Re: [TLS] I can has SHA-1 hashes for RFC 2409/3526 MODP groups?

Geoffrey Keating <geoffk@geoffk.org> Fri, 28 February 2014 21:22 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73723848D4@uxcn10-6.UoA.auckland.ac.nz>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Fri, 28 Feb 2014 13:22:53 -0800
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73723848D4@uxcn10-6.UoA.auckland.ac.nz>
Message-ID: <m24n3jylsi.fsf@localhost.localdomain>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1E3oh8lEmQRfvCzvzYrRoHVWI-I
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] I can has SHA-1 hashes for RFC 2409/3526 MODP groups?

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> I can has SHA-1 hashes for RFC 2409/3526 MODP groups?
> 
> The MODP groups for DH specified in RFC 2409 and 3526 seem to be widely used
> in things like SSH and SSL/TLS, however unlike the RFC 5114 groups there's no
> subgroup given and so no way to verify that the prime hasn't been corrupted in
> some way (the generator is easy, it's always 2).  OTOH the RFC 5114 groups
> have stupid generators so I don't know why anyone would use them.
> 
> In any case I'd like to have a means of verifying the validity of the data for
> the RFC 2409/3526 primes as stored in memory, but if I generate my own SHA-1
> hashes then there's the risk that I'm verifying flawed data.  Does anyone have
> SHA-1 hash values for the RFC 2409/3526 primes, i.e. the 1024/1536/2048/etc-
> bit values in the two RFCs?  The values I've got are:
> 
> RFC 2409, 1024-bit prime: c0 33 bd 43 51 fb a3 73 25 45 ea 2e 01 6d 52 b0 ...
> RFC 3526, 1536-bit prime: 49 ec ab a9 72 7a 1a f0 63 60 82 c4 67 48 5a 1a ...
> RFC 3526, 2048-bit prime: b9 5c 79 9a a5 dd 38 8c 6d f5 e7 23 98 cb 9d 7d ...
> RFC 3526, 3072-bit prime: 94 1a 04 77 38 fe 55 33 33 69 e2 b3 86 b6 d6 18 ...

I'd encourage you to do the derivation again: compute

2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }

and verify that it's prime.  I don't think any special security
measures were taken during the creation of RFC 3526; you'd think by
now someone would have noticed if the 'primes' weren't prime or didn't
match the claimed polynomial, but if everyone thinks someone else has
checked...
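The re-derivation suggested above, as an added worked example (this is
not code from Keating's message, from Gutmann, or from the RFCs).  The
formula and the constant 124476 are the ones quoted in the message;
everything else is this example's own choice: pi is computed in integer
fixed point with Machin's formula, primality is checked with
Miller-Rabin (the small-prime list and the round count are assumptions,
not something the RFCs prescribe), and the function and key names are
made up for the example.  Since the RFC 3526 primes are safe primes,
q = (p-1)/2 is prime and the order of 2 can be checked directly, which
is what "no subgroup given" reduces to for these groups.

```python
"""Re-derive the RFC 3526 2048-bit MODP prime from its defining formula and
check what the RFC claims for it: p and (p-1)/2 are prime, and the generator
2 has order (p-1)/2.  Pure Python, no third-party packages."""
import random


def pi_fixed(bits: int, guard: int = 64) -> int:
    """floor(pi * 2**bits) via Machin's formula pi = 16*atan(1/5) - 4*atan(1/239),
    evaluated in integer fixed point with `guard` extra low bits to absorb the
    truncation error of the series (a few thousand units, far below 2**guard)."""
    scale = 1 << (bits + guard)

    def arctan_inv(x: int) -> int:
        # atan(1/x) = sum_k (-1)^k / ((2k+1) * x^(2k+1)), scaled by `scale`
        total, term, k = 0, scale // x, 0
        while term:
            total += (-term if k & 1 else term) // (2 * k + 1)
            term //= x * x
            k += 1
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


def modp_prime(n_bits: int, k: int) -> int:
    """p = 2^n - 2^(n-64) - 1 + 2^64 * ([2^(n-130) pi] + k): the shape shared by
    the RFC 2409/3526 MODP primes, with k the per-group constant."""
    return ((1 << n_bits) - (1 << (n_bits - 64)) - 1
            + (1 << 64) * (pi_fixed(n_bits - 130) + k))


def rfc3526_2048() -> int:
    """2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } (quoted in the message)."""
    return modp_prime(2048, 124476)


# Assumption of this example: trial-division primes and Miller-Rabin rounds.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]


def is_probable_prime(n: int, rounds: int = 12) -> bool:
    """Miller-Rabin with random bases; always True for a genuine prime."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_modp_group(p: int) -> dict:
    """The checks to run before trusting p as a DH modulus with generator 2."""
    q = (p - 1) // 2
    return {
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),      # safe prime: subgroup order is q
        "g2_order_q": pow(2, q, p) == 1,      # 2 != 1 and 2^q == 1 => order exactly q
        "p_mod_8": p % 8,                     # 7 here, so 2 is a quadratic residue
    }


if __name__ == "__main__":
    p = rfc3526_2048()
    print(f"{p.bit_length()}-bit p = {p:x}")   # compare with the hex in RFC 3526
    print(check_modp_group(p))
```

Diff the printed hex against the value in RFC 3526 (or against the bytes
held in memory) rather than against a SHA-1 computed over those same
bytes; the formula, not a digest of the stored copy, is the independent
reference.  The same `modp_prime` shape applies to the other groups in
the two RFCs with their own constants, which are not quoted here.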