Re: IPS security draft: SRP groups

To: Black_David@emc.com
Subject: Re: IPS security draft: SRP groups
From: Tom Wu <tom@arcot.com>
Date: Sun, 07 Jul 2002 21:22:32 -0700
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
References: <277DD60FB639D511AC0400B0D068B71E0564C033@CORPMX14>
Sender: owner-ips@ece.cmu.edu
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607

David,

I'll tackle the SRP generator issue:

For the Oakley Group 2 (1024 bit prime) defined in RFC2412:
Primitive roots (acceptable as SRP generators):
5,11,13,19,29,31
Subgroup generators (NOT acceptable):
2,3,7,17,23

(MODP moduli taken from draft-ietf-ipsec-ike-modp-groups-04.txt)
For the 1536-bit MODP group:
Acceptable generators:
31
NOT acceptable generators:
2,3,5,7,11,13,17,19,23,29

For the 2048-bit MODP group:
Acceptable generators:
11,13,17,23,29,31
NOT acceptable generators:
2,3,5,7,19

For the 3072-bit MODP group:
Acceptable generators:
5,7,17,23,31
NOT acceptable generators:
2,3,11,13,19,29

For the 4096-bit MODP group:
Acceptable generators:
5,13,29,31
NOT acceptable generators:
2,3,7,11,17,19,23

For the 6144-bit MODP group:
Acceptable generators:
5,11,13,17,23,29
NOT acceptable generators:
2,3,7,19,31

For the 8192-bit MODP group:
Acceptable generators:
19,23,29,31
NOT acceptable generators:
2,3,5,7,11,13,17

All the above generators are in base 10 (decimal).

As far as proving the primality of the SRP moduli, that should be done 
by someone with more expertise in the area.  I should point out that 
those moduli are also "safe primes", i.e. both N and (N-1)/2 are prime, 
so it is easy to find generators for them, and I chose numbers that had 
2 as safe SRP generators.

Tom

Black_David@emc.com wrote:
> Missed this earlier, sorry ...
> 
> 
>>Ok.  I didn't know that but I probably would have learned it if I had
>>done the necessary reading about groups and generators.  But the point
>>of my question wasn't "is it possible to compute g" but rather "how
>>about supplying g in the spec" (since the g=2 from IKE is not
>>appropriate).   It seems a bit redundant for everyone to repeat the
>>search for a suitable g...
>>
>>So what's the story about unlisted groups?  Is an implementation that
>>accepts only the groups listed in appendix A, but not any "locally
>>generated" ones, a compliant implementation?
>>
> 
> Yes - accepting those groups and only those groups is the minimum
> (MUST) requirement.  If the IKE groups are to remain allowed, we
> need to specify generators for their use with SRP - please consider
> this to be a serious *PLEA* for someone to volunteer to do the
> crpto-theoretic number crunching needed to find SRP generators for
> those groups and/or prove the primality of the SRP primes.  Lack of
> progress here has the potential to hold up the security draft on
> which *all* of our protocol drafts depend (normative references).
> We can promise at least 30 minutes of fame (*twice* the proverbial
> 15 ;-) ) to those who resolve this issue ...
> 
> Thanks,
> --David
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 249-6449            FAX: +1 (508) 497-8018
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------


-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."

References:
- RE: IPS security draft: SRP groups
  - From: Black_David@emc.com

Prev by Date: ISCSI: comments on iSCSI 14.
Next by Date: Introduction on ADSL
Prev by thread: RE: IPS security draft: SRP groups
Next by thread: RE: IPS security draft: SRP groups
Index(es):
- Date
- Thread

Home

Last updated: Mon Jul 08 11:18:49 2002
11173 messages in chronological order