
Re: Small subgroups and ISAKMP/Oakley



The 1,-1 check should be added to the spec, but I think the rest of the
good work of IEEE and X9.42 is beyond the intended scope of ISAKMP/OAKLEY;
there's no intent to reference all possible attacks.

I recommend adding a comment that only strong/Sophie Germain/j=2 primes
be used for the modulus in the New Group exchange, but the consenting parties
must either trust each other's math or be able to independently validate
the Sophie Germain-ness of the modulus (off-line beforehand or in-line on
a fast machine).

With regard to having one party force a bad key, it is still possible for
the second party to choose an exponential that forces many of the key
bits to a known value, thus opening up some room for a passive attacker.
There's no trick to this, it simply requires a lot of fast computation.

Hilarie
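Added example, not from this message or from any ISAKMP/Oakley implementation: the 1,-1 check on a received exponential, the Sophie Germain (j=2) validation of a modulus, and the subgroup-membership test that a safe prime makes cheap. The moduli used below (23, 29, 1907) are small constructed values for illustration, not Oakley groups.

```python
import random

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (trial division first for tiny n)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """The j=2 ('Sophie Germain') condition: p and q = (p-1)/2 are both prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def validate_exponential(y: int, p: int) -> bool:
    """Accept a received exponential y only if it lies in the order-q subgroup
    of a safe prime p.  Assumes p already passed is_safe_prime()."""
    if not 1 < y < p - 1:          # the 1,-1 check (also rejects 0 and values >= p)
        return False
    q = (p - 1) // 2
    return pow(y, q, p) == 1       # order of y divides q; q prime => order is q

def element_order(y: int, p: int) -> int:
    """Brute-force multiplicative order (demo only, tiny p): how many distinct
    shared secrets a passive attacker would have to search if y were accepted."""
    if y % p == 0:
        raise ValueError("0 has no multiplicative order")
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k
```

With p = 23, the value p-1 = 22 has order 2, so a key derived from it takes only two possible values; the check rejects it, while 2, 3 and 4 (order 11) pass.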

