# Re: SSL/TLS DHE suites and short exponents

**From:** Paul Rubin (*//phr.cx@NOSPAM.invalid*)

**Date:** 03/08/03


From: Paul Rubin <http://phr.cx@NOSPAM.invalid> Date: 07 Mar 2003 19:31:17 -0800

ggr@qualcomm.com (Gregory G Rose) writes:

> To be safe, the group needs to have one (or more) large subgroup;
> usually that is chosen so that q (the prime order of the subgroup)
> has the desired 160-odd bits, or so that q == (p-1)/2. In any case,
> the recipient should check that the public key received is a member
> of the order-q subgroup by checking that k^q == k (mod p).

The recipient has to know q and check it for primality in order to do that. Do any actual implementations actually work that way?
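The recipient-side work discussed in this message, as an added example (not code from either poster or from any TLS implementation): the domain parameters are checked first, including the primality of q, and only then is a received public value tested, here with the usual y^q ≡ 1 (mod p) form of the subgroup membership test. All function names and the toy parameters are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True

def check_group(p, q, g):
    """Checks on the domain parameters, done once per (p, q, g)."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0              # q divides the group order
            and 1 < g < p - 1
            and pow(g, q, p) == 1)            # g lies in the order-q subgroup

def check_public_key(y, p, q):
    """Membership test for a received public value y; assumes check_group passed."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

# Constructed toy parameters, far too small for real use.
P, Q, G = 2039, 1019, 4        # safe prime: P = 2*Q + 1
BAD_P, BAD_Q = 2311, 1155      # BAD_Q = 3*5*7*11 divides BAD_P - 1 but is composite

def small_order_element(p, r):
    """Find an element of order exactly r (r prime, r | p-1) by cofactor exponentiation."""
    return next(h for a in range(2, p) if (h := pow(a, (p - 1) // r, p)) != 1)

if __name__ == "__main__":
    h = small_order_element(BAD_P, 3)
    print(check_group(P, Q, G), check_public_key(pow(G, 123, P), P, Q))
    print(check_public_key(h, BAD_P, BAD_Q), check_group(BAD_P, BAD_Q, 4))
```

With the composite `BAD_Q`, the exponent test alone accepts an element of order 3; only the primality check in `check_group` rejects those parameters.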
