On Sep 8, 2013, at 8:16 PM, Peter Gutmann wrote:

> Patrick Pelletier <[email protected]> writes:
>> It seems generally accepted that 1024-bit Diffie-Hellman is no
>> longer secure,
>
> Really? DLP != factoring.

I'm an engineer, not a cryptographer, and I don't claim to understand
the math. But I've seen statements to that effect here, for example:
http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html
The IETF's own RFC 3766/BCP 86 indicates that 1024-bit Diffie-Hellman
would fall in between a 70 and 80 bit symmetric key:
+-------------+-----------+--------------+--------------+
| System      |           |              |              |
| requirement | Symmetric | RSA or DH    | DSA subgroup |
| for attack  | key size  | modulus size | size         |
| resistance  | (bits)    | (bits)       | (bits)       |
| (bits)      |           |              |              |
+-------------+-----------+--------------+--------------+
|     70      |     70    |      947     |     129      |
|     80      |     80    |     1228     |     148      |
|     90      |     90    |     1553     |     167      |
|    100      |    100    |     1926     |     186      |
|    150      |    150    |     4575     |     284      |
|    200      |    200    |     8719     |     383      |
|    250      |    250    |    14596     |     482      |
+-------------+-----------+--------------+--------------+
and other such tables come to similar conclusions. For example,
ECRYPT II says a 1248-bit discrete log group only provides protection
until 2015:
http://www.keylength.com/en/3/

>> How about something along the lines of "Diffie-Hellman parameters
>> of at least 2048 bits SHOULD be chosen"?
>
> Why at least 2048 bits? What's wrong with 1280, or 1536, which will
> be quite a lot faster.

It seems like a good ballpark from looking at these tables, but I'm
certainly not claiming 2048 is exactly the right number. My point was
merely that the draft should say something about DH group size. If
1024 is in fact good enough, then it should say that, rather than
being silent on the subject.
--Patrick
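
An added example, not part of the original message or of any IETF draft: a Python sketch that reads the modulus size from a PKCS#3 `DH PARAMETERS` PEM block, places it between rows of the RFC 3766 table quoted above, and checks it against the 2048-bit floor proposed in the message. The function names, the `MIN_MODULUS_BITS` policy value and the sample input (an odd number of the right size, not a real prime) are assumptions for illustration.

```python
import base64

# (symmetric-equivalent bits, RSA/DH modulus bits): rows of the RFC 3766 table quoted above
RFC3766_ROWS = [(70, 947), (80, 1228), (90, 1553), (100, 1926),
                (150, 4575), (200, 8719), (250, 14596)]
MIN_MODULUS_BITS = 2048  # floor proposed in the message; assumed policy, not a standard

def _read_tlv(buf, pos):  # one DER tag-length-value -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_modulus_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM block (SEQUENCE {p, g})."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def rfc3766_bracket(bits):  # strengths of the table rows just below / just above bits
    lower = max((s for s, m in RFC3766_ROWS if m <= bits), default=None)
    upper = min((s for s, m in RFC3766_ROWS if m > bits), default=None)
    return lower, upper

def audit(pem):
    bits = dh_modulus_bits(pem)
    return bits, rfc3766_bracket(bits), bits >= MIN_MODULUS_BITS

def _der(tag, value):  # minimal DER encoder, used only to build the sample input
    n, k = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + value

def sample_pem(bits):
    """Constructed input: p is an odd number of the requested size, NOT a real prime."""
    ints = [(1 << (bits - 1)) | 1, 2]
    body = b"".join(_der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in ints)
    b64 = base64.b64encode(_der(0x30, body)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"
```

`audit(sample_pem(1024))` returns `(1024, (70, 80), False)`, the same placement between the 70- and 80-bit rows that the message reads off the table.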