Re: DH group exchange (Re: SSH key algorithm updates)

Damien Miller <djm@mindrot.org> Tue, 10 November 2015 07:31 UTC

Date: Tue, 10 Nov 2015 18:30:40 +1100
From: Damien Miller <djm@mindrot.org>
To: Niels Möller <nisse@lysator.liu.se>
cc: "Mark D. Baushke" <mdb@juniper.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)

On Tue, 10 Nov 2015, Niels Möller wrote:

> > It may also be desirable to set up a way that RFC 3526 groups:
> >
> >   diffie-hellman-group14-sha256 (2048-bit MODP group - 112 bits of security)
> >   diffie-hellman-group15-sha256 (3072-bit MODP group - 128 bits of security)
> >
> >   diffie-hellman-group16-sha384 (4096-bit MODP group - ~150 bits of security)

FWIW OpenSSH has been using RFC3526 group 16 as the fallback group for
group-exchange when it can't find a local pre-computed group list.

-d