
Re: Small subgroups and ISAKMP/Oakley



>  > With regard to having one party force a bad key, it is still possible for
>  > the second party to choose an exponential that forces many of the key
>  > bits to a known value, thus opening up some room for a passive attacker.
>  > There's no trick to this, it simply requires a lot of fast computation.

>  By "still possible" do you mean even if the first party checks for
>  confinement?

Yes.  There's no number theory involved, just trial-and-error.  The
reason I mention this is that I think that confinement is overall a
minor problem (because there are so many reasonable ways to avoid it)
and that worrying about confinement with an authenticated but
unscrupulous conversant is even more minor.  For comparison I offer
the brute force method, an attack that is ignored because there is no
cure.  At least, I don't know of one.

Hilarie
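
As an added illustration (this is not code from the message above, nor anything from the ISAKMP/Oakley drafts), the following toy Diffie-Hellman exchange in Python separates the two points made in the thread: a confinement check that refuses a peer's exponential lying in a small subgroup, and the brute-force search by an authenticated but unscrupulous second party that such a check does not stop. The parameters are constructed for the example: p = 10007 is a safe prime (p = 2q + 1, q = 5003), so the only small subgroups are of order 1 and 2, and g = 4 is a quadratic residue that generates the order-q subgroup. The function names and the "Alice"/"Bob" roles are this example's own.

```python
"""Toy Diffie-Hellman showing (1) the confinement check on a received
exponential and (2) the brute-force attack that passes it anyway: the
second party already holds the first party's exponential and simply tries
private exponents until the shared key has a chosen prefix.

Constructed parameters (an assumption of this example, not an IKE group):
p = 10007 is a safe prime with q = 5003, so the only small subgroups mod p
have order 1 and 2; g = 4 is a quadratic residue and so has order q.
"""

P = 10007
Q = 5003
G = 4
KEY_BITS = P.bit_length()   # the shared secret is a value in [1, p-1]; 14 bits here


def in_prime_order_subgroup(y, p=P, q=Q):
    """Confinement check on a received public value y.

    Rejects y outside (1, p-1) and any y whose order does not divide q.
    For a safe prime that leaves exactly the order-q subgroup, so an
    exponential that would confine the key to {1} or {1, p-1} is refused.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def shared_key(peer_pub, my_priv, p=P):
    """Plain DH: K = peer_pub ** my_priv mod p."""
    return pow(peer_pub, my_priv, p)


def key_prefix(key, prefix_bits, key_bits=KEY_BITS):
    """Top prefix_bits of the key, viewed as a key_bits-wide integer."""
    return key >> (key_bits - prefix_bits)


def force_key_prefix(peer_pub, prefix, prefix_bits, p=P, g=G, max_trials=Q):
    """The second party's trial-and-error search from the thread.

    Knowing the first party's exponential peer_pub = g**a mod p, try private
    exponents b until (g**a)**b has the wanted prefix.  Every candidate
    g**b mod p is a legitimate element of the order-q subgroup, so the first
    party's confinement check accepts it.  Expected cost is roughly
    2**prefix_bits modular exponentiations.  This toy iterates b in order;
    a real attacker would draw b at random, which costs the same on average.

    Returns (b, g**b mod p, trials) or None if max_trials is exhausted.
    """
    for trials, b in enumerate(range(1, max_trials + 1), start=1):
        if key_prefix(pow(peer_pub, b, p), prefix_bits) == prefix:
            return b, pow(g, b, p), trials
    return None


def demo(alice_priv=1234, prefix_bits=6):
    """Alice is honest and checks for confinement; Bob forces the top
    prefix_bits of the key to zero.  Returns the outcome for inspection."""
    alice_pub = pow(G, alice_priv, P)
    result = force_key_prefix(alice_pub, prefix=0, prefix_bits=prefix_bits)
    if result is None:
        raise RuntimeError("search exhausted (cannot happen for these parameters)")
    bob_priv, bob_pub, trials = result
    return {
        "accepted": in_prime_order_subgroup(bob_pub),   # Alice's check passes
        "key_alice": shared_key(bob_pub, alice_priv),
        "key_bob": shared_key(alice_pub, bob_priv),
        "trials": trials,
        "known_bits": prefix_bits,
    }


if __name__ == "__main__":
    out = demo()
    print("confined values rejected:",
          not in_prime_order_subgroup(1), not in_prime_order_subgroup(P - 1))
    print("Bob's exponential accepted:", out["accepted"])
    print("keys agree:", out["key_alice"] == out["key_bob"],
          "key =", out["key_alice"], "after", out["trials"], "trials")
```

The point to take from running it is the one Hilarie makes: the check catches y = 1 and y = p - 1, but Bob's forged exponential is a perfectly ordinary group element, and the cost of fixing k bits of the key is about 2^k exponentiations regardless of what the first party verifies.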
