On 30 Mar 2011, at 6:19 AM, ikuzar wrote:
> I'd like to know if it is a security issue when p (a DH param) is not a 
> safe prime?
> Is it easier to attack the DH algorithm with a non-safe prime ...?

Yes. If p-1 does not have large factors, then it is easier to compute the 
discrete logarithm and recover the message. See:

  C.H. Lim and P.J. Lee, "A key recovery attack on discrete log-based schemes 
using a prime order subgroup"
  http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296

  R. Zuccherato, "Methods for Avoiding the "Small-Subgroup" Attacks on the 
Diffie-Hellman Key Agreement Method for S/MIME"
  http://tools.ietf.org/rfc/rfc2785.txt

  And Wikipedia on safe primes ( http://en.wikipedia.org/wiki/Safe_prime ):
> Safe primes are also important in cryptography because of their use in 
> discrete logarithm-based techniques like Diffie-Hellman key exchange. If 2p + 
> 1 is a safe prime, the multiplicative group of numbers modulo 2p + 1 has a 
> subgroup of large prime order. It is usually this prime-order subgroup that 
> is desirable, and the reason for using safe primes is so that the modulus is 
> as small as possible relative to p.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

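As an added example (not part of the original message and not OpenSSL code): a Python check that a DH modulus p is a safe prime, plus validation of a peer's public value against the order-q subgroup, the kind of check RFC 2785 discusses. The function names and the small sample values are constructed for illustration.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin: trial division, fixed small bases, then random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    bases = list(_SMALL_PRIMES)
    bases += [2 + secrets.randbelow(n - 3) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def classify_dh_prime(p):
    """Report whether p is a safe prime, i.e. (p - 1) / 2 is also prime."""
    if not is_probable_prime(p):
        return "not prime"
    if is_probable_prime((p - 1) // 2):
        return "safe prime"
    return "prime, not safe"

def peer_key_ok(y, p, q):
    """Accept y only if 2 <= y <= p - 2 and y lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

if __name__ == "__main__":
    # Constructed sample moduli; real DH parameters are far larger.
    for p in (23, 29, 1907, 2**127 - 1):
        print(p, classify_dh_prime(p))
    print(peer_key_ok(2, 23, 11), peer_key_ok(5, 23, 11), peer_key_ok(22, 23, 11))
```
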