
Re: Small subgroups and ISAKMP/Oakley



Hilarie,

In light of Dan Harkin's comments about the HASH'ed authenticated
exponentials preventing middleman confinement attack in the latest
draft of ISAKMP/Oakley, I presume we're now talking about DH in
general.  In regards to John's and Lewis' comments about end-party
confinement, I think the significance of this is largely for other uses
of DH.  With this in mind, ...

At 07:55 PM 4/16/97 -0400, you wrote:

> With regard to having one party force a bad key, it is still possible for
> the second party to choose an exponential that forces many of the key
> bits to a known value, thus opening up some room for a passive attacker.
> There's no trick to this, it simply requires a lot of fast computation.

By "still possible" do you mean even if the first party checks for
confinement?  I think the problem of known key bits is only there if the
chosen exponential is of small order.  If the "bad" exponential is a
generator of a large-order group, then the good party's large random
exponent should prevent any predictable bits.

There was some discussion related to this at the last P1363 meeting.
Specifically, does one need to ensure that the result is in the correct
large subgroup, or is it enough to prevent it from being in a small
subgroup?  And then if so, how small is small?  How to properly deal with
prime moduli with large co-factors was left as an open issue.
Raising the result to the co-factor works, but may not be the
most efficient solution.

-- David

------------------------------------
David P. Jablon
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com
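An added example, not part of the original message, showing the two approaches the message contrasts on a constructed toy modulus p = k*q + 1 with a composite cofactor k: the strict subgroup check (y^q == 1 mod p) and the cofactor-exponentiation alternative, together with a count of how few shared secrets a small-order peer value can confine the honest party to. All parameters and helper names are assumptions for illustration.

```python
import random

def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_params(q_bits=12, k=24, seed=1):
    """Constructed toy p = k*q + 1 (not a real-world modulus) with a
    deliberately composite cofactor k, plus a generator g of the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.randrange(1 << (q_bits - 1), 1 << q_bits)
        p = k * q + 1
        if is_prime(q) and is_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), k, p)  # (h^k)^q = h^(p-1) = 1, so order divides q
        if g != 1:
            return p, q, k, g

def validate_peer_value(y, p, q):
    """Strict check: y in [2, p-2] and y^q = 1 (mod p), i.e. y lies in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def cofactor_shared_secret(y, x, p, k):
    """Cofactor alternative: raise y to k first, which maps any y into the order-q
    subgroup; None means y had no component there and must be rejected."""
    z = pow(y, k, p)
    return None if z == 1 else pow(z, x, p)

def small_order_value(p, q, seed=3):
    """A value whose order divides k, the kind of exponential a confining peer could send."""
    rng = random.Random(seed)
    while True:
        s = pow(rng.randrange(2, p - 1), q, p)  # s^k = 1, so order divides k
        if s != 1:
            return s

def distinct_secrets(y, p, trials=200, seed=2):
    """How many different y^x an honest party could end up with for a given peer value y."""
    rng = random.Random(seed)
    return len({pow(y, rng.randrange(1, p - 1), p) for _ in range(trials)})
```

With a small-order y the honest party's random x yields at most k distinct secrets, while a proper order-q generator yields far more; the cofactor route rejects the former and returns an order-q value for the latter.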


