I wanted to note the latest rebase to fix up the nice inputs from @amadio also changed the DH parameters to increase to a 3072-bit size.

This is because, in further reading, 2048-bit DH only provides 112 bits of security for the session key yet the default session key is 128 bits. Despite anything over 100 bits being seen as secure, 112 is not perceived to be as bulletproof as it used to be.
For example, XRootD doesn't use an appropriate key derivation after the Diffie-Hellman generation of the shared secret, weakening the shared key; I don't know how much that knocks off from the 112 bits of security.

Accordingly, I decided to increase the DH security to 128 bits by using the 3,072-bit parameters. This way, despite the lack of a KDF, that part of the handshake isn't introducing weaknesses.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/2026#issuecomment-1580784311
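
What a key-derivation step after the DH exchange can look like, as an added example that is not XRootD's code and not part of the original message: HKDF-SHA256 (RFC 5869) turns the shared secret into a 128-bit session key. The 127-bit toy group, `session_key`, `toy_exchange` and the `info` label are assumptions chosen for illustration; the toy group is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: the Mersenne prime 2**127 - 1.
# A real deployment would use a 3072-bit group as discussed in the message.
TOY_P = 2**127 - 1
TOY_G = 3


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: concentrate the input entropy into a PRK."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: stretch the PRK into `length` output bytes."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(shared_secret: int, p: int, info: bytes, length: int = 16) -> bytes:
    """Derive a session key from a DH shared secret (hypothetical helper)."""
    # Fixed-width big-endian encoding so both peers hash identical bytes.
    ikm = shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hkdf_expand(hkdf_extract(b"", ikm), info, length)


def toy_exchange(info: bytes = b"example session v1"):
    """Run both sides of a DH exchange in the toy group and derive the keys."""
    a = secrets.randbelow(TOY_P - 3) + 2   # client private exponent
    b = secrets.randbelow(TOY_P - 3) + 2   # server private exponent
    A, B = pow(TOY_G, a, TOY_P), pow(TOY_G, b, TOY_P)
    k_client = session_key(pow(B, a, TOY_P), TOY_P, info)
    k_server = session_key(pow(A, b, TOY_P), TOY_P, info)
    return k_client, k_server
```

The `info` label binds the derived key to its purpose, so the same shared secret yields unrelated keys for different uses.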