At 03:07 PM 01/01/2003 -0800, Zulfikar Ramzan replied to Adam:
Anton Stiglic has a paper on various security issues that arise in DH implementations: http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf
The Photuris keying system (RFC2522) also has some good insight into Diffie-Hellman implementation issues, including a lot of emphasis on who picks what parameters (initiator vs. responder) to reduce threats, guidelines for acceptable parameters, and the cookie exchange that reduces spoofing attacks.
Stiglic's paper goes into a lot of explanation about some issues of safe parameters, particularly recommendations for sufficiently safe primes. Much of the discussion on the net about prime safety for DH has been about whether safe primes are necessary or not worth the bother, and at least with the current methods for factoring, it's believed they aren't needed. (One catch, of course, is that the best factoring method 10 or 50 years from now may be affected by safe vs. unsafe primes.) At least in the initial Photuris versions, there were some standard choices of primes that everybody used, so it made sense to pick Sophie-Germain primes anyway.
Stiglic also refers to use of cookie puzzles such as hashcash to further reduce the risk of swamp-the-responder attacks by letting the responder force the initiator to do work taking arbitrary amounts of time before the responder needs to do any exponentiation work, which can let the responder manage its total workload, with much more impact on an attacker (or a slashdotting) than on non-malicious users.
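The cookie-puzzle idea from the message above, sketched as an added example (not part of the original message, and not code from Photuris or from Stiglic's paper): the responder answers a first message with a stateless HMAC cookie and a hashcash-style puzzle, and does no exponentiation until a cheap check of the solution passes. The function names, the SHA-256 construction, the 60-second lifetime and the sample peer address are assumptions.

```python
import hashlib, hmac, os, struct, time

SECRET = os.urandom(32)   # responder-local secret (assumed to be rotated periodically)
MAX_AGE = 60              # seconds a challenge stays valid (assumed value)

def _cookie(peer, ts, bits):
    # Stateless: recomputed on verification, so no per-initiator memory is held.
    # Binding `bits` stops an initiator from claiming an easier puzzle.
    return hmac.new(SECRET, peer + struct.pack(">QB", ts, bits), hashlib.sha256).digest()

def issue_challenge(peer, bits, now=None):
    """Responder: cheap reply to a first message; no exponentiation yet."""
    ts = int(time.time()) if now is None else now
    return ts, bits, _cookie(peer, ts, bits)

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(cookie, bits):
    """Initiator: search for a nonce; expected cost is about 2**bits hashes."""
    nonce = 0
    while True:
        d = hashlib.sha256(cookie + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1

def verify(peer, ts, bits, cookie, nonce, now=None, min_bits=0):
    """Responder: one HMAC and one hash. Only a True result earns DH work."""
    now = int(time.time()) if now is None else now
    if not (min_bits <= bits <= 255) or not (0 <= nonce < 2**64):
        return False
    if not (0 <= now - ts <= MAX_AGE):          # stale or future-dated challenge
        return False
    if not hmac.compare_digest(cookie, _cookie(peer, ts, bits)):
        return False                            # forged, or issued to another peer
    d = hashlib.sha256(cookie + struct.pack(">Q", nonce)).digest()
    return _leading_zero_bits(d) >= bits

if __name__ == "__main__":
    peer = b"192.0.2.7:500"                     # constructed sample address
    ts, bits, cookie = issue_challenge(peer, 16)
    nonce = solve(cookie, bits)
    print("accepted:", verify(peer, ts, bits, cookie, nonce, min_bits=16))
```

Raising `bits` under load is how the responder manages its total workload: each extra bit doubles the initiator's expected cost while verification stays at one HMAC and one hash.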
