Forum Discussion

Deltavista_1797's avatar
Deltavista_1797
Icon for Nimbostratus rankNimbostratus
Dec 10, 2014

DHE key exchange: why is ephemeral key only 1024bit long?

Hello,

 

during a recent analysis comparing security options provided by Apache httpd and F5 LTM we discovered that while Apache for RHEL/CentOS has lifted a limitation of 1024 bits for ephemeral keys in Diffie-Hellman exchange in version 2.2.15-32.el6 (EL6 is the version we're using at the moment, so let's stick to that; newest available package for EL6 is 2.2.15-39.el6) and now bases the length of ephemeral keys upon the server private key (2048 bits, as per current industry standard).

 

On the other hand, F5 LTM v. 11.6.0 still uses the keys that are 1024 bits long in DH Exchange.

 

Is there a possibility to control this behaviour that I'm not aware of? If not, what is the potential impact of this parameter? Are there any plans for changes in this respect?

 

Additional reference: Bug report related to Apache httpd in RHEL6 https://bugzilla.redhat.com/show_bug.cgi?id=1071883 NIST SP 800-131A http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

 

Thanks for any information, W.Urbańczyk

 

21 Replies