Re: [Jessie-discuss] FYI: Diffie Hellman parameters

[Martin Egholm Nielsen]

Hello Casey,

> I've noticed that the default Diffie Hellman parameters -- "group 18"  
> -- take a very long time to create session keys, even when run  compiled 
> with GCJ. This causes Firefox to time out (Mozilla browsers  use DH key 
> exchanges before RSA ones, it seems). 
Hear!

> These parameters are very large, so it is probably one of:
>   - A really slow random number generator.
>   - A really slow BigInteger implementation.
> that's causing this problem (I'm pretty sure Classpath has both of  
> these). 
And Sun's VM, as well... Running on a P4 I'm seeing this...

> The solution is to specify a different group with the
> "jessie.key.dh.group" security property, e.g.:
>
>   Security.setProperty ("jessie.key.dh.group", "5");
>
> This comes at a cost of security margin (smaller numbers use smaller  
> primes), but for most applications, group 5 is probably good enough.
Tadaaah!! It works!

I can now remove my silly exclusions:

      if (allCiphers[i].endsWith("_DHE_RSA_WITH_AES_256_CBC_SHA")
          || allCiphers[i].endsWith("_DHE_RSA_WITH_AES_128_CBC_SHA")
          || allCiphers[i].endsWith("_DHE_RSA_WITH_3DES_EDE_CBC_SHA")
          || allCiphers[i].endsWith("_DHE_RSA_WITH_DES_CBC_SHA"))
      {
        // Remove the cipher...
      } // if

Though not tested on my embedded target (133mhz ppc + GCJ) yet...

> I'm going to change the default group to something smaller; group 5  
> looks good to me, a key exchange takes about 3sec with GCJ BC- compiled 
> GNU Crypto and Jessie.
Super!

Thanks Casey - you're the best!

// Martin