Re: DH group exchange (Re: SSH key algorithm updates)

[denis bider <ietf-ssh3@denisbider.com>]

I agree, and would like to see algorithm names for these groups defined.

We have a bit of an inconsistency going on, in the way we refer to SHA-2 256. We standardized hmac-sha2-256, but on the other hand we have "sha256" elsewhere, including as discussed for DH here.

I suggest "sha2-256" for the same reason this was suggested in the hmac-sha2-256 case: to make it clear it isn't sha3-256.

I have previously argued that consistency for the sake of consistency is overvalued. Therefore, in order to be consistent, I should be fine either way. :) I think it's worthwhile to point out, however.


----- Original Message -----
From: Niels "Möller" 
Sent: Sunday, November 15, 2015 01:16
To: Mark D. Baushke 
Cc: Damien Miller ; Peter Gutmann ; denis bider ; Jeffrey Hutzelman ; ietf-ssh@NetBSD.org ; stephen.farrell@cs.tcd.ie ; jon@siliconcircus.com 
Subject: Re: DH group exchange (Re: SSH key algorithm updates)

"Mark D. Baushke" <mdb@juniper.net> writes:

> For now, does it seem reasonable to add RFC 3526 group15 & group16 to
> the protocol?
>
>   diffie-hellman-group15-sha256 (3072-bit MODP group ~130 bits of security)
>   diffie-hellman-group16-sha256 (4096-bit MODP group ~150 bits of security)

I think it makes sense. It's good to have some specified algorithms with
security a bit beyond what's currently used, to make it easy to move
if/when needed attacks on the current algorithms emerge. 

Next question is what status they should have. I think it makes sense to
have group15 as RECOMMENDED.

(By the same argument, I think it makes sense to specify some
alternative to sha256 too, which I guess would be either sha512 or
sha3-384 (sha384 makes litte sense to me, since it's essentially a
truncated sha512, with same performance and shorter output)).

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.