[Operators] IM Observatory and Diffie-Hellman parameters

Fedor Brunner fedor.brunner at azet.sk
Wed Nov 13 15:31:10 UTC 2013


Hi all,
the IM Observatory displays use of the DHE key exchange and there is a
note "Ephemeral Diffie-Hellman is a key exchange algorithm with forward
secrecy. The security depends on the Diffie-Hellman parameters used by
the server". But the actual strength of the DH parameters is not displayed.

This information is quite important because during DHE key exchange a
temporary key is generated. This temporary key is used for encryption of
the communication and the server public RSA key is used ONLY for signing
of this temporary key and NOT for encryption of the communication. The
problem is that in many cases the temporary key much shorter than the
server RSA key.

For example the server jabber.ccc.de uses 2048 bit RSA public key, but
the length of the temporary key is only 1024 bit. The public key score
is 90, cipher score is 90
http://xmpp.net/result.php?domain=jabber.ccc.de&type=server

Many administrators enable forward secrecy, but because they set
incorrect DH parameters they weaken the encryption. Please display the
actual strength of DH parameters and use it also to calculate the score.

https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
https://wiki.openssl.org/index.php/Diffie_Hellman


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 992 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20131113/cd8ed3d0/attachment.pgp>


More information about the Operators mailing list