On Fri, Jun 25, 1999 at 02:38:48PM -0700, Eric Rescorla wrote:
>> slow (1024 squaring operations), the obvious change would be to use DH
>> parameters with a 160-bit subprime and a 160-bit secret exponent (160
>> squarings and ca. 80 full-size multiplications, and even the second
>> exponentiation will benefit from this).
> If you use a subprime, you have to worry about small subgroup
> isuses.
I don't think so, because we have a signature that covers the host's
DH parameters, and we use every DH key just once so that there's no
target for Lim-Lee style attacks.
>> Anyway, if you're not that
>> concerned about forward-secrecy and standard conformance,
> I'm not worried about forward-secrecy and I don't believe that
> this is a standards conformance issue. I've just reviewed
> RFC-2246 and I don't see where it says you can't reuse ephemeral
> DH keys.
Depends on how you interpret the word "ephemeral" in this context;
I don't think that it's a coincidence that the adjective is not the
same as for RSA keys.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
