]> More Modular Exponential (MODP) Diffie-Hellman Groups for SSH Juniper Networks, Inc.
1133 Innovation Way Sunnyvale CA 94089-1228 US +1 408 745 2952 mdb@juniper.net http://www.juniper.net/
Internet Engineering Task Force This document defines two added Modular Exponential (MODP) Groups for the Secure Shell (SSH) protocol. It also updates by specifying new RECOMMENDED and new OPTIONAL Diffie-Hellman key exchange algorithms using SHA-2 hashes.
Secure Shell (SSH) is a common protocol for secure communication on the Internet. In , SSH originally defined the Key Exchange Method Name diffie-hellman-group1-sha1 which used Oakley Group 1 (a MODP group with 768 bits) and SHA1 . Due to recent security concerns with SHA-1 and with MODP groups with less than 2048 bits implementors and users request support for larger MODP group sizes with data integrity verification using the SHA-2 family of secure hash algorithms as well as MODP groups providing more security. Please send comments on this draft to ietf-ssh@NetBSD.org.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
This memo adopts the style and conventions of in specifying how the use of new data key exchange is indicated in SSH.
The following new key exchange algorithms are defined: Key Exchange Method Name Note diffie-hellman-group1-sha1 NOT RECOMMENDED diffie-hellman-group14-sha256 RECOMMENDED diffie-hellman-group15-sha256 RECOMMENDED diffie-hellman-group16-sha256 OPTIONAL
The SHA-2 family of secure hash algorithms are defined in . The method of key exchange used for the name "diffie-hellman-group14-sha256" is the same as that for "diffie-hellman-group14-sha1" escept that the SHA2-256 hash algorith is used. The group15 and group16 names are the same as those specified in as 3072-bit MODP Group 14 and 4096-bit MODP Group 15.
This document augments the Key Exchange Method Names in .
IANA is requested to update the SSH algorithm registry with the following entries: Key Exchange Method Name Reference Note diffie-hellman-group1-sha1 RFC4253 NOT RECOMMENDED diffie-hellman-group14-sha256 This draft RECOMMENDED diffie-hellman-group15-sha256 This draft RECOMMENDED diffie-hellman-group16-sha256 This draft OPTIONAL
The security considerations of apply to this document. The security considerations of suggest that these MODP groups have security strengths given in this table.
Group modulus security strength estimates +--------+----------+---------------------+---------------------+ | Group | Modulus | Strength Estimate 1 | Strength Estimate 2 | | | +----------+----------+----------+----------+ | | | | exponent | | exponent | | | | in bits | size | in bits | size | +--------+----------+----------+----------+----------+----------+ | 14 | 2048-bit | 110 | 220- | 160 | 320- | | 15 | 3072-bit | 130 | 260- | 210 | 420- | | 16 | 4096-bit | 150 | 300- | 240 | 480- | +--------+----------+---------------------+---------------------+
Many users seem to be interested in the perceived safety of using the SHA2-based algorithms for hashing.
&RFC2119; &RFC3526; &RFC4253; Secure Hash Standard (SHS) National Institute of Standards and Technology &RFC2409; &RFC3174; &RFC6194; Transitions: Recommendation for the Transitioning of the Use of Cryptographic Algorithms and Key Lengths