Re-posting this as it got lost at the bottom of my last post and should be a new topic:

----------------

So this brings me to my concern/complaint: Something like Tor is making thousands of connections and transmitting terabytes of data all through these DH 1024-bit group --> AES-256 bit. That is a lot of data.

From my review of the cryptographic recommendations for forward secrecy, the 1024-bit group is too small, and the SHA-1 hash, still used by Tor, is also not recommended. However, the threat field is different: An attacker potentially has to decrypt gigabytes of data with many different connections (they might not know exactly which connection contains the info they want). So maybe for that purpose, the lower encryption might be sufficient.

But OTR is for critical communication: chats... communication which ought to be the most secure you can have... in particular to brute-force attacks, as it is more likely that an IRC operator, for instance, may know exactly which OTR session he/she is interested in cracking. Hence, OTR should really look to having the strongest encryption available and reasonable.

On my machine, OTR currently takes about a minute or so to generate the DSA key... on another machine it seems like two seconds (not sure if this is blocking on the PRNG?). Is it reasonable that I don't want anyone to be able to decrypt my OTR connection for 30 years?

Anyway, I would be willing to wait 5 minutes to meet the recommended strengths for key lengths. In this case:

DH prime group: 2048-4096 bits
Hash function: at least SHA-256 (It seems OTR is using this..)
AES key length: 256 bits
DSA signing key length: at least 2048

In OTR's favor, the amount of cipher text is small, reducing some cryptanalysis efforts.

So not a crypto expert (but learning), but I can read www.keylength.com (some of it anyway!) and see that OTR does not meet recommendations for forward security.

Someone mentioned using EC key exchange. I am not qualified to determine which would be better, EC key exchange or DH... but from what I am reading they are both deemed secure; you just need the right key lengths....

I would think people would want OTR to meet forward security recommendations.

Thanks,
Ileana

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
