[Cryptography] Defending against weak/trapdoored keys

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Oct 13 05:59:20 EDT 2016


David Johnston <dj at deadhat.com> writes:

>Rather than running two DHs, why not give both ends a hand in choosing the
>prime randomly? Alice and Bob swap random numbers and hash them. Alice and
>Bob both know their fresh random number went into the hash. Use the hash
>output to seed a CSPRNG that services a prime search algorithm. Use the prime
>that is found. You will want to do the usual stuff to prevent MITMs.

See my other message, it's (theoretically) not too hard to do using SSH or TLS
client and server random, but the overhead of generating the parameters is
crippling.

If you wanted to be really clever you could use the hash of entire client and
server hello to generate the DH parameters, so you also get integrity
protection of the initial messages.  You've still got the high overhead
problem though.  So overall I think this falls into the cute-but-impractical
category.

Peter.
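The scheme quoted above, as an added worked example (this code is not from the thread or from either author): each peer contributes a fresh random value, the values (or, as suggested in the reply, the whole hello messages) are hashed into one seed, the seed drives a deterministic byte generator, and a safe-prime search runs over that stream, so both sides land on the same prime and can recompute the peer's parameters instead of trusting them. All names are constructed; `HashDRBG` is a toy HMAC-with-counter generator standing in for a real CSPRNG, and the authentication needed against a man-in-the-middle is not shown. Running `main` at 256 and 512 bits also makes the overhead point visible: the search cost grows quickly with the modulus size.

```python
"""Jointly seeded DH safe-prime generation (constructed illustration)."""
import hashlib
import hmac
import math
import secrets
import time

# All odd primes below 2000: trial-division filter and fixed Miller-Rabin bases.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, math.isqrt(p) + 1, 2))]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed witnesses, so every peer reaches the same verdict."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:24]:  # 24 deterministic rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class HashDRBG:
    """Toy deterministic stream: HMAC-SHA256(seed, counter). Not NIST HMAC_DRBG."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.seed, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

    def random_int(self, bits: int) -> int:
        """Integer of exactly `bits` bits (top bit forced to 1)."""
        x = int.from_bytes(self.random_bytes((bits + 7) // 8), "big")
        x &= (1 << bits) - 1
        return x | (1 << (bits - 1))


def derive_seed(transcript: list[bytes]) -> bytes:
    """Seed = SHA-256 over length-prefixed pieces: the two randoms, or the full
    client and server hello so the seed also binds their contents."""
    h = hashlib.sha256(b"dh-param-seed-v1")  # constructed domain-separation label
    for piece in transcript:
        h.update(len(piece).to_bytes(4, "big"))
        h.update(piece)
    return h.digest()


def generate_safe_prime(seed: bytes, bits: int) -> tuple[int, int]:
    """Walk the seeded stream until q and p = 2q + 1 are both prime; returns (p, q)."""
    drbg = HashDRBG(seed)
    while True:
        q = drbg.random_int(bits - 1) | 1  # odd candidate, so p has exactly `bits` bits
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            return p, q


def verify_parameters(transcript: list[bytes], bits: int, p_received: int) -> bool:
    """A peer recomputes the prime from the shared transcript instead of trusting it."""
    p_expected, _ = generate_safe_prime(derive_seed(transcript), bits)
    return p_expected == p_received


def main() -> None:
    # Constructed hello messages; each side contributes 32 fresh random bytes.
    client_hello = b"ClientHello{constructed}" + secrets.token_bytes(32)
    server_hello = b"ServerHello{constructed}" + secrets.token_bytes(32)
    transcript = [client_hello, server_hello]
    for bits in (256, 512):
        t0 = time.perf_counter()
        p, _ = generate_safe_prime(derive_seed(transcript), bits)
        elapsed = time.perf_counter() - t0
        print(f"{bits}-bit safe prime found in {elapsed:.2f}s; "
              f"peer verifies: {verify_parameters(transcript, bits, p)}")


if __name__ == "__main__":
    main()
```

The fixed Miller-Rabin bases matter: if witnesses were drawn from an unshared random source, the two sides could in principle disagree on a borderline candidate, which would break the "both compute the same prime" property the scheme relies on.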
