[strongSwan-dev] [PATCH] DiffieHellman Groups 22-24 in RFC5114
Joy Latten
latten at austin.ibm.com
Wed Apr 7 23:03:19 CEST 2010
On Wed, 2010-04-07 at 10:12 +0200, Andreas Steffen wrote:
> Hi Joy,
> Joy Latten wrote:
> > This patch adds the MODP DH Groups 22-24 defined in RFC 5114.
> >
> > After consulting with ietf ipsec mailing list, I realized all I needed
> > to do was add the constants for these groups.
> >
> > I tried interoperability testing with openswan's DH groups 22-24.
> > Unfortunately, I could not get strongswan->openswan to work with
> > any of the new or old modp groups. Openswan complained about the message
> > ID it received, which looked correct to me. This problem was outside the
> > scope of my patch.
> > I was able to get openswan->strongswan to work with old and new modp
> > groups.
> >
> > I was also told following on ipsec ietf list:
> >
> > 1. The exponent only needs to be size of q, for group 22-24. I noticed
> > in strongswan it likes to use the size of the prime. I left it like
> > this.
> >
> There is no sense spending a lot of entropy by choosing a secret DH
> exponent which is larger than the size q of the subgroup since the
> resulting public DH factor will just wrap around modulo q.
>
> In order to restrict the secret factor to the size of the subgroup
> either q or at least the number of bits of q (160, 224, 256 bits)
> should be stored in the dh_params tables. Actually they are already
> stored there as the optimum secret size (20, 28, 32 octets) but
> these restrictions should also be heeded with charon's default
> setting
>
> libstrongswan.dh_exponent_ansi_x9_42=yes
>
> where with the normal DH groups the secret is chosen randomly up to
> the full prime p size. So probably an additional column is needed
> in the dh_params table containing the maximum size of ANSI X9.42
> secrets.
>
Should I go ahead and make this change?
I plan to submit second patch for validation of the public value and
could do it then...
Thanks!
regards,
Joy
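A toy demonstration of the two points discussed in this thread, added here as an illustration only (it is not strongSwan code, and the group parameters are constructed at runtime, not the RFC 5114 groups 22-24, whose constants are in the RFC). It builds a small Schnorr-style group p = k*q + 1 with a prime-order-q subgroup, shows that a secret exponent larger than q yields the same public value as the exponent reduced modulo q (so only q.bit_length() bits of secret are useful), and implements the public-value validation Joy plans for the follow-up patch: reject y outside (1, p-1) and reject y that is not in the order-q subgroup (y^q mod p != 1). The function names `make_group`, `choose_secret`, `validate_public` and `demo` are assumptions made here for the example; the sizes (64-bit q, ~128-bit p) are far too small for real use.

```python
"""Toy DH group to illustrate subgroup-sized exponents and public-value checks.

Parameters here are constructed on the fly (NOT RFC 5114 groups 22-24) and are
deliberately tiny; all function names are this example's own, not strongSwan's.
"""
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a fixed-seed witness RNG (deterministic for the demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(q_bits=64, p_bits=128, seed=1):
    """Return (p, q, g): q prime, p = k*q + 1 prime, g of order exactly q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        k &= ~1  # even cofactor so that p = k*q + 1 is odd
        p = k * q + 1
        if is_probable_prime(p):
            break
    for h in range(2, 1000):
        g = pow(h, k, p)  # h^k has order dividing q; q prime, so order q if g != 1
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def secret_bits(p, q):
    """Useful size of the secret exponent: bits of q when the subgroup order is known."""
    return q.bit_length() if q is not None else p.bit_length()


def choose_secret(q, rng):
    """Secret x in [1, q-1]; any larger x is equivalent to x mod q (see demo)."""
    return rng.randrange(1, q)


def validate_public(y, p, q):
    """Reject 0, 1, p-1 and anything outside the prime-order subgroup."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def find_non_subgroup_element(p, q):
    """Smallest y in (1, p-1) whose order does not divide q (a small-subgroup value)."""
    for y in range(2, p - 1):
        if pow(y, q, p) != 1:
            return y
    raise RuntimeError("no such element")


def demo(seed=1):
    """Run the exponent-size and validation checks; return results as a dict."""
    p, q, g = make_group(seed=seed)
    rng = random.Random(seed + 1)
    x = choose_secret(q, rng)
    y = pow(g, x, p)
    return {
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "secret_bits_needed": secret_bits(p, q),
        "secret_bits_wasted_at_full_p": secret_bits(p, None) - secret_bits(p, q),
        "same_public_for_x_plus_q": pow(g, x + q, p) == y,
        "same_public_for_x_plus_5q": pow(g, x + 5 * q, p) == y,
        "peer_value_ok": validate_public(y, p, q),
        "rejects_zero": not validate_public(0, p, q),
        "rejects_one": not validate_public(1, p, q),
        "rejects_p_minus_1": not validate_public(p - 1, p, q),
        "rejects_outside_subgroup": not validate_public(find_non_subgroup_element(p, q), p, q),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `same_public_for_x_plus_q` result is the concrete form of Andreas's point: with g of order q, g^x and g^(x+q) are the same public value, so bits of secret beyond the size of q buy nothing. The subgroup-membership test `pow(y, q, p) == 1` is the check that distinguishes the RFC 5114 groups (known q) from the plain MODP groups, where only the range check is available.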