I strongly vote for the ES version of D-H. The benefits of not having to
define fixed groups (especially the really small ones needed for dealing
with import/export restrictions of some governments) combined with the
anonymous behavior of ES is just overwhelming.
Jim Schaad
-----Original Message-----
From: Russ Housley [mailto:housley@spyrus.com]
Sent: Friday, October 02, 1998 5:28 AM
To: ietf-smime@imc.org
Subject: Diffie-Hellman Choices
The S/MIME WG needs to select one mandatory to implement variant of
Diffie-Hellman. This note presents the two alternatives that have been
proposed. I would like the WG to discuss these alternatives and then select
the one that will be included in CMS. Both alternatives were presented at
the face-to-face session in Chicago.
The criteria for selecting the most appropriate choice include security,
performance, and patents.
The two alternatives are both variants of X9.42, the ANSI Draft
Diffie-Hellman (D-H) standard.
Static-Static D-H is the first alternative.
Certicom has a pending patent that covers a check to avoid the small
subgroup attack. Certicom has offered a royalty-free license for CMS and PKIX
implementations if this is chosen as the mandatory to implement algorithm.
Static-Static D-H requires one exponentiation per recipient when sending
encrypted messages.
Static-Static D-H provides data origin authentication. This is due to
the originator public key being contained in a certificate.
Static-Static D-H would have a shorter certificate than the Ephemeral-Static
D-H alternative.
The originator certificate is carried in the message. The public key in the
certificate is used by all recipients.
Static-Static D-H requires a common set of D-H parameters (p,q,g) for the
entire community.
Sample processing:
- Certificate contains Ya = ( g ** Xa ) mod p
- Originator certificate transferred in the header
- Originator generates random, R, that is transferred in plaintext in the header
- Key = SHA1 [ ( g ** XaXb ) mod p || algorithm ID || counter || R ]
Ephemeral-Static D-H is the second alternative.
No known patents. If there are any (including pending patents),
please make us aware of them now.
Ephemeral-Static D-H requires two exponentiations per recipient when sending
encrypted messages.
Ephemeral-Static D-H provides no authentication. The originator uses an
ephemeral public/private key pair for each recipient, so there is no
originator certificate.
The recipient certificate must contain the D-H parameters (p,q,g), so the
certificate is longer than the Static-Static D-H alternative.
Neither the originator nor the recipient certificate is carried in the
message.
When generating the ephemeral public/private key pair, the originator uses
the recipient's D-H parameters (p,q,g) obtained from the recipient
certificate. Thus, the community does not need to agree on a common set of
D-H parameters (p,q,g).
Sample processing:
- No originator certificate; Recipient certificate contains Yb = ( g ** Xb ) mod p
- Originator generates D-H key pair for each recipient, using the recipient
p,q,g values
- Originator Yr = ( g ** Xr ) mod p transferred in header for each recipient
- Key = SHA1 [ ( g ** XrXb ) mod p || algorithm ID || counter ]
Which alternative do you prefer? Why?
Russ
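The two "Sample processing" flows above, worked through in Python as an added illustration (not code from the thread or from CMS): a toy group (p,q,g) constructed for the example, the key derivation SHA1[ zz || algorithm ID || counter || R ] for both variants, and a public-key validation step assumed here to be the subgroup-membership test y^q mod p == 1, which is one form of the small-subgroup check the message refers to; the algorithm ID bytes are a constructed placeholder.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only: q = 11 divides p - 1 = 22 and
# g = 4 generates the order-q subgroup of Z_23^*. Real deployments use far larger values.
P, Q, G = 23, 11, 4
ALG_ID = b"constructed-placeholder-algorithm-id"   # stands in for a real algorithm OID


def validate_public_key(y, p=P, q=Q):
    """Assumed small-subgroup check: y must lie strictly inside (1, p-1) and in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keygen(p=P, q=Q, g=G):
    """Private exponent X in [1, q-1], public value Y = g^X mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def derive_key(zz, alg_id, counter, r=b""):
    """Key = SHA1[ zz || algorithm ID || counter || R ]; R is empty in the Ephemeral-Static variant."""
    zz_bytes = zz.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha1(zz_bytes + alg_id + counter.to_bytes(4, "big") + r).digest()


def static_static(xa, ya, xb, yb, r):
    """Both parties hold certified static keys; the random R travels in plaintext in the header.
    Returns (originator key, recipient key); both derive from the same g^(Xa*Xb) mod p."""
    if not (validate_public_key(ya) and validate_public_key(yb)):
        raise ValueError("static public key failed subgroup validation")
    originator_key = derive_key(pow(yb, xa, P), ALG_ID, 1, r)
    recipient_key = derive_key(pow(ya, xb, P), ALG_ID, 1, r)
    return originator_key, recipient_key


def ephemeral_static(xb, yb, xr=None):
    """Originator makes a fresh pair per recipient using the recipient's (p,q,g);
    only Yr is sent in the header. Returns (Yr, originator key, recipient key)."""
    if not validate_public_key(yb):
        raise ValueError("recipient public key failed subgroup validation")
    if xr is None:
        xr, yr = keygen()
    else:
        yr = pow(G, xr, P)
    originator_key = derive_key(pow(yb, xr, P), ALG_ID, 1)
    recipient_key = derive_key(pow(yr, xb, P), ALG_ID, 1)   # recipient uses Yr from the header
    return yr, originator_key, recipient_key
```

Note that a recipient who never validates Yb or Yr would accept 22 (which is -1 mod 23, the order-2 element), so the check is what keeps zz inside the intended subgroup.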