Nils Larsch wrote:
> 
> On Thursday, 25. April 2002 22:47, you wrote:
> > Hi,
> >
> > I'm trying to use DH params from
> > <http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-modp-groups-04.txt>,
> > but none get imported in openssl, and openssl returns
> > DH_NOT_SUITABLE_GENERATOR... Can anyone give me a reason why ??
> 
> Hi Aslam,
> 
> the problem is that DH_check() checks whether the supplied generator
> ( in our case 2 ) is a generating element of the full multiplicative
> group ( of the field GF(p) ) . In the DH-parameters from the
> draft-ietf-ipsec-ike-modp-groups-04.txt ( created in accordance
> with rfc-2412 Appendix E ) the generator 2 is a quadratic
> residue mod p ( e.g. there exists an x in GF(p) with 2 = x^2 mod p )
> and hence 2 is not a generator of the full multiplicative group.
> I propose you ignore ( if you can ) the result of DH_check(),
> because I don't think the parameters are insecure :)

In general, if you generate a large subset, you are still secure. In
fact, using a generator, g, that generates the whole group leaks the
bottom bit of k, given g^k. You also can't invert the exponents if the
generator generates the whole group. Both of these are discussed in my
paper on Lucre (http://anoncvs.aldigital.co.uk/lucre/theory2.pdf).

Note that RFC 2412 says: "Note that 2 is technically not a generator in
the number theory sense, because it omits half of the possible residues
mod P.  From a cryptographic viewpoint, this is a virtue.", which is
precisely the type of generator I use for Lucre. To check for that, we
check that: g^2 mod p != 1 and g^((p-1)/2) mod p == 1. We should perhaps
revise the OpenSSL checks to do that. It should also be required that
(p-1)/2 is prime, so that, too, should be checked. Of course, this would
break all existing "satisfactory" DH parameters. Hmmm.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
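
The checks proposed in the message above (g^2 mod p != 1, g^((p-1)/2) mod p == 1, and (p-1)/2 prime), together with the bottom-bit leak for a full-group generator, as an added example that is not part of the original message and not OpenSSL's code. The function names and the toy safe prime p = 23 are constructed for illustration.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def check_subgroup_generator(p, g):
    """Apply the checks from the message; return the list of failures."""
    q = (p - 1) // 2
    problems = []
    if not (is_probable_prime(p) and is_probable_prime(q)):
        problems.append("p and (p-1)/2 must both be prime")
    if pow(g, 2, p) == 1:
        problems.append("g^2 mod p == 1")
    if pow(g, q, p) != 1:
        problems.append("g^((p-1)/2) mod p != 1")
    return problems

def leaked_low_bit(p, y):
    """Legendre symbol of y = g^k mod p; equals k mod 2 when g generates
    the full group, and is always 0 when g has order (p-1)/2."""
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1

if __name__ == "__main__":
    p = 23  # constructed toy safe prime: (23-1)/2 = 11 is prime
    print("g=2:", check_subgroup_generator(p, 2))  # order-11 subgroup
    print("g=5:", check_subgroup_generator(p, 5))  # full-group generator
    for k in (6, 7):
        print("k =", k, "leak with g=5:", leaked_low_bit(p, pow(5, k, p)),
              "leak with g=2:", leaked_low_bit(p, pow(2, k, p)))
```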
