On Tue, Aug 14, 2012, no_spam...@yahoo.com wrote: > Is there a correlation between the strength (size) of the asymmetric keys > used to do the authentication and the strength (size) of the ephemeral DH > keys generated/used to protect the session key (during the key exchange)? > > On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() function > is only ever passed keylength == [512, 1024] - the result of the > SSL_C_EXPORT_PKEYLENGTH() macro. And a DH key of length 1024-bits is > roughly equivalent to a 80-bit symmetric key. It seems strange that it > would be using a 80-bit key to protect the exchange of a 128- or 256-bit > symmetric session key. > > I'm probably missing something in the OpenSSL implementation. The > documentation for SSL_CTX_set_tmp_dh_callback() says that the > "tmp_dh_callback is called with the keylength needed..." But surely this > can't be only 512 or 1024...? Is it up to the application to decide to use > a larger key size based on the information from the SSL structure passed in? >
The actual key length is only meaningful if the "is_export" parameter is non-zero. This a legacy from the days when there were export restrictions on strong crypto. If is_export is zero you are free to use whatever parameter length you consider appopriate but there is no guarantee the peer will support very large values. It is more common practice to use a fixed set of DH parameters through the SSL_CTX_set_tmp_dh API instead of using the callback. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org