Re: DH group exchange (Re: SSH key algorithm updates)

nisse@lysator.liu.se (Niels Möller ) Tue, 10 November 2015 22:35 UTC

From: nisse@lysator.liu.se
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: Damien Miller <djm@mindrot.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jon@siliconcircus.com" <jon@siliconcircus.com>
Subject: Re: DH group exchange (Re: SSH key algorithm updates)
References: <9A043F3CF02CD34C8E74AC1594475C73F4B5993D@uxcn10-5.UoA.auckland.ac.nz> <2096379125-720@skroderider.denisbider.com> <9A043F3CF02CD34C8E74AC1594475C73F4B599ED@uxcn10-5.UoA.auckland.ac.nz> <55190.1447001241@eng-mail01.juniper.net> <9A043F3CF02CD34C8E74AC1594475C73F4B5A9BC@uxcn10-5.UoA.auckland.ac.nz> <nnziyn2ft7.fsf@armitage.lysator.liu.se> <65113.1447107876@eng-mail01.juniper.net> <nn37we320r.fsf@armitage.lysator.liu.se> <alpine.BSO.2.20.1511101829460.8324@natsu.mindrot.org> <90378.1447145301@eng-mail01.juniper.net>
Date: Tue, 10 Nov 2015 21:08:32 +0100
In-Reply-To: <90378.1447145301@eng-mail01.juniper.net> (Mark D. Baushke's message of "Tue, 10 Nov 2015 00:48:21 -0800")
Message-ID: <nnbnb11utb.fsf@armitage.lysator.liu.se>

"Mark D. Baushke" <mdb@juniper.net> writes:

> Given that OpenSSH is using group16 with sha2-256 preserves 128 bits of
> security,

How do you reason about that halving, from 256 to 128? For the key
expansion, I'd expect that you can count very close to 256 bits of
entropy in the generated keys (assuming the secret dh values were
generated randomly).

Now, you will start to get some repeated session keys, i.e., collisions,
after about 2^128 sessions. But that has little to do with the hash
function: if we had a crypto system which for each session generated a
256-bit session key from a truly random source, we'd also get collisions
after about 2^128 sessions. But I think the conventional way to assign a
security level to such a system is 2^256 (the difficulty of exhaustive
key search), not 2^128.

Am I missing something?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
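The argument in Niels's reply, as an added Python illustration that is not part of the thread: a fresh n-bit session key derived by SHA-256 from a random per-session secret repeats after roughly 2^(n/2) sessions (the birthday bound), while guessing one specific key still costs about 2^(n-1) trials on average. The simulation truncates the derived key to a small width so the collision count is tractable; the expansion here hashes only the per-session secret, a simplification of the SSH derivation HASH(K || H || "A" || session_id).

```python
"""Birthday bound versus exhaustive search for randomly derived session keys.

Added illustration (not code from the ietf-ssh thread). Each simulated
session derives a key as SHA-256 over a random secret, truncated to
`nbits` so collisions can actually be observed in a few thousand hashes.
"""
import hashlib
import math
import random


def derive_session_key(secret: bytes, nbits: int) -> int:
    """SHA-256 expansion of a per-session secret, truncated to nbits (1..256)."""
    digest = hashlib.sha256(secret).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def sessions_until_collision(nbits: int, rng: random.Random) -> int:
    """Run sessions with fresh random secrets until a derived key repeats."""
    seen = set()
    count = 0
    while True:
        secret = rng.getrandbits(256).to_bytes(32, "big")  # constructed secret
        key = derive_session_key(secret, nbits)
        count += 1
        if key in seen:
            return count  # birthday event: two sessions share a key
        seen.add(key)


def mean_sessions_until_collision(nbits: int, trials: int, seed: int = 1) -> float:
    """Average over `trials` independent runs (seeded for reproducibility)."""
    rng = random.Random(seed)
    return sum(sessions_until_collision(nbits, rng) for _ in range(trials)) / trials


def expected_birthday(nbits: int) -> float:
    """Expected draws until the first repeat among 2^nbits values: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def expected_exhaustive_search(nbits: int) -> float:
    """Average guesses to hit one specific uniformly random nbits key: 2^(n-1)."""
    return 2.0 ** (nbits - 1)


if __name__ == "__main__":
    print("simulated mean (16-bit keys):", mean_sessions_until_collision(16, 200))
    print("birthday estimate (16-bit):  ", expected_birthday(16))
    print("log2 birthday bound, 256-bit keys:", math.log2(expected_birthday(256)))
    print("log2 key-search cost, 256-bit keys:", math.log2(expected_exhaustive_search(256)))
```

For 256-bit keys the two numbers differ by a factor of about 2^127: the birthday bound (~2^128 sessions) describes when a repeat is likely, not how hard it is to find any particular key.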