RE: Implementation guides for DH?
Much of the discussion on the net about prime safety for DH has been about whether safe primes are necessary or not worth the bother, and at least with the current methods for factoring, it's believed they aren't needed. (One catch, of course, is that the best factoring method 10 or 50 years from now may be affected by safe vs. unsafe primes.) At least in the initial Photuris versions, there were some standard choices of primes that everybody used, so it made sense to pick Sophie-Germain primes anyway.

For RSA, Silverman and Rivest have a paper arguing that *strong* primes are not currently believed to be needed (see the paper for the def of strong prime).

In DH key exchange, when you work in a group (mod a prime) you want to make sure that there are no little subgroups that an attacker can exploit. Choosing a *safe* prime (p = 2q + 1, q and p prime, or p = Rq + 1, with p and q sufficiently large) and working in the subgroup of order q guarantees you this, so it is useful to have these kinds of primes for DH.

Cheers,
--Anton

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
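An added example, not part of any poster's message: one way to apply the subgroup argument above to the check Adam asks about (validating the group and the value the other side sends). All function names are hypothetical, and the two parameter sets are constructed toy values, far too small for real use.

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases (error probability <= 4**-rounds)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness proved n composite
    return True

def validate_group(p, q, g):
    """Accept (p, q, g) only if g generates the order-q subgroup mod p."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0      # p = Rq + 1 (R = 2 for a safe prime)
            and 1 < g < p - 1
            and pow(g, q, p) == 1)    # g != 1 and q prime, so g has order q

def validate_public_key(y, p, q):
    """Check the value the other side sends before using it."""
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        return False                  # rejects 0, 1, p-1 and out-of-range
    return pow(y, q, p) == 1          # y must lie in the order-q subgroup

def shared_secret(peer_y, own_x, p, q):
    """Compute the DH secret only after the peer value passes validation."""
    if not validate_public_key(peer_y, p, q):
        raise ValueError("peer DH public value rejected")
    return pow(peer_y, own_x, p)

# Constructed toy parameters (assumptions for illustration only).
SAFE = dict(p=2039, q=1019, g=4)      # p = 2q + 1
RQ = dict(p=67, q=11, g=64)           # p = 6q + 1, g = 2**6 mod 67
```

With p = 67 the value 29 has order 3, so it passes the range check and is caught only by the y^q mod p == 1 test.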
RE: Implementation guides for DH?
Hi Adam --

Anton Stiglic has a paper on various security issues that arise in DH implementations:

http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

The paper not only considers number-theoretic attacks, but also looks at other vulnerabilities (side-channel attacks, timing attacks, DoS, etc). Section seven has a nice summary of various secure DH implementation principles.

Hope this helps!

Regards,
Zully

P.S. If you come across any other pointers, please let me know.

Zulfikar Ramzan
IP Dynamics, Inc. http://www.ipdynamics.com
Secure, Scalable Virtual Community Networks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adam Shostack
Sent: Wednesday, January 01, 2003 10:54 AM
To: [EMAIL PROTECTED]
Subject: Implementation guides for DH?

I'm looking for a list of common implementation flaws in DH. Things like: How to check the key the other side sends, what are acceptable values for p, etc? Any pointers?

Adam

--
It is seldom that liberty of any kind is lost all at once. -Hume
Re: Implementation guides for DH?
Adam,

This may be of use:

http://citeseer.nj.nec.com/anderson96minding.html

Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against...

@inproceedings{ anderson96minding,
    author = {Anderson and Vaudenay},
    title = {Minding Your p's and q's},
    booktitle = {{ASIACRYPT}: Advances in Cryptology -- {ASIACRYPT}: International Conference on the Theory and Application of Cryptology},
    publisher = {LNCS, Springer-Verlag},
    year = {1996},
    url = {citeseer.nj.nec.com/anderson96minding.html}
}

Cheers,
-J

On Wednesday, Jan 1, 2003, at 13:53 US/Eastern, Adam Shostack wrote:

> I'm looking for a list of common implementation flaws in DH. Things like: How to check the key the other side sends, what are acceptable values for p, etc? Any pointers?
>
> Adam
>
> --
> It is seldom that liberty of any kind is lost all at once. -Hume