cc @FiloSottile @hanwen

const numMRTests = 64 seems excessive to me. Even if we want to use Miller-Rabin for the safety checks, 40 rounds seem more than enough. But we could also use ProbablyPrime(0), which skips Miller-Rabin and only does Baillie–PSW. There are no known composite numbers that pass the test.

How slow it is with 1) numMRTests = 40 2) numMRTests = 0 (only Baillie–PSW)?

Here are the timings for 40 rounds:
256 byte prime: 563 ms
512 byte prime: 27 seconds

And for 0 rounds (only Baillie–PSW):
256 byte prime: 47 ms
512 byte prime: 1.8 seconds

Based on these results, it seems that removing Miller-Rabin entirely is the way to go. Although, even with that optimization, the primality check still accounts for about 50% of the total time spent in ssh.Dial when using a 512 byte prime (1.8 seconds out of 3.6 seconds).

It does sounds like just running Baillie-PSW would be acceptable per https://eprint.iacr.org/2018/749.pdf.

How does OpenSSH handle this? Do they just let the peer pick a potentially composite number?

This is why this KEX is not enabled by default and why I was opposed to implementing it, FWIW. Negotiating parameteres requires uncomfortable performance/security tradeoffs.

I have stepped down as a maintainer for go ssh.

If you care about performance, I would suggest to not use the group exchange. Both ECDH and Ed25519 are much faster.

the group exchange was suggested as a mitigation of logjam attacks, which affect 1024-bit (ie. 128byte) pre-agreed primes, because it costs "only" hundreds of millions dollars to calculate the discrete log for 1024 bit primes.

What application both requires the advanced security that humongous 512 byte primes bring, but also cannot upgrade to a stronger set of algorithms?

I have stepped down as a maintainer for go ssh.

@hanwen Thanks for letting me know. FYI https://dev.golang.org/owners still lists you as the primary maintainer of crypto/ssh. We may want to amend the document.

What application both requires the advanced security that humongous 512 byte primes bring, but also cannot upgrade to a stronger set of algorithms?

We're trying to connect to a third-party server that only advertises this key exchange.

How does OpenSSH handle this? Do they just let the peer pick a potentially composite number?

It appears so, yes. There's no mention of primality testing in the OpenSSH key exchange logic, as far as I can tell. Here's the link, if anyone wants to verify: https://github.com/openssh/openssh-portable/blob/master/kexgexc.c

I suppose that any meaningful attack would have to be a MitM, and if the host key signature is over a decent transcript, it might not be possible to change parameters. I don't know enough about the protocol to say that for sure, so it would help if someone could hack an SSH server to send a composite "prime" and check that OpenSSH will connect to it.

Maybe these parameters https://go.googlesource.com/crypto/+/5c72a883971a4325f8c62bf07b6d38c20ea47a6a/ssh/kex.go#563 should be softcoded? Or the upper bound could be set at 2048 bits too? Or something more conservative, eg. 3072 bits?

I'll send a change for the owners file.

Per @FiloSottile's suggestion, I updated the /etc/ssh/moduli file used by OpenSSH to only contain a single "prime" that's the product of two random numbers, and is therefore guaranteed to be composite.

I ran Wireshark while opening a connection with the OpenSSH client from another machine, and was able to observe the fake prime I added being exchanged as part of the DH handshake. No errors or warnings were returned, which supports the idea that OpenSSH does not do any primality testing as part of DH handshakes.

If the primality check is changed to only use Baillie–PSW, then the handshake will be more secure than the OpenSSH implementation, while incurring only a minimal performance penalty.

My intuition is that the check is not necessary, and OpenSSH seems to agree, so we might as well bypass the trade-off discussion and the "Baillie-PSW pseudoprimes exist but have not been found" fragility and drop the check.

I think that makes sense as well. I'll submit that change.

Change https://golang.org/cl/252337 mentions this issue: x/crypto/ssh: improve Diffie-Hellman performance for large keys

Can I suggest keeping a couple rounds of Miller-Rabin?
Even just having 1 round would be a significant belt-and-suspenders for BPSW at minimal cost.

BPSW is a round of MR and a Lucas test. Do you mean extra rounds of MR?

Honestly I'm kind of convinced to just drop the whole check. If we can just not play the game of adversarial primalty testing, we shouldn't, and OpenSSH seems convinced we can.

If dropping the primality check entirely is OK for the protocol, then that's fine.

If the check is kept, I'd rather see ProbablyPrime(1) than ProbablyPrime(0).
The whole point of Miller-Rabin is the random base.
BPSW's check hard-codes base 2, making it not really Miller-Rabin at all.
For a random base instead of a fixed base, the chance of eluding detection
with even a single round is very low, much lower than the 1/4 used in the standard proof,
making the single round worth its cost as a backstop for BPSW alone.
But again, if the entire check can be dropped, that's fine.