Re: [PATCH] Add support for diffie-hellman-group16-sha512

[Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>]

On Mon, 2018-09-10 at 17:26 +0200, Aris Adamantiadis wrote:
> Hi Anderson,
> 
> Thanks for your contribution. I am not particularly fond of hardcoded
> DH
> groups such as group14 or group16, especially since we have
> dh-group-exchange now. Is it needed to connect to some device that
> has group16 but doesn't have dh-gex

(replying also to the next mail from Andreas)
I think that supporting the dh-gex key exchange is not a good thing
today. Few years ago it may have looked like a good idea, but today the
general security directions are toward safe hard-coded groups which
require no verification from either party. The problem with arbitrary
parameters is that they are often delegated to be set by administrators
who have no idea about crypto or how to select a secure parameter.
Selecting good DH parameters is a problem that even people who know
crypto have a hard-time to answer. Even worse the protocols that
transmit parameters, transmit no information to the recipient in order
to verify their security (I know of TLS but I guess SSH is the same). 
As such I think supporting only hard-coded groups is a better strategy
for the future crypto-wise.

I'm not sure where the SSH protocol stands in that aspect, but IPSec
was always in the train of hard-coded params, and now also TLS (1.3 and
1.2 via RFC7919) have moved to hard-coded groups.

regards,
Nikos