FYI, I asked Peter Gutmann about this, who recently posted some mathematical limits he used in:
http://permalink.gmane.org/gmane.ietf.smime/6175 His response is below. So there seems to be good reasons why we shouldn't allow too small DH prime modulus. Although I'd prefer if this were a bit better documented. /Simon From: [EMAIL PROTECTED] (Peter Gutmann) Subject: Re: On D-H prime modulus sizes in TLS To: [EMAIL PROTECTED] Date: Tue, 15 Apr 2008 20:11:37 +1200 Hi, >Thanks for providing those limits. You're welcome, and if you have any more please let me know - it costs almost nothing at key load since it's done only once, but can save a lot of headaches later. >Do you also have limits on the size of DH parameters in TLS? > >In GNUTLS we currently check if the prime modulus size is smaller than 712 >bits, and apparently there are some servers that trigger this check: > >http://thread.gmane.org/gmane.network.gnutls.general/1158 > >I have not found any useful references that discuss D-H prime modulus sizes >in TLS. I'm not sure if the table in section 8 of RFC 3526 applies. If it >does, and if <= 712 bit sizes are used widely, it seems somewhat bad. I use the same limits for DH as I do for RSA and DSA. While the strength of RSA and DH (or in general DLP-based PKCs) isn't really comparable, it is for DSA and DH, so requiring DSA to be >= 1024 bits but allowing DH down to 700 bits doesn't seem wise. Standards for DLP-based keys like FIPS 186 now require at least 1024-bit keys, so there's a good case for not allowing such short keys: it's a hard limit, you can't even get a product accepted for FIPS testing if you have keys shorter than 1024 bits. Peter. _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
