[Cryptography] Defending against weak/trapdoored keys

Ron Garret ron at flownet.com
Thu Oct 13 12:08:19 EDT 2016


On Oct 13, 2016, at 5:37 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> At 11:18 PM 10/12/2016, David Johnston wrote:
>> On 10/12/16 11:55 AM, Henry Baker wrote:
>>> Here's my (hopefully non-lame) attempt to fix DH to defend against weak and/or trapdoored primes/ECC-groups.
>> 
>> Rather than running two DHs, why not give both ends a hand in choosing the prime randomly?
>> 
>> Alice and Bob swap random numbers and hash them.
>> 
>> Alice and Bob both know their fresh random number went into the hash.
>> 
>> Use the hash output to seed a CSPRNG that services a prime search algorithm.
>> 
>> Use the prime that is found.
>> 
>> You will want to do the usual stuff to prevent MITMs.
>> 
>> Then it becomes a race between what's more efficient, the extra round trip of DH or the extra cost of the prime search.
>> 
>> This will depend on compute vs network capability.
> 
> I'm not at all convinced that random "secure" primes/ECC groups can be quickly & efficiently generated in real time.
> 
> However, by using multiple DHs, we might be able to force Eve to have to break them all.

Or we could just use ECDH on Curve25519 and be done with it.

rg
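The joint prime-selection exchange David describes in the quoted text above (swap fresh random values, hash them, seed a deterministic generator, run a prime search from that seed), as an added worked example that is not part of this thread or anyone's posted code. Everything beyond the quoted sketch is an assumption made here for illustration: a commit-then-reveal step so neither side can pick its nonce after seeing the other's, SHA-256 as the hash, a toy hash-counter DRBG in place of a real CSPRNG, a safe-prime search (p = 2q + 1) with fixed-base Miller-Rabin so both ends reach the same answer, and a 128-bit toy modulus so the search finishes in well under a second in pure Python. The names `commit`, `verify_opening`, `derive_seed`, `HashDRBG`, `find_safe_prime`, `joint_prime` and `run_protocol` are invented for this example.

```python
import hashlib
import hmac
import secrets

DEMO_BITS = 128  # toy size so the search finishes quickly; real groups need >= 2048

# Fixed Miller-Rabin bases: the test must be deterministic so both ends agree on p.
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def commit(nonce: bytes) -> bytes:
    """Hash commitment to a nonce (domain-separated SHA-256); sent before the reveal."""
    return hashlib.sha256(b"commit|" + nonce).digest()


def verify_opening(commitment: bytes, nonce: bytes) -> bool:
    """Check that a revealed nonce matches the commitment received earlier."""
    return hmac.compare_digest(commit(nonce), commitment)


def derive_seed(nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Both fresh nonces go into the seed; fixed order so both sides compute the same value."""
    return hashlib.sha256(b"dh-prime-seed|" + nonce_a + nonce_b).digest()


class HashDRBG:
    """Toy deterministic generator (assumption): SHA-256(seed || counter) in counter mode."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def random_bits(self, nbits: int) -> int:
        out = b""
        while len(out) * 8 < nbits:
            out += hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def is_probable_prime(n: int) -> bool:
    """Trial division by MR_BASES, then Miller-Rabin with those same fixed bases."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(drbg: HashDRBG, bits: int) -> int:
    """Walk the DRBG stream until p = 2q + 1 with both p and q prime."""
    while True:
        q = drbg.random_bits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def joint_prime(nonce_a: bytes, nonce_b: bytes, bits: int = DEMO_BITS) -> int:
    """What each side computes locally once both nonces are known: the same p."""
    return find_safe_prime(HashDRBG(derive_seed(nonce_a, nonce_b)), bits)


def run_protocol(bits: int = DEMO_BITS):
    """Commit, reveal, verify, derive the group, then run DH in it.

    Returns (p, g, shared_a, shared_b); a correct run has shared_a == shared_b.
    """
    nonce_a, nonce_b = secrets.token_bytes(32), secrets.token_bytes(32)
    c_a, c_b = commit(nonce_a), commit(nonce_b)          # round 1: commitments cross
    if not (verify_opening(c_a, nonce_a) and verify_opening(c_b, nonce_b)):
        raise ValueError("nonce opening does not match commitment")  # round 2: reveal
    p = joint_prime(nonce_a, nonce_b, bits)              # both ends land on the same p
    q, g = (p - 1) // 2, 4                               # 4 = 2^2 generates the order-q subgroup
    x, y = secrets.randbelow(q - 2) + 2, secrets.randbelow(q - 2) + 2
    shared_a = pow(pow(g, y, p), x, p)                   # Alice: (g^y)^x mod p
    shared_b = pow(pow(g, x, p), y, p)                   # Bob:   (g^x)^y mod p
    return p, g, shared_a, shared_b
```

The commit/reveal round is what stops one side from waiting for the other's value and then choosing its own nonce to steer the search; it does nothing about an active attacker in the middle, who must still be handled by authenticating the exchange as the quoted text says. Each side also re-checks primality of the p it derives rather than trusting the peer's copy. At this toy size the search is cheap; at 2048 bits and up the safe-prime search dominates, which is the compute-versus-round-trip trade-off the quoted text raises.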
