Re: [TLS] [Cfrg] password-based key exchange

"Dan Harkins" <> Wed, 04 January 2012 18:30 UTC

Date: Wed, 4 Jan 2012 10:30:08 -0800 (PST)
From: "Dan Harkins" <>
To: "Igoe, Kevin M." <>

  Hi Kevin,

  Thank you very much for reviewing this draft.

On Wed, January 4, 2012 5:14 am, Igoe, Kevin M. wrote:
> I really like this idea & can find no problems.
> One nitpicking detail:  HashToElement should return an element of a
> cryptographic subgroup of (Z/pZ)*, i.e. an element of a cyclic subgroup
> of prime order q, q suitably large.  (Of course both sides should use the
> same subgroup, but in practice this isn't a problem since the standard
> mod p groups specify both q and an element g of order q which generates
> the cryptographic subgroup.)

  I believe the two techniques used in section 4.1-- one for FFC groups,
another for ECC groups-- return an element from a subgroup of prime
order q.

> I'm curious as to what size parameters are under consideration by IEEE.

  The specification of this key exchange in IEEE 802.11 uses the IANA
registry created by IKE for "diffie-hellman groups" so it can use the
NIST elliptic curves, and the safe prime FFC groups (from 1024 bits
up to 8192 bits). Implementations are required to support NIST's 256-bit
random ECP group (group 19 from IKE's IANA registry).
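The subgroup point raised above, as an added worked example that is not code from the draft, from IEEE 802.11 or from either author of this thread: hash a password to a candidate, then force the result into the prime-order subgroup, for an FFC group by raising the candidate to the cofactor (p-1)/q, and for an ECC group by solving for y and multiplying by the curve cofactor. The FFC group is a constructed toy safe prime (p = 2q + 1 with p = 2039), the seeding function is a hypothetical SHA-256 construction rather than the draft's, and the hunting loop is simplified (no KDF, no fixed iteration count). The ECC group is NIST P-256 (IKE group 19), whose constants are from FIPS 186 and whose cofactor is 1. The last function shows why the cofactor step matters: a raw FFC candidate is a quadratic non-residue about half the time and therefore outside the order-q subgroup.

```python
import hashlib

# Toy safe prime p = 2q + 1, constructed for illustration only; real
# deployments use the 1024..8192-bit MODP groups from the IKE registry.
FFC_P = 2039
FFC_Q = 1019


def is_prime(n):
    """Trial division; adequate for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert is_prime(FFC_P) and is_prime(FFC_Q) and FFC_P == 2 * FFC_Q + 1


def hash_to_int(password, label, counter):
    """Hypothetical seeding (assumption): SHA-256 over label, password, counter."""
    h = hashlib.sha256(label.encode() + b"\x00" + password.encode() + bytes([counter]))
    return int.from_bytes(h.digest(), "big")


def in_ffc_subgroup(x, q, p):
    """x lies in the unique subgroup of order q iff x^q == 1 mod p."""
    return pow(x, q, p) == 1


def ffc_hash_to_element(password, p, q, max_tries=40):
    """Hunt for a candidate in [2, p-1], then cofactor-exponentiate it into
    the order-q subgroup: PE = cand^((p-1)/q) mod p.  PE == 1 is rejected."""
    cofactor = (p - 1) // q
    for counter in range(1, max_tries + 1):
        cand = hash_to_int(password, "ffc", counter) % p
        if cand < 2:
            continue
        pe = pow(cand, cofactor, p)
        if pe == 1:
            continue  # cand was +-1, keep hunting
        return pe, counter
    raise ValueError("no element found")


def first_raw_candidate_outside_subgroup(password, p, q, max_tries=40):
    """Counter of the first raw (non-cofactored) candidate that is NOT in the
    order-q subgroup, or None.  Shows what skipping the cofactor step loses."""
    for counter in range(1, max_tries + 1):
        cand = hash_to_int(password, "ffc", counter) % p
        if cand >= 2 and not in_ffc_subgroup(cand, q, p):
            return counter
    return None


# NIST P-256 (IKE group 19): prime-order curve, cofactor 1.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = (-3) % P256_P
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_H = 1


def ec_add(pt1, pt2, a, p):
    """Affine point addition; None is the point at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt, a, p):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt, a, p)
        pt = ec_add(pt, pt, a, p)
        k >>= 1
    return acc


def ecc_hash_to_element(password, p, a, b, h, max_tries=40):
    """Hunt for an x with x^3 + ax + b a quadratic residue, recover y, and
    multiply by the cofactor h so the point lands in the prime-order subgroup."""
    assert p % 4 == 3  # sqrt(v) = v^((p+1)/4) applies (true for P-256)
    for counter in range(1, max_tries + 1):
        x = hash_to_int(password, "ecc", counter)
        if x >= p:
            continue
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p != rhs:
            continue  # x is not the abscissa of any point; keep hunting
        if y & 1:
            y = p - y  # deterministic root choice (assumption): even y
        pe = ec_mul(h, (x, y), a, p)  # cofactor clearing, a no-op on P-256
        if pe is None:
            continue
        return pe, counter
    raise ValueError("no point found")


def ec_in_prime_subgroup(pt, n, a, p):
    """pt has order dividing n iff n*pt is the point at infinity."""
    return ec_mul(n, pt, a, p) is None
```

The FFC check is the one Kevin's note calls for: after cofactor exponentiation, pow(pe, q, p) == 1 always holds by Lagrange, whereas the raw candidate passes it only half the time. On P-256 the cofactor multiplication is a no-op, so membership follows from the point simply being on the curve; on a curve with h > 1 it is the step that does the work.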