Liberating SSH from Logjam leftovers • The Register

IETF RFC writes out weak Diffie-Hellman
A recent Request for Comments from the Internet Engineering Task Force calls on SSH implementers to stop accepting 1,024-bit Diffie-Hellman moduli.
RFC 8270 was authored by Mark Baushke (at Juniper Networks but working as an individual *) and Loganaden Velvindron (of Mauritian group Hackers.mu) in response to the 2015 Logjam attack.
Logjam, found by a team of researchers that included Johns Hopkins cryptoboffin Matthew Green, showed that a state-level actor could do a one-off precomputation against a widely shared 1,024-bit Diffie-Hellman prime and then break individual key exchanges that use it.
The Logjam discovery was followed up by other researchers including NCC Group’s David Wong, who in 2016 published a paper on the IACR ePrint archive [PDF] demonstrating practical ways to plant a backdoor in Diffie-Hellman parameters.
Since then, Web browsers, the biggest risk vector for most of us, have dropped 1,024-bit support, but SSH clients and servers that still accept 1,024-bit groups during key exchange remain in use.
The Velvindron and Baushke RFC also formalises what has already happened in practice by updating RFC 4419 (which set the old 1,024-bit minimum).
Getting there isn’t hard: clients and servers need to set a minimum of 2,048 bits in SSH_MSG_KEX_DH_GEX_REQUEST, and should use 3,072 bits as their preferred group size. ®
*Correction: Mark Baushke got in touch to let the author know that « Juniper Networks fully funds all my work with the IETF including my work on the IETF Curdle Working Group where this particular RFC was chartered. » ®