RE: [TLS] Short Ephemeral Diffie-Hellman keys
Mike wrote:
> This is probably the result of an administrator not wanting to
> wait the extra 30 seconds to generate a strong key. If the
> server is set up to generate a key on startup, it may not start
> listening for connections until it has completed the task.
Generating a 1024-bit DH key on a modern PC takes less
than 30 _milli_seconds, so I doubt this is the real reason
(unless the implementation is really, really stupid).
> I recall (hopefully correctly) that a 1536 bit D-H key provides
> the equivalent of about 90-120 bits of security. I would guess
> that a 512-bit or 256-bit key is down in the EXPORT category of
> security. This is a terrible trend.
RFC 3766 puts 1536 bit DH at around 90 bits. Factoring a 256-bit
number on a single PC takes only a couple of hours, so if discrete
logs are approximately the same difficulty, 256-bit DH would
be even less secure than the old EXPORT ciphersuites.
Best regards,
Pasi
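The two posts above talk past each other on what "generating a key" costs, and the distinction matters for why short groups turn up in deployments. The slow step is finding the group parameters (a safe prime p = 2q + 1), which is a search over many candidates, each needing primality tests; the per-handshake ephemeral key is one random exponent and one modular exponentiation. The following is an added illustration, not code from this thread or from any TLS implementation: it uses plain Python integers and a Miller-Rabin test in place of a crypto library (an assumption), a 256-bit private exponent (also an assumption, since the thread does not discuss exponent length), and makes the group size a parameter so the two costs can be timed side by side on any machine.

```python
"""Added illustration: which Diffie-Hellman step is slow.

Assumptions (not from the mailing-list thread):
  * pure-Python Miller-Rabin stands in for a TLS library's primality test;
  * private exponents are 256 bits, a common shortcut for large groups;
  * the group generator is g = 2 and only a range check is done on the
    peer's public value (0, 1 and p-1 are rejected).
"""
import secrets
import time

# Odd primes below 2000, used to sieve candidates before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness of compositeness
    return True


def generate_safe_prime(bits):
    """The expensive step: search for p = 2q + 1 with q and p prime, p exactly `bits` long."""
    if bits < 16:
        raise ValueError("use at least 16 bits so the sieve never discards q itself")
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * q + 1
        if any(q % sp == 0 or p % sp == 0 for sp in SMALL_PRIMES):
            continue                              # cheap rejection of most candidates
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q


def ephemeral_keypair(p, g=2, exponent_bits=256):
    """The per-handshake cost: one random exponent and one modular exponentiation."""
    x = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1))
    return x, pow(g, x, p)


def shared_secret(peer_public, my_private, p):
    """Reject the degenerate public values 0, 1 and p-1 before exponentiating."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, my_private, p)


def timed(fn, *args):
    """Return (result, elapsed milliseconds)."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, (time.perf_counter() - t0) * 1000.0


def compare_costs(bits=512):
    """Time parameter generation against one ephemeral key for a `bits`-bit group."""
    (p, q), params_ms = timed(generate_safe_prime, bits)
    (a, pub_a), key_ms = timed(ephemeral_keypair, p)
    b, pub_b = ephemeral_keypair(p)
    if shared_secret(pub_b, a, p) != shared_secret(pub_a, b, p):
        raise RuntimeError("key agreement failed")
    return {"bits": bits, "params_ms": params_ms, "keygen_ms": key_ms}


if __name__ == "__main__":
    # A 1024-bit safe-prime search takes seconds in pure Python; the key itself does not.
    for size in (512, 1024):
        r = compare_costs(size)
        print(f"{r['bits']}-bit group: parameters {r['params_ms']:.0f} ms, "
              f"one ephemeral key {r['keygen_ms']:.2f} ms")
```

Run it as a script to see the gap on your own machine: the parameter search dominates and grows quickly with the group size, while the ephemeral key stays at a single `pow()` call. An administrator who conflates the two and shrinks the modulus to make startup faster is shaving the wrong cost: parameters can be generated once, offline, or taken from a published group, and the per-connection work is unaffected by that choice.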
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.