=JeffH | 8 Mar 18:12 2012

fyi: initial draft of "Ciphers in Use in the Internet" is now available

Of possible interest..

Subject: [Cfrg] Fwd: New Version Notification for
	draft-irtf-cfrg-cipher-catalog-00.txt
From: David McGrew <mcgrew <at> cisco.com>
Date: Tue, 6 Mar 2012 07:05:24 -0500 (04:05 PST)
To: cfrg <at> irtf.org

Hi,

the initial version of "Ciphers in Use in the Internet" is now available at 
<http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-00>.   Sean and I 
ask for your review, constructive criticism, and input.    Some parts of the 
draft need more detail and organization, but it should be in sound enough shape 
for review.

If you have text to contribute, that would be appreciated, especially if you 
can supply citations for the more consequential statements.

regards,

David

Begin forwarded message:

 > From: internet-drafts <at> ietf.org
 > Subject: New Version Notification for draft-irtf-cfrg-cipher-catalog-00.txt
 > Date: March 5, 2012 8:35:57 PM EST
 > To: mcgrew <at> cisco.com
 > Cc: shenshuo <at> cnnic.cn

Sean Turner | 12 Mar 14:18 2012

Call for SAAG presentation topics

Folks,

Stephen and I are putting together the SAAG agendas for Paris.

The agenda traditionally includes one or two invited presentations after 
the working group reports.  We would appreciate submission of 
presentation topics that you believe would be of interest to the 
community.  If you can identify an appropriate presenter (not 
necessarily yourself) that would be helpful.

Thanks,

spt
Tom Yu | 14 Mar 03:09 2012

are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)

Anyone here able to answer the following?  Or should I ask CFRG?  Thanks.

To: ietf-krb-wg <at> lists.anl.gov
From: Tom Yu <tlyu <at> MIT.EDU>
Date: Fri, 09 Mar 2012 14:53:23 -0500
Subject: Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities

Also, could someone with better number theory and/or cryptography
experience than me please confirm whether the RFC 3526 primes are
indeed safe primes?
Jon Callas | 14 Mar 04:04 2012

Re: are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)


On Mar 13, 2012, at 7:09 PM, Tom Yu wrote:

> Anyone here able to answer the following?  Or should I ask CFRG?  Thanks.
> 
> To: ietf-krb-wg <at> lists.anl.gov
> From: Tom Yu <tlyu <at> MIT.EDU>
> Date: Fri, 09 Mar 2012 14:53:23 -0500
> Subject: Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities
> 
> Also, could someone with better number theory and/or cryptography
> experience than me please confirm whether the RFC 3526 primes are
> indeed safe primes?

What would make them non-safe primes?

I'm not being dismissive, I want to know what the concern is.

Is this related to the weak RSA key brou-ha-ha? Or is it just a matter of making sure that they've been
properly vetted not to have number-theoretic issues?

In other words, what's the *real* question?

	Jon

Nico Williams | 14 Mar 04:16 2012

Re: are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)

On Tue, Mar 13, 2012 at 10:04 PM, Jon Callas <jon <at> callas.org> wrote:
> On Mar 13, 2012, at 7:09 PM, Tom Yu wrote:
>> Also, could someone with better number theory and/or cryptography
>> experience than me please confirm whether the RFC 3526 primes are
>> indeed safe primes?
>
> What would make them non-safe primes?
>
> I'm not being dismissive, I want to know what the concern is.
>
> Is this related to the weak RSA key brou-ha-ha? Or is it just a matter of making sure that they've been
> properly vetted not to have number-theoretic issues?

These are DH groups though, so this is not about the RSA common primes problem.

DH MODP groups generally need to have safe primes, or so I understand.  E.g.,

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

which says

"The order of G should be prime or have a large prime factor to
prevent use of the Pohlig–Hellman algorithm to obtain a or b. For this
reason, a Sophie Germain prime q is sometimes used to calculate
p=2q+1, called a safe prime, since the order of G is then only
divisible by 2 and q. g is then sometimes chosen to generate the order
q subgroup of G, rather than G, so that the Legendre symbol of g^a
never reveals the low order bit of a."

I believe Tom is asking whether the primes in RFC3526 are safe in this sense:

Nico Williams | 14 Mar 04:30 2012

Re: are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)

On Tue, Mar 13, 2012 at 10:16 PM, Nico Williams <nico <at> cryptonector.com> wrote:
> I suppose the answer is: subtract 1, div 2, confirm that the result is
> Sophie Germain prime.
>
> I thought of checking the form of the primes myself, but I don't know
> what " { [2^1406 pi] + 741804 }" means in this (from RFC3526):
>
> "
>   The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
> "

Converting the hex given in the RFC to decimal (with $EDITOR and
dc(1)), and then doing mod 6 produces 5.  Mod 4 it's 3.  Mod 12 it's
11.  And that number minus 1, then div 2, is prime.

So I think it's fair to say that the 1536-bit MODP group given in
section 2 of the RFC is prime.  But there may be more features of the
number than can be tested.

Nico
--

Tom Yu | 14 Mar 05:11 2012

Re: are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)

Nico Williams <nico <at> cryptonector.com> writes:

> On Tue, Mar 13, 2012 at 10:16 PM, Nico Williams <nico <at> cryptonector.com> wrote:
>> I suppose the answer is: subtract 1, div 2, confirm that the result is
>> Sophie Germain prime.

Sophie Germain primes are paired with safe primes.  I believe for any
Q that is a Sophie Germain prime, P = 2Q + 1 is a safe prime by
definition.

>> I thought of checking the form of the primes myself, but I don't know
>> what " { [2^1406 pi] + 741804 }" means in this (from RFC3526):
>>
>> "
>>   The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
>> "

It's a fairly simple arithmetic expression that produces the prime in
question.  I don't have enough digits of pi handy to compute it,
though.

> Converting the hex given in the RFC to decimal (with $EDITOR and
> dc(1)), and then doing mod 6 produces 5.  Mod 4 it's 3.  Mod 12 it's
> 11.  And that number minus 1, then div 2, is prime.
>
> So I think it's fair to say that the 1536-bit MODP group given in
> section 2 of the RFC is prime.  But there may be more features of the
> number than can be tested.

The 1536-bit MODP group in RFC 3526 has a safe prime as the modulus,
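The check discussed in this thread, as an added example that is not code from any poster or from the RFC: it rebuilds the 1536-bit modulus from the formula quoted above, reading [x] as the integer part of x, and tests p and (p - 1)/2 with Miller-Rabin. The helper names, the Machin-formula computation of pi and the fixed Miller-Rabin bases are choices made for this example, and the primality result is probabilistic, not a proof.

```python
# Added example: rebuild the RFC 3526 1536-bit modulus from its formula and
# test whether it is a safe prime. Helper names are this example's own.

def arctan_inv(x, scale):
    """Approximate scale * arctan(1/x) with an integer Taylor series."""
    term = scale // x
    total, n, sign, x2 = term, 1, -1, x * x
    while term:
        term //= x2
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total

def floor_pi_times_2pow(bits, guard=64):
    """[2^bits * pi] via Machin's formula, computed with `guard` extra bits."""
    scale = 1 << (bits + guard)
    pi_scaled = 16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)
    return pi_scaled >> guard

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (probabilistic, not a proof)."""
    if n < 2:
        return False
    for b in bases:              # trial division by the small bases first
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 as d * 2^s with d odd
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # base a is a witness that n is composite
    return True

def rfc3526_group5_prime():
    # 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
    return 2**1536 - 2**1472 - 1 + 2**64 * (floor_pi_times_2pow(1406) + 741804)

def is_safe_prime(p):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

if __name__ == "__main__":
    p = rfc3526_group5_prime()
    print(hex(p)[:26], p % 4, p % 6, p % 12, is_safe_prime(p))
```

The residues mod 4, 6 and 12 are necessary for a safe prime above 7 but not sufficient; the primality test on (p - 1)/2 is what decides it.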

Zhu Judy | 15 Mar 02:40 2012

Solicit for time slot for draft-cao-open-sec in the SAAG presentation topics

Stephen and Sean etc AD directors
This is Judy from China Mobile. Could I ask a time slot for presenting the
draft-cao-open-sec?
My colleague Cao Zhen had already delivered. 

Appreciate this so much. 
Judy
-----Original Message-----
From: saag-bounces <at> ietf.org [mailto:saag-bounces <at> ietf.org] On Behalf Of Sean
Turner
Sent: March 12, 2012 21:18
To: saag <at> ietf.org
Subject: [saag] Call for SAAG presentation topics

Folks,

Stephen and I are putting together the SAAG agendas for Paris.

The agenda traditionally includes one or two invited presentations after 
the working group reports.  We would appreciate submission of 
presentation topics that you believe would be of interest to the 
community.  If you can identify an appropriate presenter (not 
necessarily yourself) that would be helpful.

Thanks,

spt

Zhu Judy | 15 Mar 11:52 2012

Re: Solicit for time slot for draft-cao-open-sec in the SAAG presentation topics

Since I am really just a newcomer, so sincerely waiting for the time slot
for draft-cao-open-sec. 
Thanks so much. Hehe
Judy

-----Original Message-----
From: Zhu Judy [mailto:zhuhongru <at> chinamobile.com] 
Sent: March 15, 2012 9:40
To: 'Sean Turner'; 'saag <at> ietf.org'
Cc: 'Hui Deng'; 'Cao Zhen'; 'liufei'
Subject: [saag] Solicit for time slot for draft-cao-open-sec in the SAAG
presentation topics
Importance: High

Stephen and Sean etc AD directors
This is Judy from China Mobile. Could I ask a time slot for presenting the
draft-cao-open-sec?
My colleague Cao Zhen had already delivered. 

Appreciate this so much. 
Judy
-----Original Message-----
From: saag-bounces <at> ietf.org [mailto:saag-bounces <at> ietf.org] On Behalf Of Sean
Turner
Sent: March 12, 2012 21:18
To: saag <at> ietf.org
Subject: [saag] Call for SAAG presentation topics

Folks,


Tero Kivinen | 14 Mar 05:11 2012

Re: are RFC 3526 primes "safe"? (Re: [Ietf-krb-wg] RFC 4556 DH parameter oddities)

Nico Williams writes:
> On Tue, Mar 13, 2012 at 10:04 PM, Jon Callas <jon <at> callas.org> wrote:
> > On Mar 13, 2012, at 7:09 PM, Tom Yu wrote:
> >> Also, could someone with better number theory and/or cryptography
> >> experience than me please confirm whether the RFC 3526 primes are
> >> indeed safe primes?

The primes in the RFC3526 are generated using the same method as for
RFC2409, i.e. using the method described in the RFC2412:

----------------------------------------------------------------------
2.8 Additional Security for Privacy Keys: Private Groups
...
   The security of a modular exponentiation group depends on the largest
   prime factor of the group size.  In order to maximize this, one can
   choose "strong" or Sophie Germaine primes, P = 2Q + 1, where P and Q
   are prime.  However, if P = kQ + 1, where k is small, then the
   strength of the group is still considerable.  These groups are known
   as Schnorr subgroups, and they can be found with much less
   computational effort than Sophie-Germaine primes.
...
APPENDIX E The Well-Known Groups
...
   The primes for groups 1 and 2 were selected to have certain
   properties.  The high order 64 bits are forced to 1.  This helps the
   classical remainder algorithm, because the trial quotient digit can
   always be taken as the high order word of the dividend, possibly +1.
   The low order 64 bits are forced to 1.  This helps the Montgomery-
   style remainder algorithms, because the multiplier digit can always
   be taken to be the low order word of the dividend.  The middle bits

