Bug#475194: [exim-dev] Bug#475194: D-H parameter generation is All Wrong

[Tom Kistner]

Dear anonymous Crypto-Expert,

> There appears to be a fundamental misapprehension about the role of
> Diffie-Hellman parameters.  Section 39.3 conflates them with the the
> RSA secret key, which is actual secret key material and should not be
> called a "parameter".  The D-H parameters are not key material, and do
> not need to be protected from inspection.  In fact, they are sent in the
> clear to everyone who initiates a TLS session.  Since the Debian package
> doesn't generate an RSA key at all, the restrictive permissions looked
> like blatant cluelessness.

I've removed the references to RSA from 39.3 completely, thanks.

> It's also not very important that the D-H parameters be changed often;

So there still is some value in changing them?

> while changing them N times makes it N times as much work for an attacker
> that wants to read ALL of your mail, it's better to just use a larger
> prime and make it N times harder for an attacker to read ANY of your
> mail.

What about doing both? :)

> In fact, many cryptographic standards just specify a menu of fixed
> D-H parameters for all implmentations for all time (e.g. RFC3526).
> Generating a set once at install time is also reasonable.  Changing it
> daily is silly.

39.3 does not say "daily", it says "the frequency depending on your 
paranoia level". Now how paranoid should Debian be? I have no idea, and 
with my limited crypto skills, I can't give them a recommendation. Stock 
Exim does exacly what you want, compute D-H params exactly once.

> I might also mention that 1024 bits (which is O(2^80) operations to
> break) is considered a bit small for serious security these days.
> GNU TLS defaults to 2048 bits, a more reasonable default.

Paranoia level again :)

/tom