]>
Increase minimum recommended modulus size to 2048 bits
Hackers.mu
88, Avenue De Plevitz
Roches Brunes

MU
+230 59762817
logan@hackers.mu
Juniper Networks, Inc.
mdb@juniper.net
General
Internet Engineering Task Force
The Diffie-Hellman (DH) Group Exchange for the Secure Shell (SSH)
Transport layer Protocol specifies that servers and clients
should support groups with a modulus length of k bits, where the
recommended minumum value is 1024 bits. Recent security research
has shown that a minimum value of 1024 bits is insufficient
against state-sponsored actors. As such, this document formally
updates the specification such that the minimum recommended value
for k is 2048 bits and the group size is 2048 bits at minimum.
This RFC updates RFC4419 which allowed for DH moduli less than
2048 bits.
specifies a recommended minimum size
of 1024 bits for k, which is the modulus length of the DH
Group. It also suggests that in all cases, the size of the
group needs be at least 1024 bits. This document updates
so that the minimum recommended size be
2048 bits.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as
described in RFC 2119.
Recent research strongly suggests
that DH groups that are 1024 bits can be broken by state
actors, and possibly an organization with enough computing
resources. The authors show how they are able to break 768
bits DH group and extrapolate the attack to 1024 bits DH
groups. In their analysis, they show that breaking 1024
bits can be done with enough computing resources. This
document updates section 3 Paragraph 9 : Servers and
clients SHOULD support groups with a modulus length of k
bits where 2048 <= k <= 8192. The recommended
minimum values for min and max are 2048 and 8192,
respectively. This document also updates Section 3
Paragraph 11: In all cases, ths size of the group SHOULD be
at least 2048 bits.
This document discusses security issues of DH groups that are
1024 bits in size, and formally updates the minimum size of DH
groups to be 2048 bits.
This document contains no considerations for IANA.
&RFC2119;
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
Univeristy of Michigan
INRIA Paris-Rocquencourt
Univeristy of Michigan
INRIA Nancy-Grand Est, CNRS, and UniversitÃ© de Lorraine
Johns Hopkins
Univeristy of Michigan
University of Pennsylvania
Univeristy of Michigan
INRIA Nancy-Grand Est, CNRS, and UniversitÃ© de Lorraine
University of Pennsylvania
Univeristy of Michigan
Univeristy of Michigan
Microsoft Research
Univeristy of Michigan
&RFC4419;