
    IPS security draft: SRP groups



    The security draft lists the groups from the SRP reference software,
    and in addition it says that the IKE groups may be used.  (It doesn't
    appear to allow the 768 bit IKE group, even though it does allow the
    768 bit group from the SRP reference code.  I wonder why.)
    
    Tom Wu said in a message dated 4/17/2002:
       g MUST be a generator; omitting half of the possible residues mod P
       is NOT a virtue for SRP because it can lead to an attack.  For the
       IKE moduli, which are all 7 mod 8, g cannot be 2, and it usually
       ends up being either 5 or 7.  g^((N-1)/2) must be -1 (mod N).
    
    This means that the IKE groups cannot be used as they are defined in
    the references given, because those do use the value g == 2 (for
    reasons that apply to IKE but not to SRP).
    
    Incidentally, the IKE groups come fully documented with a statement
    that N was proven (rigorously, not probabilistically) to be prime; I
    haven't found the equivalent for the SRP groups.  Does that exist?  If
    yes, it would be useful to have a reference pointing to it.
    
    Does the statement in section 2.4.2 (verifying N and g) mean:
      a. An implementation may match N and g against the list in Appendix A
         and refuse any others
    or
      b. An implementation may match N and g against the list in Appendix A
         but on a mismatch is required to verify that N and g define a
         valid group
    ?
    
    The text says "MAY start..." which seems to suggest (b).  But (b) is
    very expensive, and it doesn't seem to be a good idea to mandate (or
    even encourage) a denial of service opportunity like that.
    
    	paul
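The generator condition quoted from Tom Wu and the (a)/(b) verification question above, worked through as an added example; this is not code from the original message or from the SRP draft, and the Miller-Rabin routine, the toy modulus 23 and the whitelist contents are constructed for illustration.

```python
# Added example: checking that (N, g) define a valid SRP group, i.e. that
# N = 2q + 1 is a safe prime and g generates the whole multiplicative group
# (g^q == -1 mod N) rather than only the quadratic residues (g^q == 1 mod N).
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test.  This is the expensive part of option (b): it has
    to run twice (on N and on q) for every unlisted group a peer offers."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_generator(g, N):
    """For a safe prime N = 2q + 1, g generates all of Z_N^* exactly when
    g^q == -1 (mod N).  g == N-1 would pass that test but has order 2, so
    the range check excludes it along with 0 and 1."""
    q = (N - 1) // 2
    return 1 < g < N - 1 and pow(g, q, N) == N - 1

def validate_srp_group(N, g, known_groups):
    """Option (a) fast path: accept listed groups outright.  Otherwise fall
    back to option (b): the full safe-prime plus generator check."""
    if (N, g) in known_groups:
        return True
    if N % 4 != 3:          # a safe prime larger than 3 is always 3 mod 4
        return False
    q = (N - 1) // 2
    return is_probable_prime(N) and is_probable_prime(q) and is_generator(g, N)

# Constructed toy modulus: 23 = 2*11 + 1 is a safe prime and 23 % 8 == 7, the
# same shape as the IKE moduli, so 2 is a quadratic residue and not a generator.
TOY_N = 23
KNOWN_GROUPS = {(TOY_N, 5)}   # constructed stand-in for an Appendix A list
```

With TOY_N, g = 2 fails the generator test while g = 5 and g = 7 pass, matching the "usually 5 or 7" remark for moduli that are 7 mod 8.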
    
    

