Re: iSCSI: DH-CHAP and SRP groups
>>>>> "Tom" == Tom Wu <tom@arcot.com> writes:
Tom> Paul Koning wrote:
>> I sent this earlier (April 10) as part of the note "DH-CHAP
>> initial comments" but have seen no reaction, so let me try
>> again...
>>
>> Section 9 raises the open issue of choosing the D-H group(s), which
>> is also open for SRP. It seems to me the same solution can be
>> applied to both, which is to adopt the groups already adopted (and
>> verified to have the right mathematical properties) for IKE. In
>> particular, "Group 1" would serve, and, if people insist on a
>> bigger one, "Group 2". I don't see a strong reason to include any
>> of the larger groups which have been proposed in the context of
>> IKE and AES.
Tom> SRP requires that the generator be a primitive root modulo the
Tom> safe prime. You can re-use IKE moduli, provided they are
Tom> verified as safe primes, and choose primitive generators for
Tom> "g".
RFC 2412 says that they were indeed verified to be Sophie Germain
primes, which is another way of saying they are "safe" primes.
As for the generator, it says to use the value 2. It adds this note:

   Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
   residue of each prime. All powers of 2 will also be quadratic
   residues. This prevents an opponent from learning the low order bit
   of the Diffie-Hellman exponent (AKA the subgroup confinement
   problem). Using 2 as a generator is efficient for some modular
   exponentiation algorithms. [Note that 2 is technically not a
   generator in the number theory sense, because it omits half of the
   possible residues mod P. From a cryptographic viewpoint, this is a
   virtue.]

So is 2 an acceptable generator for SRP? If not, why not?
I assume it would be an acceptable generator for DH-CHAP, right?
paul
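
Added example, not part of the original message: a Python check of the property under discussion, namely whether a candidate g is a primitive root (order p-1) or generates only the order-q subgroup of quadratic residues modulo a safe prime p = 2q+1. The Group 1 modulus is copied from RFC 2409 section 6.1; the function names are hypothetical, and the primality test is a fixed-base Miller-Rabin, so it is probabilistic for numbers of this size.

```python
# Oakley/IKE Group 1 modulus (768 bits), as published in RFC 2409 section 6.1.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (an assumption; probabilistic)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """True when p and q = (p - 1) / 2 both pass the primality test."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generator_order(g, p):
    """Multiplicative order of g modulo the safe prime p = 2q + 1."""
    if not is_safe_prime(p) or g % p == 0:
        raise ValueError("need a safe prime p and g not divisible by p")
    q = (p - 1) // 2
    # The order divides p - 1 = 2q, so it is one of 1, 2, q or 2q.
    return next(n for n in (1, 2, q, 2 * q) if pow(g, n, p) == 1)

def smallest_primitive_root(p):
    """Smallest g >= 2 whose order is the full p - 1."""
    g = 2
    while generator_order(g, p) != p - 1:
        g += 1
    return g
```

For `GROUP1_P`, `generator_order(2, GROUP1_P)` returns q rather than p-1, which is the behaviour the RFC 2412 note describes; `smallest_primitive_root` finds a g of full order for the same modulus.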
Last updated: Wed Apr 17 12:18:26 2002