The tests in sections 2.1 and 2.3 are cheap and can serve as sanity checks
for an implementation as stated in the draft, even if DH is not reused.

On the other hand, the test in 2.2 is expensive, equivalent to a group
exponentiation, and therefore should not be recommended without DH re-use
(in which case the test is an expensive waste).

Actually, the right recommendation (or MUST) for 2.2 groups is NOT to reuse
DH values.
Indeed, the reason to reuse DH is to save an exponentiation but if you do
so you pay with an extra exponentiation for the membership test. Moreover,
while the exponentiation you are saving can be performed offline (before
the run of the IKE session), the group membership test is online, so either
way it makes no sense to reuse the DH exponents.
By the way, if you forbid re-use, you need to actually mandate fresh
exponents with each session (otherwise, an implementation may be tempted to
avoid re-use by using g^x, g^{x+1}, g^{x+2}, etc.).

Hugo

On Mon, Dec 10, 2012 at 1:43 PM, Yaron Sheffer <[email protected]> wrote:

> Hi,
>
> following the recent discussion on the mailing list, Scott Fluhrer and
> myself just published a draft that updates RFC 5996 by adding the required
> recipient-side tests for ECDH. Please see
> http://www.ietf.org/internet-drafts/draft-sheffer-ipsecme-dh-checks-00.txt.
>
> We have not addressed the issues raised by Dan and Tero regarding
> inconsistencies between various RFCs that define ECDH groups for IKE. I
> personally deem these issues to be out of scope of the current document.
>
> Comments are very welcome.
>
> Thanks,
>     Yaron
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
>
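
The trade-off discussed in the reply above, as an added example that is not part of the thread or of the draft. It assumes the cheap test is a range check and the expensive test is r^q mod p == 1; the toy group and all function names are constructed for illustration.

```python
# Constructed toy group (not from the draft): p - 1 = 2 * 3 * 11, so Z_p*
# has small subgroups besides the prime-order subgroup generated by G.
P, Q, G = 67, 11, 64      # G = 2^6 mod 67 has prime order Q = 11
SMALL_ORDER = 37          # constructed peer value of order 3 (37^3 mod 67 == 1)

def range_check(r, p=P):
    """Cheap sanity test (assumed form): two integer comparisons."""
    return 1 < r < p - 1

def membership_check(r, p=P, q=Q):
    """Expensive test (assumed form): one full modular exponentiation,
    performed online after the peer's value arrives."""
    return range_check(r, p) and pow(r, q, p) == 1

def counter_derived(y_prev, y_next, p=P, g=G):
    """True when y_next = g^(x+1) for y_prev = g^x. A single multiplication
    by g exposes the relation, so incremented exponents are not fresh."""
    return y_next == (y_prev * g) % p

if __name__ == "__main__":
    # The small-subgroup value passes the cheap test; only the
    # exponentiation rejects it.
    print("range check on 37:      ", range_check(SMALL_ORDER))
    print("membership check on 37: ", membership_check(SMALL_ORDER))

    # A legitimate public value passes both tests.
    honest = pow(G, 5, P)
    print("membership check honest:", membership_check(honest))

    # "Avoiding re-use" with x, x+1 versus an unrelated exponent.
    y1, y2, y3 = pow(G, 4, P), pow(G, 5, P), pow(G, 9, P)
    print("g^4 -> g^5 linked:", counter_derived(y1, y2))
    print("g^4 -> g^9 linked:", counter_derived(y1, y3))
```

With real group sizes the `pow(r, q, p)` call costs about as much as the exponentiation that re-use was meant to save, which is the cost the reply weighs against re-use.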