
Re: speaking of keys
On Fri, 6 Dec 2002, The Purple Streak, Hilarie Orman wrote:

.....
> 
> Also, the Diffie-Hellman group is a single basket holding all past
> session keys.  Just because it is strong enough for one paranoid
> usage doesn't account for the risk of having all past keys revealed.
> You need a very healthy entropy margin to account for that.
> 
> Hilarie
> 

Hilarie, can you please explain what you mean by "very healthy entropy
margin"? What is it needed for and how is it achieved? And what is a
"single paranoid use"?

If a DH group is eventually cryptanalyzed to the extent of allowing
recovery of the key g^xy from the public g^x and g^y for any key negotiated
over that group, then there is zero "entropy margin" left (regardless of
what your key derivation and key usage does).  So are you envisioning a
cryptanalytical break that will allow for a partial discovery of the g^xy
key? What do you mean by "entropy margin" in this case? Against partial
cryptanalysis/leakage the best defense is the hashing that we do for
deriving KEYSEED.

BTW, the only solution that I know for preventing the catastrophic problem
of a standardized group being fully cryptanalyzed is to use
"private groups" (which adds management and computational complexity,
as well as raises security issues about the generation of these groups),
or using the "revised encryption mode" of IKE (which encrypts the DH
exponentials under a private encryption key).

Hugo
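The "single basket" point in the exchange above can be made concrete with a toy model. The following Python is an added example, not code from the list discussion or from any IKE implementation: it runs several Diffie-Hellman sessions in one shared group, derives a KEYSEED from g^xy with a PRF keyed by the nonces (the hashing step the reply refers to), and then shows that a single group-level capability, here a brute-force discrete log that is only feasible because the constructed group is 16 bits wide, recovers every past session's KEYSEED from the recorded public values alone. The group parameters, the session-record layout and the helper names are assumptions made for the illustration; the PRF layout follows the IKEv2 shape KEYSEED = prf(Ni | Nr, g^xy) but is not claimed to match any particular implementation.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a 16-bit prime with generator 3, chosen so that the
# discrete log is brute-forceable in a fraction of a second. Real DH groups are
# thousands of bits; the point is the structure of the risk, not its cost.
P = 65537  # Fermat prime 2^16 + 1 (assumption: toy parameter for the demo)
G = 3      # 3 is a primitive root mod 65537


def dh_public(x: int) -> int:
    """Public exponential g^x mod p."""
    return pow(G, x, P)


def dh_shared(peer_public: int, x: int) -> int:
    """Shared secret g^xy mod p from the peer's exponential and our exponent."""
    return pow(peer_public, x, P)


def keyseed(shared: int, ni: bytes, nr: bytes) -> bytes:
    """KEYSEED = prf(Ni | Nr, g^xy), with HMAC-SHA256 standing in for the PRF."""
    return hmac.new(ni + nr, shared.to_bytes(4, "big"), hashlib.sha256).digest()


def run_session() -> dict:
    """One DH exchange in the shared group. Returns what an observer sees
    (g^x, g^y, Ni, Nr) plus the real KEYSEED so recovery can be checked."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gx, gy = dh_public(x), dh_public(y)
    assert dh_shared(gy, x) == dh_shared(gx, y)
    return {"gx": gx, "gy": gy, "ni": ni, "nr": nr,
            "keyseed": keyseed(dh_shared(gy, x), ni, nr)}


def discrete_log(h: int) -> int:
    """Brute-force x with g^x = h mod p. Feasible only in the toy group; it
    models 'the group has been cryptanalyzed' as a single reusable capability."""
    acc = 1
    for x in range(P - 1):
        if acc == h:
            return x
        acc = acc * G % P
    raise ValueError("not in the subgroup generated by G")


def recover_all_sessions(records: list[dict]) -> list[bool]:
    """Given only the public transcript of each past session, rederive its
    KEYSEED via the group-level break and report whether it matched.
    The nonce-keyed hashing does nothing here: once g^xy is known in full,
    KEYSEED is a deterministic function of public data."""
    results = []
    for rec in records:
        x = discrete_log(rec["gx"])
        shared = dh_shared(rec["gy"], x)
        results.append(keyseed(shared, rec["ni"], rec["nr"]) == rec["keyseed"])
    return results


def all_keyseeds_distinct(records: list[dict]) -> bool:
    """Sanity check: sessions used fresh exponents and nonces, so their
    KEYSEEDs differ even though they share one group."""
    seeds = [rec["keyseed"] for rec in records]
    return len(set(seeds)) == len(seeds)


if __name__ == "__main__":
    past = [run_session() for _ in range(5)]
    print("distinct KEYSEEDs:", all_keyseeds_distinct(past))
    print("recovered by one group break:", recover_all_sessions(past))
```

Running it shows every session reporting `True`: one break of the shared group retroactively yields every KEYSEED ever derived in it, which is the "single basket" risk, and the PRF step only helps when the attacker has something less than the full g^xy. Per-session "private groups" change this picture because the discrete-log effort would have to be repeated for each group.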