Why is the default DH keysize only 512 bits?
Jason Wittlin-Cohen
jasonwc at brandeis.edu
Fri Sep 29 07:06:16 CEST 2006
I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
As DH keys have approximately the same strength as RSA keys, and 512 bit
RSA keys have already been broken, wouldn't it be adviseable to use at
least 1024 bit DH keys as the minimum size. 1024 bits is currently the
minimum recommended size for a DSA/RSA certificate. It might also be a
good idea to include the option commented out in eap.conf so users know
that it's something they can change. I originally thought that the DH
keysize would be determined by the DH parameter file and only realized
that it was still using 512 bit keys when I ran freeradius in debug
mode. As fas as performance goes, I've tested with 2048 bit and 3072 bit
DH keys with no performance degredation. Authentication occurs in 1-2
seconds using the Funk Odyssey client on Windows XP SP2 with 3072 bit
RSA certificates and 3072 bit DH key exchange.
Also, it might be a good idea to put a comment in the TLS cipher suite
comment section that the Microsoft Windows supplicant in Windows XP SP2
uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5). First, MD5 is
deprecated and weak. SHA-1 should be used in its place. Secondly, DH is
preferable to RSA for key exchange because it provides perfect forward
secrecy. If RSA is used for encryption, a compromise of the client
private key would allow an attacker to gain access to the master keys
used to encrypt all prior wireless sessions whereas fresh DH keys are
produced on each authentication and deleted after use. OpenSSL's 'HIGH'
setting is probably the best for a Windows XP user as it uses
EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), so SHA1 is
used for integrity, and DH is used for key exchange. Windows XP SP2 and
earlier versions of Windows do not support AES for use in any of the EAP
modes. Apparently, if you want to use AES you need to upgrade to Vista
(See Security in Vista
<http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx>)
or use a 3rd party supplicant like the Funk Odyssey Client which I use
(uses TLS_DH_RSA_WITH_AES_256_CBC_SHA with default Freeradius setup).
Jason Wittlin-Cohen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060929/d4c2b373/attachment.html>
More information about the Freeradius-Users
mailing list