Re: SSL/TLS DHE suites and short exponents
From: Paul Rubin <http://phr.cx@NOSPAM.invalid>
Date: 07 Mar 2003 19:31:17 -0800
firstname.lastname@example.org (Gregory G Rose) writes:
> To be safe, the group needs to have one (or more) large subgroup;
> usually that is chosen so that q (the prime order of the subgroup)
> has the desired 160-odd bits, or so that q == (p-1)/2. In any case,
> the recipient should check that the public key received is a member
> of the order-q subgroup by checking that k^q == k (mod p).
The recipient has to know q and check it for primality in order to
do that. Do any actual implementations actually work that way?
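
As an added example (not part of either post and not taken from any implementation), the recipient-side checks under discussion could look like this in Python, using the usual form of the membership test, y^q == 1 (mod p). The function names and the toy group p = 67, q = 11 are constructed for illustration and are far too small for real use.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:            # write n-1 as d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a is a witness that n is composite
    return True

def check_group(p, q):
    """Domain parameter check: p prime, q prime, and q divides p-1."""
    return is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0

def check_public_key(y, p, q):
    """Range check, then order-q subgroup membership: y^q == 1 (mod p)."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1

def accept_peer_key(y, p, q):
    """Accept y only if the group parameters and the key both validate."""
    return check_group(p, q) and check_public_key(y, p, q)

# Constructed toy group: p = 67, p-1 = 2 * 3 * 11, q = 11.
P, Q = 67, 11
if __name__ == "__main__":
    print(accept_peer_key(64, P, Q))   # 64 = 2^6 mod 67 has order 11
    print(accept_peer_key(29, P, Q))   # 29 has order 3, outside the subgroup
    print(check_public_key(29, P, 33)) # composite "q" = 33 lets order 3 pass
    print(accept_peer_key(29, P, 33))  # primality check on q catches it
```

The third call shows why the membership test alone is not enough: with a composite value supplied as q, an element of small order satisfies y^q == 1 (mod p), so the recipient also has to verify that q is prime.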