[Cryptography] freedom-to-tinker.com: How is NSA breaking so much crypto?

John-Mark Gurney jmg at funkthat.com
Fri Oct 16 20:47:09 EDT 2015


Louis Kowolowski wrote this message on Fri, Oct 16, 2015 at 17:24 -0700:
> On Oct 16, 2015, at 3:35 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
> > 
> > Ray Dillinger wrote this message on Fri, Oct 16, 2015 at 13:39 -0700:
> >> Isn't the appropriate fix making sure that different numbers get used
> >> each time DH is performed?  And won't that be the appropriate thing to
> >> do regardless of the key length being used?
> > 
> > Please go run openssl dhparam 1024 (or for more fun, 2048), and tell
> > me if doing that on every connection, https session, etc, is doable?
> > 
> > For everyone else, it's about a second, but can take >5 seconds to
> > generate a 1024 bit dh parameter...  2048 can take >47 seconds and this
> > is on a 2.5GHz Core i7???
> > 
> It could be done on bootup, and the web server could have a dependency on it (sprinkle in other services as appropriate). It would (potentially) delay things slightly, but the benefits would far outweigh the loss of a few seconds.

I was replying to the comment that it should be done on every connection.

I did think about doing something like that before, but you have to
realize that changing generated DH params can leak information.  If
an OS vendor changes it per release, it's easy to figure out what
release they are running...  If you change it per boot, then you'll
figure out when they patch/upgrade...

Changing it on a regular basis, like every night/week/month would be
best, though most applications don't know how to refresh the dh params
while running which means you'll suffer an interruption when restarting
the service...

IMO, just going to 2048 bit DH params makes the most sense.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
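The thread's conclusion is to deploy 2048-bit DH parameters. As an added example (mine, not code from the list or its participants), here is an audit of a dhparam file the way a defender would check it: it parses the PKCS#3 PEM that `openssl dhparam` writes and reports whether the prime meets the size policy, is a safe prime, and has a sane generator. The embedded PEM is a constructed 12-bit sample so the script runs offline; the 2048-bit default is the policy threshold, not a property of the sample.

```python
import base64
import random
# Constructed sample (not from the thread): PKCS#3 DHParameter with p = 2879 (a 12-bit safe prime), g = 2.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAcCAgs/AgEC\n-----END DH PARAMETERS-----\n"

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; never rejects a true prime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _read_tlv(buf, pos):  # decode one DER tag/length/value -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length, as used when p is 2048 bits
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_dhparams_pem(pem):
    """Return (p, g) from an `openssl dhparam` file: SEQUENCE { p INTEGER, g INTEGER }."""
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    tag, seq, _ = _read_tlv(der, 0)
    t1, pb, pos = _read_tlv(seq, 0)
    t2, gb, _ = _read_tlv(seq, pos)
    if tag != 0x30 or t1 != 0x02 or t2 != 0x02:
        raise ValueError("not a DHParameter SEQUENCE of two INTEGERs")
    return int.from_bytes(pb, "big"), int.from_bytes(gb, "big")

def audit_dhparams(p, g, min_bits=2048):
    """Policy findings for a DH group; an empty list means it is acceptable."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"prime is {p.bit_length()} bits, policy requires {min_bits}")
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        findings.append("p is not a safe prime (p and (p-1)/2 must both be prime)")
    if not 1 < g < p - 1:
        findings.append("generator out of range")
    return findings
```

Run `audit_dhparams(*parse_dhparams_pem(open("dhparam.pem").read()))` against a real file; an empty list means the group is 2048 bits or more and a safe prime.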
