[Operators] IM Observatory and Diffie-Hellman parameters

Thijs Alkemade thijs at xnyhps.nl
Wed Nov 13 16:00:36 UTC 2013

On 13 nov. 2013, at 16:31, Fedor Brunner <fedor.brunner at azet.sk> wrote:

> Hi all,
> the IM Observatory displays use of the DHE key exchange and there is a
> note "Ephemeral Diffie-Hellman is a key exchange algorithm with forward
> secrecy. The security depends on the Diffie-Hellman parameters used by
> the server". But the actual strength of the DH parameters is not displayed.
> This information is quite important because during DHE key exchange a
> temporary key is generated. This temporary key is used for encryption of
> the communication and the server public RSA key is used ONLY for signing
> of this temporary key and NOT for encryption of the communication. The
> problem is that in many cases the temporary key much shorter than the
> server RSA key.
> For example the server jabber.ccc.de uses 2048 bit RSA public key, but
> the length of the temporary key is only 1024 bit. The public key score
> is 90, cipher score is 90
> http://xmpp.net/result.php?domain=jabber.ccc.de&type=server
> Many administrators enable forward secrecy, but because they set
> incorrect DH parameters they weaken the encryption. Please display the
> actual strength of DH parameters and use it also to calculate the score.
> https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
> https://wiki.openssl.org/index.php/Diffie_Hellman

Indeed, that is a good thing to check and it is on my TODO list. I haven't yet
looked at how easy it is to check the dhparam sent by the server using
OpenSSL, though.

The elliptic curve chosen by the server would be interesting too.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/operators/attachments/20131113/36ff9f60/attachment.pgp>

More information about the Operators mailing list