On Tue, Oct 20, 2015 at 7:43 PM, Giancarlo Razzolini
<[email protected]> wrote:
> On 20-10-2015 10:25, Kimmo Paasiala wrote:
>> Someone correct me if I'm wrong, but as far as I know the prime numbers
>> used in DH group exchange are not secret but must be known by everyone
>> (and a couple of other parameters are also public) for the key exchange to
>> be possible in the first place.
>
> How is that different from pre-shared keys then? You can generate your
> own primes. If you don't, the defaults get used. And it is these
> defaults that can be precomputed, because almost everyone does not
> generate their own DH parameters.
>
>> What the NSA can do is to perform a
>> "pre-calculation" over the possible key exchange results, and the
>> danger is that a too-small DH group can be covered sufficiently by
>> them to be able to crack the DH exchange on the fly.
>>
>> Hence the recommendation to increase the size of the group used.
>
> The OpenSSH project regenerates the moduli file every release, AFAIK.
> And the DH parameters for IPsec on OpenBSD just got bumped to 3072 if
> I'm not mistaken. Bottom line, generate your own (big) parameters and
> keep them as safe as possible. The DH parameters are even more important
> than your private key. Especially if you do not change them after a key
> replacement.
>
> Cheers,
> Giancarlo Razzolini
>
>
>

There are probably some implementation details, and the plain DH
exchange is not used alone because it's totally insecure against
man-in-the-middle attacks, but the basics should be the same: the prime
numbers are not keys but fixed parameters to the DH exchange
algorithm. Maybe someone who knows more can chime in?

-Kimmo
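
The point under discussion, as an added example that is not part of the original messages: the group (P, G) is public and fixed, the per-session secrets are the exponents, and any pre-calculation depends only on the group. The 31-bit prime, the generator and the baby-step giant-step table are assumptions chosen so it runs in a second; they stand in for the far larger groups and the pre-calculation the thread talks about.

```python
import math
import secrets

# Constructed toy group, public to everyone: P = 2**31 - 1 is prime and
# G = 7 generates its multiplicative group. Real groups use 2048+ bit primes.
P = 2**31 - 1
G = 7

def keypair():
    """The private exponent never leaves the host; only G^x mod P is sent."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared(priv, peer_pub):
    """Both ends compute G^(a*b) mod P from their own secret and the peer's public value."""
    return pow(peer_pub, priv, P)

def precompute(p, g):
    """Baby-step table. It is built from the public (p, g) alone, before any session."""
    m = math.isqrt(p - 1) + 1
    table, e = {}, 1
    for j in range(m):
        table.setdefault(e, j)
        e = e * g % p
    return m, table, pow(g, -m, p)

def dlog(pub, p, pre):
    """Giant steps: find x with g^x == pub (mod p) using the stored table."""
    m, table, step = pre
    gamma = pub
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    return None

def sessions_recovered(n=2):
    """Run n independent exchanges; one table, built once, is reused for each."""
    pre = precompute(P, G)
    out = []
    for _ in range(n):
        a, A = keypair()
        b, B = keypair()
        key = shared(a, B)
        assert key == shared(b, A)      # both ends agree
        x = dlog(A, P, pre)             # uses only values seen on the wire
        out.append(pow(B, x, P) == key)
    return out

if __name__ == "__main__":
    print(sessions_recovered())
```

The table costs about sqrt(P) work and memory, which is why the size of the group is what decides whether such a table can exist at all.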
