Re: [TLS] Short Ephermal Diffie-Hellman keys

[Bodo Moeller <bmoeller@acm.org>]

On Tue, May 15, 2007 at 05:54:27PM -0400, Russ Housley wrote:
> Bodo:

>>>> Speaking of which what do people think about including the sub prime
>>>> value (aka "q") as an optional value in DH parameters in a TLS 1.2
>>>> handshake?

>> Yes, this definitely should be done!

> RFC 2412 does not seem use "q" this way.  Does anyone every use 
> Oakley groups with TLS?  If so, then you probably need some more 
> general way to indicate the size of the subgroup.

For the Oakley well-known groups, the generator actually is a
generator of a prime-order subgroup, so specifying a 'q' value is no
problem.  (It doesn't help much in this case, though, since 'q' is
just one bit shorter than 'p'.)

In general, Oakley-style group specifications include a "group order
largest prime factor" field, which is pretty useless for
implementations.  It only helps to estimate the security that
can be obtained using such a group when doing Diffie-Hellman
*properly*, which is something for which you *don't* need this piece
of information (and for which you shouldn't rely too much on
Appendix D of RFC 2412).  What you do need for implementations is the
group order, and (if you want to use the short-exponent trick
suggested in RFC 2412 App. D) information on whether the group order
is prime (which is *not* part of Oakley-style group specifications).


I'd suggest stating in the TLS specification that 'q' can only be
included in the ServerKeyExchange message for the case of prime-order
subgroups.  These are what you'd usually use, except sometimes if the
DH subgroup is nearly as large as 'p', which is a case where knowing
'q' doesn't provide significant benefits anyhow.

Bodo


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls