SSH Agent keys >4096 bit?

Hubert Kario hka at qbs.com.pl
Sun May 6 01:42:13 CEST 2012


On Saturday 05 of May 2012 20:03:04 Peter Lebbing wrote:
> On 05/05/12 15:49, Hubert Kario wrote:
> > As far as I know, OpenSSH uses DH parameters of the same size as the RSA
> > keys: for 8k DH you need 8k RSA or (which is unmaintainable) manually
> > force use of 8k DH.
> 
> Okay, going out on a limb here, since all that I say is conjecture.
> Actually consulting the SSH RFCs seems like too much work, or seems too
> much like work :).
>
> I think it's rather the case that the size of the DH parameters is
> proportional to the keysize of the symmetric algorithm used to secure
> the SSH session, because the DH params are used to compute the session
> key. So you are right that the DH params are proportional in size to a
> key used, but you've confused the keys, asymmetric vs symmetric. That
> way it makes sense to me.

The secret being exchanged is, of course, the random session key. Its size is
related to the size of the subgroup in DH. But it's the size of the prime used
that sets the security level, which just happens to share security evaluation
with RSA as far as the number of bits is concerned (IOW: n-bit DH is considered
to be as hard to attack as n-bit RSA).

> If I look at the debug messages emitted by the OpenSSH client, I'm under
> the impression that key exchange is already completed before
> authentication with RSA starts.

DH without authentication is useless (trivial to MITM). You need to
authenticate the DH params you receive from the other party before you do
anything with them.

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
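
The point about authenticating DH values, as an added example that is not part of the original message: a toy key exchange in which the server signs a hash over both DH public values and the shared secret, and the client accepts the secret only if a pinned host key verifies that signature. All parameters, key sizes and function names are constructed for illustration (textbook RSA, a Mersenne-prime group); this is not OpenSSH's code.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small/structured for real use.
P, G = 2**521 - 1, 3                          # DH modulus (Mersenne prime) and generator
E = 65537

def make_host_key(p, q):
    """Textbook RSA key pair from two primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

HOST_N, HOST_D = make_host_key(2**127 - 1, 2**107 - 1)    # the server's real host key
OTHER_N, OTHER_D = make_host_key(2**89 - 1, 2**61 - 1)    # a key the client never pinned

def exchange_hash(n, e, f, k):
    """H binds the host key, both DH public values and the shared secret K."""
    data = "|".join(map(str, (n, E, e, f, k))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def client_start():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def server_reply(e, n=HOST_N, d=HOST_D):
    """Server: choose y, compute f and K, sign H with the host private key."""
    y = secrets.randbelow(P - 3) + 2
    f, k = pow(G, y, P), pow(e, y, P)
    return f, pow(exchange_hash(n, e, f, k), d, n), k

def client_finish(x, e, f, sig, pinned_n=HOST_N):
    """Client: derive K, then accept it only if the pinned host key signed this exchange."""
    k = pow(f, x, P)
    if pow(sig, E, pinned_n) != exchange_hash(pinned_n, e, f, k):
        raise ValueError("signature does not authenticate these DH values")
    return k

def run(tamper=None):
    """Return True if the client accepts the exchange, False if verification rejects it."""
    x, e = client_start()
    if tamper == "other_key":                 # peer signs with a key the client does not trust
        f, sig, k_srv = server_reply(e, OTHER_N, OTHER_D)
    else:
        f, sig, k_srv = server_reply(e)
    if tamper == "swap_f":                    # DH value altered in transit, signature forwarded
        f = pow(G, 5, P)
    try:
        return client_finish(x, e, f, sig) == k_srv
    except ValueError:
        return False
```

`run()` returns True for an untouched exchange; `run("swap_f")` and `run("other_key")` return False because the signature check fails before the derived secret is used.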


