Re: [TLS] Short Ephermal Diffie-Hellman keys

To: Eric Rescorla <ekr at networkresonance.com>,Bodo Moeller <bmoeller at acm.org>
Subject: Re: [TLS] Short Ephermal Diffie-Hellman keys
From: Russ Housley <housley at vigilsec.com>
Date: Sun, 03 Jun 2007 13:21:36 -0400
Cc: tls at lists.ietf.org
In-reply-to: <20070603150710.8E87B33C4B@delta.rtfm.com>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <4648AEA2.3020506@bolyard.com> <20070515130804.GA15682@tau.invalid> <4649D2FD.2020309@drh-consultancy.demon.co.uk> <4649E35B.4030809@bolyard.com> <20070515202726.GA24732@tau.invalid> <0MKu60-1Ho53w3DRn-0003jg@mx.kundenserver.de> <20070515224351.GA27872@tau.invalid> <20070603150710.8E87B33C4B@delta.rtfm.com>

Eric:

At Wed, 16 May 2007 00:43:51 +0200,
Bodo Moeller wrote:
> I'd suggest stating in the TLS specification that 'q' can only be
> included in the ServerKeyExchange message for the case of prime-order
> subgroups.  These are what you'd usually use, except sometimes if the
> DH subgroup is nearly as large as 'p', which is a case where knowing
> 'q' doesn't provide significant benefits anyhow.

So, I'm no DH expert, but my understanding is that there are three
common cases:

1. Randomly generated p with no special structure
2. Sophie-Germain primes where q is about p/2.
3. DSA-style groups where q<<p.

Only in the last case does carrying around q offer much benefit.

Is this common enough that it's worth changing the spec? It was
my understanding that we mostly encouraged people to use S-G primes
in any case.

I think that FIPS 140 validated modules will use 3. And then, one needs to know q to detect small subgroups.

Russ


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- [TLS] Short Ephermal Diffie-Hellman keys
  - From: Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Nelson B Bolyard
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Dr Stephen Henson
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Nelson B Bolyard
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Bodo Moeller
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Eric Rescorla

Prev by Date: Re: [TLS] Short Ephermal Diffie-Hellman keys
Next by Date: Re: [TLS] Issue 15: Mandate protection against CBC mode timing attack
Previous by thread: Re: [TLS] Short Ephermal Diffie-Hellman keys
Next by thread: Re: [TLS] Short Ephermal Diffie-Hellman keys
Index(es):
- Date
- Thread

Re: [TLS] Short Ephermal Diffie-Hellman keys

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.