
issues with DHE group parameter selection (PFS is not yet a panacea)

Posted Nov 7, 2013 22:20 UTC (Thu) by dkg (subscriber, #55359)
In reply to: issues with DHE group parameter selection (PFS is not yet a panacea) by dkg
Parent article: Let's talk about perfect forward secrecy

In addition to the aforementioned 16-bit DH group offered by https://demo.cmrg.net/, I've now configured https://demo.cmrg.net:4433/ to offer a 504-bit DH group. It looks to me like NSS will happily connect to it, with no indication to the user that their expectations of confidentiality are likely to be unmet for this session if an adversary is logging it and wants to bother finding the discrete log of either side's public key.

NSS rejects a 503-bit DH group, though, probably because it is testing the number of bytes used to store P, and 504 "rounds up" to 512.


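An added example (not part of the comment above, and not NSS code) of how a minimum-size check on the stored length of P can differ from a check on its significant bits. The 512-bit floor, the function names, and the premise that the 504-bit P arrives with one leading zero byte (64 stored bytes) are assumptions made to reproduce a 503/504 split; the buffers are constructed values, not real primes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_DH_BITS 512 /* assumed policy floor for this example */

/* Hypothetical length-based check: looks only at how many bytes hold P. */
int accept_by_stored_bytes(const uint8_t *p, size_t len) {
    (void)p;
    return len * 8 >= MIN_DH_BITS;
}

/* Bit length of a big-endian integer, ignoring leading zero bytes and bits. */
size_t significant_bits(const uint8_t *p, size_t len) {
    size_t i = 0;
    while (i < len && p[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i) * 8;
    for (uint8_t top = p[i]; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Stricter check: compares the real magnitude of P against the floor. */
int accept_by_significant_bits(const uint8_t *p, size_t len) {
    return significant_bits(p, len) >= MIN_DH_BITS;
}

/* Constructed sample: lead_zero zero bytes, then `top`, then 0xFF fill. */
size_t make_sample(uint8_t *buf, size_t stored_len, size_t lead_zero, uint8_t top) {
    memset(buf, 0xFF, stored_len);
    memset(buf, 0, lead_zero);
    buf[lead_zero] = top;
    return stored_len;
}

int main(void) {
    uint8_t buf[64];
    /* stored length, leading zero bytes, top byte */
    size_t cases[3][3] = { {64, 1, 0xFF}, {63, 0, 0x7F}, {64, 0, 0x80} };
    for (int c = 0; c < 3; c++) {
        size_t n = make_sample(buf, cases[c][0], cases[c][1], (uint8_t)cases[c][2]);
        printf("%zu stored bytes, %zu significant bits: by-bytes=%d by-bits=%d\n",
               n, significant_bits(buf, n),
               accept_by_stored_bytes(buf, n), accept_by_significant_bits(buf, n));
    }
    return 0;
}
```

A client that enforces a DH size floor should measure the bit length after stripping leading zeros, so that padding in the encoding cannot lift an undersized group over the threshold.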

