Recent research demonstrates that at least for 1024-bit DH groups, it is
possible to create specially crafted primes having a backdoor. From the
prime itself this is not detectable, creating a perfect NOBUS attack.
http://eprint.iacr.org/2016/961
For the primes defined in RFC 5114 no information is provided on how these
have been selected. In the default proposal we included one of the 2048-bit
primes only, where it is questionable if constructing a backdoored prime is
feasible. Nevertheless, this patch removes the group from the set of default
proposals as well.
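The commit message contrasts primes with no published derivation (RFC 5114) against the ones strongSwan keeps in its default proposal (the RFC 2409 / RFC 3526 MODP groups). The difference is checkable: the RFC 2409/3526 primes are built from the binary expansion of pi by a published formula, so anyone can regenerate them and confirm they are safe primes. The following Python is an added example, not code from this commit or from strongSwan; it regenerates the 1024-bit (group 2) and 2048-bit (group 14) MODP primes from the formula p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c) with the constants published in those RFCs, and checks the structural properties the RFCs specify (top and bottom 64 bits all set, p and (p-1)/2 prime). The Miller-Rabin seed and round count are arbitrary choices for reproducibility. No equivalent check exists for the RFC 5114 primes, because no generation procedure was published for them.

```python
# Added example (not part of the strongSwan commit): regenerate the RFC 2409 /
# RFC 3526 "nothing up my sleeve" MODP primes from their published pi-based
# formula and verify they are safe primes.
import random


def atan_inv(x, bits):
    """floor(atan(1/x) * 2^bits) via the Gregory series, integers only."""
    power = (1 << bits) // x          # (1/x)^(2k+1) scaled by 2^bits
    total = power
    x2 = x * x
    k = 1
    while power:
        power //= x2
        term = power // (2 * k + 1)
        total += -term if k % 2 else term
        k += 1
    return total


def pi_scaled(bits, guard=64):
    """floor(pi * 2^bits) using Machin's formula, with `guard` extra bits
    so the truncation error of the series cannot reach the result."""
    b = bits + guard
    pi_b = 16 * atan_inv(5, b) - 4 * atan_inv(239, b)
    return pi_b >> guard


def modp_prime(n, c):
    """RFC 2409 / RFC 3526 construction of the n-bit MODP prime with offset c:
    p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + c )"""
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_scaled(n - 130) + c)


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with a fixed seed (arbitrary choice, for reproducibility)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(2016961)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime is a prime p with (p-1)/2 also prime (no small subgroups
    beyond {1, p-1}), which is what the RFC 2409/3526 groups guarantee."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


# Published offsets c: RFC 2409 group 2 (1024-bit), RFC 3526 group 14 (2048-bit).
MODP_GROUPS = {1024: 129093, 2048: 124476}


def check_group(n):
    """Regenerate the n-bit group prime and report the properties the RFCs claim."""
    p = modp_prime(n, MODP_GROUPS[n])
    ones64 = (1 << 64) - 1
    return {
        "bits": p.bit_length(),
        "top64_ones": (p >> (n - 64)) == ones64,
        "low64_ones": (p & ones64) == ones64,
        "safe_prime": is_safe_prime(p),
    }


if __name__ == "__main__":
    for n in sorted(MODP_GROUPS):
        print(n, check_group(n))
```

Running it takes about a second; every field should come back True with the exact bit length, which is precisely the kind of public audit trail the RFC 5114 primes lack.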
case MODP_768_BIT:
/* weak */
break;
+ case MODP_1024_160:
case MODP_2048_224:
+ case MODP_2048_256:
+ /* RFC 5114 primes are of questionable source */
+ break;
case MODP_1536_BIT:
- case MODP_1024_160:
case ECP_224_BIT:
case ECP_224_BP:
case ECP_192_BIT:
/* rarely used */
break;
case MODP_2048_BIT:
- case MODP_2048_256:
case MODP_1024_BIT:
add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
break;
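Review bot: The new comment `/* RFC 5114 primes are of questionable source */` should point at the reason so nobody re-enables the groups later, e.g. `/* RFC 5114 primes have no published derivation, see eprint 2016/961 */`. Two further points on this hunk: only MODP_2048_256 actually leaves the default proposal; MODP_1024_160 and MODP_2048_224 were already excluded under the "rarely used" label and are merely reclassified, which the commit message should say explicitly. And MODP_1024_BIT stays in the add_algorithm branch alongside MODP_2048_BIT even though the cited research targets 1024-bit groups; a one-line comment that this group's prime (RFC 2409 group 2) is derived from pi by a published formula, unlike the RFC 5114 primes, would make clear why it is treated differently.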