COM.claymoresystems.ptls

Class SSLDHPrivateKey

public class SSLDHPrivateKey extends DHPrivateKey

SSLDHPrivateKey.java

Copyright (C) 1999, Claymore Systems, Inc. All Rights Reserved.

ekr@rtfm.com Sun May 9 16:31:12 1999

This package is a SSLv3/TLS implementation written by Eric Rescorla and licensed by Claymore Systems, Inc.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Claymore Systems, Inc.
4. Neither the name of Claymore Systems, Inc. nor the name of Eric Rescorla may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

$Id: SSLDHPrivateKey.java,v 1.10 2001/03/22 16:35:52 ekr Exp $
Method Summary

void initPrivateKey(BigInteger g_, BigInteger p_, SecureRandom rand_)

void initPrivateKey(SecureRandom rand_, int keylength, boolean sg)
    Generate a DH private key.

byte[] keyAgree(DHPublicKey pub, boolean check)

Method Detail

initPrivateKey

public void initPrivateKey(BigInteger g_, BigInteger p_, SecureRandom rand_)

initPrivateKey

public void initPrivateKey(SecureRandom rand_, int keylength, boolean sg)
Generate a DH private key. We generate the parameters in one of two modes:

1. If sg is false, we simply generate a large p and check it with the p % 24 == 11 generator test (from Phil Karn via OpenSSL).
2. If sg is true, we generate Sophie Germain primes according to the procedure of RFC2412, except that our p is chosen randomly rather than from the digits of pi.

The text from RFC2412 describing the virtues of this procedure follows:

The primes for groups 1 and 2 were selected to have certain properties. The high order 64 bits are forced to 1. This helps the classical remainder algorithm, because the trial quotient digit can always be taken as the high order word of the dividend, possibly +1. The low order 64 bits are forced to 1. This helps the Montgomery-style remainder algorithms, because the multiplier digit can always be taken to be the low order word of the dividend. The middle bits are taken from the binary expansion of pi. This guarantees that they are effectively random, while avoiding any suspicion that the primes have secretly been selected to be weak.

Because both primes are based on pi, there is a large section of overlap in the hexadecimal representations of the two primes. The primes are chosen to be Sophie Germain primes (i.e., (P-1)/2 is also prime), to have the maximum strength against the square-root attack on the discrete logarithm problem.

The starting trial numbers were repeatedly incremented by 2^64 until suitable primes were located.

Because these two primes are congruent to 7 (mod 8), 2 is a quadratic residue of each prime. All powers of 2 will also be quadratic residues. This prevents an opponent from learning the low order bit of the Diffie-Hellman exponent (AKA the subgroup confinement problem). Using 2 as a generator is efficient for some modular exponentiation algorithms. [Note that 2 is technically not a generator in the number theory sense, because it omits half of the possible residues mod P. From a cryptographic viewpoint, this is a virtue.]

keyAgree

public byte[] keyAgree(DHPublicKey pub, boolean check)
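The two parameter-generation modes described for initPrivateKey(rand_, keylength, sg), and the kind of peer-value validation that a keyAgree(pub, check) call with check set is assumed to request, as an added Python example at toy bit sizes. This is not PureTLS code: the functions gen_karn_prime, gen_sophie_germain and check_peer_value are my own names, and check_peer_value is an assumption about what the check flag does, not the library's implementation.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test for a positive integer n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_karn_prime(bits):
    """Mode 1 (sg false): a random prime p of `bits` bits that passes the
    p % 24 == 11 generator test credited to Phil Karn via OpenSSL."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 24 == 11 and is_probable_prime(p):
            return p

def gen_sophie_germain(bits, fixed=8):
    """Mode 2 (sg true): p = 2q + 1 with p and q prime, the top and bottom
    `fixed` bits forced to 1 (RFC 2412 uses 64), random middle bits instead
    of pi, and candidates stepped by 2**fixed so the low bits stay all 1."""
    mask = (1 << fixed) - 1
    top, step = mask << (bits - fixed), 1 << fixed
    while True:
        p = secrets.randbits(bits) | top | mask
        while (p & top) == top:  # restart once a carry disturbs the high bits
            if is_probable_prime((p - 1) // 2) and is_probable_prime(p):
                return p
            p += step

def check_peer_value(y, p):
    """Assumed check for keyAgree with check set, safe prime p: y in [2, p-2]
    and in the order-q subgroup (Euler's criterion), so small-subgroup values
    that would leak exponent bits are rejected."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1
```

Because the low bits are all 1, every candidate from gen_sophie_germain is 7 (mod 8), so 2 is a quadratic residue and the order-q subgroup test accepts exactly the values 2^x mod p.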
Copyright (c) 1999-2001 Claymore Systems, Inc., All Rights Reserved.