IETF Logo Mail Archive

Re: [TLS] Short Ephermal Diffie-Hellman keys

Russ Housley <housley@vigilsec.com> Sun, 03 June 2007 19:56 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HuwBL-0004cs-65; Sun, 03 Jun 2007 15:56:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HuwBJ-0004cn-NK for tls@lists.ietf.org; Sun, 03 Jun 2007 15:56:05 -0400
Received: from woodstock.binhost.com ([66.150.120.2]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HuwBI-0001b0-Cl for tls@lists.ietf.org; Sun, 03 Jun 2007 15:56:05 -0400
Received: (qmail 1671 invoked by uid 0); 3 Jun 2007 19:55:58 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (66.243.88.163) by woodstock.binhost.com with SMTP; 3 Jun 2007 19:55:58 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sun, 03 Jun 2007 15:55:59 -0400
To: Bodo Moeller <bmoeller@acm.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
In-Reply-To: <20070603194730.GA14314@tau.invalid>
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <4648AEA2.3020506@bolyard.com> <20070515130804.GA15682@tau.invalid> <4649D2FD.2020309@drh-consultancy.demon.co.uk> <4649E35B.4030809@bolyard.com> <20070515202726.GA24732@tau.invalid> <0MKu60-1Ho53w3DRn-0003jg@mx.kundenserver.de> <20070515224351.GA27872@tau.invalid> <20070603150710.8E87B33C4B@delta.rtfm.com> <0MKrQq-1HutnI0OD5-0006s3@mx.kundenserver.de> <20070603194730.GA14314@tau.invalid>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Message-Id: <E1HuwBL-0004cs-65@megatron.ietf.org>

Thanks for the correction and clarification.

Russ

At 03:47 PM 6/3/2007, Bodo Moeller wrote:
>On Sun, Jun 03, 2007 at 01:21:36PM -0400, Russ Housley wrote:
>
> >> So, I'm no DH expert, but my understanding is that there are three
> >> common cases:
> >>
> >> 1. Randomly generated p with no special structure
> >> 2. Sophie-Germain primes where q is about p/2.
> >> 3. DSA-style groups where q<<p.
>
> >> [...]                                                    It was
> >> my understanding that we mostly encouraged people to use S-G primes
> >> in any case.
>
> > I think that FIPS 140 validated modules will use 3.  And then, one
> > needs to know q to detect small subgroups.
>
>You don't really have to check that other parties' public DH keys are
>in the proper subgroup (that is, in the order-q subgroup) when using
>*single-use* DH keys yourself.  There's nothing that could be gained
>through small-subgroup attacks in this case, and thus no need to
>check.
>
>Of course, you do need q to efficiently perform DH operations in this
>setting.  Since you don't need subgroup membership tests with them,
>single-use DH keys are very practical.
>
>Bodo


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email