Re: iSCSI: DH-CHAP and SRP groups

>>>>> "Tom" == Tom Wu <tom@arcot.com> writes:

 Tom> Paul Koning wrote:
 >> I sent this earlier (April 10) as part of the note "DH-CHAP
 >> initial comments" but have seen no reaction, so let me try
 >> again...
 >>
 >> Section 9 raises the open issue of choosing the D-H group(s), which
 >> is also open for SRP. It seems to me the same solution can be
 >> applied to both, which is to adopt the groups already adopted (and
 >> verified to have the right mathematical properties) for IKE. In
 >> particular, "Group 1" would serve, and, if people insist on a
 >> bigger one, "Group 2". I don't see a strong reason to include any
 >> of the larger groups which have been proposed in the context of
 >> IKE and AES.

 Tom> SRP requires that the generator be a primitive root modulo the
 Tom> safe prime. You can re-use IKE moduli, provided they are
 Tom> verified as safe primes, and choose primitive generators for
 Tom> "g".

RFC 2412 says that they were indeed verified to be Sophie Germain
primes, which is another way of saying they are "safe" primes.

As for the generator, it says to use the value 2. It adds this note:

   Because these two primes are congruent to 7 (mod 8), 2 is a
   quadratic residue of each prime. All powers of 2 will also be
   quadratic residues. This prevents an opponent from learning the
   low order bit of the Diffie-Hellman exponent (AKA the subgroup
   confinement problem). Using 2 as a generator is efficient for some
   modular exponentiation algorithms. [Note that 2 is technically not
   a generator in the number theory sense, because it omits half of
   the possible residues mod P. From a cryptographic viewpoint, this
   is a virtue.]

So is 2 an acceptable generator for SRP? If not, why not? I assume
it would be an acceptable generator for DH-CHAP, right?

	paul
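The checks discussed in this message, as an added Python example that is not part of the original thread: it tests whether the 768-bit IKE Group 1 modulus is a safe prime congruent to 7 (mod 8), computes the order of 2, and shows that a primitive root exposes the low bit of the exponent through the Legendre symbol while 2 does not. The modulus is reproduced from RFC 2409; the function names and the use of P - 2 as a sample primitive root are assumptions of this example.

```python
# Added example: RFC 2412's claims about the IKE Group 1 prime and g = 2.
GROUP1_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
)
P = int(GROUP1_HEX, 16)  # 768-bit MODP modulus, RFC 2409 section 6.1

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (probabilistic for numbers this large)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """True if p and q = (p - 1) / 2 are both (probably) prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod p, else -1."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def element_order(g, p):
    """Order of g modulo a safe prime p = 2q + 1; it must divide 2q."""
    q = (p - 1) // 2
    return next(d for d in (1, 2, q, 2 * q) if pow(g, d, p) == 1)

def parity_leaks(g, p, exponents):
    """True if the Legendre symbol of g^x tracks the low bit of every x."""
    return all((legendre(pow(g, x, p), p) == 1) == (x % 2 == 0) for x in exponents)
```

Here `element_order(2, P)` is q = (P - 1) / 2, so 2 generates only the quadratic residues and is not a primitive root, whereas `element_order(P - 2, P)` is P - 1 and `parity_leaks(P - 2, P, ...)` holds.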
Last updated: Wed Apr 17 12:18:26 2002