Diffie-Hellman 128 bit

NOP nop at trapped-under-ice.com
Fri Mar 14 21:32:20 EST 2003


Well, I'm attacking a protocol, I know the rules of DH parameters, and the
issue here is I'm trying to solve for x. Brute forcing that in the 128 bit range
can be difficult, and x doesn't have to be a prime (a = g^x mod P). Their
primes are 128 bit primes, as well as their pubkeys. I've done some tests on
their prime, and all perform under this method of (p-1)/2 = prime. This
eliminates the Pohlig-Hellman discrete logarithm attack, but I'm trying to
learn the Gaussian integer method.

Lance James
----- Original Message -----
From: "Derek Atkins" <derek at ihtfp.com>
To: "NOP" <nop at trapped-under-ice.com>
Cc: <cryptography at wasabisystems.com>
Sent: Friday, March 14, 2003 10:53 AM
Subject: Re: Diffie-Hellman 128 bit


> Hi,
>
> I'm sorry to inform you, but a brute-force attack on a 128-bit prime
> is simple to mount.  I don't think I can estimate the length of time
> to attack a prime of this length, but it wouldn't be very long.
> Consider that 425 bits is only about 4KMY (Kilo-MIP-Years) -- with
> today's 2KM+ processors you're probably talking about a week or less to
> crack it.  Also, there aren't THAT many "strong" 128-bit primes.
>
> If you're using these numbers for real data (even if ephemeral), I
> would suggest using at least 512-bit ephemeral DH Primes.  But then
> you need some way to securely AGREE upon the ephemeral prime.
>
> How do you intend to prevent an attacker from forcing you to agree to
> a prime that it's already solved?
>
> -derek
>
> NOP <nop at trapped-under-ice.com> writes:
>
> > I am looking at attacks on Diffie-Hellman.
> >
> > The protocol implementation I'm looking at designed their Diffie-Hellman
> > using 128 bit primes (generated each time, yet P-1/2 will be a prime, so no
> > go on Pohlig-Hellman attack), so what attacks are there that I can look at
> > to come up with either the logarithm x from (a=g^x mod p) or the session key
> > that is calculated. A brute force wouldn't work, unless I know the starting
> > range. Are there any realistic attacks on DH parameters of this size, or is
> > theoretically based on financial computation attacks?
> >
> >
> > Thanks for your time.
> >
> > Lance James
> >
> >
> > ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
>
> --
>        Derek Atkins
>        Computer and Internet Security Consultant
>        derek at ihtfp.com             www.ihtfp.com
>

