Thanks for your thoughts on this Hal. Quite educational.

> Jeff Hodges wrote:
> > It turns out the supplied default for p is 1024 bit -- I'd previously
> > goofed when using wc on it..
> >
> > DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057
> > F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7
> > 4B1448BFDFAF18828EFD2519F14E45E3826634AF1949E5B535CC829A483B8A76223E5D490A257F0
> > 5BDFF16F2FB22C583AB
>
> This p is a "strong" prime, one where (p-1)/2 is also a prime, a good
> property for a DH modulus.

Ok, so what tools did you use to ascertain that? I'm curious.

> The generator g=2 generates the entire group,
> which is an OK choice.

Same here.

> But that shouldn't matter,
> the shared secret should be hashed and/or used as the seed of a PRNG to
> generate further keys.

It is hashed, but isn't used to gen further keys. I'm crafting a review of the
full DH exchange in the target spec that I'll post to the list today.

> The main problem as I said is that 1024 bit moduli are no longer
> considered sufficiently safe for more than casual purposes.

That's what I thought.

> Particularly
> with discrete logs that use a widely-shared modulus like the one above,
> it would not be surprising to see it publicly broken in the next 5-10
> years, or perhaps even sooner. And if a public effort can accomplish it
> in a few years, conservatively we should assume that well funded secret
> efforts could already succeed today.

Yep.

thanks again,

=JeffH

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
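
One way to check the properties discussed in this thread (the size of p, whether (p-1)/2 is also prime, and whether g=2 generates the entire group), as an added example that is not part of the original messages and not the tool either poster used. It relies on a Miller-Rabin probabilistic primality test; the function names are hypothetical.

```python
import random

# The default modulus p quoted in the thread above (hex, as posted).
P_HEX = (
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057"
    "F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7"
    "4B1448BFDFAF18828EFD2519F14E45E3826634AF1949E5B535CC829A483B8A76223E5D490A257F0"
    "5BDFF16F2FB22C583AB"
)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a composite n passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    # Fixed seed gives repeatable runs; use an unpredictable source of bases
    # when n may have been chosen by an adversary.
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness that n is composite
    return True

def check_dh_params(p, g):
    """Report modulus size, safe-prime status and the order of g modulo p."""
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    order = None
    if safe:
        # With p = 2q + 1 and q prime, every element order is 1, 2, q or 2q.
        order = next((k for k in (1, 2, q, 2 * q) if pow(g, k, p) == 1), None)
    return {"bits": p.bit_length(), "safe_prime": safe,
            "g_generates_group": safe and order == p - 1,
            "g_order_is_q": safe and order == q}

if __name__ == "__main__":
    print(check_dh_params(int(P_HEX, 16), 2))
```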