Is there a correlation between the strength (size) of the asymmetric keys used to do the authentication and the strength (size) of the ephemeral DH keys generated/used to protect the session key (during the key exchange)?
On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() function is only ever passed keylength == [512, 1024] - the result of the SSL_C_EXPORT_PKEYLENGTH() macro. And a DH key of length 1024-bits is roughly equivalent to a 80-bit symmetric key. It seems strange that it would be using a 80-bit key to protect the exchange of a 128- or 256-bit symmetric session key. I'm probably missing something in the OpenSSL implementation. The documentation for SSL_CTX_set_tmp_dh_callback() says that the "tmp_dh_callback is called with the keylength needed..." But surely this can't be only 512 or 1024...? Is it up to the application to decide to use a larger key size based on the information from the SSL structure passed in? More generally, is there a standard that defines or set of "best practices" that recommends the strength of ephemeral DH keys based on the cipher suite, strength (size) of the keys used for authentication, etc.? Thanks. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
