Re: iSCSI: DH-CHAP and SRP groups

To: Paul Koning <ni1d@arrl.net>
Subject: Re: iSCSI: DH-CHAP and SRP groups
From: Tom Wu <tom@arcot.com>
Date: Wed, 17 Apr 2002 09:01:21 -0700
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
Organization: Arcot Systems
References: <15548.35548.790000.274666@gargle.gargle.HOWL> <3CBD1561.4010502@arcot.com> <15549.30724.11603.998279@pkoning.dev.equallogic.com>
Sender: owner-ips@ece.cmu.edu
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204

Paul Koning wrote:
>>>>>>"Tom" == Tom Wu <tom@arcot.com> writes:
>>>>>>
> 
>  Tom> Paul Koning wrote:
>  >> I sent this earlier (April 10) as part of the note "DH-CHAP
>  >> initial comments" but have seen no reaction, so let me try
>  >> again...
>  >> 
>  >> Section 9 raises the open issue of chosing the D-H group(s), which
>  >> is also open for SRP.  It seems to me the same solution can be
>  >> applied to both, which is to adopt the groups already adopted (and
>  >> verified to have the right mathematical properties) for IKE.  In
>  >> particular, "Group 1" would serve, and, if people insist on a
>  >> bigger one, "Group 2".  I don't see a strong reason to include any
>  >> of the larger groups which have been proposed in the context of
>  >> IKE and AES.
> 
>  Tom> SRP requires that the generator be a primitive root modulo the
>  Tom> safe prime.  You can re-use IKE moduli, provided they are
>  Tom> verified as safe primes, and choose primitive generators for
>  Tom> "g".
> 
> RFC 2412 says that they were indeed verified to be Sophie Germain
> primes, which is another way of saying they are "safe" primes.
> 
> As for the generator, is says to use the value 2.  It adds this note:
> 
>    Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
>    residue of each prime.  All powers of 2 will also be quadratic
>    residues.  This prevents an opponent from learning the low order bit
>    of the Diffie-Hellman exponent (AKA the subgroup confinement
>    problem).  Using 2 as a generator is efficient for some modular
>    exponentiation algorithms.  [Note that 2 is technically not a
>    generator in the number theory sense, because it omits half of the
>    possible residues mod P.  From a cryptographic viewpoint, this is a
>    virtue.]
> 
> So is 2 an acceptable generator for SRP?  If not, why not?

It depends on the modulus.  g MUST be a generator; omitting half of the 
possible residues mod P is NOT a virtue for SRP because it can lead to 
an attack.  For the IKE moduli, which are all 7 mod 8, g cannot be 2, 
and it usually ends up being either 5 or 7.  g^((N-1)/2) must be -1 (mod N).

Tom

> I assume it would be an acceptable generator for DH-CHAP, right?
> 
>     paul
> 



-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."

References:
- iSCSI: DH-CHAP and SRP groups
  - From: Paul Koning <ni1d@arrl.net>
- Re: iSCSI: DH-CHAP and SRP groups
  - From: Tom Wu <tom@arcot.com>
- Re: iSCSI: DH-CHAP and SRP groups
  - From: Paul Koning <ni1d@arrl.net>

Prev by Date: RE: iSCSI: possible DH-CHAP rationale
Next by Date: RE: iSCSI: possible DH-CHAP rationale
Prev by thread: Re: iSCSI: DH-CHAP and SRP groups
Next by thread: Concensus call: Inclusion of DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Wed Apr 17 14:18:24 2002
9701 messages in chronological order