Subject: Re: really really obsolete etc/moduli
To: William Allen Simpson <wsimpson@greendragon.com>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-security
Date: 01/15/2005 08:33:01
On Saturday 15 January 2005 05:13, William Allen Simpson wrote:
> Generally, the idea is that each system release have a new moduli file.
>
> The 1024-bit moduli (most commonly used) should be replaced regularly,
> probably on the order of every year, but could be needed more often.
> Perry Metzger claimed there was going to be an analysis paper on it,
> but I've not seen it.
>
> About 15 months ago, I submitted a replacement
>   http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=23076
>
> OpenSSH replaced theirs 12 months ago (currently 1.2).
>
> NetBSD has not updated from OpenSSH (still using one going on 5 years
> old), nor used those I specially generated for you.
>
> I'd be willing to guess that you've shipped 2.0 with moduli that have
> long since been cracked by most major governments, and possibly major
> corporations.  Why?

First of all, your claim is pure FUD.

Let us start with the basics.  We have two possibilities:

1) RSA and D-H are not secure.  If this is the case, you're screwed, and we 
have nothing more to talk about.

2) RSA and D-H are secure.  In this case, the only thing to "crack" is to 
discover that one of the moduli is not actually prime.

Now, I'd like to say that the method the OpenBSD people use to generate the 
moduli is safe.  However, while it is substantially stronger (it uses many 
more Miller-Rabin rounds) than the process used to generate your host keys 
and user keys, it is *not* actually a primality proof.

The only known primality proof with usable complexity is ECPP.  If you're 
going to worry about the possibility of keys being cracked, you should not be 
using primes verified with any other method.  This includes not just the D-H 
moduli, but also host and user keys.

Unless you're actually going to solve this problem, you have no pants.
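Added example, not part of this thread or of OpenSSH: a small Python 3 script that re-tests entries of an OpenSSH moduli file with Miller-Rabin, so the "probable prime, not a proof" distinction Hannum draws is visible in the output. The moduli lines and the choice of 64 rounds are constructed for illustration; the field layout follows moduli(5), and the generator-2 condition (p mod 24 == 11) is the one OpenSSH applies.

```python
import random

def miller_rabin(n: int, rounds: int) -> bool:
    """Probabilistic primality test. True means 'probably prime': each
    random-base round lets a composite through with probability <= 1/4,
    so the error bound is 4**-rounds.  This is a test, not a proof."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # witness found: n is definitely composite
    return True

def check_moduli_line(line: str, rounds: int = 64) -> dict:
    """Parse one moduli(5) entry (time type tests trials size generator
    modulus-hex) and independently re-test p and q = (p-1)/2."""
    _time, _type, _tests, trials, _size, gen, hexmod = line.split()
    p = int(hexmod, 16)
    q = (p - 1) // 2
    result = {
        "bits": p.bit_length(),
        "recorded_trials": int(trials),
        "p_probably_prime": miller_rabin(p, rounds),
        "q_probably_prime": miller_rabin(q, rounds),
        "error_bound": 4.0 ** -rounds,   # per-number false-accept bound
    }
    result["safe_prime"] = result["p_probably_prime"] and result["q_probably_prime"]
    # OpenSSH accepts generator 2 only when p % 24 == 11 (then 2 is a
    # quadratic residue mod p and so generates the order-q subgroup).
    result["generator_ok"] = int(gen) != 2 or p % 24 == 11
    return result

# Constructed sample entries (tiny values, for illustration only):
# 0x3FB = 1019 = 2*509+1 is a safe prime; 0x3E9 = 1001 = 7*11*13 is composite.
SAMPLE_GOOD = "20050115083301 2 6 100 9 2 3FB"
SAMPLE_BAD = "20050115083301 2 6 100 9 2 3E9"
```

Run it over a real /etc/moduli line by line to see which entries still pass an independent check; a passing entry is still only "probably prime" to within the printed error bound.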