On 28/01/14 14:13, j.witvl...@mindef.nl wrote:
[...snip...]
>
> You are right, the DH is just a safe way for transporting keys, by
> means of prime numbers (or curves). So the longer they are, the
> better. But even though when using a decent length, when using them
> very intensively for years, what are they still worth...
As the DH is a public factor ... I struggle to see how long-time usage
will impact it. The DH params are only sent to the client (in clear
text) when it connects, as part of the key exchange, before the
encryption has been established. So if you're concerned about the
integrity of the temporary encryption keys, the DH param isn't really
that valuable. It's a big prime number, and not even guaranteed to be
unique.

Something which might help shed more light on how SSL/TLS works:
<http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297>

> With regards to the generation time, I just tried some out:
>
> DH      group2    group5
> 512     0.4s      1.5s
> 1024    3.5s      30s
> 2048    99s       5min
> 4096    13min     30min
>
> And when doing this virtualized, quite a bit longer ;-)

Yeah, these aren't atypical numbers. Group5 takes longer, as it has to
find more prime numbers than group2.

> Might seem long, but 5 minutes for a 2K-group-5 DH, if you only
> need to do this every 3 months or so, should not pose such a
> burden. And probably, it will take longer for other groups (14
> ..24). As long as it does not have significant impact upon the
> creation of a vpn tunnel....

It is possible to have "dynamically created DH params" for each
connection, but it's not widely used, as you basically want 2048 bits,
and establishing an SSL/TLS connection would then take almost 2 minutes.

> I saw some traffic about ECDH, and tried to generate some of them,
> and it seems that even one of the longest, sect571, is taking up
> just 0.022 second. (time openssl ecparam -genkey -out sect571r1.pem
> -name sect571r1) Would be nice if openvpn could work with these
> ECDH groups.

It's coming :) ... if you want to help out testing it, please pay
attention to the openvpn-devel list. You can get more info by joining
our #openvpn-devel IRC channel on FreeNode as well ... currently patches
are under development/review, iirc.
-- 
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
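To make David's point concrete: the DH modulus and generator are public and cross the wire in clear, so their age does not matter; what protects each connection is the fresh private exponent, and what is worth checking is that the group itself is sound (a genuine safe prime of adequate size, a generator of prime order) and that the peer's public value is not a trivial or small-subgroup value. The following is an added example for this thread, not OpenVPN or OpenSSL code. It assumes the fixed 2048-bit MODP group 14 from RFC 3526 (the "group 14" the quoted message mentions); the hex constant is transcribed from that RFC and is re-verified at runtime as a safe prime, so a transcription error is caught rather than silently weakening the group. Two handshakes over the same group are shown to yield different secrets.

```python
"""Ephemeral DH over a fixed, public MODP group, plus the checks a peer should run.

Added example for this mailing-list thread; not OpenVPN's or OpenSSL's code.
Assumes RFC 3526 group 14 (2048-bit MODP, generator 2).
"""
import functools
import secrets

# RFC 3526 group 14.  p is a safe prime: p = 2q + 1 with q also prime.
MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6
49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8
FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C
180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF
FFFFFFFF
"""
P = int("".join(MODP_2048_HEX.split()), 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; error probability <= 4**-rounds."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@functools.lru_cache(maxsize=None)
def validate_group(p, g):
    """Accept only a >=2048-bit safe prime p and a generator g of prime order q.

    A dhparam file or a peer can hand you any p; a composite or smooth-order
    modulus would make the exchange trivially breakable, so check it once.
    """
    if p.bit_length() < 2048:
        return False
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    return 1 < g < p - 1 and pow(g, q, p) == 1


def check_public_value(y, p):
    """Reject 0, 1, p-1 and out-of-range values, then require y in the
    order-q subgroup (defeats small-subgroup and trivial-key games)."""
    if not 1 < y < p - 1:
        return False
    return pow(y, (p - 1) // 2, p) == 1


class Party:
    """One side of the handshake.  Only x is secret; p, g and y go on the
    wire in clear and are exactly what a passive observer sees."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.x = 1 + secrets.randbelow((p - 1) // 2 - 1)   # fresh exponent per connection
        self.y = pow(g, self.x, p)                         # public value

    def shared_secret(self, peer_y):
        if not check_public_value(peer_y, self.p):
            raise ValueError("peer public value rejected")
        return pow(peer_y, self.x, self.p)


def run_exchange(p=P, g=G):
    """One handshake over the fixed group; returns the agreed secret.

    Run it twice: the group is identical both times, the secret is not,
    which is why reusing p across connections for years costs nothing.
    """
    if not validate_group(p, g):
        raise ValueError("DH group rejected")
    client, server = Party(p, g), Party(p, g)
    k_server = server.shared_secret(client.y)   # server receives client.y
    k_client = client.shared_secret(server.y)   # client receives server.y
    assert k_client == k_server
    return k_client


if __name__ == "__main__":
    k1, k2 = run_exchange(), run_exchange()
    print("group valid; two handshakes, same group, different secrets:", k1 != k2)
```

The group validation is the expensive part (two 2048-bit primality tests) and is cached, which mirrors what a real server does: validate the dhparam file once at start-up, then spend only a few modular exponentiations per connection. The same reasoning carries over to the ECDH groups mentioned above: the named curve is public and fixed, and the per-connection scalar is what stays secret.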