IETF Logo Mail Archive

Re: [TLS] Short Ephermal Diffie-Hellman keys

Bodo Moeller <bmoeller@acm.org> Sun, 03 June 2007 19:47 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Huw38-0005S0-4g; Sun, 03 Jun 2007 15:47:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Huw36-0005OP-KG for tls@lists.ietf.org; Sun, 03 Jun 2007 15:47:36 -0400
Received: from moutng.kundenserver.de ([212.227.126.187]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Huw35-0000Mc-7R for tls@lists.ietf.org; Sun, 03 Jun 2007 15:47:36 -0400
Received: from [80.142.163.135] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1Huw321hnD-0002if; Sun, 03 Jun 2007 21:47:33 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 2E2B11AF29; Sun, 3 Jun 2007 21:47:31 +0200 (CEST)
Date: Sun, 03 Jun 2007 21:47:31 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
Message-ID: <20070603194730.GA14314@tau.invalid>
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <4648AEA2.3020506@bolyard.com> <20070515130804.GA15682@tau.invalid> <4649D2FD.2020309@drh-consultancy.demon.co.uk> <4649E35B.4030809@bolyard.com> <20070515202726.GA24732@tau.invalid> <0MKu60-1Ho53w3DRn-0003jg@mx.kundenserver.de> <20070515224351.GA27872@tau.invalid> <20070603150710.8E87B33C4B@delta.rtfm.com> <0MKrQq-1HutnI0OD5-0006s3@mx.kundenserver.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0MKrQq-1HutnI0OD5-0006s3@mx.kundenserver.de>
User-Agent: Mutt/1.5.9i
X-Provags-ID: V01U2FsdGVkX18N/AXlgXgwql3LcQCGlfggrNIe0AT+gs1Iuib xXy8qY1H9ZO30Ipa7m57JrHqCVpL24Vp/6dMiKxdZD73LuF+cx lH+0XeA1OSC+4kK96bQJw==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On Sun, Jun 03, 2007 at 01:21:36PM -0400, Russ Housley wrote:

>> So, I'm no DH expert, but my understanding is that there are three
>> common cases:
>> 
>> 1. Randomly generated p with no special structure
>> 2. Sophie-Germain primes where q is about p/2.
>> 3. DSA-style groups where q<<p.

>> [...]                                                    It was
>> my understanding that we mostly encouraged people to use S-G primes
>> in any case.

> I think that FIPS 140 validated modules will use 3.  And then, one 
> needs to know q to detect small subgroups.

You don't really have to check that other parties' public DH keys are
in the proper subgroup (that is, in the order-q subgroup) when using
*single-use* DH keys yourself.  There's nothing that could be gained
through small-subgroup attacks in this case, and thus no need to
check.

Of course, you do need q to efficiently perform DH operations in this
setting.  Since you don't need subgroup membership tests with them,
single-use DH keys are very practical.

Bodo


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email