On Mon, 10 Oct 2016, Dang, Quynh (Fed) wrote:
> A conclusion of the paper was "Our results are yet another reminder that
> 1024-bit primes should be considered insecure for the security of cryptosystems
> based on the hardness of discrete logarithms. The discrete logarithm
> computation for our backdoored prime was only feasible because of the
> 1024-bit size, and the most effective protection against any backdoor of
> this type has always been to use key sizes for which any computation is
> infeasible. NIST recommended transitioning away from 1024-bit key sizes for
> DSA, RSA, and Diffie-Hellman in 2010 [6]."
>
> NIST has been urging users to move away from groups with 1024-bit p and
> 160-bit q for many years now.
Sure.
> In our document, we stated that group generators "should" provide their
> seeds. The reason for having "should" instead of "shall (must)" was that
> anyone could run our suggested method to generate their own group. A user
> who generates his/her own group for her/his own application could have a
> choice of publishing the seed or not. If a user had a contractor/third
> party to generate a group for him/her, he or she could ask for all
> documentation about the whole process.
But why should I trust the RFC-5114 2048-bit MODP Group with 256-bit
Prime Order Subgroup? The problem of not knowing the seed remains the
same. We just think the NSA does not have a mathematical advantage over
academia, but that's still a big unknown.
And for IKE, you cannot just generate your own groups.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
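As an added illustration of what "providing the seed" buys a relying party (this is editor-added example code, not code from the paper, from NIST, or from anyone in this thread): a seed-driven (p, q, g) derivation in the style of FIPS 186-4 Appendix A.1.1.2 / A.2.3, plus the re-derivation a verifier can run only when the seed and counter are published. Assumptions that are mine, not the standard's: SHA-256 as the hash, a 256-bit seed, "bump the seed by one" when a seed fails (FIPS leaves the choice of the next seed open), and the function names `derive_pq`, `derive_g`, `generate_group` and `verify_group`. The demo seed is an arbitrary constructed value. Sizes default to the 1024-bit p / 160-bit q pair under discussion so the p-search is quick in pure Python; the same code runs for 2048/256.

```python
import hashlib
import secrets

OUTLEN = 256  # SHA-256 output length in bits (assumed hash choice)

# Constructed, arbitrary 256-bit demo seed; nothing in this thread used it.
DEMO_SEED = 0x2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c

# Small primes for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(2, 2000)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division, then Miller-Rabin with random bases.  A verifier must
    use random bases: a fixed base list can be fooled by crafted composites."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _hash_int(x: int, seedlen: int) -> int:
    """SHA-256 of the seedlen-bit big-endian encoding of x, as an integer."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(seedlen // 8, "big")).digest(), "big")


def derive_pq(L: int, N: int, seed: int, seedlen: int = 256):
    """Deterministically derive (p, q, counter) from a seed, A.1.1.2 style.
    Returns None if q is composite or no prime p appears within 4L tries."""
    n = -(-L // OUTLEN) - 1            # ceil(L / outlen) - 1
    b = L - 1 - n * OUTLEN
    U = _hash_int(seed, seedlen) % (1 << (N - 1))
    q = (1 << (N - 1)) + U + 1 - (U % 2)   # top bit set, q odd
    if not is_probable_prime(q):
        return None
    offset = 1
    for counter in range(4 * L):
        W = 0
        for j in range(n + 1):
            v = _hash_int((seed + offset + j) % (1 << seedlen), seedlen)
            if j == n:
                v %= 1 << b
            W += v << (j * OUTLEN)
        X = W + (1 << (L - 1))         # 2^(L-1) <= X < 2^L
        c = X % (2 * q)
        p = X - (c - 1)                # p = 1 (mod 2q)
        if p >= (1 << (L - 1)) and is_probable_prime(p):
            return p, q, counter
        offset += n + 1
    return None


def derive_g(p: int, q: int, seed: int, seedlen: int = 256, index: int = 1) -> int:
    """Verifiable generator, A.2.3 style: hash seed||"ggen"||index||count and
    raise it to (p-1)/q; retry with the next count while the result is < 2."""
    e = (p - 1) // q
    count = 0
    while True:
        count += 1
        u = seed.to_bytes(seedlen // 8, "big") + b"ggen" + bytes([index]) + count.to_bytes(2, "big")
        g = pow(int.from_bytes(hashlib.sha256(u).digest(), "big"), e, p)
        if g > 1:
            return g


def generate_group(L: int, N: int, seed: int, seedlen: int = 256) -> dict:
    """Search from `seed`, bumping it by one whenever it fails (assumed policy)."""
    while True:
        res = derive_pq(L, N, seed, seedlen)
        if res is not None:
            p, q, counter = res
            return {"p": p, "q": q, "g": derive_g(p, q, seed, seedlen),
                    "seed": seed, "counter": counter}
        seed = (seed + 1) % (1 << seedlen)


def verify_group(p: int, q: int, g: int, seed: int, counter: int,
                 L: int, N: int, seedlen: int = 256) -> bool:
    """What a relying party can check only if the seed was published: the whole
    (p, q, g) is the first output of the hash chain, leaving the generator no
    freedom to plant a prime with hidden structure.  Without the seed (as with
    the RFC 5114 groups) there is nothing to run this against."""
    if p.bit_length() != L or q.bit_length() != N or (p - 1) % q != 0:
        return False
    if derive_pq(L, N, seed, seedlen) != (p, q, counter):
        return False
    return 2 <= g <= p - 2 and g == derive_g(p, q, seed, seedlen) and pow(g, q, p) == 1


if __name__ == "__main__":
    grp = generate_group(1024, 160, DEMO_SEED)
    print("counter =", grp["counter"], " q =", hex(grp["q"]))
    print("verifies from published seed:", verify_group(grp["p"], grp["q"], grp["g"],
                                                        grp["seed"], grp["counter"], 1024, 160))
```

The verifier re-runs the search from counter 0 and insists the published counter is the first hit, so a generator cannot skip past the first prime the chain produces to reach a more convenient one; that, rather than the primality test itself, is what closes the door on a trapdoored p.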