On Thu, Apr 21, 2011 at 7:44 AM, ikuzar <razuk...@gmail.com> wrote: > Ok, > I see now what you mean. I 'll try to hash the shared value with SHA1, then > truncate it to obtain 128 bits ... In addition to Dave's comments, see NIST 800-135 and RFC 5869 for guidelines and recommendations on extract-and-expand key derivation.
Jeff > > 2011/4/20 Mike Mohr <akih...@gmail.com> >> >> Look, the typical way you'd use the DH shared secret would be to hash >> it using an appropriate hash function. I personally like using Tiger >> with AES-192, YMMV. >> >> On Tue, Apr 19, 2011 at 3:56 PM, ikuzar <razuk...@gmail.com> wrote: >> > So, have I to generate a prime with length = 3200 bits ?, ( the >> > corresponding exponent will belong to 3200-bit MODP group ) in order to >> > generate an AES 128 session key ? ( I use 2 as generator ). >> > Here http://tools.ietf.org/html/rfc3526, it is said : >> > "The new Advanced Encryption Standard (AES) cipher [AES], which has >> > more strength, needs stronger groups. For the 128-bit AES we need >> > about a 3200-bit group [Orman01]. ..;" >> > in this IETF, 6 MODP groups are exposed. 3200-bit is not among this >> > groups... >> > Concretly, what should I write to obtain AES 128 session key? i Wrote >> > something like this ( in command line ): >> > openssl dhparam -outform PEM -out dhParams.pem -2 3200 >> > Then I decode dhParams.pem into internal C struct: dh. Then I >> > call DH_generate_key(DH *dh); >> > , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with >> > the >> > peer pub_key >> > and I finally want to store this session key at key >> > >> > >> > 2011/4/19 Michael Sierchio <ku...@tenebras.com> >> >> >> >> Addendum - depending on the use of DH (usually using the DH shared >> >> secret as a basis for key exchange), the choice of prime is more >> >> important than private exponent length. Safe primes or strong primes >> >> are warranted. Most systems use small generators (e.g., 2). >> >> >> >> - M >> >> >> >> On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr <akih...@gmail.com> wrote: >> >> > You might take a look at RFC 3526: >> >> > >> >> > http://tools.ietf.org/html/rfc3526 >> >> > >> >> > It is my understanding that the DH exponent can be significantly >> >> > shorter than the modulus without compromising security. RFC 3526 is >> >> > from 2003, but I haven't found anything published since then that >> >> > would make me think its assertions are invalid or outdated. The >> >> > paranoid tinfoil hat crowd can probably take twice the maximum bit >> >> > count from section 8 (620x2=1240) and be happy. >> >> > >> >> > Mike >> >> > >> >> > On Mon, Apr 18, 2011 at 8:01 AM, ikuzar <razuk...@gmail.com> wrote: >> >> >> Hello, >> >> >> I 'd like to know the length of DH session key generated by >> >> >> DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : >> >> >> http://www.openssl.org/docs/crypto/DH_generate_key.html >> >> >> It is said that key must point to DH_size(dh) bytes of memory. is >> >> >> 128 >> >> >> bits >> >> >> the default length ? how can I adjust this length according the >> >> >> symetric-key >> >> >> algorithm I use ( AES128/ICM) >> >> >> Thanks for your help. >> >> >> >> >> >> >> >> > >> >> > [SNIP] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
