Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2

["Mark D. Baushke" <mdb@juniper.net>]

Hi Peter,

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Salz, Rich <rsalz@akamai.com> writes:
> 
> There is one obvious counter-argument and that's diversification. The
> problem with the DH1024 group that was pointed out in the Logjam paper
> is that absolutely everything ended up using it, making it an
> incredibly attractive target because if you break that you break
> everything that uses it. Having everything use the 3526 groups, or
> similar, just moves the problem to a slightly larger key size. So
> using known-good parameter sets that differ from what everyone else is
> using, and in particular IKE and SSL, which are much large targets
> than SSH, wouldn't be a bad idea.

This is probably the argument which led to the creation of RFC4419.

Of course, there is also the possibility of a dishonest or subverted
server which is using a backdoor DH:

   How to Backdoor Diffie-Hellman
   David Wong, NCC Group, June 2016
   URL: https://eprint.iacr.org/2016/644.pdf

> In -LTS, one of the suggestions I make is:
> 
>   If this isn't possible, an alternative option is to pre-generate a
>   selection of DH parameters and choose one set at random for each new
>   handshake, or again roll them over from time to time from the
>   pre-generated selection, so that an attacker has to attack multiple
>   sets of parameters rather than just one.
> 
> So one possibility would be to generate, say, 16 NUMS DH parameters
> for each size and publish those, and have the server select one at
> random. This adds security both in terms of diversifying from the
> IKE/SSL values that everyone else uses, and forcing an attacker to
> break all 16 parameter sets instead of just the one.

Another possibility would be pre-generate a number of provable primes
that are NOT safe primes and pass {FSeed,vPseed, Qseed, Pgen_counter,
Qgen_counter, g, Q, P} from the server to the client to prove to the
client that P and Q are primes and then commence the key exchange.

The benefit of safe primes is that q (a Sophie Germain Prime) has a very
large cyclic subgroup. The downside is that there are not as many safe
primes in the number space as there are primes. While I do not know of a
method to attack this weakness, it is something about the structure of
safe primes that makes me wonder sometimes.

Using a q prime with an order that is roughly half of p is still plenty
large enough for slowing down a sieve and would also still be a bit
harder to break in a Post-Quantum Computer universe even if it does not
have as large an order as a sophie germain prime.

Given the provable prime parameters, the client could verify the
primality of q and p and that g is a proper generator for the q-ordered
subgroup. Especially if g is chosen to be 2... :-)

In this way the client will be able to avoid using a backdoor DH.

Would a Draft RFC dealing with the creation of such provable primes be
something that is useful to the Curdle WG? Is it likely that something
like this would be adopted by more than just SSH?

	-- Mark