Re: SSL/TLS DHE suites and short exponents

From: Paul Rubin (http://phr.cx@NOSPAM.invalid)
Date: 03/08/03


From: Paul Rubin <http://phr.cx@NOSPAM.invalid>
Date: 07 Mar 2003 19:31:17 -0800

ggr@qualcomm.com (Gregory G Rose) writes:
> To be safe, the group needs to have one (or more) large subgroup;
> usually that is chosen so that q (the prime order of the subgroup)
> has the desired 160-odd bits, or so that q == (p-1)/2. In any case,
> the recipient should check that the public key received is a member
> of the order-q subgroup by checking that k^q == k (mod p).

The recipient has to know q and check it for primality in order to
do that. Do any actual implementations actually work that way?
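
The check discussed in this exchange, as an added example that is not part of the original posts or of any implementation they mention: the recipient first confirms that p and q are prime and that q divides p-1, then tests the received value using the standard form of the membership test, k^q ≡ 1 (mod p). The function names and the toy parameters (p = 43, q = 7 and the safe prime p = 2039, q = 1019) are constructed for illustration.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; never rejects a prime, errs on composites with p <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def group_is_valid(p, q):
    """The recipient's side of the argument: q must be prime and divide p-1."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0)

def public_key_is_valid(k, p, q):
    """Accept k only if it lies in the order-q subgroup of Z_p^*."""
    if not group_is_valid(p, q):
        return False
    if not 1 < k < p - 1:        # excludes 0, 1 and p-1 (order 2)
        return False
    return pow(k, q, p) == 1     # order of k divides prime q, and k != 1

if __name__ == "__main__":
    # Constructed toy group: p - 1 = 42 = 2 * 3 * 7, subgroup order q = 7.
    print(public_key_is_valid(21, 43, 7))    # 21 has order 7
    print(public_key_is_valid(36, 43, 7))    # 36 has order 3
    # A composite "q" = 21 would let the order-3 value through the
    # exponentiation test alone, which is why q's primality matters.
    print(pow(36, 21, 43) == 1, public_key_is_valid(36, 43, 21))
    # Constructed safe prime: p = 2q + 1.
    print(public_key_is_valid(4, 2039, 1019), public_key_is_valid(2035, 2039, 1019))
```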