Re: DH Group Exchange in SSH (RFC 4419) - Avoiding Backdoors

"Mark D. Baushke" <mdb@juniper.net> Thu, 29 September 2016 19:23 UTC

To: Damien Miller <djm@mindrot.org>
CC: ietf-ssh@NetBSD.org, curdle@ietf.org, frg@irtf.org
Subject: Re: DH Group Exchange in SSH (RFC 4419) - Avoiding Backdoors
In-Reply-To: <alpine.BSO.2.20.1609300328040.29933@natsu.mindrot.org>
References: <35937.1475160447@eng-mail01.juniper.net> <alpine.BSO.2.20.1609300328040.29933@natsu.mindrot.org>
Comments: In-reply-to: Damien Miller <djm@mindrot.org> message dated "Fri, 30 Sep 2016 03:28:54 +1000."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Thu, 29 Sep 2016 12:22:54 -0700
Message-ID: <91352.1475176974@eng-mail01.juniper.net>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi Damien,

Damien Miller <djm@mindrot.org> writes:

> On Thu, 29 Sep 2016, Mark D. Baushke wrote:

> > Question:
> > 
> > Should RFC 4419 - "Diffie-Hellman Group Exchange for the Secure Shell
> > (SSH) Transport Layer Protocol" be deprecated?
> > 
> > Background:
> > 
> > The paper "How to Backdoor Diffie-Hellman" by David Wong
> > https://eprint.iacr.org/2016/644.pdf describes two ways
> > of creating a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor:
> 
> NOBUS backdoors aren't the only concern; another motivation was
> logjam-style precomputation attacks.

Yes, the creation of a new set of DH parameters allows us to avoid
logjam precomputation attacks against a well known set of DH groups.

That said, with NOBUS, how is an SSH client able to identify improper
ephemeral DH parameters that have been intentionally weakened?

Had RFC4419 sent all three of p,q,g to the client, then the client
may have been able to do more validity checks.

However, RFC 4419 does NOT send q AND the methods to select g as given
in the RFC are not always going to generate a q-ordered subgroup of p.

If g is not able to generate a proper q-ordered subgroup value, then
concerns of NOBUS arise and in turn means that an attacker may be able
to learn the parity of the secret (thus losing only one bit of
security). However, a misconfigured g could also be an indication that
there is a NOBUS DH backdoor in the server connection.

Moving to the MODP group16 for DH key exchange reduces the ability for a
full precomputation logjam-type attack.

So, I am asking if it is time to deprecate the RFC 4419 kex methods.

Failing that, what may be done to enhance an RFC4419bis to handle both
logjam and NOBUS attack vectors?

	Thanks,
	-- Mark
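The message above turns on two client-side questions: which checks become possible when all of p, q and g are delivered, and what a client can still verify when, as in RFC 4419, only p and g arrive. The following is an added example written for this archive page; it is not code from the thread, from OpenSSH, or from any SSH implementation. The function names (is_probable_prime, validate_gex_group, validate_peer_public) are assumptions, and the group in the demonstration is a constructed toy (p = 23, q = 11) chosen only so the arithmetic is visible; real groups are 2048 bits or larger. When q is absent the code assumes the server meant a safe prime p = 2q + 1 and derives q itself, which is exactly the point of the thread: a group that fails these checks is not necessarily backdoored, but the client cannot distinguish a mistake from a deliberately weakened group, so it should refuse either.

```python
"""Client-side sanity checks for Diffie-Hellman group-exchange parameters.

Added example for this list-archive page (not from the thread or any SSH
implementation).  Assumed names: is_probable_prime(), validate_gex_group(),
validate_peer_public().  The numbers in __main__ are a constructed toy group.
"""
import secrets
from typing import List, Optional

# Trial-division prefilter before Miller-Rabin.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def validate_gex_group(p: int, g: int, q: Optional[int] = None) -> List[str]:
    """Return the problems found with (p, g[, q]); an empty list means the group looks sane.

    With q supplied (the case the thread wishes RFC 4419 had specified) the
    subgroup order is checked directly.  Without q (what RFC 4419 actually
    sends) the client assumes a safe prime p = 2q + 1 and derives q itself.
    """
    problems: List[str] = []
    if p < 3 or p % 2 == 0 or not is_probable_prime(p):
        return ["p is not an odd prime"]
    if not 2 <= g <= p - 2:
        return ["g is outside [2, p-2]"]
    if q is None:
        q = (p - 1) // 2
        if not is_probable_prime(q):
            return ["(p-1)/2 is not prime: p is not a safe prime, so the subgroup order is unknown"]
    else:
        if not is_probable_prime(q):
            problems.append("q is not prime")
        if (p - 1) % q != 0:
            problems.append("q does not divide p-1")
        if problems:
            return problems
    if pow(g, q, p) != 1:
        # For a safe prime, g outside the order-q subgroup generates the whole
        # group, and y = g^x then reveals the parity of x through y^q mod p.
        problems.append("g does not generate the order-q subgroup (exponent parity is exposed)")
    return problems


def validate_peer_public(y: int, p: int, q: int) -> bool:
    """Accept a peer public value only if it lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


if __name__ == "__main__":
    P, Q = 23, 11  # constructed toy safe prime: 23 = 2*11 + 1
    print("g=2 (order 11):", validate_gex_group(P, 2) or "ok")
    print("g=5 (order 22):", validate_gex_group(P, 5) or "ok")
    # With g=5 an odd exponent produces a public value outside the subgroup.
    print("peer value from odd exponent accepted?", validate_peer_public(pow(5, 3, P), P, Q))
```

The group check and the peer-value check are complementary: the group check is what the thread asks for and rejects a generator of the wrong order before any secret is used, while the peer-value check is the per-exchange guard that only catches a bad generator on the exchanges where the parity bit would actually show.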