[Help-gnutls] Re: Diffie Hellman size?
Simon Josefsson
simon at josefsson.org
Tue Apr 15 11:23:46 CEST 2008
FYI,
I asked Peter Gutmann about this, who recently posted some mathematical
limits he used in:
http://permalink.gmane.org/gmane.ietf.smime/6175
His response is below. So there seems to be good reasons why we
shouldn't allow too small DH prime modulus. Although I'd prefer if this
were a bit better documented.
/Simon
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Subject: Re: On D-H prime modulus sizes in TLS
To: simon at josefsson.org
Date: Tue, 15 Apr 2008 20:11:37 +1200
Hi,
>Thanks for providing those limits.
You're welcome, and if you have any more please let me know - it costs almost
nothing at key load since it's done only once, but can save a lot of headaches
later.
>Do you also have limits on the size of DH parameters in TLS?
>
>In GNUTLS we currently check if the prime modulus size is smaller than 712
>bits, and apparently there are some servers that trigger this check:
>
>http://thread.gmane.org/gmane.network.gnutls.general/1158
>
>I have not found any useful references that discuss D-H prime modulus sizes
>in TLS. I'm not sure if the table in section 8 of RFC 3526 applies. If it
>does, and if <= 712 bit sizes are used widely, it seems somewhat bad.
I use the same limits for DH as I do for RSA and DSA. While the strength of
RSA and DH (or in general DLP-based PKCs) isn't really comparable, it is for
DSA and DH, so requiring DSA to be >= 1024 bits but allowing DH down to 700
bits doesn't seem wise. Standards for DLP-based keys like FIPS 186 now
require at least 1024-bit keys, so there's a good case for not allowing such
short keys: it's a hard limit, you can't even get a product accepted for FIPS
testing if you have keys shorter than 1024 bits.
Peter.
More information about the Gnutls-help
mailing list