Implementation guides for DH?

Bill Stewart bill.stewart at pobox.com
Thu Jan 2 01:38:39 EST 2003


At 03:07 PM 01/01/2003 -0800, Zulfikar Ramzan replied to Adam:
>Anton Stiglic has a paper on various security issues that
>arise in DH implementations:
>http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

The Photuris keying system (RFC2522) also has some
good insight into Diffie-Hellman implementation issues,
including a lot of emphasis on who picks what parameters
(initiator vs. responder) to reduce threats,
guidelines for acceptable parameters, and the
cookie exchange that reduces spoofing attacks.

Stiglic's paper goes into a lot of explanation about
some issues of safe parameters, particularly recommendations
for sufficiently safe primes.  Much of the discussion on the net
about prime safety for DH has been about whether safe primes
are necessary or not worth the bother, and at least with the
current methods for factoring, it's believed they aren't needed.
(One catch, of course, is that the best factoring method
10 or 50 years from now may be affected by safe vs. unsafe primes.)
At least in the initial Photuris versions, there were some
standard choices of primes that everybody used,
so it made sense to pick Sophie-Germain primes anyway.

Stiglic also refers to use of cookie puzzles such as hashcash
to further reduce the risk of swamp-the-responder attacks
by letting the responder force the initiator to do work
taking arbitrary amounts of time before the responder
needs to do any exponentiation work, which can let the responder
manage its total workload, with much more impact on an attacker
(or a slashdotting) than on non-malicious users.







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
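
The work-before-exponentiation gate described in the last paragraph of the post, as an added example (not taken from the post, from Photuris, or from Stiglic's paper): a stateless hashcash-style puzzle in Python. The SHA-256 leading-zero-bits puzzle, the HMAC cookie layout, and all names and constants are assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

SECRET = os.urandom(32)   # responder's local secret (assumed to be rotated periodically)
MAX_AGE = 60              # seconds a challenge stays valid (assumed value)

def difficulty_for_load(pending, base_bits=8, max_bits=24):
    """Raise the work factor by about one bit per doubling of queued handshakes."""
    return min(max_bits, base_bits + max(0, pending).bit_length())

def _cookie(initiator, ts, bits):
    # MAC binds the challenge to the initiator, the issue time and the difficulty.
    msg = initiator.encode() + struct.pack(">QB", ts, bits)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()

def issue_challenge(initiator, bits, now=None):
    """Stateless: the responder stores nothing per request."""
    ts = int(time.time() if now is None else now)
    return ts, bits, _cookie(initiator, ts, bits)

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _puzzle_hash(cookie, counter):
    return hashlib.sha256(cookie + struct.pack(">Q", counter)).digest()

def solve(cookie, bits):
    """Initiator's side: brute-force a counter, about 2**bits hashes on average."""
    counter = 0
    while leading_zero_bits(_puzzle_hash(cookie, counter)) < bits:
        counter += 1
    return counter

def verify(initiator, ts, bits, cookie, counter, now=None):
    """Responder's side: one MAC and one hash, checked before any exponentiation."""
    now = time.time() if now is None else now
    if not 0 <= now - ts <= MAX_AGE:
        return False                      # stale or future-dated challenge
    if not hmac.compare_digest(_cookie(initiator, ts, bits), cookie):
        return False                      # forged cookie, wrong peer, or altered difficulty
    return leading_zero_bits(_puzzle_hash(cookie, counter)) >= bits

if __name__ == "__main__":
    # Constructed sample: a documentation-range address and a queue of 3 handshakes.
    ts, bits, cookie = issue_challenge("192.0.2.7", difficulty_for_load(3))
    print(bits, verify("192.0.2.7", ts, bits, cookie, solve(cookie, bits)))
```

A solved challenge can be replayed until it expires, so a responder using this sketch would also need to remember accepted cookies for `MAX_AGE` seconds or bind the cookie to the initiator's DH public value.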


