Re: [TLS] Short Ephermal Diffie-Hellman keys

Russ Housley <housley@vigilsec.com> Sun, 03 June 2007 17:23 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HutnH-0003RW-RX; Sun, 03 Jun 2007 13:23:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HutnG-0003RR-UU for tls@lists.ietf.org; Sun, 03 Jun 2007 13:23:06 -0400
Received: from woodstock.binhost.com ([66.150.120.2]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HutnF-0004DH-ND for tls@lists.ietf.org; Sun, 03 Jun 2007 13:23:06 -0400
Received: (qmail 4478 invoked by uid 0); 3 Jun 2007 17:22:58 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (66.243.88.163) by woodstock.binhost.com with SMTP; 3 Jun 2007 17:22:58 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sun, 03 Jun 2007 13:21:36 -0400
To: Eric Rescorla <ekr@networkresonance.com>, Bodo Moeller <bmoeller@acm.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
In-Reply-To: <20070603150710.8E87B33C4B@delta.rtfm.com>
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <4648AEA2.3020506@bolyard.com> <20070515130804.GA15682@tau.invalid> <4649D2FD.2020309@drh-consultancy.demon.co.uk> <4649E35B.4030809@bolyard.com> <20070515202726.GA24732@tau.invalid> <0MKu60-1Ho53w3DRn-0003jg@mx.kundenserver.de> <20070515224351.GA27872@tau.invalid> <20070603150710.8E87B33C4B@delta.rtfm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Message-Id: <E1HutnH-0003RW-RX@megatron.ietf.org>

Eric:

>At Wed, 16 May 2007 00:43:51 +0200,
>Bodo Moeller wrote:
> > I'd suggest stating in the TLS specification that 'q' can only be
> > included in the ServerKeyExchange message for the case of prime-order
> > subgroups.  These are what you'd usually use, except sometimes if the
> > DH subgroup is nearly as large as 'p', which is a case where knowing
> > 'q' doesn't provide significant benefits anyhow.
>
>So, I'm no DH expert, but my understanding is that there are three
>common cases:
>
>1. Randomly generated p with no special structure
>2. Sophie-Germain primes where q is about p/2.
>3. DSA-style groups where q<<p.
>
>Only in the last case does carrying around q offer much benefit.
>
>Is this common enough that it's worth changing the spec? It was
>my understanding that we mostly encouraged people to use S-G primes
>in any case.

I think that FIPS 140 validated modules will use 3.  And then, one 
needs to know q to detect small subgroups.

Russ


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls