[Help-gnutls] Re: Diffie Hellman size?

Simon Josefsson simon at josefsson.org
Tue Apr 15 09:54:14 CEST 2008


Simon Josefsson <simon at josefsson.org> writes:

>> Is it ok to reduce the required length, or does this have security
>> implications?
>
> I can't seem to find a good reference for this.  RFC 4419 seems to
> suggest 1024 bits for SSH, but it is not clear if the same
> considerations apply to TLS.  RFC 3766 is rather vague, but suggests
> that 2*K should be ok, where K is the needed symmetric key size.  From
> that 512 bits would be ok, but that makes me confused why RFC 4419
> requires more.  It would be nice to have a better answer for your
> question.

I found a table in RFC 3526:

   This document describes new stronger groups to be used in IKE.  The
   strengths of the groups defined here are always estimates and there
   are as many methods to estimate them as there are cryptographers.
   For the strength estimates below we took the both ends of the scale
   so the actual strength estimate is likely between the two numbers
   given here.

   +--------+----------+---------------------+---------------------+
   | Group  | Modulus  | Strength Estimate 1 | Strength Estimate 2 |
   |        |          +----------+----------+----------+----------+
   |        |          |          | exponent |          | exponent |
   |        |          | in bits  | size     | in bits  | size     |
   +--------+----------+----------+----------+----------+----------+
   |   5    | 1536-bit |       90 |     180- |      120 |     240- |
   |  14    | 2048-bit |      110 |     220- |      160 |     320- |
   |  15    | 3072-bit |      130 |     260- |      210 |     420- |
   |  16    | 4096-bit |      150 |     300- |      240 |     480- |
   |  17    | 6144-bit |      170 |     340- |      270 |     540- |
   |  18    | 8192-bit |      190 |     380- |      310 |     620- |
   +--------+----------+---------------------+---------------------+

Which would suggest a DH prime modulus of size 512 would definitely be
sub-standard today.  Again, my reservation about how much of these
non-TLS discussions applies to TLS remains.

Do you know a live server that uses such small parameters?  I'm curious
what kind of software is involved.

/Simon
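The practical way to answer the "which servers use this small a modulus" question is to look at the DH parameters a server actually sends. Below is an added example (not part of this thread and not GnuTLS code) that parses the ServerDHParams structure a TLS server puts in its ServerKeyExchange message (RFC 5246 section 7.4.3: dh_p, dh_g and dh_Ys, each a 2-byte-length-prefixed opaque field), measures the modulus size, and maps it onto the RFC 3526 strength estimates quoted above. The sample 512-bit modulus is a constructed placeholder (not a prime), the minimum of 1536 bits is simply the smallest group in the quoted table and is an assumption for the policy, and the functions `parse_server_dh_params`, `assess_dh_modulus` and `audit_server_dh_params` are names chosen for this example.

```python
import struct

# Strength estimates copied from the RFC 3526 table quoted in the thread:
# modulus size in bits -> (estimate 1, estimate 2), both in symmetric-key bits.
RFC3526_STRENGTH = {
    1536: (90, 120),
    2048: (110, 160),
    3072: (130, 210),
    4096: (150, 240),
    6144: (170, 270),
    8192: (190, 310),
}


def parse_server_dh_params(blob: bytes):
    """Parse TLS ServerDHParams (RFC 5246 7.4.3) from the start of `blob`.

    Layout: three opaque<1..2^16-1> fields (dh_p, dh_g, dh_Ys), each prefixed
    with a 2-byte big-endian length.  Returns (p, g, Ys, bytes_consumed); the
    caller may have a signature following the params, so trailing data is
    left alone rather than rejected.
    """
    values = []
    off = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(blob):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", blob, off)
        off += 2
        if length == 0 or off + length > len(blob):
            raise ValueError(f"bad length {length} for {name}")
        values.append(int.from_bytes(blob[off:off + length], "big"))
        off += length
    p, g, ys = values
    return p, g, ys, off


def assess_dh_modulus(bits: int, minimum: int = 1536):
    """Return (verdict, estimate): verdict is "weak" below `minimum` bits,
    estimate is the RFC 3526 range for the largest tabulated modulus not
    exceeding `bits`, or None if the modulus is smaller than every entry."""
    estimate = None
    for size in sorted(RFC3526_STRENGTH):
        if bits >= size:
            estimate = RFC3526_STRENGTH[size]
    verdict = "ok" if bits >= minimum else "weak"
    return verdict, estimate


def audit_server_dh_params(blob: bytes, minimum: int = 1536) -> dict:
    """Parse a ServerDHParams blob and report the modulus size and verdict."""
    p, g, ys, _ = parse_server_dh_params(blob)
    bits = p.bit_length()
    verdict, estimate = assess_dh_modulus(bits, minimum)
    return {"modulus_bits": bits, "generator": g, "verdict": verdict,
            "strength_estimate": estimate, "public_value_bits": ys.bit_length()}


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample: a 512-bit odd number with its top bit set standing in
# for dh_p.  It is NOT a real prime; only its size matters for this check.
SAMPLE_P_512 = (1 << 511) | int.from_bytes(bytes(range(64)), "big") | 1
SAMPLE_YS = (1 << 500) + 12345          # constructed public value, below p
SAMPLE_BLOB = build_server_dh_params(SAMPLE_P_512, 2, SAMPLE_YS)

if __name__ == "__main__":
    print(audit_server_dh_params(SAMPLE_BLOB))
```

In a real deployment the blob would come from the ServerKeyExchange body of a captured handshake (after the 4-byte handshake header); the parser deliberately returns how many bytes it consumed so the signature that follows the parameters can be handled separately. The verdict threshold is policy, not a fact the RFCs settle, which is exactly the uncertainty discussed above.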