Re: [Cfrg] password-based key exchange

"Dan Harkins" <dharkins@lounge.org> Wed, 04 January 2012 18:30 UTC

To: "Igoe, Kevin M." <kmigoe@nsa.gov>
Cc: cfrg@irtf.org, tls@ietf.org

  Hi Kevin,

  Thank you very much for reviewing this draft.

On Wed, January 4, 2012 5:14 am, Igoe, Kevin M. wrote:
> I really like this idea & can find no problems.
>
> One nitpicking detail:  HashToElement should return an element of a
> cryptographic subgroup of (Z/pZ)*, i.e. an element of a cyclic subgroup
> of prime order q, q suitably large.  (Of course both sides should use
> the same subgroup, but in practice this isn't a problem since the
> standard mod p groups specify both q and an element g of order q which
> generates the cryptographic subgroup.)

  I believe the two techniques used in section 4.1-- one for FFC groups,
another for ECC groups-- return an element from a subgroup of prime
order q.

> I'm curious as to what size parameters are under consideration by IEEE.

  The specification of this key exchange in IEEE 802.11 uses the IANA
registry created by IKE for "diffie-hellman groups" so it can use the
NIST elliptic curves, and the safe prime FFC groups (from 1024 bits
up to 8192 bits). Implementations are required to support NIST's 256 bit
random ECP group (group 19 from IKE's IANA registry).

  regards,

  Dan.
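The point raised above, that HashToElement for a mod p group must land in the prime-order-q subgroup rather than anywhere in (Z/pZ)*, can be checked concretely. The example below is added here and is not code from the draft or from either correspondent; it uses a constructed toy safe-prime group (p = 1019, q = 509, where p = 2q + 1) in place of the IANA MODP groups, and a simplified counter-mode SHA-256 expansion as a stand-in for a real KDF (an assumption, not the draft's KDF). The mapping follows the standard cofactor approach for FFC groups: hash the password and peer identities to a seed in [1, p-1], then raise it to (p-1)/q, which is 2 for a safe prime, so the result is guaranteed to have order q. A naive variant that skips the cofactor step is included only to show that roughly half of its outputs fall outside the subgroup, which is exactly the defect the nitpick warns against.

```python
import hashlib

# Constructed toy safe-prime group for illustration only: p = 2q + 1, q prime.
# Real deployments use the IANA "diffie-hellman groups" (1024- to 8192-bit safe primes).
P = 1019
Q = 509
COFACTOR = (P - 1) // Q  # 2 for a safe prime


def _kdf(base: bytes, label: bytes, bit_len: int) -> int:
    """Simplified stand-in for a proper KDF (assumption, not the draft's KDF):
    counter-mode SHA-256 expansion of `base` to at least bit_len bits."""
    out = b""
    i = 1
    while len(out) * 8 < bit_len:
        out += hashlib.sha256(i.to_bytes(4, "big") + base + label).digest()
        i += 1
    return int.from_bytes(out, "big")


def hash_to_element(password: bytes, id_a: bytes, id_b: bytes,
                    p: int = P, q: int = Q, max_counter: int = 40) -> int:
    """Deterministically map a password and the two peer identities to an
    element of the order-q subgroup of (Z/pZ)*."""
    # Identities are combined in a fixed order so both peers derive the same element.
    ids = min(id_a, id_b) + max(id_a, id_b)
    r = (p - 1) // q
    for counter in range(1, max_counter + 1):
        base = hashlib.sha256(ids + password + bytes([counter])).digest()
        seed = _kdf(base, b"Hunting And Pecking", p.bit_length()) % (p - 1) + 1
        # Raising to the cofactor forces the candidate into the order-q subgroup;
        # seed in {1, p-1} would give 1 (the identity), which is rejected.
        pe = pow(seed, r, p)
        if pe > 1:
            return pe
    raise ValueError("no subgroup element found; raise max_counter")


def is_subgroup_element(e: int, p: int = P, q: int = Q) -> bool:
    """True iff 1 < e < p and e has order dividing q (i.e. e^q == 1 mod p)."""
    return 1 < e < p and pow(e, q, p) == 1


def naive_hash_to_group(password: bytes, id_a: bytes, id_b: bytes, p: int = P) -> int:
    """The flawed variant: hash into (Z/pZ)* and skip the cofactor step."""
    ids = min(id_a, id_b) + max(id_a, id_b)
    base = hashlib.sha256(ids + password + b"\x01").digest()
    return int.from_bytes(base, "big") % (p - 1) + 1


def naive_outside_subgroup_count(n: int) -> int:
    """How many of n constructed passwords the naive mapping sends outside the subgroup."""
    count = 0
    for i in range(n):
        e = naive_hash_to_group(b"pw%d" % i, b"alice", b"bob")
        if not is_subgroup_element(e):
            count += 1
    return count


if __name__ == "__main__":
    pe = hash_to_element(b"correct horse battery staple", b"alice", b"bob")
    print("PE =", pe, "in subgroup:", is_subgroup_element(pe))
    print("naive mapping outside subgroup:", naive_outside_subgroup_count(64), "of 64")
```

The subgroup membership test `pow(e, q, p) == 1` is the check a verifier should apply to any received group element as well, since an element of small order (here 2, i.e. p-1) outside the subgroup would leak information about the other side's secret exponent.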