[openssl-users] Working with large DH parameters
jack seth
bird_112 at hotmail.com
Mon May 4 14:00:21 UTC 2015
> There is a limit of 10000:
> #define OPENSSL_DH_MAX_MODULUS_BITS 10000
>
> I suggest you do not change this. It just gets slower without
> adding security.
>
> I have no idea why it would freeze with something larger than
> 13824.
>
> I'm not sure what is logging the size, but it might be using
> DH_size()*8 to log it. I don't think there currently is an API
> that returns it in bits.
>
>
> Kurt
Thanks for the response. Could you elaborate on why a larger size doesn't add security? For the sake of discussion, let's ignore how slow it would be. According to section 5.6.1 of http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf you would need 15360+ bits to have security equal to AES256. Is NIST wrong here? If so, why?