Re: SSL/TLS DHE suites and short exponents

From: Paul Rubin (//phr.cx@NOSPAM.invalid)
Date: 03/08/03


From: Paul Rubin <http://phr.cx@NOSPAM.invalid>
Date: 07 Mar 2003 19:31:17 -0800

ggr@qualcomm.com (Gregory G Rose) writes:
> To be safe, the group needs to have one (or more) large subgroup;
> usually that is chosen so that q (the prime order of the subgroup)
> has the desired 160-odd bits, or so that q == (p-1)/2. In any case,
> the recipient should check that the public key received is a member
> of the order-q subgroup by checking that k^q == k (mod p).

The recipient has to know q and check it for primality in order to
do that. Do any actual implementations actually work that way?



Relevant Pages

  • Re: SSL/TLS DHE suites and short exponents
    ... If the client sends a public value of order d and guesses ... the group needs to have one ... > (the prime order of the subgroup) has the desired ...
    (sci.crypt)
  • Re: Diffie-Hellman key exchange
    ... currently practice is to pick a base that generates a subgroup ... of large prime order. ... Now if the result of the D-H is a square, Alice knows that Bob ...
    (sci.crypt)
  • Re: Diffie-Hellman key exchange
    ... of large prime order. ... When the modulus is safe prime 'p', ... is a reason to prefer using the prime-order subgroup. ... Now if the result of the D-H is a square, Alice knows that Bob ...
    (sci.crypt)
  • Underlying group order, and member representation size.
    ... underlying subgroup of prime order of the representational group in PK ... I mean values that are representable but which are not members of the ...
    (sci.crypt)
  • Underlying group order, and member representation size.
    ... underlying subgroup of prime order of the representational group in PK ... I mean values that are representable but which are not members of the ...
    (sci.crypt)