Subject: Re: really really obsolete etc/moduli
To: NetBSD security list <tech-security@netbsd.org>
From: William Allen Simpson <wsimpson@greendragon.com>
List: tech-security
Date: 01/15/2005 15:44:51
Charles M. Hannum wrote:

>Let us start with the basics.  We have two possibilities:
>
Sure, since you seem to not have a grasp of the basics....

>1) RSA and D-H are not secure.  If this is the case, you're screwed, and we 
>have nothing more to talk about.
>
>2) RSA and D-H are secure.  In this case, the only thing to "crack" is to 
>discover that one of the moduli is not actually prime.
>
Interesting false dichotomy.

Shall we go back to 512-bit moduli?  How about 16-bits?  Silly goose.


>Now, I'd like to say that the method the OpenBSD people use to generate the 
>moduli is safe.  
>
Good, since that's *my* code.

>However, while it is substantially stronger (it uses many 
>more Miller-Rabin rounds) than the process used to generate your host keys 
>and user keys, 
>
Now this is the silliest argument of all.

I chose to use fewer rounds this time, mostly because I ran 64 (on a
MacOSX machine) and then 16 (on a NetBSD machine), being a power of
two kinda guy -- checking against possible flaws in either
implementation. 

You remember that I found bugs in the NetBSD BN implementation a
couple of years ago?  (Short memory?  Sign of senility?)

Since the error probability is (off the top of my head memories from
a decade or so ago, so pardon me for forgetting something) (1/4)**i,
the difference is so small the calculator on this computer cannot
display it.  I've never yet found a change from even 16 iterations. 

If you're curious, just run some more yourself!  You'll find the
software in PR 21983.

>it is *not* actually a primality proof.
>
>The only known primality proof with usable complexity is ECPP.  If you're 
>going to worry about the possibility of keys being cracked, you should not be 
>using primes verified with any other method.  This includes not just the D-H 
>moduli, but also host and user keys.
>
You need to brush up on "modular exponentiation".  And "discrete
logarithms".  And the "short exponent" problem. 

Google for "Odlyzko Diffie Hellman" and look at the various papers.

And you might also take a gander at:
 draft-ietf-secsh-dh-group-exchange-04

You might find some relevant information there. :-(

>Unless you're actually going to solve this problem, you have no pants.
>
Apparently, you have no idea what you're talking about, and it's
nearly impossible to completely educate you in an email message.

Enough with the attitude, thank you very much.

Nobody should trust relatively short primes for any length of time. 
That's one of several reasons to change them regularly. 

It's not likely we're going to run out of them any time soon....

-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
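Added example, not part of the email thread and not the moduli-generation code the message refers to: a small Python Miller-Rabin tester that makes explicit what one "round" is and how the (1/4)**i worst-case error bound cited above shrinks as the round count i grows. The witness counts, the numbers 2047, 561 and 2**127-1, and the 16/64 round counts used for comparison are my own choices for the demonstration.

```python
import random
from fractions import Fraction


def _decompose(n):
    """Write n - 1 as 2**s * d with d odd (the setup step of Miller-Rabin)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def strong_probable_prime(n, base):
    """One Miller-Rabin round: True if odd n > 3 passes the strong test to this base.

    A composite n passes a random base with probability at most 1/4, which is
    where the (1/4)**i bound for i independent rounds comes from.
    """
    s, d = _decompose(n)
    x = pow(base, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=16, rng=random.SystemRandom()):
    """Trial-divide by a few small primes, then run `rounds` random-base Miller-Rabin rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not strong_probable_prime(n, a):
            return False  # `a` is a witness: n is definitely composite
    return True


def error_bound(rounds):
    """Worst-case probability that a composite survives `rounds` rounds: (1/4)**rounds."""
    return Fraction(1, 4) ** rounds


if __name__ == "__main__":
    # 2047 = 23 * 89 is the smallest strong pseudoprime to base 2: base 2 is
    # fooled, base 3 is a witness. 561 is a Carmichael number; base 2 exposes it.
    print("2047 passes base 2:", strong_probable_prime(2047, 2))
    print("2047 passes base 3:", strong_probable_prime(2047, 3))
    print("561 passes base 2:", strong_probable_prime(561, 2))
    print("2**127-1 probable prime:", is_probable_prime(2**127 - 1))
    for i in (16, 64):
        print(f"bound after {i} rounds: {float(error_bound(i)):.3e}")
```

The bound returned by `error_bound` is Rabin's worst-case figure over all composites; for random odd candidates of the sizes used in DH moduli the actual failure probability of a fixed number of rounds is far smaller, so the practical difference between 16 and 64 random-base rounds is in the exponent of an already negligible number, not in whether a composite is caught.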