3

I'm currently working on a protocol which uses Diffie-Hellman for a key exchange. I receive a packet which consists of an AES-128 encrypted part and a 128-bit DH public key.

In a very last step in the protocol, the aes key is sent to another peer in the network. This aes-key should be encrypted with a cipher using a 128 bit strong secretkey.

I plan to use Blowfish (can also be another cipher, doesn't really matter for the problem)

Now to encrypt the aes-key with, let's say, blowfish, I have to build a secretkey for the encryption with a class called SecretKeySpec (I'm using javax.crypto stuff), which takes a byteArray in the constructor to build the secretKey.

The sharedkey from DH is a 128 Bit BigInteger. Well, now I can interpret my shared-key as a byteArray (which still gives me 128 Bit in 16 Bytes [where the numbers are interpreted as frames of 8 Bit data])

So my question is, how strong is my key really?

Is there any impact because I only use numbers as input for the byteArray (so does this limit the keyspace in any way?)

I think this is not the case, but I'm not 100% sure. Maybe someone can do the math and prove me right or wrong.

If I'm wrong, what keysize for the shared key gives me peace of mind to finally get to the 128 Bit SecretKey for the encryption?

evildead
  • Note that encrypting an AES key with Blowfish will reduce the strength of your protocol to the _weakest_ of AES or Blowfish. While there have been some attacks against AES discovered after it was published, I'd still wager [AES is stronger](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks) (and better examined) than Blowfish. – sarnold Oct 28 '11 at 23:38
  • @sarnold: thanks for the note, I'm aware of that problem. Blowfish was just an example, maybe I use AES for that too. I'm not sure yet if I need to transmit a little bit more at that step, so I planned running with a stream cipher, to get rid of the fixed sizes AES forces me to use (or to fill up my data). I'm limited to one ethernet packet, so each byte I can avoid the better. :) – evildead Oct 28 '11 at 23:47

2 Answers

2

The Crypto++ website suggests using a minimum p of 3072 bits (or 256 bits for an ECC implementation) to transport a 128 bit AES key.

You might wish to study the references provided at http://www.keylength.com/en/compare/ for further information about comparing key lengths among different algorithms.

sarnold
  • this is a really great link. Thank you very much! I'm waiting if there are more suggestions like this posted here before I close the question. – evildead Oct 29 '11 at 23:27
  • I'm missing why 3072 Bit is considered "safe" for transmitting a 128-Bit AES key. Maybe I didn't find the right place there yet. Hopefully someone can enlighten me with that. – evildead Oct 29 '11 at 23:34
  • It's a matter of "computational complexity" -- you're trying to compare the complexity of the [best known attacks against AES](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security) (currently 2^126 or so for key-recovery of 128-bit AES) with the best known attacks against the [discrete logarithm](http://en.wikipedia.org/wiki/Discrete_logarithm) problem. Over the integers, as you surmised, not every bit is independent from the others -- ECC improves upon this by reducing the correlation between bits, but the bits are still not completely independent. – sarnold Oct 30 '11 at 00:32
  • what is the meaning of key under discrete logarithm? The group matches 3072, but 256 for key, what should this tell me? – evildead Oct 30 '11 at 00:57
  • Ah ok, I missed the references. Will do some study on my own on that topic, thank you very much again. – evildead Oct 30 '11 at 01:11
1

Not an expert in DH here, but to me it seems that DH's keyspace for the shared key represented in n bits is somewhat smaller than 2^n.

JimmyB
  • It seems like it is, the link posted by sarnold tells you should use 3072 Bit p at minimum. But why, I couldn't find out yet :( – evildead Oct 29 '11 at 23:35
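
The keyspace point raised in this answer can be checked by brute force on a toy group. This is an added example, not code from the thread: the parameters (safe prime p = 2039, q = 1019, g = 2) are constructed and far too small for real use, and hashing the fixed-width secret with SHA-256 and truncating to 16 bytes is an assumed, simple way to obtain the 128-bit key material for something like SecretKeySpec.

```python
import hashlib

# Constructed toy parameters: P = 2*Q + 1 is a safe prime and G = 2
# generates the subgroup of prime order Q. Real groups use a far larger p.
P, Q, G = 2039, 1019, 2


def reachable_shared_secrets(p=P, q=Q, g=G):
    """Every value g^(a*b) mod p that two honest peers can agree on."""
    secrets = set()
    for a in range(1, q):          # private exponent of peer A
        pub_a = pow(g, a, p)       # public value sent by A
        for b in range(1, q):      # private exponent of peer B
            secrets.add(pow(pub_a, b, p))
    return secrets


def encode_fixed(shared, p=P):
    """Big-endian encoding padded to the byte length of p.

    A fixed width keeps both peers' byte arrays identical even when the
    shared secret has leading zero bits.
    """
    return shared.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_key(shared, p=P, length=16):
    """Assumed KDF: SHA-256 over the encoded secret, truncated to 128 bits."""
    return hashlib.sha256(encode_fixed(shared, p)).digest()[:length]


def summary():
    """Compare the number of n-bit strings with the secrets DH can produce."""
    n = P.bit_length()
    secrets = reachable_shared_secrets()
    return {
        "bits": n,
        "bitstrings": 2 ** n,
        "reachable": len(secrets),
        # every shared secret lies in the order-Q subgroup
        "all_in_subgroup": all(pow(s, Q, P) == 1 for s in secrets),
    }


if __name__ == "__main__":
    print(summary())
    print(derive_key(next(iter(reachable_shared_secrets()))).hex())
```

With these parameters only about half of the 11-bit strings can ever appear as a shared secret, so the raw DH value is not a uniformly random n-bit key.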