Re: DH session Key length
Ok, I see now what you mean. I 'll try to hash the shared value with SHA1, then truncate it to obtain 128 bits ... 2011/4/20 Mike Mohr akih...@gmail.com Look, the typical way you'd use the DH shared secret would be to hash it using an appropriate hash function. I personally like using Tiger with AES-192, YMMV. On Tue, Apr 19, 2011 at 3:56 PM, ikuzar razuk...@gmail.com wrote: So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): openssl dhparam -outform PEM -out dhParams.pem -2 3200 Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key(DH *dh); , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with the peer pub_key and I finally want to store this session key at key 2011/4/19 Michael Sierchio ku...@tenebras.com Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: DH session Key length
From: owner-openssl-us...@openssl.org On Behalf Of ikuzar Sent: Tuesday, 19 April, 2011 18:57 So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). If you want the DH key agreement to provide security comparable to the AES-128 encryption, you need a DH group of roughly that size. You can either generate one yourself or use an existing one. Technically you don't *have* to provide comparable security; you could use DH-512 or even DH-128 to create an AES-128 key and it would encrypt and decrypt successfully, but it wouldn't be secure, which means it's a big waste of effort. Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... rfc3526 does have a 3072-bit group, which is about 3200, since these are (as I said before) very rough estimates. In fact, according to section 8, its 2048-bit group might well be sufficient for symmetric 128-bit. It's a common convention to use sizes that are powers of two, or mostly powers of two, like 1024, 2048, 2560, 3072, 4096, but any decent software should work for any size up to the supported limit. If you want to use 3200, or 3157, go right ahead. The reason to use a published group like those in rfc3526 is that you don't need to actually transmit the group parameters between peers (or from a generator to peers). This is important for IPsec, which needs to dynamically create many associations rapidly and cheaply. I don't know if it matters to you. Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): openssl dhparam -outform PEM -out dhParams.pem -2 3200 Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key... then DH_compute_key ... and I finally want to store this session key at key The DH result g^x1^x2=g^x2^x1 should be indistinguishable from uniform random over the group (1..P-1); that means except for a few high-order bits (and any bits above the high-order bit, if your size is not a multiple of 8, see above) all the bits should be effectively random. You could just use them, but extending what Mike Mohr said, the usual practice when deriving symmetric keys from *any* secret input, including a DH result but also other things, is to hash it. This provides one more safety margin, and it provides an option to derive multiple keys from the same secret(s) without risking related-key attacks. (ObTopic: SSL normally uses this to derive from one master secret four different keys: encryption and MAC, for each client and server sides.) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
On Thu, Apr 21, 2011 at 7:44 AM, ikuzar razuk...@gmail.com wrote: Ok, I see now what you mean. I 'll try to hash the shared value with SHA1, then truncate it to obtain 128 bits ... In addition to Dave's comments, see NIST 800-135 and RFC 5869 for guidelines and recommendations on extract-and-expand key derivation. Jeff 2011/4/20 Mike Mohr akih...@gmail.com Look, the typical way you'd use the DH shared secret would be to hash it using an appropriate hash function. I personally like using Tiger with AES-192, YMMV. On Tue, Apr 19, 2011 at 3:56 PM, ikuzar razuk...@gmail.com wrote: So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): openssl dhparam -outform PEM -out dhParams.pem -2 3200 Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key(DH *dh); , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with the peer pub_key and I finally want to store this session key at key 2011/4/19 Michael Sierchio ku...@tenebras.com Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. [SNIP] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
Look, the typical way you'd use the DH shared secret would be to hash it using an appropriate hash function. I personally like using Tiger with AES-192, YMMV. On Tue, Apr 19, 2011 at 3:56 PM, ikuzar razuk...@gmail.com wrote: So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): openssl dhparam -outform PEM -out dhParams.pem -2 3200 Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key(DH *dh); , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with the peer pub_key and I finally want to store this session key at key 2011/4/19 Michael Sierchio ku...@tenebras.com Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
Sorry I do not see the link between my previous post and your answer. 2011/4/20 Mike Mohr akih...@gmail.com Look, the typical way you'd use the DH shared secret would be to hash it using an appropriate hash function. I personally like using Tiger with AES-192, YMMV. On Tue, Apr 19, 2011 at 3:56 PM, ikuzar razuk...@gmail.com wrote: So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): openssl dhparam -outform PEM -out dhParams.pem -2 3200 Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key(DH *dh); , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with the peer pub_key and I finally want to store this session key at key 2011/4/19 Michael Sierchio ku...@tenebras.com Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
2011/4/19 Dave Thompson dthomp...@prinpay.com From: owner-openssl-us...@openssl.org On Behalf Of ikuzar Sent: Monday, 18 April, 2011 11:01 I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) The size of both private (x) and public (y) values in DH is the same as the size of the prime P or very nearly. If the parameters were generated with openssl commandline 'dhparam' the default size of P was 512 bits, which is probably not secure. If P = 512 bits is not secure so shared key ( 512 bits ) generated with this P is not secured. Necessarily, shared key with 128 bits is not secured, and then AES 128 is not secured ? I am confused... Is there any way to understand in 2, 3 words how to generate a shared key with 128 bits length from Dh params ? For example g = 2, P = 128 = shared key length = 128 Thanks, Ikuzar (I know factoring thus RSA up to 700-something is broken; I haven't heard of results for discrete-log thus DH and DSA, but on my limited knowledge of number theory I think it should be about the same.) (Good) asymmetric algorithms need more bits for comparable security than (good) symmetric ones. Experts do not agree on an exact correspondence, but in (very) rough terms elliptic-curve algs are about 2x symmetric, and traditional asymmetric (RSA, DH, DSA, etc) are in the vicinity of 20x. NIST Special Publication 800-57 available under csrc.nist.gov seems to be a good reflection of reasonably current thinking. There is or at least was a few years ago an independent site with the consensus of leading academic crypto researchers, but I can't find it now. (If you don't know it, NIST = National Institute for Science and Technology is a part of the US government Department of Commerce; it was formerly NBS National Bureau of Standards.) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
Ikuzar, I'm not sure what software you're writing. Please understand that I'm not trying to be mean spirited when I say this, but if you don't already know the difference between symmetric vs public-key crypto then you should not be writing this type of code. Stop doing it until you have a firm grasp on the basic concepts. Any code you write now is nearly guaranteed to be incorrect. You should take a few months to read the book I linked you to earlier and really understand the basic concepts. You will get much better support from this mailing list once you do. Mike On Wed, Apr 20, 2011 at 3:06 PM, ikuzar razuk...@gmail.com wrote: 2011/4/19 Dave Thompson dthomp...@prinpay.com From: owner-openssl-us...@openssl.org On Behalf Of ikuzar Sent: Monday, 18 April, 2011 11:01 I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) The size of both private (x) and public (y) values in DH is the same as the size of the prime P or very nearly. If the parameters were generated with openssl commandline 'dhparam' the default size of P was 512 bits, which is probably not secure. If P = 512 bits is not secure so shared key ( 512 bits ) generated with this P is not secured. Necessarily, shared key with 128 bits is not secured, and then AES 128 is not secured ? I am confused... Is there any way to understand in 2, 3 words how to generate a shared key with 128 bits length from Dh params ? For example g = 2, P = 128 = shared key length = 128 Thanks, Ikuzar (I know factoring thus RSA up to 700-something is broken; I haven't heard of results for discrete-log thus DH and DSA, but on my limited knowledge of number theory I think it should be about the same.) (Good) asymmetric algorithms need more bits for comparable security than (good) symmetric ones. Experts do not agree on an exact correspondence, but in (very) rough terms elliptic-curve algs are about 2x symmetric, and traditional asymmetric (RSA, DH, DSA, etc) are in the vicinity of 20x. NIST Special Publication 800-57 available under csrc.nist.gov seems to be a good reflection of reasonably current thinking. There is or at least was a few years ago an independent site with the consensus of leading academic crypto researchers, but I can't find it now. (If you don't know it, NIST = National Institute for Science and Technology is a part of the US government Department of Commerce; it was formerly NBS National Bureau of Standards.) __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
The private exponent length need only be sufficient to make a brute force search (using the public exponent as a target) computationally infeasible, since the discrete log problem is still in the hard category. Cogent DH Private Exponent recommendations are always stated in terms of P, e.g., x : 1 x (p-1)/2. - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
So, have I to generate a prime with length = 3200 bits ?, ( the corresponding exponent will belong to 3200-bit MODP group ) in order to generate an AES 128 session key ? ( I use 2 as generator ). Here http://tools.ietf.org/html/rfc3526, it is said : The new Advanced Encryption Standard (AES) cipher [AES], which has more strength, needs stronger groups. For the 128-bit AES we need about a 3200-bit group [Orman01]. ..; in this IETF, 6 MODP groups are exposed. 3200-bit is not among this groups... Concretly, what should I write to obtain AES 128 session key? i Wrote something like this ( in command line ): *openssl dhparam -outform PEM -out dhParams.pem -2 3200* **Then I decode dhParams.pem into internal C struct: dh. Then I call DH_generate_key(DH *dh); , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with the peer pub_key and I finally want to store this session key at key 2011/4/19 Michael Sierchio ku...@tenebras.com Addendum - depending on the use of DH (usually using the DH shared secret as a basis for key exchange), the choice of prime is more important than private exponent length. Safe primes or strong primes are warranted. Most systems use small generators (e.g., 2). - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr akih...@gmail.com wrote: You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: DH session Key length
From: owner-openssl-us...@openssl.org On Behalf Of ikuzar Sent: Monday, 18 April, 2011 11:01 I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) The size of both private (x) and public (y) values in DH is the same as the size of the prime P or very nearly. If the parameters were generated with openssl commandline 'dhparam' the default size of P was 512 bits, which is probably not secure. (I know factoring thus RSA up to 700-something is broken; I haven't heard of results for discrete-log thus DH and DSA, but on my limited knowledge of number theory I think it should be about the same.) (Good) asymmetric algorithms need more bits for comparable security than (good) symmetric ones. Experts do not agree on an exact correspondence, but in (very) rough terms elliptic-curve algs are about 2x symmetric, and traditional asymmetric (RSA, DH, DSA, etc) are in the vicinity of 20x. NIST Special Publication 800-57 available under csrc.nist.gov seems to be a good reflection of reasonably current thinking. There is or at least was a few years ago an independent site with the consensus of leading academic crypto researchers, but I can't find it now. (If you don't know it, NIST = National Institute for Science and Technology is a part of the US government Department of Commerce; it was formerly NBS National Bureau of Standards.) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH session Key length
You might take a look at RFC 3526: http://tools.ietf.org/html/rfc3526 It is my understanding that the DH exponent can be significantly shorter than the modulus without compromising security. RFC 3526 is from 2003, but I haven't found anything published since then that would make me think its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar razuk...@gmail.com wrote: Hello, I 'd like to know the length of DH session key generated by DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : http://www.openssl.org/docs/crypto/DH_generate_key.html It is said that key must point to DH_size(dh) bytes of memory. is 128 bits the default length ? how can I adjust this length according the symetric-key algorithm I use ( AES128/ICM) Thanks for your help. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org