[OTR-users] DH modulus size & RSA keys
Ian Goldberg
ian at cypherpunks.ca
Mon Mar 28 11:32:38 EST 2005
On Mon, Mar 28, 2005 at 08:56:34AM -0500, Ian Goldberg wrote:
> On Mon, Mar 28, 2005 at 04:18:19AM -0500, Jason Cohen wrote:
> > Upon reading the Protocol Description paper I found I was incorrect
> > about the DH modulus size (It's 1536 bits rather than 1000). However, I
> > would still like to use a 2048 bit modulus which is the currently
> > recommended size. Is this possible?
> >
> > I also saw a great deal of discussion on the developer's mailing list
> > about allowing the use of RSA signing keys in addition to DSS. Are RSA
> > signing keys currently allowed? If so, how would I go about increasing
> > the size to 2048 bits?
>
> In this version of the protocol, the only key exchange method defined is
> DSA, and the only key agreement is 1536-bit DH. This may change in a
> later version, at the cost of incompatibility with clients that don't
> understand it.
I'd also like to note a couple of things:
- The keysize of the authentication step only has to make it secure
until after your buddy receives the message; after he's accepted your
initial DH key, you don't care what happens in the future. DSA is
plenty fine for this today.
- The keysize of the DH only has to be large enough that you're
comfortable with the adversary having to break a DH key agreement *per
message*, since (approximately) each message you send is encrypted
with a new key, derived from a fresh DH key agreement. [And, although
it's small comfort, even if, in 20 years, pocket calculators can break
1536-bit DH in real time, you _still_ get the deniability properties;
the transcripts are completely forgeable, so they'll need to be
convinced your stored transcripts haven't been messed with over the
decades.]
- Ian
More information about the OTR-users
mailing list