Melinda for taking the minutes for the Curdle meeting 
on March 27, 2017.

https://datatracker.ietf.org/doc/minutes-98-curdle/ says:

> draft-ietf-curdle-ssh-modp-dh-sha2
> ============
> EKR: I'm surprised you're not using the ones we're
> standardizing in TLS.  Rich: we're reflecting what's in the
> deployed base.  DKG: Shouldn't use the same groups being
> specified for TLS, although we should use defined groups
> AGL: the draft is documenting reality, but why wouldn't you
> want to use the same groups?  DKG: the rules for generating
> strong groups are well-understood, but you might not want to
> use them cross-domain.  These are also same groups used by
> IKE.  Rich: will encourage discussion on the list, we'll
> pollute IKE and TLS, too.  Tero: these are the groups being
> used in IKE.  Might be premature for last call, needs
> discussion

draft-ietf-curdle-ssh-modp-dh-sha2 is using RFC 3526 MODP primes
based on "pi" instead of RFC7919 primes (TLS) based on "e".

Group modulus security strength estimates (RFC3526)
+--------+----------+---------------------+---------------------+
| Group  | Modulus  | Strength Estimate 1 | Strength Estimate 2 |
|        |          +----------+----------+----------+----------+
|        |          |          | exponent |          | exponent |
|        |          | in bits  | size     | in bits  | size     |
+--------+----------+----------+----------+----------+----------+
|  14    | 2048-bit |      110 |     220- |      160 |     320- |
|  15    | 3072-bit |      130 |     260- |      210 |     420- |
|  16    | 4096-bit |      150 |     300- |      240 |     480- |
|  17    | 6144-bit |      170 |     340- |      270 |     540- |
|  18    | 8192-bit |      190 |     380- |      310 |     620- |
+--------+----------+---------------------+---------------------+

as has been mentioned, the RFC3526 groups are all being used in IKE
and group14 has been used in SSH since RFC4253 was first approved.

RFC7919 seems to provide the following:
+-------+------------+----------+----------+
| Group | Name       | Modulus  | Strength |
|       |            |          | Estimate |
|       |            |          | in bits  |
+-------+------------+----------+----------+
|  256  | ffdhe2048  | 2048-bit |      103 |
|  257  | ffdhe3072  | 3072-bit |      125 |
|  258  | ffdhe4096  | 4096-bit |      150 |
|  259  | ffdhe6144  | 6144-bit |      175 |
|  260  | ffdhe8192  | 8192-bit |      192 |
+-------+------------+----------+-----------

All of thee groups given above are safe primes with a generator g = 2
and q = (p-1)/2.

I have no objections to adding the additional five groups to the draft
if that is desirable to the Curdle WG at large.

Would the following additions make everyone happy?

    diffie-hellman-group256-sha512
    diffie-hellman-group257-sha512
    diffie-hellman-group258-sha512
    diffie-hellman-group259-sha512
    diffie-hellman-group260-sha512

Or are there other issues to be discussed?

	Thank you,
	-- Mark