Date: Mon, 19 Oct 2015 22:16:19 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Cc: Seth Arnold <seth.arnold@...onical.com> Subject: Re: Prime example of a can of worms On Mon, Oct 19, 2015 at 3:40 PM, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote: > > On the flip side, saying "use only strong (>=2048bit today in 2015?), > well-known, well-structured, publicly-vetted groups" is very simple > guidance: clear and easy to follow. > > A move to well-known, large safe primes seems simpler/saner than trying > to work with an environment where peers are generating new primes which > may or may not be well-formed. (similarly, we're converging on a world > where there are a few trusted, well-vetted, well-optimized DH groups for > elliptic curve DH, because encouraging arbitrary ECDH groups ends up > being sketchier for everyone) > > --dkg > So it occurs to me that we have no corpus of data on Diffie Helman primes. With this in mind I would like to create one. Openssl command line can easily create them, using either the 2 (default) or 5 generator (explained at http://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5 ) For example the following code: #!/bin/bash for i in `seq 1 100`; do openssl dhparam 2048 -text >> $i done will generate 100 2048 bit primes. If you can ideally simply commit the files to the following github repo: https://github.com/RedHatProductSecurity/Diffie-Hellman-Primes/ simply create a directory in the root with your name/whatever you want to call it (nothing rude please) and have a "2048" directory for the 2048 bit primes and a "4096" directory for the 4096 bit primes I would appreciate it. If you use a tool other than OpenSSL command line to generate the primes please make a note of it (especially any command line options used) in a .txt file in the root of your data directory. My goal is to collect a few million primes of each size so we have some real data to work with. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ