[12773] in cryptography@c2.net mail archive


Re: Diffie-Hellman 128 bit

daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Mar 14 19:58:21 2003

X-Original-To: cryptography@wasabisystems.com
To: NOP <nop@trapped-under-ice.com>
Cc: cryptography@wasabisystems.com
From: Derek Atkins <derek@ihtfp.com>
Date: 14 Mar 2003 13:53:15 -0500
In-Reply-To: <006201c2e9aa$54768200$6f42420a@lanwan>

Hi,

I'm sorry to inform you, but a brute-force attack on a 128-bit prime
is simple to mount.  I don't think I can estimate the length of time
to attack a prime of this length, but it wouldn't be very long.
Consider that 425 bits is only about 4KMY (Kilo-MIP-Years) -- with
today's 2KM+ processors you're probably talking about a week or less to
crack it.  Also, there aren't THAT many "strong" 128-bit primes.

If you're using these numbers for real data (even if ephemeral), I
would suggest using at least 512-bit ephemeral DH primes.  But then
you need some way to securely AGREE upon the ephemeral prime.

How do you intend to prevent an attacker from forcing you to agree to
a prime that it's already solved?

-derek

NOP <nop@trapped-under-ice.com> writes:

> I am looking at attacks on Diffie-Hellman.
> 
> The protocol implementation I'm looking at designed their Diffie-Hellman
> using 128 bit primes (generated each time, yet (P-1)/2 will be a prime, so no
> go on Pohlig-Hellman attack), so what attacks are there that I can look at
> to come up with either the logarithm x from (a=g^x mod p) or the session key
> that is calculated. A brute force wouldn't work, unless I know the starting
> range. Are there any realistic attacks on DH parameters of this size, or is
> it theoretically based on financial computation attacks?
> 
> 
> Thanks for your time.
> 
> Lance James
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
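The two points raised in the reply, that a 128-bit modulus is far too short and that a peer who chooses the prime can hand you one it has already solved, both come down to parameter validation on the receiving side. The following is an added example written for this archive page, not code from either poster or from the implementation under discussion. It checks a proposed (p, g) the way a defender would before running DH: minimum size, p a safe prime ((p-1)/2 prime, as the question assumes), g of prime order q, and the peer's public value confined to the order-q subgroup so small-subgroup leakage is ruled out. The Miller-Rabin routine, the 2048-bit default minimum and the small constructed test primes (23, 47) are assumptions of this example; a real deployment would additionally pin the accepted groups to known-good values rather than accept arbitrary primes from the wire.

```python
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test (assumed helper, not from the thread)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def generic_dlog_work_bits(p):
    """Rough log2 of group operations a generic (Pollard-rho style) discrete
    log needs in the order-q subgroup of a safe prime p, i.e. about sqrt(q).
    This is an UPPER bound on attacker effort: index-calculus methods on
    primes of this size are far cheaper, which is the reply's point."""
    return (p.bit_length() - 1) // 2


def check_dh_params(p, g, min_bits=2048):
    """Return a list of problems with a proposed DH group; empty means OK.
    The 2048-bit floor is this example's assumption for modern use."""
    errors = []
    if p.bit_length() < min_bits:
        errors.append("modulus too short: %d bits (minimum %d)" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        errors.append("p is not prime")
        return errors
    q = (p - 1) // 2
    if not is_probable_prime(q):
        errors.append("(p-1)/2 is not prime, so p is not a safe prime")
        return errors
    if not 1 < g < p - 1:
        errors.append("generator out of range")
    elif pow(g, q, p) != 1:
        # In a safe-prime group g can only have order 2, q or 2q here;
        # requiring order q keeps every public value inside one prime-order
        # subgroup and makes the peer-key check below meaningful.
        errors.append("generator does not have prime order q")
    return errors


def check_peer_public(y, p):
    """Accept a peer's public value only if it lies in the order-q subgroup
    of the safe prime p (rejects 0, 1, p-1 and any element of order 2q)."""
    q = (p - 1) // 2
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def ephemeral_keypair(p, g):
    """Private exponent in [2, q-1], public value g^x mod p."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 2) + 2
    return x, pow(g, x, p)


def run_exchange(p, g):
    """Full checked exchange between two constructed parties; returns True
    when both sides validate the group and each other's key and agree."""
    if check_dh_params(p, g, min_bits=p.bit_length()):
        return False
    xa, ya = ephemeral_keypair(p, g)
    xb, yb = ephemeral_keypair(p, g)
    if not (check_peer_public(ya, p) and check_peer_public(yb, p)):
        return False
    return pow(yb, xa, p) == pow(ya, xb, p)


if __name__ == "__main__":
    # Constructed 5-bit safe prime p=23 (q=11); g=2 has order 11 mod 23.
    print(check_dh_params(23, 2))               # rejected: too short
    print(check_dh_params(23, 2, min_bits=5))   # [] once the size floor is waived
    print(generic_dlog_work_bits(2 ** 128))     # ~63-bit generic work for a 128-bit p
```

Run as-is it prints the size rejection for the toy group, an empty error list once the size floor is lowered to fit it, and the generic-attack exponent for a 128-bit modulus. The `min_bits` override exists only so the structural checks can be exercised on tiny constructed primes; in production leave the default.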

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
