Liberating SSH from Logjam leftovers
IETF RFC writes out weak Diffie-Hellman
A recent Request for Comments at the Internet Engineering Task Force calls for SSH developers to deprecate 1,024-bit moduli.
RFC 8270 was authored by Mark Baushke (at Juniper Networks but working as an individual*) and Loganaden Velvindron (of Mauritian group Hackers.mu) in response to the 2015 Logjam bug.
Logjam, discovered by Johns Hopkins cryptoboffin Matthew Green, would let a state-level actor attack Diffie-Hellman cryptosystems using 1,024-bit primes.
The Logjam discovery was followed up by other researchers including NCC Group's David Wong, who in 2016 published a paper at IACR [PDF] demonstrating a practical way to put a backdoor in weak Diffie-Hellman systems.
Since then, Web browsers, the biggest risk vector for most of us, have dropped 1,024-bit support, but SSH clients and servers still exist that accept 1,024-bit groups in their negotiations.
The Velvindron and Baushke RFC also formalises what's taken place in the market, by updating RFC 4419 (which set down the old 1,024-bit minimum).
Getting there isn't so hard: clients and servers need to set a minimum of 2,048 bits in SSH_MSG_KEX_DH_GEX_REQUEST, and should be able to set 3,072 as their “preferred acceptable group” size. ®
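To make the negotiation above concrete, here is an added example (not from the article or the RFC authors) in Python that builds and parses the two RFC 4419 group-exchange messages involved and applies the RFC 8270 sizes as policy on both sides: the client's request carries min/preferred/max, the server picks a group size, and the client (or a passive audit of a captured handshake) checks the bit length of the modulus the server actually sent back. The moduli are constructed placeholders of a given bit length, not real DH groups, and the server selection rule is a simplified reading of RFC 4419's "smallest known group at least n bits, else the largest" guidance, with a 2,048-bit floor added per RFC 8270.

```python
import struct

# Message numbers from RFC 4419 (SSH Diffie-Hellman group exchange).
SSH_MSG_KEX_DH_GEX_REQUEST = 34   # client -> server: uint32 min, uint32 n, uint32 max
SSH_MSG_KEX_DH_GEX_GROUP = 31     # server -> client: mpint p, mpint g

# Sizes from RFC 8270: 2048-bit floor, 3072-bit preferred. 8192 is RFC 4419's upper bound.
MIN_BITS = 2048
PREFERRED_BITS = 3072
MAX_BITS = 8192


def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): uint32 length,
    then big-endian two's complement bytes; a leading 0x00 byte is added when
    the top bit would otherwise read as a sign bit."""
    if value < 0:
        raise ValueError("only non-negative mpints are needed here")
    if value == 0:
        return struct.pack(">I", 0)
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def decode_mpint(buf: bytes, offset: int):
    """Decode an mpint at buf[offset:]; return (value, offset_after)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated mpint")
    value = int.from_bytes(buf[offset:offset + length], "big", signed=True)
    return value, offset + length


def build_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """Client side: SSH_MSG_KEX_DH_GEX_REQUEST carrying min / preferred / max."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)


def parse_gex_request(msg: bytes) -> dict:
    """Server side: unpack the request and reject an inconsistent one."""
    msg_id, min_bits, n_bits, max_bits = struct.unpack(">BIII", msg)
    if msg_id != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a GEX_REQUEST message")
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("malformed request: need min <= n <= max")
    return {"min": min_bits, "n": n_bits, "max": max_bits}


def choose_group_size(req: dict, available_sizes):
    """Server side (simplified policy, an assumption of this example): never go
    below RFC 8270's floor even if the client asks for less; otherwise follow
    RFC 4419's rule of the smallest known group of at least n bits, else the
    largest acceptable one. Returns None when nothing fits, i.e. the server
    should refuse rather than fall back to a 1024-bit group."""
    floor = max(req["min"], MIN_BITS)
    candidates = sorted(s for s in available_sizes if floor <= s <= req["max"])
    if not candidates:
        return None
    at_least_n = [s for s in candidates if s >= req["n"]]
    return at_least_n[0] if at_least_n else candidates[-1]


def build_gex_group(p: int, g: int) -> bytes:
    """Server side: SSH_MSG_KEX_DH_GEX_GROUP carrying the chosen p and g."""
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)


def check_gex_group(msg: bytes, min_bits: int = MIN_BITS):
    """Client-side (or passive audit) check of the server's chosen group:
    returns (accepted, modulus_bits). Anything under min_bits is the
    Logjam-class weakness RFC 8270 deprecates."""
    if not msg or msg[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a GEX_GROUP message")
    p, off = decode_mpint(msg, 1)
    _g, off = decode_mpint(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after g")
    bits = p.bit_length()
    return bits >= min_bits, bits


def placeholder_modulus(bits: int) -> int:
    """Constructed odd number of exactly `bits` bits, for length checks only;
    NOT a prime and NOT a usable DH group."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    req = parse_gex_request(build_gex_request(MIN_BITS, PREFERRED_BITS, MAX_BITS))
    print("client asks:", req, "-> server picks", choose_group_size(req, [2048, 3072, 4096]))
    for bits in (1024, 2048, 3072):
        ok, n = check_gex_group(build_gex_group(placeholder_modulus(bits), 2))
        print(f"server offered {n}-bit modulus: {'accept' if ok else 'REJECT'}")
```

The check on the GROUP message is the one worth wiring into monitoring: the REQUEST only states what a client would like, while the modulus in the server's reply is what the session actually uses, so a 1,024-bit value there is the real finding regardless of how the request was phrased.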
*Correction: Mark Baushke got in touch to let the author know that "Juniper Networks fully funds all my work with the IETF including my work on the IETF Curdle Working Group where this particular RFC was chartered." ®