Re: [TLS] Short Ephemeral Diffie-Hellman keys

Bodo Moeller <bmoeller@acm.org> Tue, 15 May 2007 13:08 UTC


On Mon, May 14, 2007 at 11:46:58AM -0700, Nelson B Bolyard wrote:
> Yngve N. Pettersen (Developer Opera Software ASA) wrote:

>> I have recently started to see an increasing number of reports about
>> SSL/TLS servers using short Ephemeral Diffie-Hellman keys, in some cases
>> very short ones.
>> 
>> Opera's SSL/TLS client will display warnings to users if the server is  
>> using RSA/DH/DSA keys shorter than (currently) 900 bits. 

> Do you mean the length of the public value?  or the length of the prime P?
> 
> Do you really wish to disallow public values that are low numeric values
> even when the prime P is adequately large?

While this really is about the prime P and not the public value, it
wouldn't be wrong to disallow small public values.  In practice the
public value won't be too much shorter than the public value unless
something weird (and presumably insecure) is going on.

It's only shorter secret values (DH exponents) that can be used in a
secure way.  But then the client couldn't easily reject these anyway.

Bodo
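
The check discussed in this thread, as an added example that is not part of the original message: it parses the ServerDHParams fields (dh_p, dh_g, dh_Ys) from a ServerKeyExchange body and applies the 900-bit threshold to the prime P rather than to the public value. The function names, the 64-bit deficit heuristic for a "small" public value, and the sample inputs are assumptions made for illustration.

```python
import struct

MIN_PRIME_BITS = 900   # warning threshold quoted in the thread
MAX_YS_DEFICIT = 64    # assumption: flag Ys more than 64 bits shorter than P

def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector as a big-endian integer."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n

def parse_server_dh_params(buf):
    """ServerDHParams = dh_p, dh_g, dh_Ys (three length-prefixed vectors)."""
    p, off = read_vec16(buf, 0)
    g, off = read_vec16(buf, off)
    ys, off = read_vec16(buf, off)
    return p, g, ys

def check_dh_params(buf, min_bits=MIN_PRIME_BITS):
    """Return a list of findings; an empty list means nothing to warn about."""
    p, g, ys = parse_server_dh_params(buf)
    findings = []
    # Measure the integer, not the vector: leading zero bytes add no strength.
    if p.bit_length() < min_bits:
        findings.append("short-prime")
    if not 1 < ys < p - 1:
        findings.append("degenerate-public-value")
    elif p.bit_length() - ys.bit_length() > MAX_YS_DEFICIT:
        findings.append("small-public-value")
    return findings

def encode(p, g, ys):
    """Build a constructed ServerDHParams byte string for the demo."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed inputs: Mersenne primes chosen only for their bit lengths.
P_LONG, P_SHORT = 2**1279 - 1, 2**521 - 1

if __name__ == "__main__":
    for label, blob in [("ok", encode(P_LONG, 2, P_LONG // 3)),
                        ("short P", encode(P_SHORT, 2, P_SHORT // 3)),
                        ("small Ys", encode(P_LONG, 2, 2**100))]:
        print(label, check_dh_params(blob))
```

The length of the secret exponent never appears in these fields, which is why the sketch has no check for it.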

