This video helped me a lot, thank you very much. It was clean and explicit.
I am happy to help! You are welcome.
Hi Leo, thanks a lot for the video. A question about the prime pair (p,q) though:
Do they have to be fresh or are we allowed to use standard ones?
Great video *but* the advice of using 1024 bit p is outdated and only applies if you are stuck with an old implementation. The third official publication regarding DSS (FIPS 186-3)* from June 2009 added support for 2048 and 3072 bit p, and 224 or 256 bit q, as well as support for the SHA-2 family of hash functions with digest sizes of 224 or 256 bits (aka SHA-224 and SHA-256). The previous parameters of 1024 bit p and 160 bit q with the SHA-1 hash algorithm are widely considered insecure. Not only have SHA-1 collisions been published**, but also the 1024 bit p is considered dangerously close to the current discrete logarithm record which was modulo a prime of over 700 bits.
So, please make sure you are using at least the parameter sizes 2048/224. (And since 224 bits, being indivisible by 64, will probably not gain you a lot of performance vs. 256 bit on a 64 bit CPU, you might then as well use 2048/256, unless the signature size also matters a lot.)
*) The current standard as of this writing is FIPS 186-4 from July 2013: csrc.nist.gov/publications/detail/fips/186/4/final
**) resulting from a joint effort of CWI Amsterdam and Google: security.googleblog.com/2017/02/announcing-first-sha1-collision.html
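The parameter sizes discussed in the comment above can be checked mechanically. This is an added example, not code from the video or from any commenter: the function names are hypothetical, the digest-length rule is an assumption, and the toy triple is constructed for illustration only.

```python
import random

# (L, N) = (bit length of p, bit length of q). The modern pairs are the ones
# FIPS 186-3 added; 1024/160 is the older pair the comment calls outdated.
MODERN_PAIRS = {(2048, 224), (2048, 256), (3072, 256)}
LEGACY_PAIR = (1024, 160)
TOY = (23, 11, 2)  # constructed toy (p, q, g): valid structure, useless size

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def audit_dsa_params(p, q, g, hash_bits):
    """Return a list of findings; an empty list means the parameters pass."""
    findings = []
    size = (p.bit_length(), q.bit_length())
    if size == LEGACY_PAIR:
        findings.append("legacy 1024/160 parameter size")
    elif size not in MODERN_PAIRS:
        findings.append("size %d/%d is not a standard pair" % size)
    if hash_bits < max(size[1], 224):  # assumed rule: SHA-2 sized, not shorter than q
        findings.append("digest below 224 bits or shorter than q")
    if not is_probable_prime(q):
        findings.append("q is not prime")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    if (p - 1) % q != 0:
        findings.append("q does not divide p - 1")
    if not (1 < g < p) or pow(g, q, p) != 1:
        findings.append("g does not generate the order-q subgroup")
    return findings
```
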
What exactly is that "efficient alg"? I can't find it on the web. Thank you in advance.