questions on RFC2631 and DH key agreement

' =JeffH ' Jeff.Hodges at KingsMountain.com
Thu Feb 7 15:08:18 EST 2008


Thanks for your thoughts on this, Hal. Quite educational.

> Jeff Hodges wrote:
> > It turns out the supplied default for p is 1024 bit -- I'd previously goofed 
> > when using wc on it..
> >
> > DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057
> > F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7
> > 4B1448BFDFAF18828EFD2519F14E45E3826634AF1949E5B535CC829A483B8A76223E5D490A257F0
> > 5BDFF16F2FB22C583AB
> 
> This p is a "strong" prime, one where (p-1)/2 is also a prime, a good
> property for a DH modulus.

Ok, so what tools did you use to ascertain that? I'm curious. 


> The generator g=2 generates the entire group,
> which is an OK choice. 

Same here.


> But that shouldn't matter,
> the shared secret should be hashed and/or used as the seed of a PRNG to
> generate further keys.

It is hashed, but isn't used to gen further keys. I'm crafting a review of the 
full DH exchange in the target spec that I'll post to the list today.


> The main problem as I said is that 1024 bit moduli are no longer
> considered sufficiently safe for more than casual purposes.

That's what I thought. 


> Particularly
> with discrete logs that use a widely-shared modulus like the one above,
> it would not be surprising to see it publicly broken in the next 5-10
> years, or perhaps even sooner. And if a public effort can accomplish it
> in a few years, conservatively we should assume that well funded secret
> efforts could already succeed today.

Yep. 


thanks again,

=JeffH


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
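
Added example, not part of the original message or of any tool named in the thread: one way to check the properties stated in the quoted reply (1024-bit p, (p-1)/2 also prime, g=2 generating the whole group) with the Python standard library. The function names are hypothetical, the hex value is copied from the message above, and Miller-Rabin with fixed bases is a probabilistic test, not a primality proof.

```python
# Added example; function names are hypothetical, not from the thread.
# P is the modulus quoted in the message above, G the generator discussed.
P = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057"
    "F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7"
    "4B1448BFDFAF18828EFD2519F14E45E3826634AF1949E5B535CC829A483B8A76223E5D490A257F0"
    "5BDFF16F2FB22C583AB",
    16,
)
G = 2

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: False is certain, True is probabilistic."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:  # trial division also guarantees every base < n below
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a is a witness that n is composite
    return True


def is_safe_prime(p):
    """p and q = (p-1)/2 are both prime (the property called "strong" in the thread)."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generates_full_group(g, p):
    """For a safe prime p = 2q+1 the order of g divides 2q, so it is 1, 2, q or 2q;
    g has order 2q = p-1 exactly when g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return is_safe_prime(p) and pow(g, 2, p) != 1 and pow(g, q, p) != 1

print(P.bit_length(), is_safe_prime(P), generates_full_group(G, P))
```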


