Re: [IPsec] New draft on IKE Diffie-Hellman checks

Hugo Krawczyk <> Mon, 10 December 2012 19:50 UTC

From: Hugo Krawczyk <>
Date: Mon, 10 Dec 2012 14:50:27 -0500
To: Yaron Sheffer <>
Cc: IPsecme WG <>
Subject: Re: [IPsec] New draft on IKE Diffie-Hellman checks

The tests in sections 2.1 and 2.3 are cheap and can serve as sanity checks
for an implementation as stated in the draft, even if DH is not reused.

On the other hand, the test in 2.2 is expensive, equivalent to a group
exponentiation, and therefore should not be recommended without DH re-use
(in which case the test is an expensive waste).

Actually, the right recommendation (or MUST) for 2.2 groups is NOT to reuse
DH values.
Indeed, the reason to reuse DH is to save an exponentiation but if you do
so you pay with an extra exponentiation for the membership test. Moreover,
while the exponentiation you are saving can be performed offline (before
the run of the IKE session), the group membership test is online, so either
way it makes no sense to reuse the DH exponents.
By the way, if you forbid re-use, you need to actually mandate fresh
exponents with each session (otherwise, an implementation may be tempted to
avoid re-use by using g^x, g^{x+1}, g^{x+2}, etc.)


On Mon, Dec 10, 2012 at 1:43 PM, Yaron Sheffer <> wrote:

> Hi,
> following the recent discussion on the mailing list, Scott Fluhrer and
> myself just published a draft that updates RFC 5996 by adding the required
> recipient-side tests for ECDH. Please see
> drafts/draft-sheffer-ipsecme-dh-checks-00.txt <>.
> We have not addressed the issues raised by Dan and Tero regarding
> inconsistencies between various RFCs that define ECDH groups for IKE. I
> personally deem these issues to be out of scope of the current document.
> Comments are very welcome.
> Thanks,
>     Yaron
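As an added illustration (not code from the draft or from anyone in this thread), here are the recipient-side checks the reply compares, on a constructed toy group. The mapping of section 2.1 to a range check and 2.2 to the order-q subgroup test is my assumption, as are all the names below; the parameters are a toy p = 2q + 1, not a real IKE group.

```python
import secrets

# Constructed toy parameters (NOT a real IKE group): p = 2q + 1 with q prime,
# and g generates the order-q subgroup. Real groups are thousands of bits.
P, Q, G = 23, 11, 4


def range_check(y, p):
    """Cheap test (assumed to be the draft's section 2.1): reject 0, 1 and
    p-1, the elements of order 1 or 2. Cost: two comparisons."""
    return 1 < y < p - 1


def subgroup_check(y, p, q):
    """Expensive test (assumed to be section 2.2): y^q mod p == 1, i.e. y lies
    in the prime-order subgroup. Cost: one modular exponentiation, the same
    work as computing a DH share, which is the reply's objection."""
    return pow(y, q, p) == 1


def fresh_keypair(p, q, g):
    """Fresh exponent for every session, as the reply argues should be
    mandated: x drawn uniformly from [1, q-1], never derived from an old x."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def is_incremented_share(y_prev, y_next, g, p):
    """Detects the 'g^x, g^{x+1}, ...' pattern the reply warns about:
    consecutive shares related by a single multiplication with g are not fresh."""
    return y_next == (y_prev * g) % p


def accept_peer_value(y, p, q, reuse_exponent):
    """Recipient-side policy. The cheap range check is always worthwhile;
    the subgroup test only buys something when our own exponent is reused
    (a small-subgroup element from the peer could otherwise leak bits of it)."""
    if not range_check(y, p):
        return False
    if reuse_exponent and not subgroup_check(y, p, q):
        return False
    return True
```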