RFC 2785 (rfc2785) - Page 1 of 11
Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME
Network Working Group                                       R. Zuccherato
Request for Comments: 2785                           Entrust Technologies
Category: Informational                                        March 2000
Methods for Avoiding the "Small-Subgroup" Attacks on the
Diffie-Hellman Key Agreement Method for S/MIME
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
In some circumstances the use of the Diffie-Hellman key agreement
scheme in a prime order subgroup of a large prime p is vulnerable to
certain attacks known as "small-subgroup" attacks. Methods exist,
however, to prevent these attacks. This document will describe the
situations relevant to implementations of S/MIME version 3 in which
protection is necessary and the methods that can be used to prevent
these attacks.
1. Introduction
This document will describe those situations in which protection from
"small-subgroup" type attacks is necessary when using Diffie-Hellman
key agreement [RFC 2631] in implementations of S/MIME version 3
[RFC 2630, RFC 2633]. Thus, the ephemeral-static and static-static
modes of Diffie-Hellman will be focused on. Some possible non-S/MIME
usages of CMS are also considered, though with less emphasis than the
cases arising in S/MIME. The situations for which protection is
necessary are those in which an attacker could determine a
substantial portion (i.e. more than a few bits) of a user's private
key.
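The following is an added example, not text or code from RFC 2785, showing the defensive check the rest of this document builds toward: a recipient verifies that a received Diffie-Hellman public value actually lies in the intended prime-order subgroup before using it to derive a shared secret (the public-key validation countermeasure of this document and RFC 2631). The parameters p = 67, q = 11 are constructed toy values chosen so that p - 1 = 2 * 3 * 11 has small subgroups of order 2, 3 and 6 alongside the intended order-11 subgroup; the function names are the author's own, not identifiers from the RFC.

```python
# Added example (not from RFC 2785): subgroup-membership validation for
# Diffie-Hellman public values in a prime-order subgroup of Z_p^*.
# Toy parameters, constructed for illustration only:
P = 67   # prime modulus; p - 1 = 66 = 2 * 3 * 11, so small subgroups exist
Q = 11   # prime order of the subgroup the protocol is supposed to use


def subgroup_generator(h, p, q):
    """Derive a generator of the order-q subgroup as g = h^((p-1)/q) mod p.

    Any h whose result is not 1 yields an element of exact order q,
    because q is prime.
    """
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("seed h lies in the wrong coset; choose another h")
    return g


def is_valid_public_value(y, p, q):
    """Return True only if y is a non-trivial element of the order-q subgroup.

    Values outside 1 < y < p-1 are rejected outright; then y^q mod p == 1
    confirms that y has order q (or 1, which the range check already excluded).
    A value of small order outside the subgroup would make the shared secret
    y^x depend on x only modulo that small order, which is exactly the leakage
    this document is concerned with.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def shared_secret(private_x, peer_y, p, q):
    """Compute peer_y^private_x mod p, refusing unvalidated peer values."""
    if not is_valid_public_value(peer_y, p, q):
        raise ValueError("peer public value is not in the order-q subgroup")
    return pow(peer_y, private_x, p)


def multiplicative_order(y, p):
    """Brute-force order of y mod p; only sensible for toy-sized p."""
    acc, k = y % p, 1
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k


if __name__ == "__main__":
    g = subgroup_generator(2, P, Q)                   # 64, an element of order 11
    a, b = 3, 5                                       # constructed private values
    pub_a, pub_b = pow(g, a, P), pow(g, b, P)         # 40 and 25
    print("g =", g, "order", multiplicative_order(g, P))
    print("shared (A side):", shared_secret(a, pub_b, P, Q))
    print("shared (B side):", shared_secret(b, pub_a, P, Q))
    bogus = 37                                        # has order 3 mod 67
    print("order of bogus value:", multiplicative_order(bogus, P))
    print("accepted?", is_valid_public_value(bogus, P, Q))
```

The range check and the exponentiation y^q mod p together cost one extra modular exponentiation per received public value, which is the "additional processing time ... when a shared secret key is derived" that the next paragraph refers to.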
Protecting oneself from these attacks involves certain costs. These
costs may include additional processing time either when a public key
is certified or a shared secret key is derived, increased parameter
generation time, and possibly the licensing of encumbered
Zuccherato Informational