[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: Diffie Hellman size?
From: |
Simon Josefsson |
Subject: |
[Help-gnutls] Re: Diffie Hellman size? |
Date: |
Tue, 15 Apr 2008 11:23:46 +0200 |
User-agent: |
Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) |
FYI,
I asked Peter Gutmann about this, who recently posted some mathematical
limits he used in:
http://permalink.gmane.org/gmane.ietf.smime/6175
His response is below. So there seems to be good reasons why we
shouldn't allow too small DH prime modulus. Although I'd prefer if this
were a bit better documented.
/Simon
From: address@hidden (Peter Gutmann)
Subject: Re: On D-H prime modulus sizes in TLS
To: address@hidden
Date: Tue, 15 Apr 2008 20:11:37 +1200
Hi,
>Thanks for providing those limits.
You're welcome, and if you have any more please let me know - it costs almost
nothing at key load since it's done only once, but can save a lot of headaches
later.
>Do you also have limits on the size of DH parameters in TLS?
>
>In GNUTLS we currently check if the prime modulus size is smaller than 712
>bits, and apparently there are some servers that trigger this check:
>
>http://thread.gmane.org/gmane.network.gnutls.general/1158
>
>I have not found any useful references that discuss D-H prime modulus sizes
>in TLS. I'm not sure if the table in section 8 of RFC 3526 applies. If it
>does, and if <= 712 bit sizes are used widely, it seems somewhat bad.
I use the same limits for DH as I do for RSA and DSA. While the strength of
RSA and DH (or in general DLP-based PKCs) isn't really comparable, it is for
DSA and DH, so requiring DSA to be >= 1024 bits but allowing DH down to 700
bits doesn't seem wise. Standards for DLP-based keys like FIPS 186 now
require at least 1024-bit keys, so there's a good case for not allowing such
short keys: it's a hard limit, you can't even get a product accepted for FIPS
testing if you have keys shorter than 1024 bits.
Peter.