IETF-SSH archive


Re: issues



Mika Kojo <mkojo%ssh.com@localhost> writes:

> Niels Provos writes:
> > 2. the choice of private exponents for the diffie-hellman should depend
> >    on the size of key material for the negotiated ciphers, i.e.
> >    256-bit AES requires longer exponents than 128-bit AES.

I have seen reasoning like this before, and I don't think I understand
it. If you want a security level of 2^150, say (I'm not going to try
to define security level precisely, and this particular level is just
an example), then the important thing is that each component
(public-key operations, hashes, bulk ciphers, etc) is at least
2^150-secure.

Now, say you happen to choose a cipher with 2^256-security, because
that's the only thing you've got that's better than 2^128 (if we count
3des as 2^112). When choosing the other components, it's *still* the
2^150 level that matters. They don't have to *match* the cipher.

The important thing is that *each* component is strong enough, not
that they all have equal strength. One component being significantly
stronger than the others doesn't increase security beyond the weakest
part, of course, but it doesn't hurt either.

Is there anything I'm missing?

> (The usual 1024-bit Diffie-Hellman group gives security level similar
> to an 80-bit block cipher. Here exponent must be more than
> 160 bits---increasing it would not give any more security, but
> decreasing it would indeed decrease security.)

If these figures are right, then the conclusion must be that we should
offer some bigger groups. Either by adding some
diffie-hellman-group2-sha1 key exchange method, or making the
group-exchange mechanism mandatory.

/Niels


