Re: RFC7919 Diffie-Hellman parameters in Fedora

On 23.08.20 04:26, Kevin Kofler wrote: Good point, that's a thorny issue in general. I have, of course, not way to disprove that, but those parameters are not just some random magic numbers, they're derived from a public, defined & simple [1] formula, using as far as possible common constants with no known relation to the DHE problem. This is no different than the process that gives us Ed25519 [2], although admittedly that one is more extensively explained in the relevant RFC. There are mathematical ways of looking for trapdoors, and having the method that created the number known makes such analysis feasable. In the ideal case, (1) server operator A generates & validates & uses safe parameters, and (2) user B knows & trusts A to have done so. However, in general while (1) might well be true, but (2) usually isn't. So the tradeoff is 'unvetted but secret' vs. 'highly vetted but known to the NSA'. There's probably no good answer here (other than not using FFDHE, of course), but I think given that Fedora by default also uses the potentially-NSA-tainted NIST curves & TLSv3 with FFDHE, encouraging use of RFC7919 generally removes some potential security issues while not introducing attack vectors that we already deem not significant (in default configurations - what anyone deems significant for their own system is of course entirely their business). Christopher [1] for a given definition of simple - RFC7919 primes are defined as p = 2^b - 2^{b-64} + (floor(2^{b-130}*e)+X) * 2^64 - 1 where b is the bitsize and X is the smallest integer that creates a safe prime. [2] https://tools.ietf.org/html/rfc7748#appendix-A There's some discussion of the general problem of validating DHE parameters here: [3] https://eprint.iacr.org/2019/032.pdf