| |
 |
|
|
Science Forum Index » Cryptography Forum » RSA vs DH
Page 4 of 6 Goto page Previous 1, 2, 3, 4, 5, 6 Next
|
| Author |
Message |
| Paul Rubin |
 Posted: Fri Dec 19, 2003 3:36 pm |
|
|
|
Guest
|
djohn37050@aol.com (DJohn37050) writes:
Quote: There are 5 security levels 80, 112, 128, 192 and 256. The q size is twice
that. P is 1024, 2048, 3072, 8192, 15360. There are also p of 4096 and 6144
assessed as 128.
Where'd they get these numbers--a magic 8 ball? |
|
|
| Back to top |
|
| DJohn37050 |
| Posted: Fri Dec 19, 2003 4:16 pm |
|
|
|
Guest
|
i got the numbers from NIST disclosure to ANSI X9F1 plans for DSA which also
translates to DH.
Don Johnson |
|
|
| Back to top |
|
| DJohn37050 |
| Posted: Fri Dec 19, 2003 4:18 pm |
|
|
|
Guest
|
nIST got these numbers from 80 bits of security being current and good to 2010,
112 being tdes good to 2030, 128 being aes-l and good for 2031+ with 192 and
256 for extra security assurances.
Don Johnson |
|
|
| Back to top |
|
| Gregory G Rose |
| Posted: Sat Dec 20, 2003 2:30 am |
|
|
|
Guest
|
In article <87r7z1jgsu.fsf@saltationism.subnet.hedonism.cluefactory.org.uk>,
Paul Crowley <paul@JUNKCATCHER.ciphergoth.org> wrote:
Quote: This way madness lies.
Regrettably, no.
Quote: The best way to design a crypto protocol which guards against
incompetent implementation is to make it easy to get right. Asking
one end to check the competence of the other end is a lost cause; you
will add enormous complication to that end and only check for a small
class of errors, and the complexity of the implementation is
increased, which increases the chance of error overall.
There are a number of attacks, particularly on
Diffie-Hellman, where a MITM can feed you bad
parameters in such a way that can break the
system. These checks are not optional.
Quote: No, the only time I'm going to check that group parameters were fairly
generated will be when you ask me to generate a public key using
parameters you specify.
I don't think we were referring to checking the
group parameters. We were referring to checking
which subgroup the D-H public key belonged in.
(That's if I'm remembering the thread correctly.)
This is a necessary check.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au |
|
|
| Back to top |
|
| Roger Schlafly |
| Posted: Sat Dec 20, 2003 3:55 am |
|
|
|
Guest
|
"Gregory G Rose" <ggr@qualcomm.com> wrote
Quote: I don't think we were referring to checking the
group parameters. We were referring to checking
I think Don wanted to check the group parameters. |
|
|
| Back to top |
|
| Gregory G Rose |
| Posted: Sat Dec 20, 2003 5:12 am |
|
|
|
Guest
|
In article <q8UEb.4922$Ep2.958295183@twister1.starband.net>,
Roger Schlafly <rogersc@mindspring.com> wrote:
Quote: "Gregory G Rose" <ggr@qualcomm.com> wrote
I don't think we were referring to checking the
group parameters. We were referring to checking
I think Don wanted to check the group parameters.
(a) damn this newsfeed... I only ever have half
the context.
(b) even so... to check that a particular D-H
public key is in the order-q (for whatever large
prime q it is that divides p-1) subgroup, you have
to know the factorization of p-1, and to know that
it either has to be built in, or provided by the
other end in which case you should check it, or
you have to factor p-1 at the client which is
really a big ask...
So I still refute the statement that there's no
point checking parameters.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au |
|
|
| Back to top |
|
| Paul Crowley |
| Posted: Sat Dec 20, 2003 5:59 am |
|
|
|
Guest
|
"Roger Schlafly" <rogersc@mindspring.com> writes:
Quote: There is no reliable way to check either her competence or her
parameters. It is possible to construct weak DSA parameters, but
she would have to do so willfully.
If I want many people to use the same parameters for their keys, then
I can use the "official" method to generate them, and display the seed
and count to prove that they were generated with this method. This
would make imposing cooked DSA parameters extremely difficult.
--
__ Paul Crowley
\/ o\ sig@paul.ciphergoth.org
/\__/ http://www.ciphergoth.org/ |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Sat Dec 20, 2003 6:42 am |
|
|
|
Guest
|
Gregory G Rose wrote:
Quote: There are a number of attacks, particularly on
Diffie-Hellman, where a MITM can feed you bad
parameters in such a way that can break the
system. These checks are not optional.
Yes, if the TLS server has a static DH key a rogue client can send a
sequence of ephemeral DH keys starting at -1 (mod p) and gradually learn
the server private key.
However, I am not sure such attacks can be made to work against
authenticated ephemeral DH. If the server doesn't require client
authentication but the client requires server authentication, the MITM
will be able to impersonate the client but not to impersonate the server
(because the client will reject the server key exchange message unless
it is signed by the server). |
|
|
| Back to top |
|
| Paul Crowley |
| Posted: Sat Dec 20, 2003 7:11 am |
|
|
|
Guest
|
"Roger Schlafly" <rogersc@mindspring.com> writes:
Quote: "Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote
I thought FIPS pub whatever said 512-1024 bits. Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
You can make both parameters as large as you like. See IEEE-1363.
The largest discrete logs in a non-special field that anyone has done
were only about 400 bits, so 1024 bits is plenty secure for most
purposes anyway.
I was under the impression that for the same key sizes, DL and
factorization were around the same difficulty, which would suggest
that factorization has only been extended to longer keys because it is
the more famous problem. Disclaimer, however: I do not understand
NFS, nor its applicability to discrete log.
--
__ Paul Crowley
\/ o\ sig@paul.ciphergoth.org
/\__/ http://www.ciphergoth.org/ |
|
|
| Back to top |
|
| David Wagner |
| Posted: Sat Dec 20, 2003 8:42 am |
|
|
|
Guest
|
Gregory G Rose wrote:
Quote: There are a number of attacks, particularly on
Diffie-Hellman, where a MITM can feed you bad
parameters in such a way that can break the
system. These checks are not optional.
But not if the parameters are signed by the party you wanted to
communicate with, surely? Or is there some more subtle protocol
attack that I overlooked?
Quote: I don't think we were referring to checking the
group parameters. We were referring to checking
which subgroup the D-H public key belonged in.
(That's if I'm remembering the thread correctly.)
This is a necessary check.
Oh, I agree that this check is necessary (or at least, a very good
idea), but I thought we were talking about the group parameters... |
|
|
| Back to top |
|
| DJohn37050 |
| Posted: Sat Dec 20, 2003 10:21 am |
|
|
|
Guest
|
The way aNSI X9 and NISt words it is that one needs assurance of validity of DP
and public keys. If one has no assurance or if one knows they are invalid,
then one should not use them. There are various ways assurance can be
provided.
My scenario was that someone gave me a new set of DP. My choice would be to
ensure the DP are good arithmetically (i.e., meet the standard's spec), that
is, not solely rely on the other user's system to do it right. It is
straightforward to check. There can be HW errors, SW errors, intermittent
errors, user errors and errors introduced by an adversary. One can hope or
one can check or one may have other means of assurance. Hoping in this biz
does not seem right to me.
Don Johnson |
|
|
| Back to top |
|
| Tom St Denis |
| Posted: Sat Dec 20, 2003 10:46 am |
|
|
|
Guest
|
"DJohn37050" <djohn37050@aol.com> wrote in message
news:20031220102131.13580.00001430@mb-m10.aol.com...
Quote: The way aNSI X9 and NISt words it is that one needs assurance of validity
of DP
and public keys. If one has no assurance or if one knows they are
invalid,
then one should not use them. There are various ways assurance can be
provided.
My scenario was that someone gave me a new set of DP. My choice would be
to
ensure the DP are good arithmetically (i.e., meet the standard's spec),
that
is, not solely rely on the other user's system to do it right. It is
straightforward to check. There can be HW errors, SW errors,
intermittent
errors, user errors and errors introduced by an adversary. One can hope
or
one can check or one may have other means of assurance. Hoping in this
biz
does not seem right to me.
See I do it the funner way in LTC now... When you make a DH key the
parameters are stuck in LTC. So you can test them once an go about your
business. When you make a DSA key your key has your own q, p and g. I
wrote a routine to test a persons public key [e.g. the parameters work] but
you never use them to make your own DSA key.
This might sound like a bad idea except that key generation is very fast
[under 1/2 second for a 160/1024 key on my 1.7Ghz Athlon XP]. In fact the
keygen time is roughly equal to the time it takes to make the prime p.
Point being though is that there is no risk of making your own key pair off
of an attackers weak (p, q, g)-tuple.
Tom |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Sat Dec 20, 2003 12:54 pm |
|
|
|
Guest
|
DJohn37050 wrote:
Quote: The way aNSI X9 and NISt words it is that one needs assurance of validity of DP
and public keys. If one has no assurance or if one knows they are invalid,
then one should not use them. There are various ways assurance can be
provided.
My scenario was that someone gave me a new set of DP. My choice would be to
ensure the DP are good arithmetically (i.e., meet the standard's spec), that
is, not solely rely on the other user's system to do it right. It is
straightforward to check. There can be HW errors, SW errors, intermittent
errors, user errors and errors introduced by an adversary. One can hope or
one can check or one may have other means of assurance. Hoping in this biz
does not seem right to me.
I agree completely: The ((p-1)/q)x(q/(p-1)) (mod q) cofactor
exponentiation trick from IEEE 1363 (was it you?) is one of the things
one could do. |
|
|
| Back to top |
|
| Roger Schlafly |
| Posted: Sat Dec 20, 2003 1:23 pm |
|
|
|
Guest
|
"DJohn37050" <djohn37050@aol.com> wrote
Quote: My scenario was that someone gave me a new set of DP. My choice would be
to
ensure the DP are good arithmetically (i.e., meet the standard's spec),
that
is, not solely rely on the other user's system to do it right.
If you have excess cycles, and you are eager to burn them with
superfluous checks, then go ahead. But it is a rare situation that
an attack is even possible. Most users can forget about it, without
any possible harm. |
|
|
| Back to top |
|
| DJohn37050 |
| Posted: Sat Dec 20, 2003 8:13 pm |
|
|
|
Guest
|
If the DP are invalid, basically all bets are off, including validation of the
subgroup order of a public key meaning anything. Roger, of course, can choose
to be as insecure as he wants to be.
Don Johnson |
|
|
| Back to top |
|
| |
Page 4 of 6 Goto page Previous 1, 2, 3, 4, 5, 6 Next
All times are GMT - 5 Hours
The time now is Fri Oct 10, 2008 11:31 pm
|
|