[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Louis Granboulan louis.granboulan.developer at gmail.com
Mon May 25 17:49:56 EDT 2015


Dear all,

On 25 May 2015 at 22:34, Gregory Maxwell <gmaxwell at gmail.com> wrote:

> On Fri, May 22, 2015 at 2:55 PM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
> > A larger shared prime that is standardized is the safe option of the
> > three - it is hard to know if you've got bad entropy, it is also hard
> > to know if you've chosen badly.
>
> There is an additional argument I think you may find more persuasive
> which I've made about this in the past:
>
> If you use arbitrary groups they must be signaled. This doubles the
> required communication. At most this creates a linear cost increase
> for the attacker (proportional to the number of users).
>
> Using the same communications resources you can instead double the
> size of the static group being used, which is (presumed) to be
> exponentially harder for the attacker.
>
> The same argument can even apply to signaling from a fixed set of
> static groups


Indeed, using a random group should not be decided to protect against
attacks that use precomputation to efficiently attack many users of the
same group.
However, it may be the case that an attack against some public and fixed
group is based on having found specific mathematical properties of that
group. This is unlikely to be the case if the public group was generated
randomly, but it may be the case if it was generated with performance
optimisations in mind. The groups of RFC 3526 are generated such that the
64 lower bits are 1. It would be surprising to find a way to exploit this
property, but they are not based on random primes (whatever random prime
means).
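The structural property Louis points to, checked against the actual RFC 3526 2048-bit MODP prime (group 14), as an added example that is not part of this thread. The hex constant is reproduced from the RFC rather than from the page, so its transcription is an assumption; the Miller-Rabin routine and the `modp_group_profile` helper are written for this example.

```python
import random

# RFC 3526 group 14 (2048-bit MODP) prime, reproduced here from the RFC text;
# the page does not quote it, so the transcription is an assumption.
RFC3526_GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)

def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases: a sanity check, not a primality proof."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def modp_group_profile(p: int) -> dict:
    """Structural checks worth running on a fixed MODP prime before pinning it."""
    bits, mask64 = p.bit_length(), (1 << 64) - 1
    return {
        "bits": bits,
        "low_64_bits_set": p & mask64 == mask64,           # the property Louis points out
        "high_64_bits_set": (p >> (bits - 64)) == mask64,  # the RFC 2412 construction fixes the top bits too
        "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
    }
```

The same profile run on a prime received over the wire (rather than a pinned constant) is one way to notice that a peer is not using a standard group at all.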