Re: [exim-dev] Bug#475194: D-H parameter generation is All W…

Top Page
Delete this message
Reply to this message
Author: Tom Kistner
Date:  
To: sacrificial-spam-address
CC: exim-dev, 475194
Subject: Re: [exim-dev] Bug#475194: D-H parameter generation is All Wrong
Dear anonymous Crypto-Expert,

> There appears to be a fundamental misapprehension about the role of
> Diffie-Hellman parameters. Section 39.3 conflates them with the the
> RSA secret key, which is actual secret key material and should not be
> called a "parameter". The D-H parameters are not key material, and do
> not need to be protected from inspection. In fact, they are sent in the
> clear to everyone who initiates a TLS session. Since the Debian package
> doesn't generate an RSA key at all, the restrictive permissions looked
> like blatant cluelessness.


I've removed the references to RSA from 39.3 completely, thanks.

> It's also not very important that the D-H parameters be changed often;


So there still is some value in changing them?

> while changing them N times makes it N times as much work for an attacker
> that wants to read ALL of your mail, it's better to just use a larger
> prime and make it N times harder for an attacker to read ANY of your
> mail.


What about doing both? :)

> In fact, many cryptographic standards just specify a menu of fixed
> D-H parameters for all implmentations for all time (e.g. RFC3526).
> Generating a set once at install time is also reasonable. Changing it
> daily is silly.


39.3 does not say "daily", it says "the frequency depending on your
paranoia level". Now how paranoid should Debian be? I have no idea, and
with my limited crypto skills, I can't give them a recommendation. Stock
Exim does exacly what you want, compute D-H params exactly once.

> I might also mention that 1024 bits (which is O(2^80) operations to
> break) is considered a bit small for serious security these days.
> GNU TLS defaults to 2048 bits, a more reasonable default.


Paranoia level again :)

/tom