> On Fri, Jun 25, 1999 at 08:43:14AM -0700, Eric Rescorla wrote:
>
> >> Forward secrecy is exactly the point (that's what the temporary keys
> >> are for, if we leave aside export ciphers). You're right that it
> >> shouldn't be necessary to create a fresh key every time we need one,
> >> but it does not cost a lot;
>
> > I'm not sure what you mean by 'doesn't cost a lot'. It essentially
> > doubles the computation cost, because it requires two modular
> > exponentiations instead of one.
>
> But this doesn't make it twice as expensive, because for the first
> exponentiation the generator is usually 2;
If that's how your implementation does it. X9.42 DH, for instance,
uses a full-size generator. (Admittedly now we're getting outside
SSL).
> and if that's still too
> slow (1024 squaring operations), the obvious change would be to use DH
> parameters with a 160-bit subprime and a 160-bit secret exponent (160
> squarings and ca. 80 full-size multiplications, and even the second
> exponentiation will benefit from this).
If you use a subprime, you have to worry about small subgroup
isuses.
> Anyway, if you're not that
> concerned about forward-secrecy and standard conformance,
I'm not worried about forward-secrecy and I don't believe that
this is a standards conformance issue. I've just reviewed
RFC-2246 and I don't see where it says you can't reuse ephemeral
DH keys.
-Ekr
[Eric Rescorla [EMAIL PROTECTED]]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
