[Ach] [cryptography] Diffie-Hellman Params Best Practice on Web Server?

Aaron Zauner azet at azet.org
Wed Dec 11 17:57:03 CET 2013


Hi,

The same holds true for RSA and factoring primes in general. If we go there we should consider telling people to turn away from modern technology (Ted Kaczynski managed that pretty well,.. oh. wait.).

Let's recap the Diffie-Hellman key exchange (I quote Applied Cryptography by Bruce Schneier since it describes the algorithm very well and easily):
"""
	(1) Alice chooses a random large integer x and sends Bob
		X = g^x mod n
	(2) Bob chooses a random large integer y and sends Alice
		Y = g^y mod n
	(3) Alice computes
		k = Y^x mod n
	(4) Bob computes
		k' = X^y mod n

	Both k and k' are equal to g^xy mod n. No one listening on the channel can compute that value; they only know n, g, X, and Y. Unless they can compute the discrete logarithm and recover x or y, they do not solve the problem. So, k is the secret key that both Alice and Bob computed independently. The choice of g and n can have a substantial impact on the security of this system. The number (n - 1)/2 should also be a prime. And most important, n should be large: The security of the system is based on the difficulty of factoring numbers the same size as n. You can choose any g, such that g is primitive mod n; there's no reason not to choose the smallest g you can, generally a one-digit number. (And actually, g does not have to be primitive; it just has to generate a large subgroup of the multiplicative group mod n.)
"""
See also: http://cacr.uwaterloo.ca/hac/about/chap12.pdf (Page 516) and http://en.wikipedia.org/wiki/Multiplicative_group_of_integers_modulo_n

Aaron

On 11 Dec 2013, at 16:48, Pepi Zawodsky <pepi.zawodsky at maclemon.at> wrote:

> Food for thought…
> When everybody uses the same DH parameters it becomes worthwhile to brute force them, since if you manage to crack them, you get a lot of traffic you can access. More diversity makes that a broader target with less benefit to invest money/cycles/efforts into.
> 
> That of course is not really cryptographically sound reasoning.
> Best regards
> Pepi
> 
> On 11.12.2013, at 02:28, Aaron Zauner <azet at azet.org> wrote:
>> reason to generate your own DH params
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
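As an added illustration (not part of the thread or of Schneier's text), the Python below turns the two conditions from the quoted recap into checks a server operator can run on a DH parameter set: n is a "safe prime" (n and (n - 1)/2 both prime) and g generates a subgroup of order at least (n - 1)/2, so a generator of order 1 or 2 is rejected. It also generates a fresh safe prime, in the spirit of "generate your own DH params", and runs steps (1) to (4); the 64-bit size is an assumption made only so the example runs instantly and is far too small for real use.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; a composite slips through with probability < 4**-rounds."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES              # trial division settles small n
    d, s = n - 1, 0
    while d % 2 == 0:                         # write n - 1 = d * 2**s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness found: n is composite
    return True

def is_safe_prime(n):
    """Schneier's condition: n prime and (n - 1)/2 prime."""
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)

def generator_order(g, n):
    """Order of g mod a safe prime n = 2q + 1; the only options are 1, 2, q, 2q."""
    q, g = (n - 1) // 2, g % n
    if g in (1, n - 1):
        return 1 if g == 1 else 2             # trivial subgroups: useless as g
    return q if pow(g, q, n) == 1 else 2 * q

def check_dh_params(g, n):
    """Accept (g, n) only if n is a safe prime and g generates the q- or 2q-subgroup."""
    return n > 3 and is_safe_prime(n) and generator_order(g, n) >= (n - 1) // 2

def generate_safe_prime(bits):
    """Draw random odd q with bits-1 bits until both q and 2q + 1 are prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def dh_exchange(g, n):
    """Steps (1)-(4) of the quoted recap; returns Alice's k and Bob's k'."""
    x, y = secrets.randbelow(n - 2) + 1, secrets.randbelow(n - 2) + 1
    X, Y = pow(g, x, n), pow(g, y, n)         # the only values sent over the channel
    return pow(Y, x, n), pow(X, y, n)
```

For a safe prime, any g between 2 and n - 2 already has order q or 2q, which is why the recap says the smallest g (such as 2) is fine; the check matters when n is not a safe prime or g was chosen carelessly.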


