Ok, I see now what you mean. I 'll try to hash the shared value with SHA1, then truncate it to obtain 128 bits ...
2011/4/20 Mike Mohr <akih...@gmail.com> > Look, the typical way you'd use the DH shared secret would be to hash > it using an appropriate hash function. I personally like using Tiger > with AES-192, YMMV. > > On Tue, Apr 19, 2011 at 3:56 PM, ikuzar <razuk...@gmail.com> wrote: > > So, have I to generate a prime with length = 3200 bits ?, ( the > > corresponding exponent will belong to 3200-bit MODP group ) in order to > > generate an AES 128 session key ? ( I use 2 as generator ). > > Here http://tools.ietf.org/html/rfc3526, it is said : > > "The new Advanced Encryption Standard (AES) cipher [AES], which has > > more strength, needs stronger groups. For the 128-bit AES we need > > about a 3200-bit group [Orman01]. ..;" > > in this IETF, 6 MODP groups are exposed. 3200-bit is not among this > > groups... > > Concretly, what should I write to obtain AES 128 session key? i Wrote > > something like this ( in command line ): > > openssl dhparam -outform PEM -out dhParams.pem -2 3200 > > Then I decode dhParams.pem into internal C struct: dh. Then I > > call DH_generate_key(DH *dh); > > , then DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); with > the > > peer pub_key > > and I finally want to store this session key at key > > > > > > 2011/4/19 Michael Sierchio <ku...@tenebras.com> > >> > >> Addendum - depending on the use of DH (usually using the DH shared > >> secret as a basis for key exchange), the choice of prime is more > >> important than private exponent length. Safe primes or strong primes > >> are warranted. Most systems use small generators (e.g., 2). > >> > >> - M > >> > >> On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr <akih...@gmail.com> wrote: > >> > You might take a look at RFC 3526: > >> > > >> > http://tools.ietf.org/html/rfc3526 > >> > > >> > It is my understanding that the DH exponent can be significantly > >> > shorter than the modulus without compromising security. RFC 3526 is > >> > from 2003, but I haven't found anything published since then that > >> > would make me think its assertions are invalid or outdated. The > >> > paranoid tinfoil hat crowd can probably take twice the maximum bit > >> > count from section 8 (620x2=1240) and be happy. > >> > > >> > Mike > >> > > >> > On Mon, Apr 18, 2011 at 8:01 AM, ikuzar <razuk...@gmail.com> wrote: > >> >> Hello, > >> >> I 'd like to know the length of DH session key generated by > >> >> DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : > >> >> http://www.openssl.org/docs/crypto/DH_generate_key.html > >> >> It is said that key must point to DH_size(dh) bytes of memory. is 128 > >> >> bits > >> >> the default length ? how can I adjust this length according the > >> >> symetric-key > >> >> algorithm I use ( AES128/ICM) > >> >> Thanks for your help. > >> >> > >> >> > >> > ______________________________________________________________________ > >> > OpenSSL Project > http://www.openssl.org > >> > User Support Mailing List > openssl-users@openssl.org > >> > Automated List Manager > majord...@openssl.org > >> > > >> ______________________________________________________________________ > >> OpenSSL Project http://www.openssl.org > >> User Support Mailing List openssl-users@openssl.org > >> Automated List Manager majord...@openssl.org > > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
