[LINK] RFI: The Key-Length Currently Needed for SSL Security
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Dec 10 11:04:17 AEDT 2010
At 9:10 +1000 10/12/10, rene wrote:
>http://www.geekrant.org/2010/12/10/citylink-poor-security/
This is odd too.
1. The message from Chrome is:
>This error message is triggered if the SSL/TLS handshake attempts to
>use a public key, smaller than 512 bits, for ephemeral
>Diffie-Hellman key agreement.
2. But then it recommends:
>use a 1024-bit (or larger) Diffie-Hellman key ...
The first comment on the article contains a material error, but it
does lead to one speculation:
I wonder if the Chrome message is badly expressed, and should be
referring to the length of the random number used as a basis for both
parties to generate the symmetric encryption key.
The process is neatly described here:
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Description
* In order to generate the session keys used for the secure
connection, the client encrypts a random number (RN) with the
server's public key (PbK), and sends the result to the server. Only
the server should be able to decrypt it (with its private key (PvK)):
this is the one fact that makes the keys hidden from third parties,
since only the server and the client have access to this data. The
client knows PbK and RN, and the server knows PvK and (after
decryption of the client's message) RN. A third party is only able to
know RN if PvK has been compromised.
* From the random number, both parties generate key material for
encryption and decryption.
But unfortunately I can't see an indication of which standard
declares how long the random number should be, nor what current
standards say about it.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
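
Added example (not part of the original message, and not Chrome's code): a short Python parser for the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 2-byte length followed by the value) that a server sends in ServerKeyExchange for ephemeral Diffie-Hellman. It applies the two sizes from the quoted Chrome message, 512 and 1024 bits. Measuring the group prime dh_p as the quantity that message refers to is an assumption, and the function names and sample values are constructed for illustration.

```python
import struct

# Thresholds from the Chrome message quoted in the post above.
REJECT_BELOW_BITS = 512
RECOMMENDED_BITS = 1024


def read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then the data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("empty or truncated vector")
    return buf[offset + 2:end], end


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body.

    The signature that follows ServerDHParams is ignored.
    """
    offset, values = 0, []
    for _ in range(3):
        raw, offset = read_vector(body, offset)
        values.append(int.from_bytes(raw, "big"))
    return dict(zip(("p", "g", "ys"), values))


def classify_dh_group(params):
    """Return (bit length of dh_p, verdict) using the two thresholds above."""
    bits = params["p"].bit_length()
    if bits < REJECT_BELOW_BITS:
        return bits, "reject"
    if bits < RECOMMENDED_BITS:
        return bits, "below-recommended"
    return bits, "ok"


def build_body(p, g, ys):
    """Constructed sample input: encode three integers as ServerDHParams."""
    raws = [v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (p, g, ys)]
    return b"".join(struct.pack("!H", len(r)) + r for r in raws)


if __name__ == "__main__":
    # Constructed values of the right size only; these are not real DH primes.
    for size in (256, 768, 1024):
        body = build_body((1 << (size - 1)) | 1, 2, 5)
        print(size, classify_dh_group(parse_server_dh_params(body)))
```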