Re: stunnel 5.46 released


 



FWIW, I'm with Viktor in this argument. From a cryptography point of view he's right. I suspect he's right from the practical point of view as well.

P.S. Those concerned that a nation-state would attack them are advised to change the default config anyway.
--
Regards,
Uri Blumenthal

On 5/31/18, 14:01, "openssl-users on behalf of Viktor Dukhovni" <openssl-users-bounces@xxxxxxxxxxx on behalf of openssl-users@xxxxxxxxxxxx> wrote:

    
    
    > On May 31, 2018, at 12:37 PM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
    > 
    > I would not say that weak DH parameters are fully rejected by OpenSSL.
    > The 1024 bit DH parameters could be in theory attacked by state
    > agencies by precomputation of the discrete logarithm table.
    
    That's speculative.  If the idea is to prefer kECDHE over kDHE,
    OpenSSL already does that.  In practice ECDHE is negotiated
    when available.  The issue at hand is whether kDHE is worse
    than kRSA.  Which is more likely: later key compromise or
    a brute force attack on 1024-bit DHE likely costing 10's to
    100's of millions of dollars per key...
    
    > And openssl
    > still accepts 1024 bit DH by default if I am not mistaken.
    
    Yes, but unless you're another nation-state with secrets
    worth attacking at all costs, it seems rather unlikely
    that this is a concern.
    
    -- 
    	Viktor.
    
    -- 
    openssl-users mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
    

