RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Held for Document Update (1)

RFC 2412, "The OAKLEY Key Determination Protocol", November 1998

Source of RFC: ipsec (sec)

Errata ID: 3960

Status: Held for Document Update
Type: Editorial

Reported By: Daniel Kahn Gillmor
Date Reported: 2014-04-11
Held for Document Update by: Stephen Farrell
Date Held: 2014-05-08

Section 2.8 & Appx E says:

Section 2.8:

   [...] In order to maximize this, one can
   choose "strong" or Sophie Germaine primes, P = 2Q + 1, where P and Q
   are prime.  However, if P = kQ + 1, where k is small, then the
   strength of the group is still considerable.  These groups are known
   as Schnorr subgroups, and they can be found with much less
   computational effort than Sophie-Germaine primes.

   [...]

      [...]  For Sophie Germain primes, if the
      generator is a square, then there are only two elements in the
      subgroup: 1 and g^(-1) (same as g^(p-1)) which we have already
      recommended avoiding. 

Appendix E:

   [...] The
   primes are chosen to be Sophie Germain primes (i.e., (P-1)/2 is also
   prime), to have the maximum strength against the square-root attack
   on the discrete logarithm problem.

It should say:

Section 2.8:
   [...] In order to maximize this, one can
   choose safe primes, P = 2Q + 1, where P and Q
   are prime.  However, if P = kQ + 1, where k is small, then the
   strength of the group is still considerable.  These groups are known
   as Schnorr subgroups, and they can be found with much less
   computational effort than safe primes.

   [...]

      [...]  For safe primes, if the
      generator is a square, then there are only two elements in the
      subgroup: 1 and g^(-1) (same as g^(p-1)) which we have already
      recommended avoiding. 

Appendix E:
   [...] The
   primes are chosen to be safe primes (i.e., (P-1)/2 is also
   prime), to have the maximum strength against the square-root attack
   on the discrete logarithm problem.

Notes:

This is a terminology clarification.

For primes P and Q related such that P = 2Q + 1, P is a "safe prime" and Q is a "Sophie Germain prime" The draft gets this definition backward. The draft also suggests that "strong" primes are equivalent to Sophie Germain primes, which is not necessarily the case.

Section 2.8 also misspells "Germain" with an extra e at the end twice.

see for example: http://www.ams.org/journals/mcom/1996-65-213/S0025-5718-96-00670-9/S0025-5718-96-00670-9.pdf

Report New Errata