[OTR-users] DH modulus size & RSA keys

Ian Goldberg ian at cypherpunks.ca
Mon Mar 28 11:32:38 EST 2005


On Mon, Mar 28, 2005 at 08:56:34AM -0500, Ian Goldberg wrote:
> On Mon, Mar 28, 2005 at 04:18:19AM -0500, Jason Cohen wrote:
> > Upon reading the Protocol Description paper I found I was incorrect
> > about the DH modulus size (It's 1536 bits rather than 1000). However, I
> > would still like to use a 2048 bit modulus which is the currently
> > recommended size. Is this possible?
> > 
> > I also saw a great deal of discussion on the developer's mailing list
> > about allowing the use of RSA signing keys in addition to DSS. Are RSA
> > signing keys currently allowed? If so, how would I go about increasing
> > the size to 2048 bits?
> 
> In this version of the protocol, the only key exchange method defined is
> DSA, and the only key agreement is 1536-bit DH.  This may change in a
> later version, at the cost of incompatibility with clients that don't
> understand it.

I'd also like to note a couple of things:

- The keysize of the authentication step only has to make it secure
  until after your buddy receives the message; after he's accepted your
  initial DH key, you don't care what happens in the future.  DSA is
  plenty fine for this today.

- The keysize of the DH only has to be large enough that you're
  comfortable with the adversary having to break a DH key agreement *per
  message*, since (approximately) each message you send is encrypted
  with a new key, derived from a fresh DH key agreement.  [And, although
  it's small comfort, even if, in 20 years, pocket calculators can break
  1536-bit DH in real time, you _still_ get the deniability properties;
  the transcripts are completely forgeable, so they'll need to be
  convinced your stored transcripts haven't been messed with over the
  decades.]

   - Ian



More information about the OTR-users mailing list