Also see: http://www.openbsd.org/58.html
Search that page for 1024 (two occurrences).

On 17 October 2015 at 14:03, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2015-10-17, <22xtrv+f800c4addk...@guerrillamail.com> <22xtrv+f800c4addk...@guerrillamail.com> wrote:
> > According to
> > https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
> >
> > "Since a handful of primes are so widely reused, the payoff, in
> > terms of connections they could decrypt, would be enormous. Breaking a single,
> > common 1024-bit prime would allow NSA to passively decrypt connections to
> > two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a
> > second 1024-bit prime would allow passive eavesdropping on connections to
> > nearly 20% of the top million HTTPS websites. In other words, a one-time
> > investment in massive computation would make it possible to eavesdrop on
> > trillions of encrypted connections."
> >
> > How is the prime set up for DH in OpenSSH and is that something a user can change?
>
> See moduli(5), 'MODULI GENERATION' in ssh-keygen(1) and the script/Makefile
> in /usr/src/usr.bin/ssh/moduli-gen. You can build your own.
>
> The distributed file is updated from time to time (recently it's been at least
> once per release, sometimes more often). It's included in baseXX.tgz so local
> changes get overwritten when you update.
>
> These are used for 'diffie-hellman-group-exchange-sha1' and ...-sha256
> (RFC4419); there are also options with fixed moduli (diffie-hellman-group1-sha1
> and ...-group14-sha1). In recent code, the -group1 one is now disabled by
> default both client- and server-side. Also the fixed-group ones are
> blacklisted on the server for clients known to support RFC4419. And the
> shorter moduli have been removed from the distributed file.
>
> See also
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/thread.html#33892
> - but that's 5 months old, the code has moved on.
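A practical follow-up to the moduli(5) discussion above, added here as an example that is not from this thread or from OpenSSH itself: it checks which group sizes a moduli file still offers and prunes the short ones. The sample file is constructed (placeholder hex, not real primes); the function names are my own, and the ssh-keygen invocations in the comments are the two-step generation documented under 'MODULI GENERATION' in ssh-keygen(1) of that era.

```shell
#!/bin/sh
# moduli(5) entries are: time type tests tries size generator modulus(hex).
# Field 5 is the prime's size in bits; the distributed files list e.g.
# 1023, 2047, 3071 for the 1024-, 2048- and 3072-bit groups.
#
# To build your own entries instead of relying on the distributed file
# (ssh-keygen(1), 'MODULI GENERATION'; screening takes a long time):
#   ssh-keygen -G moduli-2048.candidates -b 2048
#   ssh-keygen -T moduli-2048 -f moduli-2048.candidates

# Constructed sample moduli file (placeholder values, not real primes).
SAMPLE_MODULI="${TMPDIR:-/tmp}/moduli.sample.$$"
cat > "$SAMPLE_MODULI" <<'EOF'
# constructed sample, not a real moduli file
20151017140300 2 6 100 1023 2 FFFFFFFFC90FDAA2
20151017140301 2 6 100 2047 2 FFFFFFFFC90FDAA3
20151017140302 2 6 100 3071 5 FFFFFFFFC90FDAA5
20151017140303 2 6 100 4095 2 FFFFFFFFC90FDAA7
EOF

# Number of group entries (non-comment lines) in the moduli file $1.
count_entries() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# Smallest group size (field 5) present in the moduli file $1.
# If this prints 1023, the file still offers 1024-bit groups.
min_group_bits() {
    awk '!/^#/ && NF >= 7 { if (min == "" || $5 + 0 < min + 0) min = $5 }
         END { print min }' "$1"
}

# Print the moduli file $2 with every entry smaller than $1 bits dropped;
# comment lines are kept so the result is still a valid moduli(5) file.
filter_moduli() {
    awk -v min="$1" '/^#/ { print; next }
                     NF >= 7 && $5 + 0 >= min + 0 { print }' "$2"
}

# Usage: keep only 2048-bit and larger groups in a pruned copy.
filter_moduli 2047 "$SAMPLE_MODULI" > "$SAMPLE_MODULI.pruned"
echo "smallest group before: $(min_group_bits "$SAMPLE_MODULI") bits"
echo "smallest group after:  $(min_group_bits "$SAMPLE_MODULI.pruned") bits"
```

Run the same functions against /etc/moduli to see what a given release actually ships; remember that, as the reply notes, a base set upgrade overwrites local edits to that file.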