[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MODP groups draft concern

Walker, Jesse writes:
> This e-mail asks whether it is appropriate at this time to include the
> suggested 8192-bit MODP group in the draft. If I correctly understood your
> presentation at the San Diego IPsec meeting, not only do we not know whether
> the proposed 8192-bit modulus is a Sophie-Germain prime, but we don't even
> know if it is prime. If this is true, then we aren't at all certain of its
> security properties, so don't know whether it meets its design goal of
> providing the level of security suggested as necessary for AES-192.
> Probabalistic assurances are something we have never agreed to before for
> well-known IKE groups. In the past our standard has been the modulus for any
> well-known group must be a verified Sophie-Germaine prime. This criteria has
> served us well for every well-known group to date. Why abandon it now?

Because I haven't had enough time to check the prime. My search
program searches the primes by using Miller-Rabin test with limit 200.
This gives the information that number is not prime the propability of
1/4^200 == 1/2582249878086908589655919172003011874329705792829223512830659356540647622016841194629645353280137831435903171972747493376.

I agree, that might not be enough for some people to use the group,
but those should verify all the groups given in the draft themselfs
anyways, and not to trust somebody else to verify the groups for them.

You should also remember that almost all RSA key pairs are generated
by using the propabilistic primes. Also when generating those primes
the limit is normally used only up to 20 or so... So it is much more
likely that your RSA key pair is weak than this group being weak.
Anyways I will try to run the tests on it if I just have enough cpu to
do it. 

> I can think of at least three plausible ways forward:
> a. The IPsec community could dedicate resources to help verify that the
> value is indeed a Sophie-Germain prime (assuming it is). In the eventuality
> of a successful verification, it would be appropriate for the value to
> remain in the draft. Many would see this as the most desirable outcome,
> because we would possess a value anyone could use, safe in the knowledge
> that it actually provides the level of security we hope it does.

If you have spare alpha machine available, just go to


and fetch the ECPP program we have been using. The only problem is
that it is only available for the alpha machines, thus limiting the
number of machines that can run it. Also running it can take lots of

> It is not obvious to me that the need for an 8K or larger group is
> sufficiently urgent to abandon our long standing criteria. Let the
> verification algorithm crank a few months or years or however long is
> necessary to tell us whether the value has the right properties we need for
> security. We can standardize a new 8K group whenever this completes with a
> verified Sophie-Germain prime, or generates a Schnorr group, or whatever we
> define as safe. Until then, let's not tell the world this value is OK to use
> by including it in the draft, because we just don't know.

I am going to leave it in the draft for now on, but if I don't have
the verification for it when we are going to RFC, then I will consider
things more. I might end up having two RFC, one with the proven groups
and second with those checked only using propabilistic methods. 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

Follow-Ups: References: