paul at ciphergoth.org
Mon Jun 6 12:41:08 PDT 2005
Brad Fitzpatrick wrote:
>>We could do without but it's warm fuzzies for the cryptographer at
>>little cost here...
> your call, security dictator.
Just looked at the javax.crypto definitions, and they don't have
anything for DH over Schnorr groups, only plain DH. Same for Perl
implementations, and what I could find of Python ones, and SSH and
OpenSSL. And SSH, at least, uses moduli of the form p = 2q + 1, which
also helps resist the sorts of attack I'm worried about, so long as you
don't accept values of 1 or p-1 for g^x or g^y. Given all that, it's not
worth being different here.
PKCS #3 (ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-3.asc) recommends
that the group parameters be chosen by a central authority, though, and
that's my inclination if it wouldn't offend anyone too much. We'll just
use some group parameters that SSH also uses. The first line in my SSH
moduli file looks like it would be fine.
Paul Crowley, paul at ciphergoth.org
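The point of the message, plain DH over a safe-prime group with 1 and p-1 rejected as public values, worked through as an added example. This is not code from the message, from the yadis project, or from any of the libraries it names; the Miller-Rabin routine, the safe-prime generator, the choice of private exponents in [1, q-1], and the sample moduli-format line (p = 23, g = 5, written the way an OpenSSH moduli(5) line is laid out) are all constructed for this illustration.

```python
# Added example (not from the original message or the yadis project): plain
# Diffie-Hellman over a safe-prime group p = 2q + 1 with the public-value
# check described in the message.  Standard library only; the primality
# test and the sample moduli line are constructed for this demo.
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for vetting group parameters."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and q = (p-1)/2 are prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_safe_prime(bits):
    """Random safe prime of exactly `bits` bits (pure Python: keep bits small)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def element_order(y, p):
    """Order of y in Z_p^* for a safe prime p; the only possibilities are 1, 2, q, 2q."""
    q = (p - 1) // 2
    y %= p
    if y == 1:
        return 1
    if y == p - 1:
        return 2
    return q if pow(y, q, p) == 1 else 2 * q


def public_value_ok(y, p):
    """The check from the message: y must lie strictly between 1 and p-1.
    In a safe-prime group, 1 and p-1 are the only elements of small order
    (orders 1 and 2), so this is the whole small-subgroup defence needed."""
    return 1 < y < p - 1


def validate_public_value(y, p):
    if not public_value_ok(y, p):
        raise ValueError("DH public value must lie strictly between 1 and p-1")
    return y


def dh_keypair(p, g):
    # Private exponent in [1, q-1] (a design choice for this demo): for any g of
    # order q or 2q the public value g^x can then never be 1 or p-1 itself.
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dh_shared_secret(x, peer_public, p):
    validate_public_value(peer_public, p)
    return pow(peer_public, x, p)


def exchange_agrees(p, g):
    """Run both sides of the exchange; True when they derive the same secret."""
    xa, ya = dh_keypair(p, g)
    xb, yb = dh_keypair(p, g)
    return dh_shared_secret(xa, yb, p) == dh_shared_secret(xb, ya, p)


def check_moduli_line(line):
    """Vet one line laid out like an OpenSSH moduli(5) entry
    ('time type tests tries size generator modulus-hex'): the modulus must be
    a safe prime and the generator must have order q or 2q.  The size field
    is not checked here."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 whitespace-separated fields")
    g, p = int(fields[5]), int(fields[6], 16)
    return is_safe_prime(p) and element_order(g, p) >= (p - 1) // 2


# Constructed sample line (not from any real moduli file): p = 0x17 = 23, g = 5.
SAMPLE_MODULI_LINE = "20050606124108 2 6 100 4 5 17"

if __name__ == "__main__":
    p = generate_safe_prime(64)
    print("64-bit safe prime:", p, "exchange agrees:", exchange_agrees(p, 2))
    print("sample moduli line acceptable:", check_moduli_line(SAMPLE_MODULI_LINE))
```

The order function is what justifies the message's check: in a group of order 2q with q prime, every element has order 1, 2, q or 2q, and only 1 and p-1 have the first two, so rejecting those two values leaves a peer no way to push the shared secret into a small subgroup. Vetting a moduli line before adopting it, rather than trusting that it "looks fine", costs one safe-prime test.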