On 13 nov. 2013, at 16:31, Fedor Brunner <[email protected]> wrote:
> Hi all, > the IM Observatory displays use of the DHE key exchange and there is a > note "Ephemeral Diffie-Hellman is a key exchange algorithm with forward > secrecy. The security depends on the Diffie-Hellman parameters used by > the server". But the actual strength of the DH parameters is not displayed. > > This information is quite important because during DHE key exchange a > temporary key is generated. This temporary key is used for encryption of > the communication and the server public RSA key is used ONLY for signing > of this temporary key and NOT for encryption of the communication. The > problem is that in many cases the temporary key much shorter than the > server RSA key. > > For example the server jabber.ccc.de uses 2048 bit RSA public key, but > the length of the temporary key is only 1024 bit. The public key score > is 90, cipher score is 90 > http://xmpp.net/result.php?domain=jabber.ccc.de&type=server > > Many administrators enable forward secrecy, but because they set > incorrect DH parameters they weaken the encryption. Please display the > actual strength of DH parameters and use it also to calculate the score. > > https://wiki.openssl.org/index.php/Diffie-Hellman_parameters > https://wiki.openssl.org/index.php/Diffie_Hellman Indeed, that is a good thing to check and it is on my TODO list. I haven't yet looked at how easy it is to check the dhparam sent by the server using OpenSSL, though. The elliptic curve chosen by the server would be interesting too. Thijs
signature.asc
Description: Message signed with OpenPGP using GPGMail
