> -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Michael Richardson > Aha.... so: > > o It MUST check both that the peer's public value is in range (1 < > r > < p-1) and that r**q = 1 mod p (where q is the size of the > > ... > o It MUST NOT reuse DH private values (that is, the DH private > value > for each DH exchange MUST be generated from a fresh output of a > > So, in section 2.2 we talk both about what we should do with something > received, and also place a mandate about generating. > > Perhaps these things belong in seperate sections. > It seems that from the receiver of g^x's point of view, point two > repeats point one, since the receiver is not in a position to know if > the DH private value was reused. > [DB] The concern is that receiver wants to protect her own reused private key from an invalid public key from a malicious peer. To do this, the receiver checks the received value to make sure it is valid and safe to combine with her reused private key. Another option for the receiver is not reusing the private key at all.
--------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
