Re: IPS security draft: SRP groups

Excerpt of message (sent 3 July 2002) by Bernard Aboba:

> In answer to your question, here is a suggestion from Dan Simon for
> determining the appropriate generators for the IKE primes, for use with SRP.

Ok. I didn't know that, but I probably would have learned it if I had done the necessary reading about groups and generators. But the point of my question wasn't "is it possible to compute g" but rather "how about supplying g in the spec" (since the g=2 from IKE is not appropriate). It seems a bit redundant for everyone to repeat the search for a suitable g...

So what's the story about unlisted groups? Is an implementation that accepts only the groups listed in appendix A, but not any "locally generated" ones, a compliant implementation? If not, why not?

> -----Original Message-----
> From: Dan Simon
> Sent: Friday, June 07, 2002 2:36 PM
> To: iscsi-security@external.cisco.com
> Subject: SRP groups
>
> To determine if a given g is a generator of the whole group (a necessary
> property for SRP), you need to know the factorization of (p - 1); you
> raise the candidate to the power of x for all x which are factors (not
> just prime factors) of p - 1, and reject it if you ever get 1 (mod p). In
> the case of the IKE primes, which are of the form p - 1 = 2q, q prime, just
> test that neither g^2 nor g^q are 1 (mod p); any g that passes that test
> will do. If the SRP primes were generated randomly, then their predecessors
> (i.e., p - 1) may not be easy to factor; but if they are, then you can
> choose a generator for them as I've described.
>
> Hope that helps,
>
> Dan
>
>
> ---------- Forwarded message ----------
> Date: Wed, 10 Apr 2002 21:19:18 -0700
> From: Tom Wu <tom@arcot.com>
> To: Bernard Aboba <aboba@internaut.com>
> Cc: iscsi-security@external.cisco.com
> Subject: Re: SRP groups
>
> Bernard,
>
> I generated the non-IKE primes randomly. I did not go through the full
> process of generating numbers with optimized forms, nor did I attempt to
> prove them prime using a rigorous test. This was primarily because, at the
> time I generated them, those prepackaged groups were intended mainly as a
> timesaver for people installing the SRP distribution; I expected many admins
> to generate their own groups, using the Open Source tconf tool in the SRP
> distribution, for their own peace of mind.

Ok, so now I'm confused. Dan says "you need to know the factorization of p-1" but presumably that is not known for a randomly chosen p.

> The secondary reason was that the requirements/constraints for SRP
> groups are not quite the same as the IKE groups. The IKE groups have
> the prime as 7 (mod 8) because of the lower-bits optimization, and g =
> 2, which can be faster with some bignum implementations. This means
> that g generates the group of size (p-1)/2, whereas SRP requires that g
> generate the largest group of size (p-1), i.e. a primitive root.
>
> That said, I'd have no problem with re-using the IKE primes as the prime for
> SRP groups, using a different "g" such that it is a primitive root. That's
> already been done for bitlengths 768 and 1024.

That being the case, it would be good for those values for g to be listed in the spec.

paul
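The generator checks discussed in this thread, as an added example that is not code from the thread or from the SRP distribution: Dan Simon's two-exponent test for primes of the form p - 1 = 2q, the general primitive-root test when the prime factors of p - 1 are known (the standard equivalent of "raise to every factor" is to check g^((p-1)/r) for each prime r dividing p - 1), and a brute-force subgroup-order routine that shows Tom Wu's point that g = 2 only generates the subgroup of size (p-1)/2 when p is 7 (mod 8). The primes 7, 23 and 47 are constructed toy safe primes so the code runs instantly; all function names are my own, and real SRP/IKE primes differ only in size.

```python
# Added example (not from the original thread): primitive-root checks for
# SRP generators, demonstrated on constructed toy safe primes p = 2q + 1.


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy sizes;
    a randomly chosen large p would need a real factoring effort for p - 1)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g, p, p_minus_1_factors):
    """g generates all of Z_p^* iff g^((p-1)/r) != 1 (mod p) for every prime r | p-1.
    This is the efficient form of 'reject g if some proper power is 1 (mod p)'."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // r, p) != 1 for r in p_minus_1_factors)


def is_safe_prime_generator(g, p):
    """Dan Simon's test for p = 2q + 1, q prime: neither g^2 nor g^q is 1 (mod p).
    The order of g divides 2q, so ruling out 1, 2 and q leaves only 2q = p - 1."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def multiplicative_order(g, p):
    """Size of the subgroup generated by g (brute force; toy p only)."""
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def smallest_generator(p):
    """Smallest primitive root mod p, found with the general test above."""
    factors = prime_factors(p - 1)
    for g in range(2, p):
        if is_primitive_root(g, p, factors):
            return g
    return None


if __name__ == "__main__":
    # 23 and 47 are 7 (mod 8), the IKE shape: 2 is a quadratic residue there,
    # so it only generates the subgroup of size q, and SRP needs a different g.
    for p in (23, 47):
        q = (p - 1) // 2
        print(f"p={p}: order(2)={multiplicative_order(2, p)} (q={q}); "
              f"2 passes SRP test: {is_safe_prime_generator(2, p)}; "
              f"smallest primitive root: {smallest_generator(p)}")
```

For a prime whose predecessor p - 1 cannot be factored, neither test can be applied, which is exactly the concern raised about the randomly generated non-IKE groups; for the IKE primes, where p - 1 = 2q with q known, the two-exponent check is all that is needed to verify a published g.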