Re: iSCSI: DH-CHAP and SRP groups

Paul Koning wrote:
> I sent this earlier (April 10) as part of the note "DH-CHAP initial
> comments" but have seen no reaction, so let me try again...
>
> Section 9 raises the open issue of choosing the D-H group(s), which is
> also open for SRP. It seems to me the same solution can be applied to
> both, which is to adopt the groups already adopted (and verified to
> have the right mathematical properties) for IKE. In particular,
> "Group 1" would serve, and, if people insist on a bigger one, "Group
> 2". I don't see a strong reason to include any of the larger groups
> which have been proposed in the context of IKE and AES.

SRP requires that the generator be a primitive root modulo the safe
prime. You can re-use IKE moduli, provided they are verified as safe
primes, and choose primitive generators for "g".

> This could be done by removing the N and g keys from SRP and DHCHAP,
> and replacing them by a single "group ID" key whose value is that of
> the group ID taken from RFC 2409.
>
> Is there any reason why the D-H groups used in IKE would not also be
> suitable for DH-CHAP? For SRP?
>
> paul
>

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."
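The two checks the reply above calls for, as an added example that is not part of the original message: it verifies that the RFC 2409 Group 1 modulus is a safe prime and tests candidate generators for being primitive roots. The function names are hypothetical, the modulus is transcribed from RFC 2409, and the primality test is probabilistic (Miller-Rabin with fixed bases).

```python
# Added example: safe-prime and primitive-root checks for an IKE modulus.
# RFC 2409 section 6.1, First Oakley Default Group (768-bit); IKE uses g = 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (probabilistic for large n)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def is_safe_prime(p):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def is_primitive_root(g, p):
    """Assumes p = 2q + 1 is a safe prime, so p - 1 has only the prime
    factors 2 and q: g is primitive iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    g %= p
    return g > 1 and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def smallest_primitive_root(p):
    """Linear search; about half of all residues qualify for a safe prime."""
    g = 2
    while not is_primitive_root(g, p):
        g += 1
    return g
```

Because this modulus is congruent to 7 mod 8, 2 is a quadratic residue and generates only the order-q subgroup, so the IKE generator does not meet the SRP requirement stated in the reply and a different `g` has to be chosen.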
Last updated: Wed Apr 17 10:18:35 2002