]>
Increase SSH minimum recommended DH modulus size to 2048 bits
Hackers.mu
88, Avenue De Plevitz
Roches Brunes

MU
+230 59762817
logan@hackers.mu
Juniper Networks, Inc.
mdb@juniper.net
General
Internet Engineering Task Force
The Diffie-Hellman (DH) Group Exchange for the Secure Shell (SSH)
Transport layer Protocol specifies that servers and clients
should support groups with a modulus length of k bits, where the
recommended minimum value is 1024 bits. Recent security research
has shown that a minimum value of 1024 bits is insufficient
against state-sponsored actors, and possibly an organization with enough computing
resources. As such, this document formally
updates the specification such that the minimum recommended value
for k is 2048 bits and the group size is 2048 bits at minimum.
This RFC updates RFC4419 which allowed for DH moduli less than
2048 bits.
specifies a recommended minimum size
of 1024 bits for k, which is the modulus length of the DH
Group. It also suggests that in all cases, the size of the
group needs be at least 1024 bits. This document updates
so that the minimum recommended size be
2048 bits. This recommendation is based on recent research on
DH Group weaknesses.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as
described in RFC 2119.
Recent research strongly suggests
that DH groups that are 1024 bits can be broken by state
actors, and possibly an organization with enough computing
resources. The authors show how they are able to break 768
bits DH group and extrapolate the attack to 1024 bits DH
groups. In their analysis, they show that breaking 1024
bits can be done with enough computing resources.
This document provides the following recommendation: SSH
Servers and SSH clients SHOULD support groups with a modulus length
of k bits where 2048 <= k <= 8192.
[RFC4419] specifies
a recommended minimum size of 1024 bits for k,
which is the modulus length of the DH Group. It also suggests that
in all cases, the size of the group needs be at least 1024 bits.This
document updates as described below:
section 3 Paragraph 9: Servers and
clients SHOULD support groups with a modulus length of k
bits where 2048 <= k <= 8192. The recommended
minimum values for min and max are 2048 and 8192,
respectively.
Section 3
Paragraph 11: In all cases, the size of the group SHOULD be
at least 2048 bits.

This document keeps the requirement "The server should
return the smallest group it knows that is larger than the size the
client requested. If the server does not know a group that is larger
than the client request, then it SHOULD return the largest group it
knows." and updates the sentence that follows to read: "In all cases,
the size of the returned group SHOULD be at least 2048 bits."
This document discusses security issues of DH groups that are
1024 bits in size, and formally updates the minimum size of DH
groups to be 2048 bits. A hostile or "owned" Secure Shell server implementation could
potentially use Backdoored Diffie-Hellman primes using the methods
described in to provide the g,p values
to be used. Or, they could just send the calculated secret through a
covert channel of some sort to a passive listener.
This document contains no considerations for IANA.
&RFC2119;
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
Univeristy of Michigan
INRIA Paris-Rocquencourt
Univeristy of Michigan
INRIA Nancy-Grand Est, CNRS, and Université de Lorraine
Johns Hopkins
Univeristy of Michigan
University of Pennsylvania
Univeristy of Michigan
INRIA Nancy-Grand Est, CNRS, and Université de Lorraine
University of Pennsylvania
Univeristy of Michigan
Univeristy of Michigan
Microsoft Research
Univeristy of Michigan
How to Backdoor Diffie-Hellman
&RFC4419;