Performing Diffie-Hellman Key Agreement
250 RSA BSAFE Crypto-C Developers Guide
Step 2: Setting The Algorithm Object
There is only one AI for generating Diffie-Hellman parameters: AI_DHParamGen. The
format of info supplied to B_SetAlgorithmInfo is a pointer to the following struct:
Crypto-C will generate the prime, but you must decide how big that prime will be. As
with the RSA modulus, the number of prime bits can be anywhere from 256 to 2048.
Larger numbers provide greater security, but operations with larger numbers are
much slower. RSA Security recommends 768. To save time, because this is for
illustrative purposes only, this example will use 512.
The exponent is the private value, generated randomly by each party during Phase 1.
The value exponentBits is the length of that private value. The Diffie-Hellman
algorithm allows the parameter generator (the central authority) to optionally
determine the length of the private value. Crypto-C exercises that option and requires
the length.
The exponent length should be at least twice the general security level of the system.
For instance, if 80-bit security against brute-force attack is desired, the exponent
should be 160 bits long. (This is how DSS does it.) The prime length should be chosen
to have a comparable level of difficulty against the best discrete logarithm algorithms.
The relationship between the sizes changes from time to time; a 1024-bit prime would
not be too far off from the 80-bit level.
The closer the exponent length is to the prime length, the longer it takes to generate
the Diffie-Hellman parameters, because Crypto-C generates a prime p and a prime q
where p-1 is a multiple of q, and the length of q is the same as the desired length of the
exponent. If the lengths are very close it will take a long time to find an appropriately
related pair of primes, because for a given q there won't be all that many possible ps.
For example: for a one-bit difference between the prime and exponent lengths, p must
equal 2q+1, and it's unlikely that q and 2q+1 are simultaneously prime.
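The effect described above, where a small gap between the exponent and prime lengths leaves few primes p = kq + 1 for a given q, shown at toy sizes as an added example (not part of the guide and not Crypto-C code). The function names and the constructed q value are assumptions for illustration; sizes are limited to 32 bits so plain 64-bit arithmetic suffices.

```c
/* Added example (not Crypto-C code): toy-size model of the p = k*q + 1 search. */
#include <stdint.h>
#include <stdio.h>

/* b^e mod m; all operands stay below 2^32, so products fit in 64 bits. */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* Deterministic Miller-Rabin; bases 2,3,5,7,11 are sufficient for n < 2^32. */
static int is_prime(uint64_t n) {
    static const uint64_t bases[5] = {2, 3, 5, 7, 11};
    uint64_t d = n - 1;
    int s = 0;
    if (n < 2) return 0;
    for (int i = 0; i < 5; i++)
        if (n % bases[i] == 0) return n == bases[i];
    while ((d & 1) == 0) { d >>= 1; s++; }
    for (int i = 0; i < 5; i++) {
        uint64_t x = powmod(bases[i], d, n);
        if (x == 1 || x == n - 1) continue;
        for (int r = 1; r < s && x != n - 1; r++) x = x * x % n;
        if (x != n - 1) return 0;   /* never reached n-1: composite */
    }
    return 1;
}

/* Count primes p of exactly prime_bits bits (2..32) with q | p-1; *first = smallest. */
static unsigned count_p(uint64_t q, unsigned prime_bits, uint64_t *first) {
    uint64_t lo = 1ULL << (prime_bits - 1), hi = 2 * lo - 1;
    unsigned n = 0;
    *first = 0;
    for (uint64_t k = (lo + q - 2) / q; k * q + 1 <= hi; k++)
        if (is_prime(k * q + 1) && n++ == 0) *first = k * q + 1;
    return n;
}

int main(void) {
    uint64_t p;   /* 65521 is a constructed 16-bit prime playing the role of q */
    unsigned one = count_p(65521, 17, &p), eight = count_p(65521, 24, &p);
    printf("1-bit gap: %u usable p; 8-bit gap: %u (smallest %llu)\n", one, eight, (unsigned long long)p);
    return 0;
}
```

With a one-bit gap the only candidate is 2q+1; the 8-bit gap mirrors the 512/504 choice in this example and leaves roughly 2^8 multipliers k to try.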
The Chapter 2 entry for AI_DHParamGen notes that the exponentBits must be less than
primeBits. For this example, choose 512 prime bits and 504 exponent bits:
typedef struct {
  unsigned int primeBits;    /* size of prime modulus in bits */
  unsigned int exponentBits; /* size of random exponent in bits */
} A_DH_PARAM_GEN_PARAMS;