Re: Diffie-Hellman parameters
- Nov 17, 2013
On 17.11.2013 23:36, Fedor Brunner wrote:
> Please increase the size of Diffie-Hellman parameters in
> You recommend 1024 bit DH parameters, but for long term protection,
> these parameters are too short.
> During ephemeral Diffie-Hellman (EDH) key exchange a temporary key is
> generated from DH parameters. This temporary key is used for encryption
> of the communication and the server public RSA key is used ONLY for
> signing of this temporary key and NOT for encryption of the
> communication. If you use DH parameters shorter than your RSA key, you
> are weakening your encryption.
> If you are interested in more technical information about key sizes I
> highly recommend:
> Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0,
> ICT-2007-216676 ECRYPT II, 09/2012.
> Recommendation for Key Management, Special Publication 800-57 Part 1
> Rev. 3, NIST, 07/2012

That's all fine, but it breaks interoperability, leading in opportunistic mode (which is needed on the MTA side) to clients falling back to *unencrypted* connections - so you may consider what is better: 1024 bit or no encryption at all.

You can do that on a webserver but not on an MTA.
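The comparison the two posts are arguing about, as an added example that is not part of this thread or of any MTA's code: it parses the `Server public key is N bit` and `Server Temp Key: ...` lines that recent `openssl s_client` versions print at the end of a handshake, and rates the certificate's RSA key against the ephemeral DH (or ECDH) key using the security-strength table from NIST SP 800-57 Part 1 that the quoted post cites. The session transcript below is constructed for the example, not captured from a real server; the `mx.example.test` name and the 1024/2048-bit values are made-up assumptions. Run the same parser over the saved output of `openssl s_client -starttls smtp -connect <your-mx>:25` to see which of the two keys is actually the weakest link for a given MTA.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of an `openssl s_client -starttls smtp` session.
# Host name and key sizes are invented for this example.
SAMPLE_SESSION = """\
---
Server certificate
subject=CN = mx.example.test
issuer=CN = Example Test CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2593 bytes and written 433 bytes
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
"""

# NIST SP 800-57 Part 1, Table 2: security strength in bits for RSA moduli
# and finite-field DH moduli of the given size.
FFC_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def ffc_strength(bits: int) -> int:
    """Strength of an RSA / finite-field DH modulus, rounded down to a table row."""
    rows = [b for b in sorted(FFC_STRENGTH) if b <= bits]
    return FFC_STRENGTH[rows[-1]] if rows else 0  # below 1024 bits: no sanctioned strength


def ecc_strength(bits: int) -> int:
    """An elliptic-curve group of n bits gives roughly n/2 bits of strength (same table)."""
    return bits // 2


@dataclass
class HandshakeKeys:
    cipher: str
    server_key_bits: int   # RSA key in the certificate: it only signs the ephemeral key
    temp_key_kind: str     # "DH", "ECDH", "X25519", ...
    temp_key_bits: int     # ephemeral key that actually protects the session traffic

    @property
    def server_key_strength(self) -> int:
        return ffc_strength(self.server_key_bits)

    @property
    def temp_key_strength(self) -> int:
        if self.temp_key_kind == "DH":
            return ffc_strength(self.temp_key_bits)
        return ecc_strength(self.temp_key_bits)

    @property
    def weakest_link(self) -> str:
        """'temp' when the ephemeral key is the limiting factor, else 'certificate'."""
        return "temp" if self.temp_key_strength < self.server_key_strength else "certificate"


_RE_CIPHER = re.compile(r"Cipher is (\S+)")
_RE_PUBKEY = re.compile(r"Server public key is (\d+) bit")
# Matches "DH, 1024 bits", "ECDH, P-256, 256 bits" and "X25519, 253 bits".
_RE_TEMP = re.compile(r"Server Temp Key: (\w+)(?:, [\w-]+)*, (\d+) bits")


def parse_s_client(output: str) -> Optional[HandshakeKeys]:
    """Extract both key sizes; None if there was no ephemeral key (static RSA or no TLS)."""
    c, p, t = _RE_CIPHER.search(output), _RE_PUBKEY.search(output), _RE_TEMP.search(output)
    if not (c and p and t):
        return None
    return HandshakeKeys(c.group(1), int(p.group(1)), t.group(1), int(t.group(2)))


def report(output: str) -> str:
    """One-line verdict suitable for a monitoring check."""
    k = parse_s_client(output)
    if k is None:
        return "no ephemeral key exchange observed (static RSA key exchange or handshake failed)"
    return (f"{k.cipher}: certificate key {k.server_key_bits} bit (~{k.server_key_strength}-bit), "
            f"ephemeral {k.temp_key_kind} {k.temp_key_bits} bit (~{k.temp_key_strength}-bit); "
            f"weakest link: {k.weakest_link}")


if __name__ == "__main__":
    print(report(SAMPLE_SESSION))
```

A `None` result is worth alarming on too: with opportunistic TLS a client that cannot agree on parameters may, as the reply points out, have fallen back to cleartext, so the absence of any `Server Temp Key` line is as interesting as a short one.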