
Liberating SSH from Logjam leftovers

IETF RFC writes out weak Diffie-Hellman

A recent Request for Comments at the Internet Engineering Task Force calls for SSH developers to deprecate 1,024-bit moduli.

RFC 8270 was authored by Mark Baushke (at Juniper Networks but working as an individual*) and Loganaden Velvindron (of a Mauritian group), in response to demand for action after the 2015 Logjam bug.

Logjam, discovered by Johns Hopkins cryptoboffin Matthew Green, would let a state-level actor attack Diffie-Hellman cryptosystems using 1,024-bit primes.

The Logjam discovery was followed up by other researchers including NCC Group's David Wong, who in 2016 published a paper at IACR demonstrating a practical way to put a backdoor in weak Diffie-Hellman systems.

Since then, Web browsers, the biggest risk vector for most of us, have dropped 1,024-bit support, but SSH clients and servers that accept 1,024-bit groups in their negotiations still exist.

The Velvindron and Baushke RFC also formalises what's taken place in the market, by updating RFC 4419 (which set down the old 1,024-bit minimum).

Getting there isn't so hard: clients and servers need to set a minimum of 2,048 bits in SSH_MSG_KEY_DH_GEX_REQUEST, and should be able to set 3,072 bits as their “preferred acceptable group” size. ®
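As an added illustration (not code from the article, the RFC, or any SSH implementation), the script below builds and parses the group-exchange request described above using the RFC 4419 wire layout (one message-number byte followed by three big-endian uint32 fields: min, n, max) with the RFC 8270 values of 2,048 bits as the floor and 3,072 bits as the preferred size. It also shows a server-side selection policy, written here as an assumed example rather than any product's actual logic, that enforces its own 2,048-bit floor even when a legacy client asks for less. The constant name SSH_MSG_KEX_DH_GEX_REQUEST follows the IANA message registry entry for message 34; the article spells it SSH_MSG_KEY_DH_GEX_REQUEST.

```python
import struct

# Message number 34 in the SSH message registry (RFC 4419 group exchange request).
SSH_MSG_KEX_DH_GEX_REQUEST = 34

# RFC 8270 sizes: 2048-bit minimum, 3072-bit preferred; 8192 is a common upper bound
# (assumed here as the client's max, not mandated by the RFC).
MIN_BITS = 2048
PREFERRED_BITS = 3072
MAX_BITS = 8192

# Wire format per RFC 4419: byte message, uint32 min, uint32 n, uint32 max.
_GEX_REQUEST_FMT = "!BIII"
_GEX_REQUEST_LEN = struct.calcsize(_GEX_REQUEST_FMT)  # 13 bytes


def build_gex_request(min_bits=MIN_BITS, n_bits=PREFERRED_BITS, max_bits=MAX_BITS) -> bytes:
    """Encode a client group-exchange request with the RFC 8270 sizes by default."""
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("require min <= n <= max")
    return struct.pack(_GEX_REQUEST_FMT, SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)


def parse_gex_request(payload: bytes):
    """Decode a group-exchange request; returns (min, n, max) in bits."""
    if len(payload) != _GEX_REQUEST_LEN:
        raise ValueError("unexpected payload length %d" % len(payload))
    msg, min_bits, n_bits, max_bits = struct.unpack(_GEX_REQUEST_FMT, payload)
    if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a KEX_DH_GEX_REQUEST (message %d)" % msg)
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("malformed request: min <= n <= max violated")
    return min_bits, n_bits, max_bits


def is_legacy_request(payload: bytes) -> bool:
    """True when a client would still accept a group below the RFC 8270 floor.

    Useful as a detection signal: such clients are the ones Logjam-style
    downgrades target and should be upgraded.
    """
    min_bits, _, _ = parse_gex_request(payload)
    return min_bits < MIN_BITS


def choose_group(client_min, client_n, client_max, available_bits, server_floor=MIN_BITS):
    """Pick a group size for the server to offer (assumed policy, not a real implementation).

    The server never goes below its own floor, even if the client's min is lower.
    Within [floor, client_max] it prefers the smallest group of at least n bits,
    otherwise the largest acceptable group. Returns None if nothing qualifies.
    """
    floor = max(client_min, server_floor)
    candidates = sorted(b for b in available_bits if floor <= b <= client_max)
    if not candidates:
        return None
    at_least_n = [b for b in candidates if b >= client_n]
    return at_least_n[0] if at_least_n else candidates[-1]


if __name__ == "__main__":
    req = build_gex_request()
    print("request bytes:", req.hex())
    print("parsed:", parse_gex_request(req))
    # Constructed server group inventory (bit sizes only, no actual moduli).
    server_groups = [1024, 2048, 3072, 4096]
    print("RFC 8270 client gets:", choose_group(*parse_gex_request(req), server_groups))
    legacy = build_gex_request(1024, 1024, 8192)
    print("legacy client flagged:", is_legacy_request(legacy))
    print("legacy client gets:", choose_group(*parse_gex_request(legacy), server_groups))
```

Running the script shows the 13-byte request, the 3,072-bit group chosen for a compliant client, and that a client asking for 1,024-bit groups is both flagged and still handed a 2,048-bit group because the server floor, not the client's minimum, governs.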

*Correction: Mark Baushke got in touch to let the author know that "Juniper Networks fully funds all my work with the IETF including my work on the IETF Curdle Working Group where this particular RFC was chartered." ®
