[Cryptography] DH non-prime kills "socat" command security

William Allen Simpson william.allen.simpson at gmail.com
Wed Feb 10 04:20:58 EST 2016


On 2/8/16 10:03 PM, Benjamin Kreuter wrote:
> On Thu, 2016-02-04 at 18:30 -0800, Henry Baker wrote:
>> There is an outstanding problem: if we all use the same primes, large
>> nation-states can build log (rainbow-like) tables for these primes;
>> if we use different primes, we then have to prove to our
>> correspondent that the "prime" we propose is really
>> prime.  Generating such primes and generating such easily-checkable
>> proofs appears to take too much time for normal HTTPS ecommerce.
>
> Also note that allowing people to generate their own parameters adds
> complexity to protocols that are already notoriously difficult to get
> right, and to their implementations which are also notoriously
> difficult to get right.  IMO it is better to choose common parameters
> large enough to resist nation-state attacks, and for everyone to use
> those parameters.
>
Which is why all responsible OS vendors ship /etc/moduli -- and
better OS vendors generate and validate their own for every release,
so that we aren't stuck with stale parameters.
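
An added example, not code from the original post or from OpenSSH, showing what "validate their own" and "prove the prime is really prime" amount to in practice: a parser for /etc/moduli records (the seven-field layout from moduli(5)), a safe-prime check on the modulus, a primitive-root check on the advertised generator, and the one range check a safe prime leaves for a peer's public value. The sample records are constructed here (timestamps and trial counts are made up, the good modulus is generated from a fixed seed, and the bad one is a product of two primes); the assumption that OpenSSH-written files record the size as one less than the bit length is labelled in the code.

```python
"""Validate Diffie-Hellman parameters instead of trusting them.

Added example (not the original post's code, nor OpenSSH's moduli code).
Parses /etc/moduli records, verifies the modulus is a safe prime
(p = 2q + 1 with p and q prime), checks the generator, and shows the
range check on a peer's public value that a safe prime makes sufficient.
"""
import random

# Small primes for cheap trial division ahead of Miller-Rabin.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=40, rng=None):
    """Miller-Rabin: a composite survives `rounds` random bases w.p. <= 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True


def is_safe_prime(p, rounds=40):
    """True if p and q = (p-1)/2 are both (probable) primes; such p is 3 mod 4."""
    return (p > 5 and p % 4 == 3 and is_probable_prime(p, rounds)
            and is_probable_prime((p - 1) // 2, rounds))


def is_primitive_root(g, p):
    """For a safe prime p the element orders are 1, 2, q, 2q; the range check
    rules out orders 1 and 2, and g**q != 1 rules out order q."""
    return 1 < g < p - 1 and pow(g, (p - 1) // 2, p) != 1


def is_valid_public_value(y, p):
    """With a verified safe prime the only small subgroup is {1, p-1}, so this
    range check is the whole small-subgroup defence.  With an unverified
    "prime" (the subject line's socat case) no such guarantee exists."""
    return 1 < y < p - 1


def generate_safe_prime(bits, seed=None):
    """Safe prime of exactly `bits` bits (bits >= 16); seedable for reproducibility."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, bits-1 long
        p = 2 * q + 1
        if any(p % sp == 0 or q % sp == 0 for sp in _SMALL_PRIMES[1:]):
            continue
        if is_probable_prime(q, 20, rng) and is_probable_prime(p, 20, rng):
            return p


def smallest_generator(p):
    """Smallest primitive root of a safe prime (half of Z_p^* qualifies)."""
    return next(g for g in range(2, p) if is_primitive_root(g, p))


MODULI_TYPE_SAFE_PRIME = 2      # "Type" value for a safe prime, per moduli(5)
MODULI_TEST_COMPOSITE = 0x01    # "Tests" bitmask bit meaning "known composite"


def parse_moduli_line(line):
    """One /etc/moduli record: time type tests trials size generator modulus."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    time, mtype, tests, trials, size, gen, mod = fields
    return {"time": time, "type": int(mtype), "tests": int(tests),
            "trials": int(trials), "size": int(size),
            "generator": int(gen, 16), "modulus": int(mod, 16)}


def validate_moduli_entry(e, rounds=40):
    """Return a list of problems; an empty list means the record checks out."""
    p, g, problems = e["modulus"], e["generator"], []
    if e["type"] != MODULI_TYPE_SAFE_PRIME:
        problems.append("type %d is not 'safe prime'" % e["type"])
    if e["tests"] & MODULI_TEST_COMPOSITE:
        problems.append("record is marked composite")
    # Assumption: OpenSSH-written files store size as bit_length - 1; accept both.
    if e["size"] not in (p.bit_length(), p.bit_length() - 1):
        problems.append("size field %d does not match %d-bit modulus"
                        % (e["size"], p.bit_length()))
    if not is_safe_prime(p, rounds):
        problems.append("modulus is not a safe prime")
    elif not is_primitive_root(g, p):
        problems.append("generator %d does not generate Z_p^*" % g)
    return problems


# Constructed sample records (timestamp and trial count are made up).
_GOOD_P = generate_safe_prime(128, seed=2016)
SAMPLE_GOOD_LINE = "20160210042058 2 6 100 %d %X %X" % (
    _GOOD_P.bit_length() - 1, smallest_generator(_GOOD_P), _GOOD_P)
_BAD_P = generate_safe_prime(64, seed=1) * generate_safe_prime(64, seed=2)
SAMPLE_BAD_LINE = "20160210042058 2 6 100 %d 2 %X" % (_BAD_P.bit_length() - 1, _BAD_P)
```

The generator check relies on the modulus already having passed the safe-prime check, which is why `validate_moduli_entry` only runs it in the `elif` branch; the same ordering applies to a client checking a server-supplied group, where the primality test is the expensive step that the quoted discussion is worried about.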


