Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks
Tero Kivinen <kivinen@iki.fi> Tue, 09 April 2013 13:07 UTC
Message-ID: <20836.4657.322399.281541@fireball.kivinen.iki.fi>
Date: Tue, 09 Apr 2013 16:05:53 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB34042090604F1@xmb-rcd-x04.cisco.com>
References: <9F821C79-A855-4060-A356-ED8E5C50048B@vpnc.org> <51634894.1030306@brainhub.org> <A113ACFD9DF8B04F96395BDEACB34042090604F1@xmb-rcd-x04.cisco.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Andrey Jivsov <openpgp@brainhub.org>
Subject: Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks
Scott Fluhrer (sfluhrer) writes:
> Now, there are q-1 different primitive elements; that's more than we
> could reasonably list. We could specify a test to reject primitive
> elements; however, that test isn't cheap (it can be done cheaper
> than the full r**q==1 test, nevertheless, not cheaply). In addition,
> an attacker injecting a primitive element could use it to deduce the
> lsbit of the private exponent; however that cannot deduce any more
> than that. I don't believe that the expense of the full test is
> worth protecting one bit of the exponent.

Hmm... there is text in the RFC2412 about this, I think:
----------------------------------------------------------------------
   Because these two primes are congruent to 7 (mod 8), 2 is a
   quadratic residue of each prime. All powers of 2 will also be
   quadratic residues. This prevents an opponent from learning the
   low order bit of the Diffie-Hellman exponent (AKA the subgroup
   confinement problem). Using 2 as a generator is efficient for some
   modular exponentiation algorithms. [Note that 2 is technically not
   a generator in the number theory sense, because it omits half of
   the possible residues mod P. From a cryptographic viewpoint, this
   is a virtue.]
----------------------------------------------------------------------
I assume this is the same thing you are talking about, i.e. the opponent
learning the low order bit of the DH exponent, and RFC2412 claims that,
because of the nature of the primes, that attack is not possible. Right?
-- 
kivinen@iki.fi
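The RFC 2412 argument quoted in the message above, exercised in code. This is an added example written for this archive page; it is not code from the thread, from draft-ietf-ipsecme-dh-checks, or from RFC 2412, and the primes in it (23, 47, 11) are constructed toy safe primes rather than the real MODP groups. It shows three things: the "cheaper than r**q==1" residuosity test Scott refers to, implemented as the Jacobi symbol by quadratic reciprocity (no modular exponentiation) and cross-checked against Euler's criterion; a check that a group has the RFC 2412 shape (safe prime p congruent to 7 mod 8, so 2 is a quadratic residue); and why that shape matters, since with a primitive element the residuosity of the public value gives away the low bit of the private exponent, while with 2 every public value is a residue and nothing is exposed. The function and parameter names are this example's own.

```python
# Added example, not from the thread: RFC 2412's subgroup-confinement
# argument run on constructed toy safe primes (not the real MODP groups).

def is_prime(n):
    """Trial division; adequate for the toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def jacobi(a, n):
    """Jacobi symbol (a/n) by quadratic reciprocity, n odd and positive.
    For prime n this is the Legendre symbol: +1 residue, -1 non-residue,
    0 if n divides a. Costs a gcd-like loop, not an exponentiation, which
    is the "cheaper than r**q==1" test mentioned in the thread."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:           # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # reciprocity: sign flips if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def euler_residue_test(r, p):
    """Full test r^((p-1)/2) == 1 (mod p). For a safe prime p = 2q+1 this is
    exactly the r**q == 1 exponentiation from the thread."""
    return pow(r, (p - 1) // 2, p) == 1

def rfc2412_style_group(p, g=2):
    """True when p is a safe prime congruent to 7 (mod 8) and g is a
    quadratic residue, so every power of g is a residue mod p."""
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and p % 8 == 7 and jacobi(g, p) == 1

def low_bit_exposed(g, public, p):
    """What an observer learns about the parity of x from public = g^x mod p.
    Returns None when g itself is a residue (all its powers are residues,
    nothing is learned), otherwise the low bit of x: g^x is a residue
    exactly when x is even."""
    if jacobi(g, p) == 1:
        return None
    return 0 if jacobi(public, p) == 1 else 1

# Constructed toy parameters: p = 23 = 2*11 + 1 is a safe prime, 23 = 7 (mod 8).
P, Q = 23, 11
GOOD_G = 2        # quadratic residue mod 23 (order q), the RFC 2412 choice
PRIMITIVE_G = 5   # primitive element mod 23 (order 2q), i.e. a non-residue

if __name__ == "__main__":
    assert rfc2412_style_group(P, GOOD_G)
    for x in range(1, P - 1):
        assert low_bit_exposed(GOOD_G, pow(GOOD_G, x, P), P) is None
        assert low_bit_exposed(PRIMITIVE_G, pow(PRIMITIVE_G, x, P), P) == (x & 1)
    print("generator 2 hides the exponent parity; a primitive element exposes it")
```

Note that for a safe prime the Euler criterion costs the same as the r**q test, which is why the cheap variant has to be the Jacobi symbol rather than an exponentiation; both agree on every residue class, which the script checks.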