[gnutls-devel] Bug#750094: Misleading warning

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 4 17:50:15 CEST 2014


On 06/04/2014 03:30 AM, Nikos Mavrogiannopoulos wrote:
> I agree with your points. In fact the current warning was setup to
> cover (0). There could be another warning for (1), but gnutls-cli
> prints the size of the prime anyway if DHE is negotiated so I'm not
> sure how much another warning would help.

I was thinking it'd be useful in that a warning is distinct from a
routine printout.  people with their own sense of what a threshhold
should be can work from the routine information; but if we're providing
a distinct warning, it would be for people who aren't making those kinds
of decisions explicitly.

> I've put that warning once I saw people arguing in various fora to set
> dh-bits less than 256 bits in order to improve compatibility. Indeed
> 513 is not much more secure, and the warning could be changed to less
> than 700 or so.

yeah, choosing a threshhold is hard, and probably would need to change
over time, but at the moment, we have some concrete recommendations we
can use.

For example, ECRYPT II's 2011-2012 report suggests on page 30 that
defense against just small/medium organizations to preserve
confidentiality for a few months should be around 70 bits
(symmetric-equivalent), which means a DLOG group a bit below 1024 bits.
 We could even use the ECRYPT language in the warning.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140604/cca92dc1/attachment.sig>


More information about the Gnutls-devel mailing list