[Cryptography] RSA equivalent key length/strength

Viktor Dukhovni cryptography at dukhovni.org
Sun Sep 22 16:13:22 EDT 2013

On Sat, Sep 21, 2013 at 05:07:02PM -0700, Patrick Pelletier wrote:

> and there was a similar discussion on the OpenSSL list recently,
> with GnuTLS getting "blamed" for using the ECRYPT recommendations
> rather than 1024:
> http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html

GnuTLS is reasonably sound engineering in electing 2048-bit groups
by default on the TLS server.  This inter-operates with the majority
of clients, all the client has to do is to NOT artificially limit
its implementation to 1024 bit EDH.

GnuTLS fails basic engineering principles when it sets a lower
bound of 2048-bit EDH in its TLS client code.  TLS clients do not
negotiate the DH parameters, only the use of EDH, and most server
implementations deployed today will offer 1024-bit EDH groups even
when the symmetric cipher key length is substantially stronger.

Having GnuTLS clients fail to connect to most servers, (and e.g.
with opportunistic TLS SMTP failing over to plain-text as a result)
is not helping anyone!

To migrate the world to stronger EDH, the GnuTLS authors should
work with the other toolkit implementors in parallel with and
through the IETF to get all servers to move to stronger groups.
Once that's done, and the updated implementations are widely deployed
raise the client minimum EDH group sizes.

Unilaterally raising the client lower-bound is just, to put it
bluntly, pissing into the wind.


More information about the cryptography mailing list