Dr. Stephen Henson | 15 Aug 00:24 2012

Re: Size of ephemeral DH keys

On Tue, Aug 14, 2012, no_spam_98@... wrote:

> Is there a correlation between the strength (size) of the asymmetric keys
> used to do the authentication and the strength (size) of the ephemeral DH
> keys generated/used to protect the session key (during the key exchange)?
> On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() function
> is only ever passed keylength == [512, 1024] - the result of the
> SSL_C_EXPORT_PKEYLENGTH() macro.  And a DH key of length 1024-bits is
> roughly equivalent to a 80-bit symmetric key.  It seems strange that it
> would be using a 80-bit key to protect the exchange of a 128- or 256-bit
> symmetric session key.
> I'm probably missing something in the OpenSSL implementation.  The
> documentation for SSL_CTX_set_tmp_dh_callback() says that the
> "tmp_dh_callback is called with the keylength needed..."  But surely this
> can't be only 512 or 1024...?  Is it up to the application to decide to use
> a larger key size based on the information from the SSL structure passed in?

The actual key length is only meaningful if the "is_export" parameter is
non-zero. This a legacy from the days when there were export restrictions on
strong crypto.

If is_export is zero you are free to use whatever parameter length you
consider appopriate but there is no guarantee the peer will support very large

It is more common practice to use a fixed set of DH parameters through the
SSL_CTX_set_tmp_dh API instead of using the callback.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...