Thanks for your thoughts on this Hal. Quite educational. 

> Jeff Hodges wrote:
> > It turns out the supplied default for p is 1024 bit -- I'd previously 
> > goofed 
> > when using wc on it..
> >
> > DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057
> > F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7
> > 4B1448BFDFAF18828EFD2519F14E45E3826634AF1949E5B535CC829A483B8A76223E5D490A257F0
> > 5BDFF16F2FB22C583AB
> This p is a "strong" prime, one where (p-1)/2 is also a prime, a good
> property for a DH modulus.

Ok, so what tools did you use to ascertain that? I'm curious. 

> The generator g=2 generates the entire group,
> which is an OK choice. 

Same here.

> But that shouldn't matter,
> the shared secret should be hashed and/or used as the seed of a PRNG to
> generate further keys.

It is hashed, but isn't used to gen further keys. I'm crafting a review of the 
full DH exchange in the target spec that I'll post to the list today.

> The main problem as I said is that 1024 bit moduli are no longer
> considered sufficiently safe for more than casual purposes.

That's what I thought. 

> Particularly
> with discrete logs that use a widely-shared modulus like the one above,
> it would not be surprising to see it publicly broken in the next 5-10
> years, or perhaps even sooner. And if a public effort can accomplish it
> in a few years, conservatively we should assume that well funded secret
> efforts could already succeed today.


thanks again,


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to