pubkeys for p and g

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri Jun 27 14:00:48 EDT 2003


martin f krafft wrote:


> My point was that some commercial vendors (Check Point and others)
> claim, that if two partners want to perform a DH key exchange, they
> may use their two public keys for g and p. This, in effect, would
> mean that g and p were not globally known, but that the public keys
> are used in their place.

Can you give me a ref to where they say that? I'd like to know exactly what
they are claiming. 

Perhaps they are encrypting the DH secrets with RSA keys to provide some
recipient authentication?

Or perhaps they are using DH instead of RSA for their public keys?

> Thus every communication party would have a key pair, aA and bB,
> where the capital letter is the public key. Then, the following
> happens:
> 
> let g = A and p = B
> let A' = g^a mod p and B' = g^b mod p
>        = A^a mod B        = A^b mod B
> 
> and off you go, doing DH with g = A, p = B, and the keypairs aA' and
> bB' on either side.

(I assume a and b the usual DH secrets)

> This would, in my opinion, only be possible if:
> 
> - there would be a rule to decide which public key is p and which
> is g.
> - all public keys (RSA in this case) are primes.
> - all public keys are good generators mod p.

You mean "all public keys are good generators mod all public keys"

This won't work; for instance, the N's in RSA keys can't be prime. The e's
can be, but there is then no way that I can think of to ensure that an e is
a generator of a sufficiently large subgroup of another, unknown at
generation, e.

It might be possible to use some algorithm to find a suitable g, but that
doesn't conform to your/their stipulation.




-- 
Peter Fairbrother
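
The objections in the reply above, checked numerically in an added example that is not part of the original post: it treats RSA public values as DH parameters (g = one key, p = the other) and reports whether p is prime and what size subgroup g generates. The modulus 61*53 and the function names are constructed for illustration; 3, 17 and 65537 are commonly used prime RSA exponents.

```python
# Added illustration; all key values below are constructed sample inputs.

def is_prime(n):
    """Trial-division primality test (adequate for the small values here)."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def prime_factors(n):
    """Set of prime factors of n by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def subgroup_order(g, p):
    """Multiplicative order of g modulo a prime p (None if g is 0 mod p)."""
    g %= p
    if g == 0:
        return None
    order = p - 1
    for q in prime_factors(p - 1):
        # Strip each factor q for as long as g^(order/q) is still 1.
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order

def assess(g, p):
    """Judge public value g as DH generator and public value p as DH modulus."""
    prime = is_prime(p)
    return {"g": g, "p": p, "p_prime": prime,
            "order": subgroup_order(g, p) if prime else None}

TOY_N = 61 * 53             # constructed RSA modulus: composite by definition
COMMON_E = [3, 17, 65537]   # prime exponents; the largest is only 17 bits

def survey():
    rows = [assess(65537, TOY_N)]   # an RSA N used as p: never prime
    return rows + [assess(g, p) for g in COMMON_E for p in COMMON_E if g != p]

if __name__ == "__main__":
    for row in survey():
        print(row)
```

The subgroup order depends entirely on which e happens to be paired with which, and even the best pairing works in a group of at most 65536 elements.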


