Diffie-Hellman 128 bit

Derek Atkins derek at ihtfp.com
Fri Mar 14 13:53:15 EST 2003


Hi,

I'm sorry to inform you, but a brute-force attack on a 128-bit prime
is simple to mount.  I don't think I can estimate the length of time
to attack a prime of this length, but it wouldn't be very long.
Consider that 425 bits is only about 4KMY (Kilo-MIP-Years) -- with
today's 2KM+ processors you're probably talking about a week or less to
crack it.  Also, there aren't THAT many "strong" 128-bit primes.

If you're using these numbers for real data (even if ephemeral), I
would suggest using at least 512-bit ephemeral DH Primes.  But then
you need some way to securely AGREE upon the ephemeral prime.

How do you intend to prevent an attacker from forcing you to agree to
a prime that it's already solved?

-derek

NOP <nop at trapped-under-ice.com> writes:

> I am looking at attacks on Diffie-Hellman.
> 
> The protocol implementation I'm looking at designed their Diffie-Hellman
> using 128 bit primes (generated each time, yet P-1/2 will be a prime, so no
> go on Pohlig-Hellman attack), so what attacks are there that I can look at
> to come up with either the logarithm x from (a=g^x mod p) or the session key
> that is calculated. A brute force wouldn't work, unless I know the starting
> range. Are there any realistic attacks on DH parameters of this size, or is
> theoretically based on financial computation attacks?
> 
> 
> Thanks for your time.
> 
> Lance James
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com
