1st September 2009
s2scott

Just FYI regarding cipher and key sizes.

The computational work units needed to crack the AES block cipher strength at 128 are the same as the computational work units needed to crack a DH key at 3072 bits.

DH 1024 is no longer sufficient. DH 2048 is becoming insufficient.

AES128 is MORE than sufficient for a real-time stream, especially if you cipher block chain as OpenVPN does by default, and is out of reach for a fair while still given today's available processing power, including grid computing and Moore's Law factored in. DH3072 is out of reach for quite a while.

I love admins who use a weak 512 or 1024 DH key to secure an overly-strong AES256 cipher key.

Recommend you dial down the AES and dial up the periodic-event DH strengths. It'll help with your throughput.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 1st September 2009 at 04:11 AM.
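The weakest-link comparison made in the post above, as an added example that is not part of the original post. It assumes the number-field-sieve strength estimate from FIPS 140-2 Implementation Guidance 7.5; the function names and the two sample configs are constructed for illustration.

```python
import math
import re

def dh_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of a finite-field DH modulus.

    Assumption: the number-field-sieve cost estimate given in
    FIPS 140-2 Implementation Guidance 7.5.
    """
    x = modulus_bits * math.log(2)
    return (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / math.log(2)

def cipher_strength_bits(config_text: str) -> int:
    """Read the AES key size from an OpenVPN `cipher` directive."""
    m = re.search(r"^\s*cipher\s+AES-(128|192|256)-\w+\s*$",
                  config_text, re.M | re.I)
    if m is None:
        raise ValueError("no AES cipher directive found")
    return int(m.group(1))

def audit(config_text: str, dh_modulus_bits: int) -> dict:
    """Compare bulk cipher strength with key exchange strength.

    dh_modulus_bits is passed in because the config only names the
    parameter file; read the real size from that file separately.
    """
    cipher = cipher_strength_bits(config_text)
    dh = dh_strength_bits(dh_modulus_bits)
    return {
        "cipher_bits": cipher,
        "dh_equiv_bits": round(dh, 1),
        # The tunnel is only as strong as the weaker of the two.
        "effective_bits": round(min(cipher, dh), 1),
        "weakest": "dh" if dh < cipher else "cipher",
    }

# Constructed sample configs, not taken from the post.
MISMATCHED = "dev tun\ncipher AES-256-CBC\ndh dh1024.pem\n"
BALANCED = "dev tun\ncipher AES-128-CBC\ndh dh3072.pem\n"

if __name__ == "__main__":
    print(audit(MISMATCHED, 1024))
    print(audit(BALANCED, 3072))
```

The mismatched config ends up with less effective strength than the balanced one despite the larger AES key, because the 1024-bit exchange caps it.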