questions on RFC2631 and DH key agreement
Hal Finney
hal at finney.org
Wed Feb 6 12:35:08 EST 2008
Jeff Hodges writes:
> If a purportedly "secure" protocol employing a nominal DH exchange in order to
> establish a shared secret key between a requester and responder, employs
> widely known published (on the web) fixed values for g ("2") and p (a
> purportedly prime 1040 bit number) for many of it's implementations and
> runtime invocations, what are the risks its designers are assuming with
> respect to the resultant properties of ZZ?
This can be reasonably safe, if p is chosen properly. There is no problem
with using g=2, with the right p. The main issue is that with current
technology, a 1040 bit p stands a substantial chance of being broken.
A 1024 bit special-form number was factored last year, with claims that
the technique might apply to general RSA moduli of that size. Finding
discrete logs takes similar work. A widely reused p value would be a
fat target for such an effort.
> I suspect that many implementations will simply use the equivalent of whatever
> rand() function is available to get the bits for their private keys directly,
> and will likely not reallocate private keys unless the implementation or
> machine are restarted. So if the random number generator has known flaws, then
> there may be some predictability in both the public keys and in ZZ, yes?
> Additionally there's the previously noted issue with the values of static
> private keys slowly leaking.
I'm not sure about this leaking, I asked Ashwood for clarification.
Certainly if the secret exponents are poorly chosen, the system will be
insecure. I would not necessarily assume that rand() is being used; I
would hope in this day and age that people would know better than that.
/dev/random on Linux&Mac and CryptGenRandom on Windows should provide
adequate security for this use, and hopefully the implementors would be
aware of the need for secure random numbers.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list