Re: [TLS] Short Ephermal Diffie-Hellman keys

To: Bodo Moeller <bmoeller at acm.org>
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
From: Eric Rescorla <ekr at networkresonance.com>
Date: Sun, 03 Jun 2007 08:07:10 -0700
Cc: tls at lists.ietf.org
In-reply-to: <20070515224351.GA27872@tau.invalid>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <4648AEA2.3020506@bolyard.com> <20070515130804.GA15682@tau.invalid> <4649D2FD.2020309@drh-consultancy.demon.co.uk> <4649E35B.4030809@bolyard.com> <20070515202726.GA24732@tau.invalid> <0MKu60-1Ho53w3DRn-0003jg@mx.kundenserver.de> <20070515224351.GA27872@tau.invalid>
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Wed, 16 May 2007 00:43:51 +0200,
Bodo Moeller wrote:
> I'd suggest stating in the TLS specification that 'q' can only be
> included in the ServerKeyExchange message for the case of prime-order
> subgroups.  These are what you'd usually use, except sometimes if the
> DH subgroup is nearly as large as 'p', which is a case where knowing
> 'q' doesn't provide significant benefits anyhow.

So, I'm no DH expert, but my understanding is that there are three
common cases:

1. Randomly generated p with no special structure
2. Sophie-Germain primes where q is about p/2.
3. DSA-style groups where q<<p.

Only in the last case does carrying around q offer much benefit.

Is this common enough that it's worth changing the spec? It was
my understanding that we mostly encouraged people to use S-G primes
in any case.

-Ekr

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Peter Gutmann
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Russ Housley
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller

References:
- [TLS] Short Ephermal Diffie-Hellman keys
  - From: Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Nelson B Bolyard
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Dr Stephen Henson
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Nelson B Bolyard
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller

Prev by Date: [TLS] Clarify DH calculations
Next by Date: Re: [TLS] Short Ephermal Diffie-Hellman keys
Previous by thread: Re: [TLS] Short Ephermal Diffie-Hellman keys
Next by thread: Re: [TLS] Short Ephermal Diffie-Hellman keys
Index(es):
- Date
- Thread

Re: [TLS] Short Ephermal Diffie-Hellman keys

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.