Re: [exim] REPOST: Possible TLS weakness in Exim? (to be not…

Top Page
Delete this message
Reply to this message
Author: Ralf G. R. Bergs
Date:  
To: Florian Weimer
CC: exim-users
Subject: Re: [exim] REPOST: Possible TLS weakness in Exim? (to be noticed with Opera and Exim 4.50 from Debian stable)
Florian Weimer schrieb:
> * Ralf G. R. Bergs:
>
>> I posted about this problem into the Opera forum (see
>> http://my.opera.com/community/forums/topic.dml?id=167205), and received
>> the following reply from one of the Opera developers:
>>
>> <quote>
> [...]
>> IMO the length of that key should match the keylength of the
>> certificate, but to get level 3 encryption it must be at least 1024 bits
>> long.
>> </quote>
>
> You cannot directly compare the RSA and DH bit counts, the underlying
> mathematical problems are not the same (discrete logarithms are
> harder). There is one prominent study that treats them as equivalent,
> but their model is more or less pulled out of thin air. We simply do
> not know enough about cryptography to give definite advice on key
> lengths.
>
> But perhaps we should change src/tls-gnu.c and increase this constant:
>
> #define DH_BITS      768

>
> NIST recommends to use 1024 bits. BSI (the German one, not the
> British) recommends 1280 bits. Both do not really differentiate
> between ephemeral session keys and long-term keys. But bumping the


But it makes quite a difference how you use them... :-)

> value is easy and probably the right thing to do from a PR angle.


I doubt that it's a good idea to just change something to look good from
a PR point of view. :-)

What I *do* consider important, tho, is that we get the Opera guys and
Exim to agree upon what is safe and what is unsafe. What do you think
about this?