Re: IPS security draft: SRP groups
Excerpt of message (sent 3 July 2002) by Bernard Aboba:
> In answer to your question, here is a suggestion from Dan Simon for
> determining the appropriate generators for the IKE primes, for use with SRP.
Ok. I didn't know that but I probably would have learned it if I had
done the necessary reading about groups and generators. But the point
of my question wasn't "is it possible to compute g" but rather "how
about supplying g in the spec" (since the g=2 from IKE is not
appropriate). It seems a bit redundant for everyone to repeat the
search for a suitable g...
So what's the story about unlisted groups? Is an implementation that
accepts only the groups listed in appendix A, but not any "locally
generated" ones, a compliant implementation? If not, why not?
> -----Original Message-----
> From: Dan Simon
> Sent: Friday, June 07, 2002 2:36 PM
> To: iscsi-security@external.cisco.com
> Subject: SRP groups
>
> To determine if a given g is a generator of the whole group (a necessary
> property for SRP), you need to know the factorization of (p - 1); you
> raise the candidate to the power of x for all x which are factors (not
> just prime factors) of p - 1, and reject it if you ever get 1 (mod p). In
> the case of the IKE primes, which are of the form p - 1 = 2q, q prime, just
> test that neither g^2 nor g^q are 1 (mod p); any g that passes that test
> will do. If the SRP primes were generated randomly, then their predecessors
> (i.e., p - 1) may not be easy to factor; but if they are, then you can
> choose a generator for them as I've described.
>
> Hope that helps,
>
> Dan
>
>
> ---------- Forwarded message ----------
> Date: Wed, 10 Apr 2002 21:19:18 -0700
> From: Tom Wu <tom@arcot.com>
> To: Bernard Aboba <aboba@internaut.com>
> Cc: iscsi-security@external.cisco.com
> Subject: Re: SRP groups
> Bernard,
>
> I generated the non-IKE primes randomly. I did not go through the full
> process of generating numbers with optimized forms, nor did I attempt to
> prove them prime using a rigorous test. This was primarily because, at the
> time I generated them, those prepackged groups were intended mainly as a
> timesaver for people installing the SRP distribution; I expected many admins
> to generate their own groups, using the Open Source tconf tool in the SRP
> distribution, for their own peace of mind.
Ok, so now I'm confused. Dan says "you need to know the factorization
of p-1" but presumably that is not known for a randomly chosen p.
> The secondary reason was that the requirements/constraints for SRP
> groups are not quite the same as the IKE groups. The IKE groups have
> the prime as 7 (mod 8) because of the lower-bits optimization, and g =
> 2, which can be faster with some bignum implementations. This means
> that g generates the group of size (p-1)/2, whereas SRP requires that g
> generate the largest group of size (p-1), i.e. a primitive root.
>
> That said, I'd have no problem with re-using the IKE primes as the prime for
> SRP groups, using a different "g" such that it is a primitive root. That's
> already been done for bitlengths 768 and 1024.
That being the case, it would be good for those values for g to be
listed in the spec.
paul
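
Added example, not part of the original messages: the generator test Dan Simon describes for primes of the form p - 1 = 2q, written in the equivalent cofactor form (check g^((p-1)/r) for each prime r dividing p - 1). The function names are this example's own, and the small primes 23, 47 and 31 are constructed stand-ins, not the IKE or SRP groups.

```python
# Added example. Primes used in the test are small constructed values,
# not the IKE or SRP groups discussed in the thread.

def is_generator(g, p, prime_factors):
    """Return True if g is a primitive root modulo the prime p.

    prime_factors must be the complete set of distinct primes dividing p - 1
    (assumption: the caller knows them, e.g. [2, q] when p = 2q + 1).
    g has order p - 1 exactly when g^((p-1)/r) != 1 (mod p) for each r.
    """
    n = p - 1
    rest = n
    for r in prime_factors:
        if r < 2 or n % r != 0:
            raise ValueError(f"{r} does not divide p - 1")
        while rest % r == 0:
            rest //= r
    if rest != 1:
        # A missing prime factor would let a non-generator pass the test.
        raise ValueError("factorization of p - 1 is incomplete")
    g %= p
    if g in (0, 1):
        return False
    return all(pow(g, n // r, p) != 1 for r in prime_factors)


def smallest_generator(p, prime_factors):
    """Search upward from 2 for the first primitive root modulo p."""
    for g in range(2, p):
        if is_generator(g, p, prime_factors):
            return g
    raise ValueError("no generator found; is p prime?")


def order(g, p):
    """Brute-force multiplicative order of g mod p (small p, g coprime to p)."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k
```

For p = 23 (which is 7 mod 8, like the IKE primes) this shows g = 2 reaching only the subgroup of size (p-1)/2, while the search returns a g that passes both the g^2 and g^q checks.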