On 03/12/2014 01:19 PM, Jeffrey Hutzelman wrote:

> The MODP groups given in RFC5114 are taken from DSS and NIST SP-800-56A,
> and do not have this same structure. The RFC has nothing to say on how
> they were selected, and my recollection from the last time I looked was
> that the NIST publications don't say anything either.

It's not clear to me that there is any advantage in a DH key exchange to using the RFC 5114 discrete log groups.

The selection of a discrete log group with a subgroup of targeted size q (instead of using a group with a safe prime modulus, which only allows subgroups of at worst (p-1)/2 if you exclude (p-1) as a valid public key) makes it costly to check whether the peer is forcing your shared secret into one of the other smaller subgroups.

Note that this kind of subgroup-forcing attack was used in the DHE variant of Bhargavan et al.'s recent attack against client certification in TLS (other mistakes in the TLS protocol played a role in these attacks too, of course).

Using a group with a known safe prime modulus should avoid this concern.

--dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
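The public-key validation contrast dkg describes, as an added example that is not part of the original message: for a safe prime p = 2q + 1 the range check 2 <= y <= p-2 alone rules out every small subgroup, while for a group whose modulus has a large cofactor (the RFC 5114 shape) the receiver must additionally compute y^q mod p, a full-size exponentiation, to reject a peer value of small order. The group parameters below are constructed toy values (an assumption for readability, not the RFC 5114 groups); the helper names are the author's own.

```python
# Added example: DH public-key validation for the two kinds of group contrasted above.
# Toy parameters are constructed (assumption: not RFC 5114 values) so the orders are
# visible; with real 2048-bit groups the pow() calls below are the cost being discussed.

SAFE_P = 23              # safe prime: p = 2q + 1 with q = 11 prime
SAFE_Q = 11

SUBGROUP_P = 331         # p - 1 = 330 = 2 * 3 * 5 * 11: intended subgroup q = 11, cofactor h = 30
SUBGROUP_Q = 11
SUBGROUP_H = 30          # small factors 2, 3, 5 give a malicious peer small-order elements


def multiplicative_order(y: int, p: int) -> int:
    """Order of y in Z_p^*: smallest k >= 1 with y^k = 1 (mod p). Brute force, toy sizes only."""
    acc, k = y % p, 1
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k


def validate_safe_prime_pubkey(y: int, p: int) -> bool:
    """Cheap check for a safe prime p = 2q + 1: rejecting 0, 1 and p - 1 leaves only
    elements of order q or 2q, so the shared secret cannot be confined to a small subgroup."""
    return 2 <= y <= p - 2


def validate_subgroup_pubkey(y: int, p: int, q: int) -> bool:
    """Check for a group with a cofactor: besides the range check, confirm y lies in the
    order-q subgroup. The pow() with the full-size exponent q is the costly part."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def subgroup_generator(p: int, q: int, h: int) -> int:
    """Honest generator of the order-q subgroup: any x^h that is not 1 has order q."""
    for x in range(2, p):
        g = pow(x, h, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


def element_of_order(p: int, order: int) -> int:
    """An element of the given small order (the kind of value a misbehaving peer sends)."""
    for x in range(2, p):
        if multiplicative_order(x, p) == order:
            return x
    raise ValueError("no element of that order")


def shared_secret_space(y: int, p: int) -> int:
    """How many distinct shared secrets y^a mod p the receiver can end up with."""
    return len({pow(y, a, p) for a in range(1, p)})


if __name__ == "__main__":
    bad = element_of_order(SUBGROUP_P, 3)
    print("order-3 element", bad, "passes range check:", validate_safe_prime_pubkey(bad, SUBGROUP_P))
    print("but fails subgroup check:", validate_subgroup_pubkey(bad, SUBGROUP_P, SUBGROUP_Q))
    print("shared secret confined to", shared_secret_space(bad, SUBGROUP_P), "values")
    g = subgroup_generator(SUBGROUP_P, SUBGROUP_Q, SUBGROUP_H)
    print("honest generator", g, "has order", multiplicative_order(g, SUBGROUP_P))
    print("orders possible after the safe-prime range check:",
          sorted({multiplicative_order(y, SAFE_P) for y in range(2, SAFE_P - 1)}))
```

With the cofactor group, an order-3 element passes the range check and confines the shared secret to three values, which only the extra exponentiation catches; with the safe prime, every value that survives the range check has order 11 or 22, so the cheap check is sufficient.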