[Cryptography] DH non-prime kills "socat" command security
Ray Dillinger
bear at sonic.net
Tue Feb 9 12:06:06 EST 2016
On 02/08/2016 07:03 PM, Benjamin Kreuter wrote:
> On Thu, 2016-02-04 at 18:30 -0800, Henry Baker wrote:
>> There is an outstanding problem: if we all use the same primes, large
>> nation-states can build log (rainbow-like) tables for these primes;
>> if we use different primes, we then have to prove to our
>> correspondent that the "prime" we propose is really
>> prime. Generating such primes and generating such easily-checkable
>> proofs appears to take too much time for normal HTTPS ecommerce.
> Also note that allowing people to generate their own parameters adds
> complexity to protocols that are already notoriously difficult to get
> right, and to their implementations which are also notoriously
> difficult to get right. IMO it is better to choose common parameters
> large enough to resist nation-state attacks, and for everyone to use
> those parameters.
I think I disagree. It's easier to get code that deals with
general parameters right - once - than to rely on individual
implementations that depend on specific hardcoded numbers
for each of a dozen different groups being used in different
applications.
And I think I'd be as happy with code that does a hundred
iterations of three or four *different* probabilistic primality
tests as I'd be with a proof of primality. Proofs of primality
are likely only to apply to a very small set of numbers having
very specific properties some of which we don't necessarily
fully understand.
Bear
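Bear's suggestion of stacking several different probabilistic primality tests, as an added example that is not code from this thread: the check below accepts a proposed DH pair (p, g) only if both p and q = (p - 1)/2 survive Miller-Rabin and Solovay-Strassen and g lies in the order-q subgroup. The function names, the `min_bits` floor and the small sample groups used to exercise it are my own constructed assumptions, not anything from socat or the list.

```python
import random

def miller_rabin(n, rounds=64):
    """Strong probable-prime test: False is definite, True is probabilistic."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False  # this base witnesses that n is composite
    return True

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            result = -result if n % 8 in (3, 5) else result
        a, n = n, a
        result = -result if a % 4 == n % 4 == 3 else result
        a %= n
    return result if n == 1 else 0

def solovay_strassen(n, rounds=64):
    """Euler-criterion test; its liars are a different set from Miller-Rabin's."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for _ in range(rounds):
        a = random.randrange(2, n)
        j = jacobi(a, n)
        if j == 0 or pow(a, (n - 1) // 2, n) != j % n:
            return False
    return True

def validate_dh_group(p, g, min_bits=2048, rounds=64):
    """Accept (p, g) only if p is a probable safe prime under both tests and
    g generates the order-q subgroup, where q = (p - 1) / 2 (assumed policy)."""
    q = (p - 1) // 2
    strong = all(miller_rabin(n, rounds) and solovay_strassen(n, rounds) for n in (p, q))
    return p.bit_length() >= min_bits and strong and 1 < g < p - 1 and pow(g, q, p) == 1
```

With the default `min_bits`, a toy group such as p = 23 is rejected on size alone; pass `min_bits=0` only to exercise the primality and subgroup logic on small constructed values.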