IETF-SSH archive


issues



Niels Provos writes:
> 2. the choice of private exponents for the diffie-hellman should depend
>    on the size of key material for the negotiated ciphers, i.e.
>    256-bit AES requires longer exponents than 128-bit AES.
> 
>    this applies to both the transport and the diffie-hellman group
>    exchange draft.

If you let 256-bit AES mandate the Diffie-Hellman group used,
then you will end up with a group with p > 2^13547 (say). This is
something that seems quite unreasonable from the performance
viewpoint. Changing the exponent size is not enough.

(The usual 1024-bit Diffie-Hellman group gives a security level similar
to an 80-bit block cipher. Here the exponent must be more than
160 bits---increasing it would not give any more security, but
decreasing it would indeed decrease security.)
 
Perhaps a better solution is to give the user some indication of the
security level achieved in a particular session. Of course, it is
difficult to measure security exactly, but this is only required to be
a rough approximation (say, `very secure' > 2^128, `secure' > 2^80,
`broken' <= 2^80, when measured in elementary operations).

Best regards, 
Mika Kojo
SSH Communications Security Corp
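
The reasoning in the message above, as an added example that is not part of the original mail. It assumes the asymptotic GNFS running time with the o(1) term dropped as the estimate of group strength (the message does not say which estimate it used) and half the exponent length for square-root attacks; all function names are hypothetical.

```python
import math

LN2 = math.log(2)

def gnfs_bits(modulus_bits):
    """log2 of the asymptotic GNFS cost exp((64/9)^(1/3) (ln p)^(1/3) (ln ln p)^(2/3)).
    Assumption: the o(1) term is dropped, so this is only a rough estimate."""
    ln_p = modulus_bits * LN2
    cost = (64 / 9) ** (1 / 3) * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3)
    return cost / LN2

def min_modulus_bits(target_bits):
    """Smallest modulus size whose GNFS estimate reaches target_bits (binary search)."""
    lo, hi = 16, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def session_bits(modulus_bits, exponent_bits, cipher_key_bits):
    """Weakest link of the session: group, private exponent, cipher key.
    Square-root attacks on the exponent cost about 2^(exponent_bits / 2)."""
    return min(gnfs_bits(modulus_bits), exponent_bits / 2, cipher_key_bits)

def label(bits):
    """Rough indication using the thresholds proposed in the message."""
    if bits > 128:
        return "very secure"
    if bits > 80:
        return "secure"
    return "broken"

if __name__ == "__main__":
    print("modulus bits for a 256-bit level:", min_modulus_bits(256))
    # Constructed sessions: (modulus bits, exponent bits, cipher key bits)
    for session in [(1024, 128, 128), (1024, 256, 128), (1024, 512, 256), (4096, 512, 256)]:
        bits = session_bits(*session)
        print(session, round(bits, 1), label(bits))
```

With a 1024-bit group the estimate stays in the 80 to 90 bit range however long the exponent or cipher key is, while a 128-bit exponent pulls the session down to 64 bits.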


