DH in IKE and its parameters

Azim.Ferchichi at SWISSCOM.COM
Thu Apr 13 09:08:46 EDT 2000


Dear all,

In the Diffie-Hellman protocol we have the following:

Alice and Bob choose a large prime 'n' and a number 'g' that has to be
primitive mod n. Then Alice and Bob each choose a large integer (let's say 'x'
for Alice and 'y' for Bob) that they keep secret. Then Alice computes
(g^x) mod n and sends it to Bob. Bob computes (g^y) mod n and sends it to
Alice.
Finally both Alice and Bob compute g^(x.y) mod n, which gives the shared
secret key.
When I looked at the IKE RFC, groups are defined (Oakley groups) to fix some of
the parameters. In group one, 'n', the large prime, is fixed (known value) and
is 768 bits long, and in group two it's also fixed and it's 1024 bits long. In
addition, in the Oakley RFC they give the value of the prime modulus 'g', which is
21 I think. Now concerning the size of the private exponent Alice and Bob
have to choose (size of 'x' and 'y'), there is a vague explanation saying that
''the strength of a key derived from a Diffie-Hellman exchange using any of
the groups defined here depends on the inherent strength of the group, the
size of the exponent used, and the entropy provided by the random number
generator used.'' They recommend, for group one and if the key derived is
used with DES, to use a length of at least 160 bits for the private exponent.
My questions are:
1- Is there any more serious study or recommendation which gives the exponent
size depending on the group (at least for groups 1 and 2), on the encryption
algorithm used within IKE and on the strength of the random number generator?
2- In your experience with the different products, is the private exponent
configurable? If yes, what length did you choose? If no, what is the length set by
default by your product?

Thanks for your help
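As an added illustration of the exchange described in the post (not code from the post or from any IKE implementation), the following Python script runs both sides of a Diffie-Hellman agreement with the private-exponent length as a parameter. It assumes a freshly generated 64-bit safe prime as a stand-in modulus (the Oakley groups use fixed, published 768-bit and 1024-bit primes, which are not reproduced here), the generator g = 2, and a 160-bit exponent as in the recommendation the post quotes; the Miller-Rabin test, the safe-prime generator and the public-value check are all assumptions of this example. It also shows the check a receiver should apply to the peer's public value before using it, which the post's description omits.

```python
"""Diffie-Hellman key agreement over a safe-prime group with a configurable
private-exponent length: each side sends g^x mod p, and both derive
g^(x*y) mod p as the shared secret. Added example, not from the original post."""
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    rng = rng or secrets.SystemRandom()
    if n < 2:
        return False
    for s in _SMALL_PRIMES:          # cheap trial division first
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:                # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness that n is composite
    return True


def is_safe_prime(p, rng=None):
    """p is a safe prime when both p and q = (p-1)/2 are prime; then g = 2
    has order q or 2q, so there is no small subgroup except {1} and {1, p-1}."""
    return p > 5 and is_probable_prime(p, rng=rng) and is_probable_prime((p - 1) // 2, rng=rng)


def generate_safe_prime(bits, rng=None):
    """Random safe prime of exactly `bits` bits (demo sizes only; IKE uses the
    fixed moduli of the Oakley groups rather than a freshly generated prime)."""
    rng = rng or secrets.SystemRandom()
    while True:
        # q has bits-1 bits with top and low bit set, so p = 2q+1 has exactly `bits` bits
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1


def private_exponent(exp_bits, rng=None):
    """Secret exponent of exactly exp_bits bits; the post quotes a minimum of
    160 bits for group 1, and the exponent length is what this parameter sets."""
    rng = rng or secrets.SystemRandom()
    return rng.getrandbits(exp_bits) | (1 << (exp_bits - 1))


def is_valid_public_value(y, p):
    """Accept only 1 < y < p-1. The values 0, 1 and p-1 lie in the trivial
    subgroups, so a peer sending one of them would force the shared secret to a
    guessable value; a receiver must reject them before exponentiating."""
    return 1 < y < p - 1


def shared_secret(peer_public, my_exponent, p):
    if not is_valid_public_value(peer_public, p):
        raise ValueError("peer public value rejected")
    return pow(peer_public, my_exponent, p)


def dh_exchange(p, g, exp_bits, rng=None):
    """Run both sides in one process; returns (Alice's key, Bob's key, A, B)."""
    x = private_exponent(exp_bits, rng)   # Alice's secret
    y = private_exponent(exp_bits, rng)   # Bob's secret
    A = pow(g, x, p)                      # Alice -> Bob
    B = pow(g, y, p)                      # Bob -> Alice
    return shared_secret(B, x, p), shared_secret(A, y, p), A, B


if __name__ == "__main__":
    p = generate_safe_prime(64)           # constructed demo modulus, not an Oakley group
    g = 2
    k_alice, k_bob, A, B = dh_exchange(p, g, exp_bits=160)
    print(f"p={p} g={g}\nA={A}\nB={B}\nsecrets agree: {k_alice == k_bob}")
```

Running it prints a fresh modulus, both public values and confirms that the two sides derive the same secret; changing `exp_bits` changes only the exponent length, which is exactly the knob the post asks about. Real deployments should take the modulus from a published group rather than generating one, and should keep the public-value check even when the group is fixed.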
