IPS security draft: SRP groups

The security draft lists the groups from the SRP reference software, and in addition it says that the IKE groups may be used. (It doesn't appear to allow the 768 bit IKE group, even though it does allow the 768 bit group from the SRP reference code. I wonder why.)

Tom Wu said in a message dated 4/17/2002:

> g MUST be a generator; omitting half of the possible residues mod P is NOT a virtue for SRP because it can lead to an attack. For the IKE moduli, which are all 7 mod 8, g cannot be 2, and it usually ends up being either 5 or 7. g^((N-1)/2) must be -1 (mod N).

This means that the IKE groups cannot be used as they are defined in the references given, because those do use the value g == 2 (for reasons that apply to IKE but not to SRP).

Incidentally, the IKE groups come fully documented with a statement that N was proven (rigorously, not probabilistically) to be prime; I haven't found the equivalent for the SRP groups. Does that exist? If yes, it would be useful to have a reference pointing to it.

Does the statement in section 2.4.2 (verifying N and g) mean:

a. An implementation may match N and g against the list in Appendix A and refuse any others

or

b. An implementation may match N and g against the list in Appendix A but on a mismatch is required to verify that N and g define a valid group

?

The text says "MAY start..." which seems to suggest (b). But (b) is very expensive, and it doesn't seem to be a good idea to mandate (or even encourage) a denial of service opportunity like that.

	paul
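The two points in the message above, that g = 2 is not a generator for a safe prime N that is 7 mod 8 and that option (b) forces an expensive from-scratch check on every unlisted group, can be seen in working code. The block below is an added example; it is not code from the draft, the SRP reference software, or the IKE RFCs. It uses the public 1024-bit MODP prime from RFC 2409 (Group 2) as its sample input, checks it with a Miller-Rabin test (probabilistic, which is exactly the distinction the message draws against a rigorous proof), applies the g^((N-1)/2) == -1 (mod N) criterion, and models the draft's options (a) and (b) with a hypothetical verify_group() function and known_groups set that are assumptions of this example, not something the draft defines.

```python
"""Check SRP group parameters (N, g) the way a verifier would have to under
option (a) (list match only) or option (b) (verify unlisted groups).

Added example, not code from the IPS draft, the SRP reference software, or
the IKE RFCs. The verify_group()/known_groups shape is an assumption made
here to model the draft's two readings of section 2.4.2.
"""
import time

# RFC 2409 Group 2 (1024-bit MODP) prime, a public constant. The IKE
# documents define this group with g = 2. Used here as sample input.
IKE_GROUP2_N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, bases=SMALL_PRIMES):
    """Miller-Rabin with fixed bases. Probabilistic: this is evidence of
    primality, not the rigorous proof the IKE groups ship with."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # trial division on tiny factors first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def is_safe_prime(n):
    """N = 2q + 1 with both N and q prime, as SRP groups require."""
    return n % 2 == 1 and is_probable_prime(n) and is_probable_prime((n - 1) // 2)


def is_quadratic_residue(g, n):
    """Euler's criterion: g^((n-1)/2) == 1 (mod n) iff g is a square mod n."""
    return pow(g, (n - 1) // 2, n) == 1


def is_srp_generator(g, n):
    """For a safe prime n, g generates all of Z_n^* exactly when it is a
    non-residue other than -1, i.e. g^((n-1)/2) == -1 (mod n) and g != n-1.
    A residue such as g = 2 (when n is 7 mod 8) only generates the order-q
    subgroup, which is the 'half of the residues' the quote warns about."""
    return 1 < g < n - 1 and pow(g, (n - 1) // 2, n) == n - 1


def smallest_generator(n):
    """Smallest g that passes is_srp_generator(); for the IKE primes this
    is the 5 or 7 mentioned in the quote rather than 2."""
    g = 2
    while not is_srp_generator(g, n):
        g += 1
    return g


def verify_group(N, g, known_groups, allow_unlisted):
    """Model of section 2.4.2's two readings (assumption of this example):
    allow_unlisted=False is option (a): only listed (N, g) pairs pass.
    allow_unlisted=True  is option (b): unlisted pairs are verified from
    scratch, which costs two primality tests on a 1024-bit-plus modulus
    per attempt (the denial-of-service opportunity the message describes).
    Returns (accepted, reason, seconds_spent)."""
    t0 = time.perf_counter()
    if (N, g) in known_groups:
        return True, "listed", time.perf_counter() - t0
    if not allow_unlisted:
        return False, "not on the list", time.perf_counter() - t0
    if not is_safe_prime(N):
        return False, "N is not a safe prime", time.perf_counter() - t0
    if not is_srp_generator(g, N):
        return False, "g is not a generator", time.perf_counter() - t0
    return True, "verified", time.perf_counter() - t0


if __name__ == "__main__":
    N = IKE_GROUP2_N
    print("N mod 8 =", N % 8, "; 2 is a residue:", is_quadratic_residue(2, N))
    print("IKE (N, 2) as an SRP group:", verify_group(N, 2, set(), True))
    print("smallest SRP generator for this N:", smallest_generator(N))
    print("toy safe prime 23: generators 5, 7 ->",
          is_srp_generator(5, 23), is_srp_generator(7, 23))
```

The seconds_spent value returned under option (b) is what an attacker controls: each unlisted (N, g) the peer sends costs the verifier two Miller-Rabin runs over a large modulus before it can refuse, whereas option (a) rejects with a set lookup.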
Last updated: Thu Jul 04 02:18:50 2002