On Tue, Aug 14, 2012 at 12:23 PM, <no_spam...@yahoo.com> wrote: > Is there a correlation between the strength (size) of the asymmetric keys > used to do the authentication and the strength (size) of the ephemeral DH > keys generated/used to protect the session key (during the key exchange)? Yes, there is.
> On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() function > is only ever passed keylength == [512, 1024] - the result of the > SSL_C_EXPORT_PKEYLENGTH() macro. And a DH key of length 1024-bits is roughly > equivalent to a 80-bit symmetric key. It seems strange that it would be > using a 80-bit key to protect the exchange of a 128- or 256-bit symmetric > session key. That's a classic Security Level mismatch. > I'm probably missing something in the OpenSSL implementation. The > documentation for SSL_CTX_set_tmp_dh_callback() says that the > "tmp_dh_callback is called with the keylength needed..." But surely this > can't be only 512 or 1024...? Is it up to the application to decide to use a > larger key size based on the information from the SSL structure passed in? No, OpenSSL is doing things per the standards. The standards are the problem here. > More generally, is there a standard that defines or set of "best practices" > that recommends the strength of ephemeral DH keys based on the cipher suite, > strength (size) of the keys used for authentication, etc.? > Yes, FIPS, ECRYPT, NESSIE, etc: * SP800-57, Part 1, Recommendation for Key Management, Section 5.6.1 * SP 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths * ECRYPT2 Yearly Report on Algorithms and Keysizes (2010) Also see http://www.cryptopp.com/wiki/Security_Level. Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org