IPS security draft: SRP groups

[Paul Koning <ni1d@arrl.net>]

The security draft lists the groups from the SRP reference software,
and in addition it says that the IKE groups may be used.  (It doesn't
appear to allow the 768 bit IKE group, even though it does allow the
768 bit group from the SRP reference code.  I wonder why.)

Tom Wu said in a message dated 4/17/2002:
   g MUST be a generator; omitting half of the possible residues mod P
   is NOT a virtue for SRP because it can lead to an attack.  For the
   IKE moduli, which are all 7 mod 8, g cannot be 2, and it usually
   ends up being either 5 or 7.  g^((N-1)/2) must be -1 (mod N).

This means that the IKE groups cannot be used as they are defined in
the references given, because those do use the value g == 2 (for
reasons that apply to IKE but not to SRP).

Incidentally, the IKE groups come fully documented with a statement
that N was proven (rigorously, not probabilistically) to be prime; I
haven't found the equivalent for the SRP groups.  Does that exist?  If
yes, it would be useful to have a reference pointing to it.

Does the statement in section 2.4.2 (verifying N and g) mean:
  a. An implementation may match N and g against the list in Appendix A
     and refuse any others
or
  b. An implementation may match N and g against the list in Appendix A
     but on a mismatch is required to verify that N and g define a
     valid group
?

The text says "MAY start..." which seems to suggest (b).  But (b) is
very expensive, and it doesn't seem to be a good idea to mandate (or
even encourage) a denial of service opportunity like that.

	paul