[Authentication] Clarification of algorithm: dh-ietf1024-aes128-cbc-pkcs7

Stef Walter stefw at gnome.org
Fri Nov 26 14:18:36 PST 2010

As implemented (in gnome-keyring at least) the Secret Service algorithm
set dh-ietf1024-aes128-cbc-pkcs7 isn't as strong as it should be.

After DH key exchange, the resulting 1024 bit key is truncated into a
short key used for AES. This is not optimal, and was brought up on the

Here are some ways we can fix it. In either case, for compatibility, we
would add a new algorithm set identifier and deprecate the old one.

 * Use MD5 to derive the key and use AES128 for encryption. However,
   MD5 is not recommended for use in crypto protocols.

 * Use SHA256 to derive the key and use AES256 for encryption.

 * Use HKDF [1] to derive the key. Perhaps more complex than we need?

Any other thoughts?



[1] http://tools.ietf.org/html/rfc5869
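As an added example (not gnome-keyring's code and not from the post), the third option carried through in Python: the HKDF of RFC 5869 applied to a constructed 1024-bit DH shared secret, beside the plain truncation the post describes. The fixed 128-byte encoding of the DH value and the info string are assumptions.

```python
import hashlib
import hmac

HASH = "sha256"
DH_BYTES = 128  # 1024-bit group: assume the shared value is encoded as 128 big-endian bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(HASH).digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to length."""
    hlen = hashlib.new(HASH).digest_size
    if length > 255 * hlen:
        raise ValueError("requested key too long for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def encode_dh_secret(shared: int) -> bytes:
    # Fixed-width encoding keeps leading zero bytes, so the KDF input is unambiguous.
    return shared.to_bytes(DH_BYTES, "big")


def truncated_key(shared: int, key_len: int = 16) -> bytes:
    # What the post criticises: the leading bytes of the DH value become the AES key.
    return encode_dh_secret(shared)[:key_len]


def hkdf_key(shared: int, key_len: int = 16) -> bytes:
    # Assumed info string; it binds the derived key to this protocol's purpose.
    return hkdf(encode_dh_secret(shared), key_len, info=b"secret-service-aes-key")


# Constructed stand-in for a DH shared value (not output of a real exchange).
CONSTRUCTED_SECRET = int.from_bytes(hashlib.sha256(b"constructed DH value").digest() * 4, "big")
```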