October 13th, 2011, 11:30 AM
Looking for suggestions
I'm building the security for a system which must authenticate users by a password, and then secure the traffic between them.
I need to use the SRP protocol for authentication and to establish a session key. The traffic is only sensitive while a session is active, and the system is often near 80% CPU usage or higher. So ideally I'm only looking for a 128-bit security level.
I have a couple of questions I was hoping someone could help with.
- Could anyone recommend a symmetric cipher? AES wants a few too many CPU cycles, but some of the eStream ciphers look promising.
- Is there a way of hashing the output of the SRP protocol into a 128 bit session key? Most hash functions seem to output 256 bits.
- Is there an estimate on how big a Diffie-Hellman group needs to be to achieve 128 or 256 bits security?
Any help is much appreciated
October 21st, 2011, 10:35 AM
It seems to me that you can select 128 bits from the output of any wider hash function. How this selection is done isn't important, but it must be consistent on both sides of the protocol.
Caveat: In making my suggestion, I am appealing to my commonsense notion that strong hash functions appear to be statistically random functions of their input, and that selecting m bits from a strong n-bit hash function will be as good as a strong m-bit hash. But I could be making some big mistake about that! That being said, when the two sides of the protocol use a hash to obtain the session key, they are using the hash only for the purpose of "compression" (that is, to distill random-looking bit sequence into a smaller sequence). Compared to the use of hashes in signatures and the like, where well-defined properties of collision resistance are required, the use of a hash function for compression is much less rigorous. Probably all that is really needed is that the effect of changes to input bits be diffused among output bits in a fairly uniform fashion.
The standard answer for both RSA & DH is about 3000 bits to achieve the equivalent of 128 bit strength, or about 15000 bits to reach the equivalent of 256 bit strength.
These are estimates based on the best known algorithms, and may be revised as algorithms and/or attacks improve. However, I am aware of no published breakthroughs in factoring, the discrete logarithm problem (DLP), or the Diffie-Hellman problem during the past decade - indeed, GNFS (the factoring method of choice for RSA) is almost 20 years old.