IETF-SSH archive
Re: DH group exchange (Re: SSH key algorithm updates)
Hi Niels,
Niels Möller <nisse%lysator.liu.se@localhost> writes:
> "Mark D. Baushke" <mdb%juniper.net@localhost> writes:
>
> > Given that OpenSSH is using group16 with sha2-256 preserves 128 bits of
> > security,
>
> How do you reason about that halving, from 256 to 128?
sha2-256 has 128 bits of security per NIST SP 800-107-rev1.
> For the key expansion, I'd expect that you can count very close to 256
> bits of entropy in the generated keys (assuming the secret dh values
> were generated randomly).
Attacks on the signature hash will only need to brute force about half
of the keyspace on average to recover the key.
> Now, you will start to get some repeated session keys, i.e., collisions,
> after about 2^128 sessions. But that has little to do with the hash
> function: if we had a crypto system which for each session generated a
> 256-bit session key from a truly random source, we'd also get collisions
> after about 2^128 sessions. But I think the conventional way to assign a
> security level to such a system is 2^256 (the difficulty of exhaustive
> key search), not 2^128.
>
> Am I missing something?
I have always been told that one should choose a signature mechanism
which provides the same number of bits of security as the asymmetric or
symmetric encryption keys.
See also:
http://csrc.nist.gov/publications/nistpubs/800-107-rev1/sp800-107-rev1.pdf
Section 4.2 table 1.
Or look at the tables in these documents:
http://www.keylength.com/en/4/
https://wiki.mozilla.org/Security/Guidelines/Key_Management
I suppose I may have been over-conservative in my numbers...
-- Mark
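The two numbers in this exchange come from two different generic attacks on an n-bit hash: a collision (two inputs with the same digest) costs about 2^(n/2) work by the birthday bound, which is where NIST SP 800-107's 128-bit figure for SHA-256 comes from, while a preimage or an exhaustive search of a 256-bit session key costs about 2^n. The following script is an added illustration, not code from the thread or from any SSH implementation; it truncates SHA-256 to a small number of bits (an assumption made so the searches finish in seconds) and measures how many trials each attack needs, so the halving can be observed directly rather than argued about.

```python
import hashlib
import math
import random

# Truncating SHA-256 to a few bits lets the birthday effect be observed in
# seconds; the asymptotics (2^(n/2) for a collision vs 2^n for a preimage)
# are the same as for the full 256-bit output.  The truncation is an
# assumption of this demo, not anything SSH does.


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, seed: int = 1) -> tuple[bytes, bytes, int]:
    """Birthday search: hash random messages until two share a digest.

    Returns (msg_a, msg_b, trials).  Expected trials ~ sqrt(pi/2 * 2^bits),
    i.e. roughly 2^(bits/2).
    """
    rng = random.Random(seed)            # fixed seed: repeatable demo
    seen: dict[int, bytes] = {}
    trials = 0
    while True:
        trials += 1
        msg = rng.getrandbits(64).to_bytes(8, "big")
        h = truncated_sha256(msg, bits)
        if h in seen and seen[h] != msg:  # same digest, different input
            return seen[h], msg, trials
        seen[h] = msg


def find_preimage(target: int, bits: int, seed: int = 2) -> tuple[bytes, int]:
    """Exhaustive-style search: random messages until one hashes to target.

    Returns (msg, trials).  Expected trials ~ 2^bits, the same order of
    work as brute-forcing a `bits`-bit key.
    """
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        msg = rng.getrandbits(64).to_bytes(8, "big")
        if truncated_sha256(msg, bits) == target:
            return msg, trials


def expected_work_bits(hash_bits: int) -> dict[str, float]:
    """Generic-attack cost, in bits, for an ideal hash with `hash_bits` output."""
    return {
        "collision": hash_bits / 2,      # birthday bound
        "preimage": float(hash_bits),    # exhaustive search
    }


if __name__ == "__main__":
    bits = 20
    a, b, collision_trials = find_collision(bits)
    # Constructed sample target; any message would do.
    target = truncated_sha256(b"constructed sample message", bits)
    m, preimage_trials = find_preimage(target, bits)
    print(f"{bits}-bit truncated SHA-256:")
    print(f"  collision after {collision_trials} trials "
          f"(~2^{math.log2(collision_trials):.1f}, bound 2^{bits / 2})")
    print(f"  preimage  after {preimage_trials} trials "
          f"(~2^{math.log2(preimage_trials):.1f}, bound 2^{bits})")
    print("full SHA-256 generic costs:", expected_work_bits(256))
```

Run as a script it prints the empirical trial counts for a 20-bit truncation alongside the theoretical bounds; the collision typically lands near 2^10 and the preimage near 2^20. Which figure is the "security level" of the exchange hash depends on which property the protocol relies on: a collision in the exchange hash is what an attacker would need to substitute one transcript for another under an existing signature, whereas recovering a 256-bit session key derived from it is a preimage-sized job.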