Re: [TLS] Short Ephermal Diffie-Hellman keys

[Bodo Moeller <bmoeller at acm.org>]

On Mon, May 14, 2007 at 11:46:58AM -0700, Nelson B Bolyard wrote:
> Yngve N. Pettersen (Developer Opera Software ASA) wrote:

>> I have recently started to see an increasing number of reports about  
>> SSL/TLS servers using short Ephermal Diffie-Hellman keys, in some cases  
>> very short ones.
>> 
>> Opera's SSL/TLS client will display warnings to users if the server is  
>> using RSA/DH/DSA keys shorter than (currently) 900 bits. 

> Do you mean the length of the public value?  or the length of the prime P?
> 
> Do you really wish to disallow public values that are low numeric values
> even when the prime P is adequately large?

While this really is about the prime P and not the public value, it
wouldn't be wrong to disallow small public values.  In practice the
public value won't be too much shorter than the public value unless
something weird (and presumably insecure) is going on.

It's only shorter secret values (DH exponents) that can be used in a
secure way.  But then the client coudn't easily reject these anyway.

Bodo


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls