> Hi All
>
> I found in NIST Special Publication 800-56A Revision 3
> 5.6.2.3.1 FFC Full Public-Key Validation Routine
> 2. Verify that 1 = y q mod p.

That should be, 1 = y^q mod p.

> This test is implemented in OPENSSL
>
> This test relies on the fact that q and p are prime
>
> Pascal
>
> > If you want the guarantee that your DH key exchange is contributive,
> > that is, that neither single party can determine with high-probability
> > the DH secret produced by the key exchange, you can either 1. use one of
> > the safe groups defined in RFC7919. When using these groups, you should
> > pick an exponent between 2 and q-1. 2. Figure out all of the low-order
> > elements of Zp* and check that the DH secret is not one of them.

What must the server do if the client is old and does not support the safe groups in RFC 7919?
The advice from Mozilla is generate a 1024-bit Diffie-Hellman group.
Is there good code to generate safe group efficiently? Will OpenSSL generate safe group?

Tk,
Nasrul
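The three points raised in the thread, the SP 800-56A public-key check (y^q mod p = 1 plus the range check), the "exponent between 2 and q-1" advice, and the low-order-element check for contributive secrets, fit together once p is a safe prime (p = 2q + 1). The block below is an added worked example, not code from the thread, OpenSSL or NIST; the function names are mine, and the parameters p = 23, q = 11, g = 2 are constructed toy values so the arithmetic is visible (real deployments use the RFC 7919 groups). It also includes a toy safe-prime generator to show why such groups are precomputed rather than generated per server:

```python
# Added example (not from the thread). Toy-size parameters are constructed for
# illustration; real deployments use the precomputed RFC 7919 groups.
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (adequate for the toy sizes used here)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime.
    Each candidate needs two primality tests and safe primes are sparse, so the
    cost grows quickly with size; that is why RFC 7919 ships fixed groups."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def validate_ffc_public_key(y: int, p: int, q: int) -> bool:
    """The quoted SP 800-56A 5.6.2.3.1 routine: 2 <= y <= p-2 and y^q = 1 (mod p).
    Because q is prime, y^q = 1 forces ord(y) to divide q, so ord(y) is exactly q
    once y = 1 is excluded by the range check. This is the sense in which the
    test relies on p and q being prime."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def low_order_elements(p: int, q: int) -> set[int]:
    """Elements of Zp* whose order is not q. For a safe prime p = 2q+1 the group
    order is 2q, so the only such elements are 1 (order 1) and p-1 (order 2)."""
    assert p == 2 * q + 1, "this shortcut only holds for safe primes"
    return {1, p - 1}


def shared_secret_is_contributive(z: int, p: int, q: int) -> bool:
    """Reject the outcomes a peer could force by sending a low-order y."""
    return z not in low_order_elements(p, q)


def toy_dh_exchange(p: int, q: int, g: int) -> int:
    """Both sides pick an exponent in [2, q-1] (the quoted advice), validate the
    peer's public value, and derive the same secret. Returns the shared secret."""
    xa = secrets.randbelow(q - 2) + 2
    xb = secrets.randbelow(q - 2) + 2
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    if not (validate_ffc_public_key(ya, p, q) and validate_ffc_public_key(yb, p, q)):
        raise ValueError("public value failed SP 800-56A validation")
    za, zb = pow(yb, xa, p), pow(ya, xb, p)
    assert za == zb
    return za


if __name__ == "__main__":
    P, Q, G = 23, 11, 2  # constructed toy safe-prime group: 23 = 2*11 + 1, ord(2) = 11
    for y in (0, 1, 2, 5, 22):
        print(f"y={y:2d} valid={validate_ffc_public_key(y, P, Q)}")
    z = toy_dh_exchange(P, Q, G)
    print("shared secret", z, "contributive:", shared_secret_is_contributive(z, P, Q))
    p2, q2 = generate_safe_prime(16)
    print(f"generated toy safe prime p={p2} q={q2}")
```

With p = 23 the value y = 5 is rejected even though it is in range, because 5^11 mod 23 = 22, i.e. 5 lies in the order-22 coset rather than the order-11 subgroup; y = 22 is rejected by the range check, which is what keeps the order-2 element out.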
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
