[13708] in cryptography@c2.net mail archive
Re: pubkeys for p and g
daemon@ATHENA.MIT.EDU (martin f krafft)
Thu Jun 26 21:25:36 2003
X-Original-To: cryptography@metzdowd.com
Date: Fri, 27 Jun 2003 00:29:47 +0200
From: martin f krafft <madduck@madduck.net>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <002301c33bf4$b10c05c0$4300a8c0@p1038mobile>
> I'm not certain I understand your questions, but here are some
> answers (I think).
To clear this up:
I am well aware how DH works, and what the mathematical properties
of p and g are and have to be.
My point was that some commercial vendors (Check Point and others)
claim that if two partners want to perform a DH key exchange, they
may use their two public keys for g and p. This, in effect, would
mean that g and p were not globally known, but that the public keys
are used in their place.
I am well aware that p and g are globally known as defined in the
chosen DH Group. However, I am wondering how Check Point (and
others) can claim that public keys may well be used in place,
thereby invalidating the need for a globally constant p and g pair.
These public keys are independent of the public keys exchanged as
part of DH, which are simply calculated by the g^x mod p formula of
DH, from the private keys.
Thus every communication party would have a key pair, aA and bB,
where the capital letter is the public key. Then, the following
happens:
let g = A and p = B
let A' = g^a mod p = A^a mod B
and B' = g^b mod p = A^b mod B
and off you go, doing DH with g = A, p = B, and the keypairs aA' and
bB' on either side.
This would, in my opinion, only be possible if:
- there were a rule to decide which public key is p and which
is g.
- all public keys (RSA in this case) are primes.
- all public keys are good generators mod p.
We are writing a book and simply want to have some backup. I am
almost sure that Check Point is bullshitting (wouldn't be the first
time), so unless anyone has actually heard of this possibility, I am
going to write this down and influence a thousand people, basically
claiming that Check Point is wrong.
Does it make sense now?
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
invalid PGP subkeys? use subkeys.pgp.net as keyserver!
experience is what causes a person
to make new mistakes
instead of old ones.
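The three conditions listed in the mail are exactly what a parameter check should enforce before any exchange runs. The following is an added example, not code from the thread or from any vendor: it tests a proposed (p, g) pair, with p required to be a safe prime and g required to lie outside the order-1 and order-2 subgroups. The function names and the small sample numbers (an RSA-style modulus 61 * 53 offered as p) are my own construction.

```python
# Added example: apply the mail's three conditions to a proposed DH pair (p, g).
# Function names and sample values are constructed for illustration.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3.3e24

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3 * 10**24."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**r * d with d odd
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # base a witnesses that n is composite
    return True

def dh_params_ok(p: int, g: int) -> bool:
    """True only if p is a safe prime (p = 2q + 1, q prime) and the order of g
    is q or 2q, i.e. g is not in the trivial or order-2 subgroup."""
    if not is_probable_prime(p):
        return False           # an RSA modulus N = r * s is rejected here
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False           # prime but not safe: small subgroups exist
    if not 1 < g < p - 1:
        return False
    return pow(g, 2, p) != 1   # order divides 2q; excluding 1 and 2 leaves q or 2q

def keys_as_dh_params(A: int, B: int) -> dict:
    """The proposal from the mail, g = A and p = B, with each condition reported."""
    return {
        "p_is_prime": is_probable_prime(B),
        "p_is_safe_prime": is_probable_prime(B) and is_probable_prime((B - 1) // 2),
        "g_generates": dh_params_ok(B, A),
    }
```

Running `keys_as_dh_params(A=2, B=3233)` reports every condition False for the composite modulus, while `keys_as_dh_params(A=5, B=23)` passes all three.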
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com