Re: [TLS] Short Ephemeral Diffie-Hellman keys

Thanks for the correction and clarification.

Russ

At 03:47 PM 6/3/2007, Bodo Moeller wrote:
On Sun, Jun 03, 2007 at 01:21:36PM -0400, Russ Housley wrote:

>> So, I'm no DH expert, but my understanding is that there are three
>> common cases:
>>
>> 1. Randomly generated p with no special structure
>> 2. Sophie-Germain primes where q is about p/2.
>> 3. DSA-style groups where q<<p.

>> [...]                                                    It was
>> my understanding that we mostly encouraged people to use S-G primes
>> in any case.

> I think that FIPS 140 validated modules will use 3.  And then, one
> needs to know q to detect small subgroups.

You don't really have to check that other parties' public DH keys are
in the proper subgroup (that is, in the order-q subgroup) when using
*single-use* DH keys yourself.  There's nothing that could be gained
through small-subgroup attacks in this case, and thus no need to
check.

Of course, you do need q to efficiently perform DH operations in this
setting.  Since you don't need subgroup membership tests with them,
single-use DH keys are very practical.

Bodo


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
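
Added example, not part of the original messages: the subgroup membership test discussed above for a DSA-style group (case 3), showing why q is needed to detect a small-subgroup value and why the check only matters when a private key is reused. The group parameters and all function names are constructed for illustration and are far too small for real use.

```python
# Constructed toy DSA-style group (assumption, illustration only):
# p - 1 = 6 * q, so q << p in spirit and the cofactor 6 has small factors.
P = 607                        # prime modulus
Q = 101                        # prime order of the intended subgroup
G = pow(2, (P - 1) // Q, P)    # generator of the order-Q subgroup

def in_range(y, p=P):
    """Cheap check that needs no knowledge of q: reject 0, 1 and p - 1."""
    return 1 < y < p - 1

def in_subgroup(y, p=P, q=Q):
    """Full public-key validation: range check plus y^q == 1 (mod p)."""
    return in_range(y, p) and pow(y, q, p) == 1

def small_order_element(r, p=P):
    """Return an element of exact prime order r, where r divides p - 1."""
    for h in range(2, p - 1):
        e = pow(h, (p - 1) // r, p)
        if e != 1:
            return e
    raise ValueError("no element of that order found")

def reachable_secrets(peer_value, p=P, q=Q):
    """Set of shared secrets peer_value^x over every private key x in [1, q)."""
    return {pow(peer_value, x, p) for x in range(1, q)}

if __name__ == "__main__":
    honest = pow(G, 57, P)            # a well-formed public key
    bogus = small_order_element(3)    # lies outside the order-Q subgroup
    for name, y in (("honest", honest), ("order-3", bogus)):
        print(name, "range ok:", in_range(y), "subgroup ok:", in_subgroup(y),
              "possible secrets:", len(reachable_secrets(y)))
```

With a static private key, a peer value of order 3 confines the shared secret to three candidates, so the result depends only on x mod 3; with a fresh x per exchange that residue is discarded along with the key, which is the point made in the reply above.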