Author: Tom Kistner Date: To: sacrificial-spam-address CC: exim-dev, 475194 Subject: Re: [exim-dev] Bug#475194: D-H parameter generation is All Wrong
Dear anonymous Crypto-Expert,
> There appears to be a fundamental misapprehension about the role of
> Diffie-Hellman parameters. Section 39.3 conflates them with the the
> RSA secret key, which is actual secret key material and should not be
> called a "parameter". The D-H parameters are not key material, and do
> not need to be protected from inspection. In fact, they are sent in the
> clear to everyone who initiates a TLS session. Since the Debian package
> doesn't generate an RSA key at all, the restrictive permissions looked
> like blatant cluelessness.
I've removed the references to RSA from 39.3 completely, thanks.
> It's also not very important that the D-H parameters be changed often;
So there still is some value in changing them?
> while changing them N times makes it N times as much work for an attacker
> that wants to read ALL of your mail, it's better to just use a larger
> prime and make it N times harder for an attacker to read ANY of your
> mail.
What about doing both? :)
> In fact, many cryptographic standards just specify a menu of fixed
> D-H parameters for all implmentations for all time (e.g. RFC3526).
> Generating a set once at install time is also reasonable. Changing it
> daily is silly.
39.3 does not say "daily", it says "the frequency depending on your
paranoia level". Now how paranoid should Debian be? I have no idea, and
with my limited crypto skills, I can't give them a recommendation. Stock
Exim does exacly what you want, compute D-H params exactly once.
> I might also mention that 1024 bits (which is O(2^80) operations to
> break) is considered a bit small for serious security these days.
> GNU TLS defaults to 2048 bits, a more reasonable default.