Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

"Blumenthal, Uri - 0558 - MITLL" <> Wed, 18 September 2013 19:24 UTC

From:  james hughes <>
> On Sep 18, 2013, at 10:34 AM, "Blumenthal, Uri - 0558 - MITLL"
> <> wrote:
>> If you think that in 5 years 1024-bit DH will be trivially crackable - I'd
>> like to see some evidence to support it.
> There is a difference between "trivially crackable" and routinely exploitable.
> In 5 years this will be routinely exploitable.

If you mean "exploitable in bulk", then I'd buy your argument.  (Though
we've no idea what may happen in 5 years.)

> It seems to me that the standards process does not need NSA to subvert the
> process, the standards people seem to be doing this fine by themselves.
> Anyway, speaking as someone working in this field (more factoring than
> discrete log) the professional recommendation is 2048.

Recommendation noted. I almost remember myself many years ago trying to
convince SNMP WG that HMAC is a better choice than just keyed hash, and
SHA-1 should replace MD5 as "MUST". The arguments against it were "it would
hurt performance too badly".

> I am not baiting here, but the argument that 2048 is "too much" given that a
> PC can do a complete authenticated PFS key exchange in 3ms of CPU time seems
> "interesting". 

As I said, if the exchange takes 3 seconds on my PC (or on my smartphone :)
I'm OK with it. The complaints are likely to come from the server folks. You
can guess why.