Re: pubkeys for p and g

2003-06-30 Thread martin f krafft
also sprach Arnold G. Reinhold <[EMAIL PROTECTED]> [2003.06.29.0424 +0200]:
> >I am not sure I understand. How does this relate to my question?
> >
> >Where does the other factor come from?
> 
> I got the impression, and maybe I misunderstood, that you were
> viewing a product of two primes aA, where a was the private part and
> A was the public part.  That is not how RSA works. The product aA is
> the public key. Either factor can be the private part.

Oh, I get it. No, that was my bad. aA and bB are simply the
private/Public keypairs for A and B. Yeah, yeah, I know. Algebra is
always haunting me...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid PGP subkeys? use subkeys.pgp.net as keyserver!
 
"our destiny exercises its influence over us even when, as yet,
 we have not learned its nature; it is our future that lays down the law
 of our today."
 - friedrich nietzsche




Re: pubkeys for p and g

2003-06-28 Thread martin f krafft
also sprach Nomen Nescio <[EMAIL PROTECTED]> [2003.06.27.2230 +0200]:
> Do you have a reference to what exactly Check Point says about this?
> Maybe you are misunderstanding or misinterpreting them.  If you could
> quote it here verbatim (or provide a link if it is online) we might be
> able to understand their claim better.  It would be wise to make sure
> it is not a simple misunderstanding before you put something critical
> about them in your book.

Of course, that's why I am here. Problem is that my co-author has
seen it and I haven't found it. He's on vacation at the moment, so
we won't know until next week.

I did check the FP3 Mgmt II Student and Instructor Notes, but no
reference there. He says it's in the slides, but I don't have
Powerpoint here and OpenOffice is a little bitchy about them. Let's
suspend this until I know more.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid PGP subkeys? use subkeys.pgp.net as keyserver!
 
i need not suffer in silence
while i can still moan, whimper and complain.




Re: pubkeys for p and g

2003-06-27 Thread Nomen Nescio
martin f krafft writes:
> My point was that some commercial vendors (Check Point and others)
> claim, that if two partners want to perform a DH key exchange, they
> may use their two public keys for g and p. This, in effect, would
> mean that g and p were not globally known, but that the public keys
> are used in their place.
> ...
> We are writing a book and simply want to have some backup. I am
> almost sure that Check Point is bullshitting (wouldn't be the first
> time), so unless anyone has actually heard of this possibility, I am
> going to write this down and influence a thousand people, basically
> claiming that Check Point is wrong.

Do you have a reference to what exactly Check Point says about this?
Maybe you are misunderstanding or misinterpreting them.  If you could
quote it here verbatim (or provide a link if it is online) we might be
able to understand their claim better.  It would be wise to make sure
it is not a simple misunderstanding before you put something critical
about them in your book.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: pubkeys for p and g

2003-06-27 Thread Peter Fairbrother
martin f krafft wrote:

> also sprach Peter Fairbrother <[EMAIL PROTECTED]> [2003.06.27.1903 +0200]:
>> Can you give me a ref to where they say that? I'd like to know
>> exactly what they are claiming.
> 
> this will have to wait a couple of days.
> 
>> Perhaps they are encrypting the DH secrets with RSA keys to provide some
>> recipient authentication?
> 
> nope.
> 
>> Or perhaps they are using DH instead of RSA for their public keys?
> 
> nope.

Hmmm.

It's not exactly DH, but if you used the e of a RSA key as g, and the N as
p, that would actually work. It's only one RSA key tho'.


-- 
Peter Fairbrother




Re: pubkeys for p and g

2003-06-27 Thread Peter Fairbrother
martin f krafft wrote:


> My point was that some commercial vendors (Check Point and others)
> claim, that if two partners want to perform a DH key exchange, they
> may use their two public keys for g and p. This, in effect, would
> mean that g and p were not globally known, but that the public keys
> are used in their place.

Can you give me a ref to where they say that? I'd like to know exactly what
they are claiming. 

Perhaps they are encrypting the DH secrets with RSA keys to provide some
recipient authentication?

Or perhaps they are using DH instead of RSA for their public keys?

> Thus every communication party would have a key pair, aA and bB,
> where the capital letter is the public key. Then, the following
> happens:
> 
>   let g = A and p = B
>   let A' = g^a mod p   and   B' = g^b mod p
>          = A^a mod B            = A^b mod B
> 
> and off you go, doing DH with g = A, p = B, and the keypairs aA' and
> bB' on either side.

(I assume a and b the usual DH secrets)

> This would, in my opinion, only be possible if:
> 
>   - there would be a rule to decide which public key is p and which
>     is g.
>   - all public keys (RSA in this case) are primes.
>   - all public keys are good generators mod p.

You mean "all public keys are good generators mod all public keys"

This won't work, for instance, the N's in RSA keys can't be prime. The e's
can be, but there is then no way that I can think of to ensure that an e is
a generator of a sufficiently large subgroup of another, unknown at
generation, e. 

It might be possible to use some algorithm to find a suitable g, but that
doesn't conform to your/ their stipulation.




-- 
Peter Fairbrother





Re: pubkeys for p and g

2003-06-26 Thread martin f krafft
> I'm not certain I understand your questions, but here are some
> answers (I think).

To clear this up:

I am well aware how DH works, and what the mathematical properties
of p and g are and have to be.

My point was that some commercial vendors (Check Point and others)
claim, that if two partners want to perform a DH key exchange, they
may use their two public keys for g and p. This, in effect, would
mean that g and p were not globally known, but that the public keys
are used in their place.

I am well aware that p and g are globally known as defined in the
chosen DH Group. However, I am wondering how Check Point (and
others) can claim that public keys may well be used in place,
thereby invalidating the need for a globally constant p and g pair.
These public keys are independent of the public keys exchanged as
part of DH, which are simply calculated by the g^x mod p formula of
DH, from the private keys.

Thus every communication party would have a key pair, aA and bB,
where the capital letter is the public key. Then, the following
happens:

  let g = A and p = B
  let A' = g^a mod p   and   B' = g^b mod p
         = A^a mod B            = A^b mod B

and off you go, doing DH with g = A, p = B, and the keypairs aA' and
bB' on either side.

This would, in my opinion, only be possible if:

  - there would be a rule to decide which public key is p and which
    is g.
  - all public keys (RSA in this case) are primes.
  - all public keys are good generators mod p.

We are writing a book and simply want to have some backup. I am
almost sure that Check Point is bullshitting (wouldn't be the first
time), so unless anyone has actually heard of this possibility, I am
going to write this down and influence a thousand people, basically
claiming that Check Point is wrong.

Does it make sense now?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid PGP subkeys? use subkeys.pgp.net as keyserver!
 
experience is what causes a person
to make new mistakes
instead of old ones.




Re: pubkeys for p and g

2003-06-26 Thread Anton Stiglic
I'm not certain I understand your questions, but here are some answers (I
think).

In the DH protocol you have what we call public parameters, p and g.
p is a large prime integer, which defines a group Z*p, g is a generator
which defines a subgroup in Z*p.
You can use fixed values for p and g.

Now, participants will choose private and public keys.  The private key
is simply chosen as a random number x, whose value is between 1 and
p-1.   The public key associated to x will be y = g^x mod p.
Participants keep x secret and y is public.
You can say that (y, g, p) is the public key, or simply say that y is the
public key if g and p (the public parameters) are implicitly known.
Participants can choose a different x and associated y on each execution
of the protocol, or have long term private public key pairs.

--Anton


>The Check Point Firewall-1 Docs insist, that the public keys be used
>for p and g for the Oakley key exchange. I ask you: is this
>possible?
>
>  - which of the two pubkeys will be p, which g?
>  - are they both always primes?
>  - are they both always suitable generators mod p?
>
>It just seems to me that Check Point isn't entirely sure themselves
>here. I'd appreciate a short cleanup...
>
>To my knowledge, g and p are globally defined, either in DH Groups
>(which are nothing but pre-defined g's and p's, right?), or
>otherwise set constant. Am I wrong about this?

Thanks.
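
The conditions raised in this thread (is p prime, is g a usable generator mod p), checked against RSA public keys used in the roles Anton Stiglic describes for p and g. This is an added example, not code from any poster or from Check Point; the toy key values, the function names and the smoothness threshold are assumptions made for illustration.

```python
from math import isqrt

def prime_factors(n):
    """Distinct prime factors by trial division (toy sizes only)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_prime(n):
    return n > 1 and prime_factors(n) == {n}

def order(g, p):
    """Multiplicative order of g modulo a prime p (g not 0 mod p)."""
    n = p - 1
    for q in prime_factors(p - 1):
        while n % q == 0 and pow(g, n // q, p) == 1:
            n //= q
    return n

def dh_param_problems(g, p):
    """Reasons (g, p) is unfit as a DH group; empty list if none found."""
    if not is_prime(p):
        return [f"p={p} is composite"]
    g %= p
    if g in (0, 1, p - 1):
        return [f"g={g} mod p is degenerate"]
    big = max(prime_factors(order(g, p)))
    # Assumed toy threshold: the order of g needs a large prime factor.
    if big < isqrt(p):
        return [f"order of g is smooth (largest prime factor {big})"]
    return []

# Constructed toy RSA public keys (N, e); real moduli are far larger.
ALICE = (61 * 53, 17)
BOB = (59 * 71, 65537)
CAROL = (67 * 73, 65537)

def try_pubkeys(g_key, p_key, part):
    """Use the same part ('N' or 'e') of two RSA public keys as g and p."""
    i = 0 if part == "N" else 1
    return dh_param_problems(g_key[i], p_key[i])

if __name__ == "__main__":
    for g_key, p_key, part in [(ALICE, BOB, "N"), (BOB, CAROL, "e"), (ALICE, BOB, "e")]:
        print(part, try_pubkeys(g_key, p_key, part))
    print("toy group g=5, p=23:", dh_param_problems(5, 23))
```

Two keys sharing the common exponent 65537 give g = 0 mod p, and the toy group (5, 23) is the only pair here that passes every check.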

