
Re: DH Group strengths



>	 From the Oakley draft,
>
>	 Wellknown group                    Group Strength (bits)
>	 ---------------                    ---------------------
>	 1                                          66
>	 2                                          77
>	 3                                          76
>	 4                                          91
>	Am I correct in assuming that these are the maximum possible strengths 
>	of the groups, i.e. no matter what the size of the exponent, the group 
>	cannot provide better strength?  

Yes.  Also note that these are estimates based on state of the art; they
can only decrease over time.

> If this is the case, then which one 
>	 of the above groups can be used to derive a key for 3DES?

What actual strength do you want for 3DES?  There's a sort of general
consensus that 80-90 bits is sufficient for most purposes.  

>  Does the 
>	 SKEYID computation described in the resolution draft add to the 
>	 strength of the keymaterial?

No.

>	 Also, if keys are to be generated for an authentication algorithm, and 
>	 an encryption algorithm, is the key length for the authentication 
>	 algorithm also a factor in selecting a DH group?  

No.  The strength indicates how long it would take to derive the key
by brute force, and this is basically the same as for encryption.

>If yes, how are the 
>	 key requirements for the two algorithms combined in choosing a DH 
>	 group?  For example, if ESP is to use DES and HMAC-MD5, then 56 bits 
>	 are required for DES and 128 bits for HMAC-MD5.  Does this mean that 
>	 the DH group should provide 56 + 128 = 184 bits of strength, or 128 
>	 bits or 56 bits or some combination of 56 and 128?  Also, how would 
>	 the length of the DH exponent be picked?  Would it be 184 *2, or 56 
>	 *2, or 128 *2?

As above, no, there's no need to combine the strengths.  Also note
that each bit of strength adds significant time to the DH
computations, because the size of the integers increases.  200 bits of
strength would be really, really slow (to use a common term of
quantification).
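An added illustration of two of the answers above (the group strength is a ceiling that a longer exponent cannot raise, and the SKEYID prf adds nothing to it), not part of the original thread: a Python sketch over a constructed 17-bit group, with the SKEYID shape for signature authentication (HMAC-MD5 over g^xy keyed by the two nonces) assumed from the resolution draft.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a 17-bit prime so the exhaustive search below runs in
# well under a second.  Real Oakley groups start at 768 bits; only the structure
# of the argument carries over, not the numbers.
TOY_P = 65537   # prime (2^16 + 1)
TOY_G = 3       # primitive root mod 65537, so g^x ranges over all of Z_p^*

def skeyid(ni: bytes, nr: bytes, gxy: int) -> bytes:
    """SKEYID for signature authentication, prf(Ni_b | Nr_b, g^xy) with
    HMAC-MD5 as the prf (assumed shape, after the resolution draft)."""
    gxy_b = gxy.to_bytes((gxy.bit_length() + 7) // 8, "big")
    return hmac.new(ni + nr, gxy_b, hashlib.md5).digest()

def dh_exchange(p: int, g: int, exponent_bits: int):
    """Honest exchange.  Returns both public values and the shared g^xy."""
    x = secrets.randbits(exponent_bits) | 1
    y = secrets.randbits(exponent_bits) | 1
    gx, gy = pow(g, x, p), pow(g, y, p)
    assert pow(gy, x, p) == pow(gx, y, p)
    return gx, gy, pow(gy, x, p)

def observer_skeyid(p: int, g: int, gx: int, gy: int, ni: bytes, nr: bytes):
    """What a passive observer gets from the public values alone: the
    discrete log of g^x by trying every exponent of the group, and from it
    SKEYID.  Returns (skeyid, number of candidates tried)."""
    for cand in range(1, p):            # at most p-1 candidates, whatever bit
        if pow(g, cand, p) == gx:       # length x was drawn with
            return skeyid(ni, nr, pow(gy, cand, p)), cand
    raise ValueError("g is not a generator or gx is not in the group")

def demo(exponent_bits: int = 128):
    """Exchange with a 128-bit exponent in a 17-bit group; the observer still
    needs at most p-1 = 65536 tries: the group strength is the ceiling, the
    exponent length cannot raise it and the prf does not add to it."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # public nonces
    gx, gy, gxy = dh_exchange(TOY_P, TOY_G, exponent_bits)
    real = skeyid(ni, nr, gxy)
    recovered, tries = observer_skeyid(TOY_P, TOY_G, gx, gy, ni, nr)
    return real == recovered, tries, len(real) * 8

if __name__ == "__main__":
    ok, tries, out_bits = demo()
    print(f"SKEYID recovered: {ok}; candidates tried: {tries} (<= {TOY_P - 1}); "
          f"SKEYID is {out_bits} bits wide but worth ~16 bits of effort")
```

The 128-bit SKEYID output is as wide as an HMAC-MD5 key, yet the work to recover it is bounded by the group, which is why the questioner's 56 + 128 sum has no bearing on group choice.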