Well, I'm attacking a protocol. I know the rules of DH parameters, and the issue here is that I'm trying to solve for x; brute forcing that in the 128-bit range can be difficult, and x doesn't have to be a prime (a = g^x mod P). Their primes are 128-bit primes, as well as their pubkeys. I've done some tests on their primes, and all satisfy (p-1)/2 = prime. This eliminates the Pohlig-Hellman discrete logarithm attack, but I'm trying to learn the Gaussian integer method.
Lance James

----- Original Message -----
From: "Derek Atkins" <[EMAIL PROTECTED]>
To: "NOP" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 10:53 AM
Subject: Re: Diffie-Hellman 128 bit

> Hi,
>
> I'm sorry to inform you, but a brute-force attack on a 128-bit prime
> is simple to mount. I don't think I can estimate the length of time
> to attack a prime of this length, but it wouldn't be very long.
> Consider that 425 bits is only about 4KMY (Kilo-MIP-Years) -- with
> today's 2KM+ processors you're probably talking about a week or less to
> crack it. Also, there aren't THAT many "strong" 128-bit primes.
>
> If you're using these numbers for real data (even if ephemeral), I
> would suggest using at least 512-bit ephemeral DH primes. But then
> you need some way to securely AGREE upon the ephemeral prime.
>
> How do you intend to prevent an attacker from forcing you to agree to
> a prime that it's already solved?
>
> -derek
>
> NOP <[EMAIL PROTECTED]> writes:
>
> > I am looking at attacks on Diffie-Hellman.
> >
> > The protocol implementation I'm looking at designed their Diffie-Hellman
> > using 128-bit primes (generated each time, yet P-1/2 will be a prime, so no
> > go on Pohlig-Hellman attack), so what attacks are there that I can look at
> > to come up with either the logarithm x from (a=g^x mod p) or the session key
> > that is calculated. A brute force wouldn't work, unless I know the starting
> > range. Are there any realistic attacks on DH parameters of this size, or is
> > it theoretically based on financial computation attacks?
> >
> > Thanks for your time.
> >
> > Lance James
> >
> > ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
>
> --
> Derek Atkins
> Computer and Internet Security Consultant
> [EMAIL PROTECTED] www.ihtfp.com
