Re: [TLS] I can has SHA-1 hashes for RFC 2409/3526 MODP groups?

Henrick Hellström <henrick@streamsec.se> Sat, 01 March 2014 15:02 UTC

Message-ID: <5311F652.4090804@streamsec.se>
To: Geoffrey Keating <geoffk@geoffk.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73723848D4@uxcn10-6.UoA.auckland.ac.nz> <m24n3jylsi.fsf@localhost.localdomain>
In-Reply-To: <m24n3jylsi.fsf@localhost.localdomain>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fWQiwE2LSSahR3jTLT1NVgQHU1c
Cc: "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, "<tls@ietf.org>" <tls@ietf.org>

On 2014-02-28 22:22, Geoffrey Keating wrote:
> I'd encourage you to do the derivation again: compute
>
> 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
>
> and verify that it's prime.  I don't think any special security
> measures were taken during the creation of RFC 3526, you'd think by
> now someone would have noticed if the 'primes' weren't prime or didn't
> match the claimed polynomial, but if everyone thinks someone else has
> checked...

There is more.

1. The MODP primes are supposed to be safe primes (i.e. primes of the 
form p = 2q+1 where q is also prime). Furthermore, 2 will be a generator 
of the large subgroup of order q, rather than of the entire 
multiplicative group of order 2q.

2. Pi might be calculated using the Bailey–Borwein–Plouffe formula. I 
calculated it for the first 2048 hexadecimal digits, which was a 
sufficiently good approximation for all of the MODP groups up to the 
8192 bit one.

3. All of the MODP primes are of the form p = 2^n - 2^(n-64) + 2^64( 
[2^(n-130)pi] + k). The value k is supposed to be the least positive 
integer such that p is a safe prime. This check is important, to rule 
out that any candidates have been deliberately skipped because they 
lack some (hidden) property.

I have generated the primes 1024, 2048, 3072, 4096, 6144 and 8192 from 
the formulae and verified that:
a: The numbers match the numbers in the RFCs.
b: The numbers are safe primes (using both Miller-Rabin tests and Lucas 
tests on q = (p-1)/2, and then the Pocklington Criterion on p).
c: The small constant k is indeed the least positive integer such that 
the number is a safe prime. (Well, to be honest I am still running this 
test for the largest group, just to make sure once more.)
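The re-derivation described in this message, written out as an added example in Python (this is not code from the message, the RFCs, or any IETF project). It uses the formula as quoted at the top of the thread, p = 2^n - 2^(n-64) - 1 + 2^64 * ([2^(n-130) pi] + k), and the k constants as published in RFC 2409 and RFC 3526. Two assumptions differ from the message: pi is computed with Machin's formula in integer fixed point rather than BBP (any method giving an exact floor is fine), and q = (p-1)/2 is tested with Miller-Rabin only, with no Lucas test; p itself is then proved prime with the Pocklington criterion, exactly as in point b. The minimality check of k (point c) sieves the arithmetic progression of candidates against small primes before running any primality test, so the 1024-bit group's k = 129093 is confirmed in a few seconds.

```python
"""Re-derive the RFC 2409/3526 MODP primes from the "pi formula" and run the
three checks from the message: the shape of p, safe-primality (q by
Miller-Rabin, p by Pocklington), 2 generating the order-q subgroup, and k
being the least constant that yields a safe prime.  Added example; constants
transcribed from RFC 2409 (768, 1024) and RFC 3526 (1536 .. 8192)."""
import math

RFC_K = {768: 149686, 1024: 129093, 1536: 741804, 2048: 124476,
         3072: 1690314, 4096: 240904, 6144: 929484, 8192: 4743158}


def small_primes(limit):
    """Primes up to limit (simple Eratosthenes sieve)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = small_primes(20000)


def arctan_inv(x, bits):
    """arctan(1/x) scaled by 2^bits, Gregory series in integer arithmetic."""
    power = (1 << bits) // x          # 1/x^(2k+1), starting at k = 0
    total, x2, k = power, x * x, 1
    while power:
        power //= x2
        term = power // (2 * k + 1)
        total += -term if k & 1 else term
        k += 1
    return total


def pi_floor(shift):
    """floor(2^shift * pi). Machin: pi = 16 atan(1/5) - 4 atan(1/239).
    64 guard bits absorb the series truncation error (assumption: pi*2^shift
    is not within 2^-60 of an integer, which holds for every MODP group)."""
    bits = shift + 64
    return (16 * arctan_inv(5, bits) - 4 * arctan_inv(239, bits)) >> 64


def modp_candidate(n, k, pi_part=None):
    """p = 2^n - 2^(n-64) - 1 + 2^64 * ([2^(n-130) pi] + k) as in the RFCs."""
    if pi_part is None:
        pi_part = pi_floor(n - 130)
    return (1 << n) - (1 << (n - 64)) - 1 + ((pi_part + k) << 64)


def is_probable_prime(x, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Trial division by small primes, then Miller-Rabin with the given bases."""
    if x < 2:
        return False
    for sp in SMALL_PRIMES[:50]:
        if x % sp == 0:
            return x == sp
    d, s = x - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def pocklington_safe_prime(p, q):
    """Given q = (p-1)/2 prime, Pocklington with F = q > sqrt(p): p is prime
    iff some base a has a^(p-1) = 1 (mod p) and gcd(a^((p-1)/q) - 1, p) = 1."""
    if p != 2 * q + 1:
        return False
    for a in (2, 3):
        if pow(a, p - 1, p) == 1 and math.gcd(a * a - 1, p) == 1:
            return True
    return False


def verify_group(n, k=None):
    """Checks 1 and b from the message for the n-bit group; dict of booleans."""
    k = RFC_K[n] if k is None else k
    p = modp_candidate(n, k)
    q = (p - 1) // 2
    h = format(p, 'x')
    return {
        'bit_length': p.bit_length() == n,
        # 64 one-bits, then the hex digits of pi (C90FDAA2...), then 64 one-bits
        'shape': h.startswith('f' * 16 + 'c90fdaa22168c234') and h.endswith('f' * 16),
        'q_prime': is_probable_prime(q),
        'p_prime': pocklington_safe_prime(p, q),
        'two_has_order_q': pow(2, q, p) == 1,   # 2 generates the subgroup of order q
    }


def least_k(n, limit):
    """Smallest k in [1, limit] with p(n, k) a safe prime, or None (check c).
    Candidates differ by 2^64, so for each odd small prime l the k with
    l | p(k), and the k with l | q(k), each form one residue class mod l."""
    pi_part = pi_floor(n - 130)
    p0 = modp_candidate(n, 0, pi_part)       # p(k) = p0 + k * 2^64
    q0 = (p0 - 1) // 2                       # q(k) = q0 + k * 2^63
    alive = bytearray([1]) * (limit + 1)
    alive[0] = 0
    for l in SMALL_PRIMES[1:]:               # skip 2: p(k) and q(k) are always odd
        for r0, r1 in ((p0 % l, (1 << 64) % l), (q0 % l, (1 << 63) % l)):
            k0 = (-r0 * pow(r1, -1, l)) % l  # solves r0 + k * r1 == 0 (mod l)
            alive[k0::l] = bytes(len(range(k0, limit + 1, l)))
    for k in range(1, limit + 1):
        if alive[k]:
            q = q0 + (k << 63)
            if is_probable_prime(q, bases=(2,)) and is_probable_prime(q):
                if pocklington_safe_prime(2 * q + 1, q):
                    return k
    return None


if __name__ == "__main__":
    for n in (1024, 2048):
        print(n, verify_group(n))
    print("least k for the 1024-bit group:", least_k(1024, RFC_K[1024]))
```

The sieve is what makes check c affordable: without it every one of the ~10^5 candidates below k needs a modular exponentiation, with it only the few hundred that survive trial division by both p and q do. Running least_k for the 3072-bit and larger groups is the same call with the larger k from RFC_K, just slower.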