Re: [TLS] Short Ephermal Diffie-Hellman keys

pgut001@cs.auckland.ac.nz (Peter Gutmann) Tue, 05 June 2007 07:09 UTC

From: pgut001@cs.auckland.ac.nz
To: bmoeller@acm.org, ekr@networkresonance.com
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
In-Reply-To: <20070603150710.8E87B33C4B@delta.rtfm.com>
Message-Id: <E1HvTAE-0008Iu-00@medusa01.cs.auckland.ac.nz>
Date: Tue, 05 Jun 2007 19:09:10 +1200
Cc: tls@lists.ietf.org

Eric Rescorla <ekr@networkresonance.com> writes:

>So, I'm no DH expert, but my understanding is that there are three common
>cases:
>
>1. Randomly generated p with no special structure
>2. Sophie-Germain primes where q is about p/2.
>3. DSA-style groups where q<<p.
>
>Only in the last case does carrying around q offer much benefit.
>
>Is this common enough that it's worth changing the spec? It was my
>understanding that we mostly encouraged people to use S-G primes in any case.

Use of S-G primes is mostly historical.  I use the Lim-Lee algorithm, which
both produces known-good (verifiable) DSA-style primes, and is extremely
efficient (far more so than anything that produces S-G primes).  Having an
ability to (optionally) specify DSA-style parameters would be a considerable
help.

(Actually I'd make them mandatory, but I suspect that'd get too many
complaints from existing users.  Mind you, given the current low use of DH
compared to the near-universal RSA, it'd be nice to get implementors into good
habits early and require verifiable DSA-style parameters).

Peter.
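The three parameter shapes Eric lists, and the reason q matters for the DSA-style one, can be shown with a short Python script. This is an added example, not code from either poster or from any TLS implementation; the group parameters in it (p = 23, 67 and 31, q = 11, generators 2 and 64) are constructed toy values far below real sizes, and the function names are my own. It classifies a group from p and q and runs the receiver-side check on a peer's public value: the range check 1 < y < p-1 is always possible, but the subgroup check y^q mod p == 1 needs q. For a Sophie Germain prime the only subgroup the range check cannot see is trivial, so q buys little; for a DSA-style prime the cofactor (p-1)/q has further prime factors, and an element of such a small subgroup (37, of order 3 mod 67, below) passes the range check and is caught only when q is known.

```python
# Added example (not from the thread): classify a finite-field DH group by the
# structure of p - 1 and show the peer public-value check that needs q.
# All parameters below are constructed toys chosen so the arithmetic is checkable by hand.
from typing import List, Optional, Tuple


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (2..37); deterministic for n < 3.3e24, ample for toys."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_group(p: int, q: Optional[int] = None) -> str:
    """Return 'sophie-germain' (p = 2q + 1), 'dsa-style' (q << p), or
    'unstructured' when no q is supplied with the parameters."""
    if not is_probable_prime(p):
        raise ValueError("p is not prime")
    if q is None:
        return "unstructured"
    if not is_probable_prime(q) or (p - 1) % q != 0:
        raise ValueError("q must be a prime factor of p - 1")
    if p == 2 * q + 1:
        return "sophie-germain"
    return "dsa-style"


def cofactor_orders(p: int, q: int) -> List[int]:
    """Prime orders of the subgroups living in the cofactor (p - 1) / q, i.e. the
    small subgroups a range check cannot see. Trial division: toy sizes only."""
    cofactor = (p - 1) // q
    orders, f = [], 2
    while f * f <= cofactor:
        while cofactor % f == 0:
            orders.append(f)
            cofactor //= f
        f += 1
    if cofactor > 1:
        orders.append(cofactor)
    return sorted(set(orders))


def check_public_value(p: int, y: int, q: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver-side validation of a peer's DH public value y.

    The range check is always possible. The subgroup check pow(y, q, p) == 1
    needs q, which is what carrying q in the parameters buys: with q << p it is
    also cheap, since the exponent has only q.bit_length() bits instead of p's.
    """
    if not 1 < y < p - 1:
        return False, "y outside (1, p-1): rejects 0, 1 and the order-2 element p-1"
    if q is not None and pow(y, q, p) != 1:
        return False, "y not in the order-q subgroup (small-subgroup element)"
    return True, "ok"


# Constructed toy parameters (not real-world sizes):
SG_P, SG_Q, SG_G = 23, 11, 2        # Sophie Germain: p = 2q + 1
DSA_P, DSA_Q, DSA_G = 67, 11, 64    # DSA-style: p = 6q + 1, g = 2^6 mod p has order q
RANDOM_P = 31                       # p - 1 = 2 * 3 * 5, no q advertised

if __name__ == "__main__":
    for name, p, q in (("SG", SG_P, SG_Q), ("DSA", DSA_P, DSA_Q), ("random", RANDOM_P, None)):
        print(name, classify_group(p, q), "cofactor subgroup orders:",
              cofactor_orders(p, q) if q else "unknown without q")
    # 37 has order 3 mod 67: passes the range check, fails only the q check
    print("without q:", check_public_value(DSA_P, 37))
    print("with q:   ", check_public_value(DSA_P, 37, DSA_Q))
```

Running it shows the group of p = 23 has only the order-2 cofactor subgroup (already excluded by the range check), while p = 67 has an order-3 subgroup that is invisible without q; the same holds at real sizes, where the receiver cannot factor p-1 to find out for itself.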

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls