Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Oct 2015 22:16:19 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Seth Arnold <seth.arnold@...onical.com>
Subject: Re: Prime example of a can of worms

On Mon, Oct 19, 2015 at 3:40 PM, Daniel Kahn Gillmor <dkg@...thhorseman.net>
wrote:
>
> On the flip side, saying "use only strong (>=2048bit today in 2015?),
> well-known, well-structured, publicly-vetted groups" is very simple
> guidance: clear and easy to follow.
>
> A move to well-known, large safe primes seems simpler/saner than trying
> to work with an environment where peers are generating new primes which
> may or may not be well-formed.  (similarly, we're converging on a world
> where there are a few trusted, well-vetted, well-optimized DH groups for
> elliptic curve DH, because encouraging arbitrary ECDH groups ends up
> being sketchier for everyone)
>
>       --dkg
>

So it occurs to me that we have no corpus of data on Diffie Helman primes.
With this in mind I would like to create one. Openssl command line can
easily create them, using either the 2 (default) or 5 generator (explained
at
http://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5
)

For example the following code:

#!/bin/bash
for i in `seq 1 100`;
do
    openssl dhparam 2048 -text >> $i
done

will generate 100 2048 bit primes. If you can ideally simply commit the
files to the following github repo:

https://github.com/RedHatProductSecurity/Diffie-Hellman-Primes/

simply create a directory in the root with your name/whatever you want to
call it (nothing rude please) and have a "2048" directory for the 2048 bit
primes and a "4096" directory for the 4096 bit primes I would appreciate
it. If you use a tool other than OpenSSL command line to generate the
primes please make a note of it (especially any command line options used)
in a .txt file in the root of your data directory. My goal is to collect a
few million primes of each size so we have some real data to work with.




--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ