Re: Small subgroups and ISAKMP/Oakley
> > With regard to having one party force a bad key, it is still possible for
> > the second party to choose an exponential that forces many of the key
> > bits to a known value, thus opening up some room for a passive attacker.
> > There's no trick to this, it simply requires a lot of fast computation.
> By "still possible" do you mean even if the first party checks for
> confinement?
Yes. There's no number theory involved, just trial-and-error. The
reason I mention this is that I think that confinement is overall a
minor problem (because there are so many reasonable ways to avoid it)
and that worrying about confinement with an authenticated but
unscrupulous conversant is even more minor. For comparison I offer
the brute force method, an attack that is ignored because there is no
cure. At least, I don't know of one.
Hilarie
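As an added illustration of the trial-and-error method Hilarie describes (this is example code, not part of her message or of the ISAKMP/Oakley drafts), the following Python uses constructed toy parameters to show that forcing k bits of the shared secret costs about 2^k exponentiations, and that the first party's confinement check on the second party's public value does not notice it. The prime, generator and private exponent values are hypothetical and chosen only to keep the run time small.

```python
import secrets

# Constructed toy parameters (hypothetical, NOT a real Oakley group):
# p = 2^31 - 1 is prime and 7 is a primitive root, so the group is small
# enough that the grinding cost is visible in well under a second.
P = 2**31 - 1
G = 7
KEY_BITS = P.bit_length()  # 31 bits of shared secret


def top_bits(x: int, k: int) -> int:
    """Return the k most significant bits of x viewed as a KEY_BITS-bit value."""
    return x >> (KEY_BITS - k)


def passes_confinement_check(public_value: int) -> bool:
    """The minimal check the first party can apply to the peer's exponential:
    reject the order-1 and order-2 elements (1 and p-1)."""
    return 1 < public_value < P - 1


def grind_exponent(peer_public: int, k: int, target: int, max_trials: int = 1 << 24):
    """Second party's trial-and-error: draw random private exponents until the
    shared secret peer_public^b mod p has its top k bits equal to `target`.
    No number theory is involved; the expected cost is about 2^k trials.
    Returns (private_exponent, shared_secret, trials_used)."""
    for trials in range(1, max_trials + 1):
        b = secrets.randbelow(P - 2) + 1          # uniform in [1, p-2]
        s = pow(peer_public, b, P)
        if top_bits(s, k) == target:
            return b, s, trials
    raise RuntimeError("trial budget exhausted")


def demo(k: int = 8, target: int = 0xA5):
    """Run one exchange: honest first party, grinding second party.
    Returns (trials_used, honest_shared_secret, check_passed)."""
    a = secrets.randbelow(P - 2) + 1              # first party's honest exponent
    A = pow(G, a, P)
    b, s, trials = grind_exponent(A, k, target)
    B = pow(G, b, P)
    honest_shared = pow(B, a, P)                  # first party computes the same s
    assert honest_shared == s and top_bits(honest_shared, k) == target
    return trials, honest_shared, passes_confinement_check(B)


if __name__ == "__main__":
    trials, s, ok = demo()
    print(f"forced top 8 bits after {trials} trials; confinement check passed: {ok}")
```

Raising k in `demo` shows the exponential growth in trials that makes this "brute force": each additional forced bit roughly doubles the work.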