First draft of pkinit plugin code now in Subversion
aglo at citi.umich.edu
Mon Nov 27 12:29:18 EST 2006
Olga Kornievskaia wrote:
>> I'm concerned that the code uses a 1024-bit DH group and there seems
>> to be no way to change this.
> as far as i know 1024-bit group is not weak.
i'd like to take it back. i found a posting by Russ Housley
(http://www.vpnc.org/ietf-ipsec/02.ipsec/msg02813.html) that states:
"Today you can fully break a 1024 DH exchange (i.e recover the DH
keyg^xy from g^x and g^y) in something between 2^70 to 2^80 operations.
Thus, by using a 1024-bit modulus you are essentially limited to no more
than 70-80 bits of security." We should set the default group to be 2048?
More information about the krbdev