On 18 March 2013 21:02, Dave Thompson <dthomp...@prinpay.com> wrote:
> >I also just noticed that in your JSON sample there is only one
> >prime number provided. There are in fact two required: p and q.
>
> No. *DSA* uses p,q,g. DH requires p,g which effectively determines
> q, but DH computation doesn't use q and standard formats don't have
> it. DH can use l which is the *size* of q thus the (max) entropy
> of the agreement. It is sometimes convenient to use DSA parameters
> as DH parameters by ignoring q except optionally its size.
>
Not entirely correct. I've just been digging into this when I saw your
email. PKCS 3 does not use q for DH:

    DHParameter ::= SEQUENCE {
      prime              INTEGER, -- p
      base               INTEGER, -- g
      privateValueLength INTEGER OPTIONAL }

However, the newer X9.42 DOES require q to be present:

    DomainParameters ::= SEQUENCE {
      p               INTEGER, -- odd prime, p = jq+1
      g               INTEGER, -- generator, g^q = 1 mod p
      q               INTEGER, -- prime factor of p-1
      j               INTEGER OPTIONAL, -- cofactor, j>=2
      validationParms ValidationParms OPTIONAL }

    ValidationParms ::= SEQUENCE {
      seed        BIT STRING, -- seed for prime generation
      pGenCounter INTEGER -- parameter verification
    }

However, it seems that OpenSSL does not support the X9.42 version.
From the notes on the dhparam man page:

"OpenSSL currently only supports the older PKCS#3 DH, not the newer
X9.42 DH."

All the OpenSSL built-in RFC5114 domain parameters are also defined in
terms of p, q and g.

However, you are correct that the DH computation does not use q,
although I do not know whether JCE requires it to be specified (not
having used JCE).

Matt
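
Added example (not part of the original message, and not OpenSSL or JCE code): when q is present, the relations in the X9.42 comments above (p = jq+1, g^q = 1 mod p) can be checked before the parameters are used, whereas PKCS#3-style parameters allow only the checks on p and g. The function names and the toy values are constructed for illustration.

```python
# Added example: consistency checks on DH domain parameters.
# Names and toy values are constructed; they come from no library.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (probabilistic for very large n)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_domain_params(p, g, q=None, j=None):
    """Return a list of problems; an empty list means every check passed."""
    if not is_probable_prime(p):
        return ["p is not prime"]
    problems = []
    if not 1 < g < p - 1:
        problems.append("g is outside 2..p-2")
    if q is None:
        # PKCS#3 style: without q the subgroup order cannot be checked.
        return problems
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    elif j is not None and p != j * q + 1:
        problems.append("j is not the cofactor (p != jq+1)")
    if pow(g, q, p) != 1:
        problems.append("g^q != 1 mod p")
    return problems

# Constructed toy parameters: 23 = 2*11 + 1 and 2^11 = 2048 = 1 mod 23.
PKCS3_STYLE = dict(p=23, g=2)
X942_STYLE = dict(p=23, g=2, q=11, j=2)
```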