Lines Matching +full:- +full:- +full:with +full:- +full:libssh

1 # Diffie-Hellman
6 Diffie-Hellman keys can be found much faster if the short exponents are used and
12 where p is a safe prime (i.e. $$q=(p-1)/2$$), hence the only elements of small
13 order are 1 and p-1.
15 [NIST SP 800-56A] rev. 2, Section 5.5.1.1 only requires that the size of the
16 subgroup generated by the generator g is big enough to prevent the baby-step
17 giant-step algorithm. I.e. for 80-bit security p must be at least 1024 bits long
21 public key y satisfies the conditions $$2 \leq y \leq p-2$$ and $$y^q \mod p =
26 order q is missing in [PKCS #3]. [PKCS #3] describes the Diffie-Hellman
29 The class DHParameterSpec that defines the Diffie-Hellman parameters in JCE
34 Therefore, there is no guarantee that an implementation of Diffie-Hellman is secure against
35 subgroup confinement attacks. Without a key validation it is insecure to use the key-pair
36 generation from [NIST SP 800-56A] Section 5.6.1.1 (The key-pair generation there only requires that
37 static and ephemeral private keys are randomly chosen in the range \\(1..q-1\\)).
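The public-key validation conditions excerpted above (a safe prime p, 2 ≤ y ≤ p-2, and y^q mod p = 1 with q = (p-1)/2), worked through as an added example that is not code from the Wycheproof document or project; the primes 23, 1019 and 1009 are constructed test values:

```python
"""Added example: full Diffie-Hellman public-key validation over a safe prime.
Not from the Wycheproof project; p = 23 and p = 1019 are constructed test values."""

# First 13 primes as Miller-Rabin bases: deterministic for n < 3.3 * 10**24
# (Sorenson-Webster); for real 2048-bit moduli the result is probabilistic.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with the fixed bases above."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2**s * d with d odd
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with p and q prime: the only small-order elements are 1 and p-1."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_dh_public_key(y: int, p: int) -> bool:
    """Accept y only if p is a safe prime, 2 <= y <= p-2 (rejects the order-1 and
    order-2 elements 1 and p-1) and y lies in the order-q subgroup (y^q mod p == 1),
    which rejects a full-group generator and so closes the subgroup-confinement case."""
    if not is_safe_prime(p):
        return False
    if not 2 <= y <= p - 2:
        return False
    q = (p - 1) // 2
    return pow(y, q, p) == 1
```

With p = 1019 (≡ 3 mod 8) the element 2 is a quadratic non-residue, so it fails the subgroup check even though it is a valid element in other safe-prime groups; the subgroup test, not a fixed "small y" rule, is what decides.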
54 that 1024 bit discrete logarithms with the special number field sieve are
64 parameters: p is sometimes composite, p-1 contains no large prime factor, q is
69 EUROCRYPT '92, LNCS 658, pp. 194-199.
77 [OW96]: P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman key agreement with short exponents",
81 "A key recovery attack on discrete log-based schemes using a prime order subgroup",
86 B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, P. Zimmermann,
87 "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice"
88 https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
90 [NIST SP 800-56A], revision 2, May 2013
91 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
94 http://uk.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-3-diffie-hellman-key-agreement-stand…
97 "Methods for Avoiding 'Small-Subgroup' Attacks on the Diffie-Hellman Key Agreement Method for S/MIM…
101 <!--
104 CVE-2015-3193: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl
107 https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-31…
109 CVE-2016-0739: libssh before 0.7.3 improperly truncates ephemeral secrets generated for the
110 (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits ...
112 CVE-2015-1787 The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before
113 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled,
115 message with a length of zero.
117 CVE-2015-0205 The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p
118 and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate
121 recognizes a Certification Authority with DH support.
123 CVE-2016-0701 The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before
124 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange,
126 handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an
129 CVE-2006-1115 nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/private key
133 CVE-2015-1716 Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server
135 Windows RT Gold and 8.1 does not properly restrict Diffie-Hellman Ephemeral (DHE) key lengths,
139 CVE-2015-2419: Random generation of the prime p allows Pohlig-Hellman and probably other
141 -->