On 18 March 2013 21:44, Matt Caswell <fr...@baggins.org> wrote:

> However, you are correct that the DH computation does not use q, although
> I do not know whether JCE requires it to be specified (not having used JCE).
>
One other point on this - X9.42 describes an optional validation procedure
which does use q.  From RFC2631 (based on X9.42):

   The following algorithm MAY be used to validate a received public key
   y.

     1. Verify that y lies within the interval [2,p-1]. If it does not,
        the key is invalid.
     2. Compute y^q mod p. If the result == 1, the key is valid.
        Otherwise the key is invalid.

   The primary purpose of public key validation is to prevent a small
   subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static
   mode is used, this check may not be necessary. See also [P1363] for
   more information on Public Key validation.

Matt
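The two-step RFC 2631 public key check quoted above, as an added Python example that is not part of the thread or of any JCE/OpenSSL code: the parameters p=23, q=11, g=4 are constructed toy values (q divides p-1 and g generates the order-q subgroup), chosen so the arithmetic can be checked by hand.

```python
from typing import Tuple

# CONSTRUCTED toy parameters for illustration only, not a real DH group:
# p = 23 is prime, q = 11 divides p - 1 = 22, and g = 4 has order q mod p.
P, Q, G = 23, 11, 4


def validate_dh_public_key(y: int, p: int, q: int) -> Tuple[bool, str]:
    """RFC 2631 section 2.1.5 validation of a received DH public value y."""
    # Step 1: y must lie in [2, p-1]; this rejects 0, 1 and anything >= p.
    if not 2 <= y <= p - 1:
        return False, "y outside [2, p-1]"
    # Step 2: y^q mod p == 1 exactly when y lies in the subgroup of order q.
    # A value from a small subgroup (e.g. p-1, which has order 2) or from
    # outside the q-subgroup fails here, which is what blocks the
    # small-subgroup attack the RFC text refers to.
    if pow(y, q, p) != 1:
        return False, "y^q mod p != 1 (not in the order-q subgroup)"
    return True, "ok"


def honest_public_key(x: int) -> int:
    """y = g^x mod p for a private exponent x in [1, q-1]."""
    if not 1 <= x <= Q - 1:
        raise ValueError("private exponent out of range")
    return pow(G, x, P)


if __name__ == "__main__":
    # Every honestly generated key passes both steps.
    for x in range(1, Q):
        y = honest_public_key(x)
        print(f"y={y:2d}", validate_dh_public_key(y, P, Q))
    # 0, 1 and p fail step 1; p-1 (order 2) and 5 (order 22) fail step 2.
    for y in (0, 1, P, P - 1, 5):
        print(f"y={y:2d}", validate_dh_public_key(y, P, Q))
```

For a safe prime p = 2q + 1 the same check works with q = (p-1)/2, which is the common case where a parameter set does not carry q explicitly.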
