oss-sec mailing list archives
Re: Prime example of a can of worms
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Oct 2015 22:16:19 -0600
On Mon, Oct 19, 2015 at 3:40 PM, Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:
On the flip side, saying "use only strong (>=2048bit today in 2015?), well-known, well-structured, publicly-vetted groups" is very simple guidance: clear and easy to follow. A move to well-known, large safe primes seems simpler/saner than trying to work with an environment where peers are generating new primes which may or may not be well-formed. (similarly, we're converging on a world where there are a few trusted, well-vetted, well-optimized DH groups for elliptic curve DH, because encouraging arbitrary ECDH groups ends up being sketchier for everyone) --dkg
So it occurs to me that we have no corpus of data on Diffie Helman primes. With this in mind I would like to create one. Openssl command line can easily create them, using either the 2 (default) or 5 generator (explained at http://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5 ) For example the following code: #!/bin/bash for i in `seq 1 100`; do openssl dhparam 2048 -text >> $i done will generate 100 2048 bit primes. If you can ideally simply commit the files to the following github repo: https://github.com/RedHatProductSecurity/Diffie-Hellman-Primes/ simply create a directory in the root with your name/whatever you want to call it (nothing rude please) and have a "2048" directory for the 2048 bit primes and a "4096" directory for the 4096 bit primes I would appreciate it. If you use a tool other than OpenSSL command line to generate the primes please make a note of it (especially any command line options used) in a .txt file in the root of your data directory. My goal is to collect a few million primes of each size so we have some real data to work with. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- Prime example of a can of worms Kurt Seifried (Oct 18)
- Re: Prime example of a can of worms Alex Gaynor (Oct 18)
- Re: Prime example of a can of worms Matt U (Oct 18)
- Re: Prime example of a can of worms Seth Arnold (Oct 19)
- Re: Prime example of a can of worms Kurt Seifried (Oct 19)
- Re: Prime example of a can of worms Tim (Oct 19)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 19)
- Re: Prime example of a can of worms Kurt Seifried (Oct 19)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 19)
- Re: Prime example of a can of worms Brad Knowles (Oct 20)
- Re: Prime example of a can of worms Kurt Seifried (Oct 20)
- Re: Prime example of a can of worms gremlin (Oct 20)
- Re: Prime example of a can of worms Alex Gaynor (Oct 18)
- Re: Prime example of a can of worms Matthias Weckbecker (Oct 21)
- Re: Prime example of a can of worms Kurt Seifried (Oct 21)
- Re: Prime example of a can of worms Joshua Rogers (Oct 21)
- Re: Prime example of a can of worms Kurt Seifried (Oct 21)
- Re: Prime example of a can of worms Florent Daigniere (Oct 22)
- Re: Prime example of a can of worms Daniel Kahn Gillmor (Oct 22)