Btw, I have had some discussion about the MODP Diffie-Hellman groups
used in IKE on the IEEE 802.11ai mailing list, and during that
discussion I noticed one more piece of text I had completely
forgotten. RFC 2412, which defines the original Diffie-Hellman MODP
groups used in IKE, has the following text:
----------------------------------------------------------------------
5. Security Implementation Notes
Timing attacks that are capable of recovering the exponent value used
in Diffie-Hellman calculations have been described by Paul Kocher
[Kocher]. In order to nullify the attack, implementors must take
pains to obscure the sequence of operations involved in carrying out
modular exponentiations.
A "blinding factor" can accomplish this goal. A group element, r, is
chosen at random. When an exponent x is chosen, the value r^(-x) is
also calculated. Then, when calculating (g^y)^x, the implementation
will calculate this sequence:
A = (rg^y)
B = A^x = (rg^y)^x = (r^x)(g^(xy))
C = B*r^(-x) = (r^x)(r^-(x))(g^(xy)) = g^(xy)
The blinding factor is only necessary if the exponent x is used more
than 100 times (estimate by Richard Schroeppel).
----------------------------------------------------------------------
This directly relates to the exponent reuse case, and that's why I
think it might be a good idea to include a pointer to that in the
dh-checks draft too. Especially to point out that if the exponent x is
reused too often, this kind of blinding factor is needed.
Btw, Appendix E in RFC 2412 also tells how those MODP groups were
generated, just in case someone has missed that and is interested in
it...
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
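The blinding sequence quoted from RFC 2412 above, worked through as an added Python example. This is not code from the message, from RFC 2412 or from any IKE implementation. It uses a stand-in modulus (the Mersenne prime 2^127 - 1) rather than an RFC 2412 MODP group, the class, method and constant names are its own, and it goes one step beyond the RFC text by squaring the pair (r, r^-x) after each use so that the blinding factor changes from operation to operation.

```python
"""Blinded Diffie-Hellman exponentiation in the style of RFC 2412, section 5.

Added illustration; not code from the mailing-list message, RFC 2412 or any
IKE implementation.  The modulus below is a stand-in, not an RFC 2412 group.
"""
import secrets

# Stand-in modulus: the Mersenne prime 2^127 - 1.  It is prime, so every
# nonzero r has an inverse mod P, which is all the blinding identity needs.
# A real implementation would use an RFC 2412 MODP group here instead.
P = (1 << 127) - 1
G = 3

# Richard Schroeppel's estimate as quoted in the message: blinding is only
# necessary once an exponent has been used more than this many times.
REUSE_THRESHOLD = 100


class DHPrivateExponent:
    """A DH exponent x together with its blinding pair (r, r^(-x))."""

    def __init__(self, x, p=P):
        self.p = p
        self.x = x
        self.uses = 0
        # RFC 2412 s.5: choose a group element r at random and, when x is
        # chosen, also compute r^(-x).  Python 3.8+ pow(a, -1, p) inverts.
        self.r = 1 + secrets.randbelow(p - 1)          # r in [1, p-1]
        self.r_neg_x = pow(pow(self.r, x, p), -1, p)   # (r^x)^(-1) == r^(-x)

    def public_value(self, g=G):
        """g^x mod p, the value sent to the peer."""
        return pow(g, self.x, self.p)

    def needs_blinding(self):
        """True once x has been reused past the threshold quoted above."""
        return self.uses > REUSE_THRESHOLD

    def shared_secret_unblinded(self, g_y):
        """Plain (g^y)^x: the exponentiation Kocher's timing attack targets."""
        self.uses += 1
        return pow(g_y, self.x, self.p)

    def shared_secret_blinded(self, g_y):
        """(g^y)^x computed via the RFC 2412 sequence A, B, C."""
        self.uses += 1
        p = self.p
        a = (self.r * g_y) % p          # A = r * g^y
        b = pow(a, self.x, p)           # B = A^x = (r^x)(g^(xy))
        c = (b * self.r_neg_x) % p      # C = B * r^(-x) = g^(xy)
        # Beyond the RFC text: refresh the pair by squaring so the same r is
        # not reused across operations.  (r^2)^(-x) == (r^(-x))^2, so the
        # pair stays consistent without a second modular inversion.
        self.r = (self.r * self.r) % p
        self.r_neg_x = (self.r_neg_x * self.r_neg_x) % p
        return c

    def blinding_pair_consistent(self):
        """Check r^x * r^(-x) == 1 mod p for the current pair."""
        return (pow(self.r, self.x, self.p) * self.r_neg_x) % self.p == 1


def exchange(x, y, g=G, p=P):
    """Run one DH exchange both ways; return (blinded_a, blinded_b, plain)."""
    alice = DHPrivateExponent(x, p)
    bob = DHPrivateExponent(y, p)
    ga, gb = alice.public_value(g), bob.public_value(g)
    blinded_a = alice.shared_secret_blinded(gb)   # Alice: (g^y)^x, blinded
    blinded_b = bob.shared_secret_blinded(ga)     # Bob:   (g^x)^y, blinded
    plain = pow(g, x * y, p)                      # reference g^(xy)
    return blinded_a, blinded_b, plain


if __name__ == "__main__":
    a, b, ref = exchange(0x1234567890ABCDEF, 0xFEDCBA0987654321)
    print("blinded results agree with g^(xy):", a == b == ref)
```

The `needs_blinding()` check only records the message's threshold; a practitioner would normally run the blinded path unconditionally, since its cost is one extra multiplication and one squaring pair per operation.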