[Cryptography] Defending against weak/trapdoored keys
David Johnston
dj at deadhat.com
Thu Oct 13 02:18:38 EDT 2016
On 10/12/16 11:55 AM, Henry Baker wrote:
> Here's my (hopefully non-lame) attempt to fix DH to defend against weak and/or trapdoored primes/ECC-groups.
>
Rather than running two DHs, why not give both ends a hand in choosing
the prime randomly? Alice and Bob swap random numbers and hash them.
Alice and Bob both know their fresh random number went into the hash.
Use the hash output to seed a CSPRNG that services a prime search
algorithm. Use the prime that is found. You will want to do the usual
stuff to prevent MITMs.
Then it becomes a race between what's more efficient, the extra round
trip of DH or the extra cost of the prime search. This will depend on
compute vs network capability.
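The exchange described above, as an added example that is not part of the original post or of any library: both parties contribute a nonce, the hash of the two nonces (initiator's first, responder's second) seeds a deterministic generator, and that generator drives a safe-prime search that each side reproduces locally. Assumptions not in the post: the generator is a toy HMAC-SHA256 counter construction (not a NIST DRBG), the search is for a safe prime p = 2q + 1 with g = 4 as the order-q generator, and the modulus is 128 bits only so the search finishes in well under a second (real use would be 2048 bits or more, which is exactly the "extra cost of the prime search" the post weighs). Nonces are constructed for the demo.

```python
"""Jointly derived DH prime: Alice and Bob each contribute a nonce, the hash of
the nonces seeds a deterministic generator, and that generator drives a
safe-prime search. Either side can reproduce the prime; neither chooses it alone.
Added illustration, not code from the post or from any library."""
import hashlib
import hmac
import secrets


def _sieve(n):
    """Primes up to n, used for cheap trial division before Miller-Rabin."""
    flags = bytearray([1]) * (n + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


SMALL_PRIMES = _sieve(2000)


class SeededDRBG:
    """Toy counter-mode generator over HMAC-SHA256 (assumption: not SP 800-90A).
    Same seed on both ends means the same byte stream on both ends."""

    def __init__(self, seed: bytes):
        self.seed, self.counter, self.buf = seed, 0, b""

    def bytes(self, n: int) -> bytes:
        while len(self.buf) < n:
            self.buf += hmac.new(self.seed, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def int_below(self, bound: int) -> int:
        nbytes = (bound.bit_length() + 7) // 8
        while True:  # rejection sampling keeps the draw uniform
            x = int.from_bytes(self.bytes(nbytes), "big")
            if x < bound:
                return x


def derive_seed(nonce_initiator: bytes, nonce_responder: bytes) -> bytes:
    """Both sides hash the nonces in the same role order; the domain label is an assumption."""
    return hashlib.sha256(b"joint-dh-prime-v1" + nonce_initiator + nonce_responder).digest()


def is_probable_prime(n: int, rng: SeededDRBG, rounds: int = 16) -> bool:
    """Trial division then Miller-Rabin; bases come from the shared generator so
    both sides consume it identically and reach the same prime."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + rng.int_below(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def search_safe_prime(seed: bytes, bits: int):
    """Deterministic search for p = 2q + 1 with p exactly `bits` bits, driven by the seed."""
    rng = SeededDRBG(seed)
    while True:
        x = int.from_bytes(rng.bytes(bits // 8), "big")
        q = (x >> 1) | (1 << (bits - 2)) | 1  # (bits-1)-bit odd candidate for q
        p = 2 * q + 1
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue  # cheap rejection before any modular exponentiation
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q


def dh_shared(p: int, q: int, priv: int, peer_pub: int) -> int:
    """Reject public values outside the order-q subgroup before using them."""
    if not (1 < peer_pub < p - 1) or pow(peer_pub, q, p) != 1:
        raise ValueError("peer public value is not in the order-q subgroup")
    return pow(peer_pub, priv, p)


def run_protocol(nonce_alice: bytes, nonce_bob: bytes, bits: int = 128) -> dict:
    """Alice (initiator) and Bob (responder) each derive the prime independently,
    then run ordinary DH over it. Only nonces and public values cross the wire."""
    p_a, q_a = search_safe_prime(derive_seed(nonce_alice, nonce_bob), bits)  # Alice's side
    p_b, q_b = search_safe_prime(derive_seed(nonce_alice, nonce_bob), bits)  # Bob's side
    g = 4  # 2^2 is a quadratic residue mod a safe prime, so it has order q
    # Private exponents must come from LOCAL randomness: the peer knows the DRBG seed.
    x_a = 2 + secrets.randbelow(q_a - 2)
    x_b = 2 + secrets.randbelow(q_b - 2)
    y_a, y_b = pow(g, x_a, p_a), pow(g, x_b, p_b)
    return {
        "p_alice": p_a, "p_bob": p_b, "q": q_a,
        "key_alice": dh_shared(p_a, q_a, x_a, y_b),
        "key_bob": dh_shared(p_b, q_b, x_b, y_a),
    }


if __name__ == "__main__":
    # Constructed nonces; real parties would send secrets.token_bytes(32).
    result = run_protocol(b"\x01" * 32, b"\x02" * 32)
    print("same prime:", result["p_alice"] == result["p_bob"], "same key:", result["key_alice"] == result["key_bob"])
```

Two things the post leaves implicit that the code makes explicit: the Miller-Rabin bases are drawn from the shared generator so that both ends consume the byte stream in lockstep, and the DH private exponents are drawn from `secrets`, never from that generator, since the peer can replay it. The nonce exchange itself still needs the authentication the post calls "the usual stuff to prevent MITMs"; nothing here provides it.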