## Security Issues in the Diffie-Hellman Key Agreement Protocol (2000)

Venue: IEEE Trans. on Information Theory

Citations: 5 - 0 self

### BibTeX

@ARTICLE{Raymond00securityissues,
    author = {Jean-François Raymond and Anton Stiglic},
    title = {Security Issues in the Diffie-Hellman Key Agreement Protocol},
    journal = {IEEE Trans. on Information Theory},
    year = {2000},
    pages = {1--17}
}

### Abstract

Diffie-Hellman key agreement protocol [27] implementations have been plagued by serious security flaws. The attacks can be very subtle and, more often than not, haven't been taken into account by protocol designers. In this paper we attempt to provide a link between theoretical research and real-world implementations. In addition to exposing the most important attacks and issues we present fairly detailed pseudo-code for the authenticated Diffie-Hellman protocol and for the half-certified Diffie-Hellman (a.k.a. Elgamal key agreement). It is hoped that computer security practitioners will obtain enough information to build and design secure and efficient versions of this classic key agreement protocol.

### Citations

3064 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ...ertificate checking, etc.). Many digital signature schemes exist in the literature (see chapter 11 of [47] for examples) note however that DSS – the Data Signature Standard [62], Elgamal [30] and RSA [2, 43] are by far the most popular. � � ¤�� will denote the signing function and VER User() the verification function where User specifies the party 8.2.4 Public Key Certificates Often used standards for ce... |

2843 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...fie-Hellman Key Agreement Protocol Jean-François Raymond and Anton Stiglic Zero-Knowledge Systems, Inc.sjfr, anton¡ @zeroknowledge.com December 19, 2000 Abstract Diffie-Hellman key agreement protocol [27] implementations have been plagued by serious security flaws. The attacks can be very subtle and, more often than not, haven’t been taken into account by protocol designers. In this paper we attempt t... |

1175 | A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation Context ...ls are not uncommon. As this is a very important problem, it has received some attention; here are the most important approaches that have been proposed: 1. The use of verification logics such as BAN [18] to prove protocol properties. 2. Very high level programming languages in which security properties can be proved mechanically (i.e. by computers) [1]. 3. Complete proofs of security [10, 9]. 4. The ... |

1172 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1986
Citation Context ...e used only once. 2.3 Half-Certified Diffie-Hellman (or Elgamal Key agreement protocol) This is a very important and useful variant on the Diffie-Hellman protocol discussed above. First introduced in [30], the protocol is almost exactly the same as the basic one except that a user (Bob) publishes his public key (��� ). The public key (��� ) remains constant for large periods of time and is used by eve... |

807 | A Calculus for Cryptographic Protocols: The Spi Calculus
- Abadi, Gordon
- 1999
Citation Context ...: 1. The use of verification logics such as BAN [18] to prove protocol properties. 2. Very high level programming languages in which security properties can be proved mechanically (i.e. by computers) [1]. 3. Complete proofs of security [10, 9]. 4. The use of robustness principles, i.e. rules of thumb, protocol design principles [5]. The biggest problem with the first approach is that encryption primi... |

701 | Cryptography: Theory and Practice
- Stinson
- 2006
Citation Context ...inality (size) ¥ of . The order of an � element of . ��� ¥ � ����������©���©�������©�� � ��� � � a finite group is defined to be the smallest value such that 1 for an introduction to cryptography see [63]. 2.1.2 Cyclic Groups A cyclic group is a group that has the property that there exists an element � such that all elements in ¥ can be expressed as �... |

486 | Entity Authentication and Key Distribution
- Bellare, Rogaway
- 1994
Citation Context ...such as BAN [18] to prove protocol properties. 2. Very high level programming languages in which security properties can be proved mechanically (i.e. by computers) [1]. 3. Complete proofs of security [10, 9]. 4. The use of robustness principles, i.e. rules of thumb, protocol design principles [5]. The biggest problem with the first approach is that encryption primitives are dissociated from the verificat... |

438 | Blind signatures for untraceable payments
- Chaum
- 1983
Citation Context ...ttack can be countered by modifying the computations so that the exponentiation time doesn’t depend as heavily on the input parameters. Kocher [42] gives a method that uses the blinding techniques of [21] that help randomize the modular exponentiation computing time 15 : (we provide pseudo-code in section 8.1.4.) One Time Set Up: We calculate the private seeds. An integer, ��� � � , is chosen at rando... |

341 | HMAC: Keyed-hashing for message authentication
- Krawczyk, Bellare, et al.
- 1997
Citation Context .... (Note that SHA1-80 isn’t as efficient as MD5 which isn’t as efficient as MD4). 8.2.2 Message Authentication codes MAC Denoted by ¤¦¥¨§�� (� ¤�� is the shared secret key); CBC-MAC [60], SHA1-HMAC-80 [8] and UMAC [11] are examples of MACs that are believed to be secure. 8.2.3 Digital Signatures ©������ that signs; � In order to simplify the pseudo-co... |

319 | Efficient identification and signatures for smart cards
- Schnorr
- 1990
Citation Context ...sage with the secret key. Unfortunately, a variation on the previous attack allows for an insider attack where a user can fool the CA when specific signature schemes are used (e.g. Schnorr signatures [57], see [45] for the details). Hence, when this type of attack can be mounted, we should check the order of the public keys. 4 Authentication In the previous section we presented attacks related to the ... |

247 | Chosen ciphertext attacks against protocols based on the rsa encryption standard pkcs #1
- Bleichenbacher
- 1998
Citation Context ... important that the values be deleted as soon as possible to guard against RAM reading techniques such as the ones described in [34]. 5.5 Bleichenbacher Type of Attacks D. Bleichenbacher described in [13] an attack against PKCS #1 v1.5. The attack exploited the fact that some servers implementations of the PKCS #1 v1.5 RSA encryption padding used an inadequate authentication mechanism: if a plaintext ... |

209 | RFC 1321 - The MD5 Message-Digest Algorithm
- Rivest
- 1992
Citation Context ...f the following primitives. 8.2.1 Cryptographic hash functions Denoted by HS(), HW(); SHA1 [61] and RIPEMD-160 [28] (the output is 160 bits long) are thought to be the most secure hash functions. MD5 [55], although it hasn’t been broken, has become a more dubious choice since the discovery of internal pseudocollisions ([25]). MD5 (or MD4 which is faster and has weaker security) might be useful in prot... |

204 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context ...H secret is indistinguishable from an element chosen at random from the group if and only if the Decisional Diffie-Hellman problem in that group is hard (in several groups it is an easy problem), see [11]. Also notice that ��� random number, chances are greater that the most significant bit equals 0. Hence, it makes sense to spread the risk and have the bits in the new session key depend on all the bi... |

188 | Pricing via processing or combatting junk mail
- Dwork, Naor
- 1993
Citation Context ...hich can simply be random numbers) so that the victim is compelled to carry out many modular exponentiations in order to compute the shared DH secret keys (computational). The most robust solutions [7, 29, 38] to the problem involve having the connection initiators compute a solution to cryptographic puzzles (also known as hashcash or pricing functions). The amount of computations needed to solve these puz... |

134 | Secure deletion of data from magnetic and solid-state memory
- Gutmann
- 1996
Citation Context ... overwriting these values with some constant (by � s for example). It is important that the values be deleted as soon as possible to guard against RAM reading techniques such as the ones described in [34]. 5.5 Bleichenbacher Type of Attacks D. Bleichenbacher described in [13] an attack against PKCS #1 v1.5. The attack exploited the fact that some servers implementations of the PKCS #1 v1.5 RSA encrypt... |

120 | Robustness principles for public key protocols
- Anderson, Needham
- 1995
Citation Context ...ch security properties can be proved mechanically (i.e. by computers) [1]. 3. Complete proofs of security [10, 9]. 4. The use of robustness principles, i.e. rules of thumb, protocol design principles [5]. The biggest problem with the first approach is that encryption primitives are dissociated from the verification logics, which implies that they don’t provide complete proofs of security [9]. As an e... |

116 | UMAC: Fast and secure message authentication
- Black, Halevi, et al.
- 1999
Citation Context ...SHA1-80 isn’t as efficient as MD5 which isn’t as efficient as MD4). 8.2.2 Message Authentication codes MAC Denoted by ¤¦¥¨§�� (� ¤�� is the shared secret key); CBC-MAC [60], SHA1-HMAC-80 [8] and UMAC [11] are examples of MACs that are believed to be secure. 8.2.3 Digital Signatures ©������ that signs; � In order to simplify the pseudo-code, we will ab... |

115 | RIPEMD-160: A strengthened version of RIPEMD
- Dobbertin, Bosselaers, et al.
- 1996
Citation Context ...phic Primitives We refer the interested reader to [47] for an in depth analysis of many of the following primitives. 8.2.1 Cryptographic hash functions Denoted by HS(), HW(); SHA1 [61] and RIPEMD-160 [28] (the output is 160 bits long) are thought to be the most secure hash functions. MD5 [55], although it hasn’t been broken, has become a more dubious choice since the discovery of internal pseudocollis... |

98 | Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes
- Boneh, Venkatesan
- 1996
Citation Context ...spond. For example suppose we want to use our � -bit shared secret DH key with � a crypto-system requiring a key size � of , ��� ��� with . Although some bits of the shared secret are provably secure [15] the security of the vast majority of bits in the � shared DH secret key is not known (i.e. it’s not known whether an attacker can compute information about them19 ). Also notice ��� � that doesn’t sp... |

93 | The Oakley Key Determination Protocol
- Orman
- 1998
Citation Context ...of order � . We also suggest that a proof that the primes have not been chosen maliciously be given (i.e. we want kosherized primes). This choice helps satisfy requirements 2, 3 and 4 of section 7.1. [51] suggests the use of “special” safe primes which are used in the description of IKE [35] (a candidate DH protocol for IPsec). They have properties that enable efficient modular computations: The 64 hi... |

91 | Client Puzzles: A cryptographic defense against connection depletion attacks
- Juels, Brainard
- 1999
Citation Context ...hich can simply be random numbers) so that the victim is compelled to carry out many modular exponentiations in order to compute the shared DH secret keys (computational). The most robust solutions [7, 29, 38] to the problem involve having the connection initiators compute a solution to cryptographic puzzles (also known as hashcash or pricing functions). The amount of computations needed to solve these puz... |

87 | Programming Satan's Computer
- Anderson, Needham
- 1995
Citation Context ...erability is compounded by the fact that programmers often don’t have a proper understanding of the security issues. In fact, bad implementations of cryptographic protocols are, unfortunately, common [4]. In this work, we attempt to give a comprehensive listing of attacks on the DH protocol. This listing will in turn allow us to motivate protocol design decisions. Note that throughout this presentati... |

74 | Photuris: Session-key management protocol. Request for Comments (Experimental
- Karn, Simpson
- 1999
Citation Context ...m for use in overloading attacks. If a server can validate the IP addresses of its clients, one can use a less robust scheme for protecting against denial of services called SYN Cookies ([46], [16], [39]). SYN Cookies help prevent IP spoofing to a certain extent. If a server is supposed to be able to accept unknown clients (or better yet anonymous clients), we suggest using the techniques of [38] whic... |

72 | Authenticated Diffie–Hellman key agreement protocols
- Blake–Wilson, Menezes
- 1999
Citation Context ...Many standards have been developed for the DH protocol (see Appendix A), unfortunately none describe the issues and attacks in detail. More importantly, none motivate the design decisions. In [12], work has been done to characterize the security of the DH protocols introduced in various standards. We take a different, more general and perhaps more thorough approach by : 1. Describing and study... |

65 | A key recovery attack on discrete log-based schemes using a prime order subgroup
- Lim, Lee
- 1997
Citation Context ... is to choose a � prime such ����� that ������� contains large factors. Safe primes, primes of ����������� the form (where R is some small positive value and q is a large prime8 ), and Lim-Lee primes [45] which have ������� � � ����� � ������� the form � � (where the s are all large primes) satisfy this property. In these last cases, prime factorization of the order of each generator will contain a la... |

61 | Collisions for the compression function of MD5
- Boer, Bosselaers
- 1994
Citation Context ...output is 160 bits long) are thought to be the most secure hash functions. MD5 [55], although it hasn’t been broken, has become a more dubious choice since the discovery of internal pseudocollisions ([25]). MD5 (or MD4 which is faster and has weaker security) might be useful in protocols that don’t have stringent security requirements because it produces a 128 bit output and is much faster than both S... |

60 | Randomness and the Netscape browser
- Goldberg, Wagner
- 1996
Citation Context ...rom an entropy pool 22 . The pseudo-random numbers must be chosen extremely carefully because systems can be broken if inadequate pseudorandom functions or badly chosen seed are used (see for example [32]). We recommend the use of Yarrow [40], since its design is based on many years of research and experience [41] and because it’s easy to use (the programmer doesn’t need to provide a seed for example)... |

59 | On Diffie–Hellman Key Agreement with Short Exponents
- Oorschot, Wiener
- 1996
Citation Context ...mber that the order of any subgroup will divide .) � , i.e. the order of ��� ����� 3.3 Attacks Based on Composite Order Subgroups The attacker can exploit subgroups that do not have large prime order [64]. This is best illustrated by an example. Suppose Alice and Bob choose a prime ����������� , where q is prime, and a generator � of order ����������� . Oscar can intercept the messages � � and ��� and... |

50 | How to expose an eavesdropper
- Rivest, Shamir
- 1984
Citation Context ... into thinking that they share a secret key. In fact, Alice will think that the secret key � � � � is and Bob will believe that it is ��� � . This is a specific instance of a man in the middle attack [56]. � As an example of what can be done with such an attack, consider the case where Alice and Bob use the “secret” “shared” keys obtained in a DH protocol for symmetric encryption. Suppose Alice sends ... |

46 | Cryptanalytic Attacks on Pseudorandom Number Generators
- Kelsey, Schneier, et al.
- 1998
Citation Context ...oken if inadequate pseudorandom functions or badly chosen seed are used (see for example [32]). We recommend the use of Yarrow [40], since its design is based on many years of research and experience [41] and because it’s easy to use (the programmer doesn’t need to provide a seed for example). 8.2.6 Prime Number Generators We use safe primes, i.e. primes of the form ��� ������� (where � is prime) such... |

43 | A cost-based security analysis of symmetric and asymmetric key lengths
- Silverman
Citation Context ...44] for a table of balanced values. The parameters should be chosen in order to provide good long term security. Note that parameters that � constitute “good” long term security is very controversial [44, 59]. Extremely conservative estimates are (from [44]): – For very good security until 2002 take: � 1024 bits, exponent range 127 bits and derived key length 72. – For very good security until 2025 take: ... |
33 | Average case error estimates for the strong probable prime test
- Damgard, Landrock, et al.
- 1993
Citation Context ...33] for example) or see for example [47] for pseudo-code. 23 For the resulting algorithm to be defined as a robust primality test and considering efficiency, one should � choose NUMB ITER to be 3 (see [24] for exact details). On kosherization: note that interested readers can verify that the primes haven’t been chosen maliciously by � simply taking the SEED, executing the previous protocol and verifyin... |

32 | On the risk of opening distributed keys
- Burmester
- 1994
Citation Context ... function is also important because it destroys the algebraic relationships between keys. If the protocol didn’t use a key derivation function, it would be vulnerable to the Burmester triangle attack [17] which renders the protocol vulnerable to known key attacks. In the previous protocol, if a key derivation function isn’t used, it is vulnerable to the following attack: � ¢ £ � � � � � £ ¢ � � ��� � ... |

28 | Discrete logarithms: the past and the future
- Odlyzko
Citation Context ...x calculus based, methods for computing discrete logs (number field sieves) have been steadily improving 11 over the years and so it’s harder to gauge how large � should be for long term security. In [49], Odlyzko proposes using a � of at least 1024 bits for moderate security and at least 2048 for anything that should remain secure for a decade. 3.6 Attacks on Prime Order Subgroups In [45], an attack ... |

26 | Cryptanalysis of Diffie-Hellman, RSA, DSS and other systems using timing attacks
- Kocher
- 1996
Citation Context ...ication (as discussed in section 4.3). Servers written in SSL version 3 that used � adequate authentication weren’t vulnerable to this attack. 5.6 Timing Attacks An interesting attack was proposed in [42]; the attack relies on the fact that for most modular exponentiation algorithms the time taken is dependent on the inputs. In the Half Certified DH protocol, an attacker, by initiating many protocol r... |

25 | Minding Your P’s and Q’s - Anderson, Vaudenay - 1996 |

24 | RFC 2246: The TLS protocol version 1
- Dierks, Allen
- 1999
Citation Context ...HS(shared DH secret ��� 1) ������������� HS(shared DH secret ��� c). c’s value will depend on the number of bits required. This method is similar to the ones that are used in many standards (e.g. TLS [26]). 2. A Chaining Based Approach: We take the bits for the session key from: 19 in fact, in some cases it is trivial to compute information about the shared secret ����� , given only � , � , ��� and ��... |

24 | Yarrow-160: Notes on the design and analysis of the yarrow cryptographic pseudorandom number generator
- Kelsey, Schneier, et al.
- 1999
Citation Context ...ndom numbers must be chosen extremely carefully because systems can be broken if inadequate pseudorandom functions or badly chosen seed are used (see for example [32]). We recommend the use of Yarrow [40], since its design is based on many years of research and experience [41] and because it’s easy to use (the programmer doesn’t need to provide a seed for example). 8.2.6 Prime Number Generators We use... |

23 | Handbook of Applied Cryptography. CRC Press. ISBN 0-8493-8523-7.
- Menezes, Oorschot, et al.
- 1996
Citation Context ...ks in subsection ?? and finally a half-certified DH protocol in subsection ??. 8.1 Mathematical Primitives The following mathematical primitives are needed in the following protocols. See for example [47] for more details on the algorithms and [58] for free libraries that implement them. 8.1.1 Modular Multiplication mult(a,b,p); Returns � � ��������� . 8.1.2 Modular Squaring square(a,p); � ������� � ... |

14 | RFC2409, The Internet Key Exchange
- Harkins, Carrel
- 1998
Citation Context ...ly be given (i.e. we want kosherized primes). This choice helps satisfy requirements 2, 3 and 4 of section 7.1. [51] suggests the use of “special” safe primes which are used in the description of IKE [35] (a candidate DH protocol for IPsec). They have properties that enable efficient modular computations: The 64 high order bits are set to 1, so that the trial quotient digit in the classical remainder ... |

14 | RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL
- Housley, Polk, et al.
- 1999
Citation Context ...will denote the signing function and VER User() the verification function where User specifies the party 8.2.4 Public Key Certificates Often used standards for certificates include PGP [19] and X.509 [36]. Although PGP and X.509 both have the same IETF standard status, PGP is simple to use, whereas X.509 is constantly changing and very hard to comply with in practice. In order to simplify the pseudo-... |

11 | Recent Results on PKCS #1: RSA Encryption Standard
- Bleichenbacher, Kaliski, et al.
- 1998
Citation Context ...devised a practical attack against some implementations of SSL v3.0. Although we don’t describe any padding methods, nor do we use the RSA encryption scheme, some of the proposed countermeasures (see [14]) to immunize protocols against this attack are relevant: � Change keys frequently (as discussed in section 6.2) and make sure that different servers use independent keys. Use only adequate authentica... |

11 | RFC 2440: OpenPGP message format
- Callas, Donnerhacke, et al.
- 1998
Citation Context ...pular. � � ¤�� will denote the signing function and VER User() the verification function where User specifies the party 8.2.4 Public Key Certificates Often used standards for certificates include PGP [19] and X.509 [36]. Although PGP and X.509 both have the same IETF standard status, PGP is simple to use, whereas X.509 is constantly changing and very hard to comply with in practice. In order to simpl... |

10 | Modular approach to the design and analysis of key exchange protocols
- Bellare, Canetti, et al.
- 1998
Citation Context ...such as BAN [18] to prove protocol properties. 2. Very high level programming languages in which security properties can be proved mechanically (i.e. by computers) [1]. 3. Complete proofs of security [10, 9]. 4. The use of robustness principles, i.e. rules of thumb, protocol design principles [5]. The biggest problem with the first approach is that encryption primitives are dissociated from the verificat... |

10 | RFC 1644 - T/TCP – TCP extensions for Transactions, functional specification
- Braden
- 1989
Citation Context ...of them for use in overloading attacks. If a server can validate the IP addresses of its clients, one can use a less robust scheme for protecting against denial of services called SYN Cookies ([46], [16], [39]). SYN Cookies help prevent IP spoofing to a certain extent. If a server is supposed to be able to accept unknown clients (or better yet anonymous clients), we suggest using the techniques of [38... |

10 | Two Issues in Public Key Cryptography: RSA Bit Security and a New Knapsack Type System
- Chor
- 1986
Citation Context ...plaintext started with 0002, as described in the standard, they would blindly accept it as valid and continue, otherwise, they would return an error message to the client. Using a theorem due to Chor [22], Bleichenbacher devised a practical attack against some implementations of SSL v3.0. Although we don’t describe any padding methods, nor do we use the RSA encryption scheme, some of the proposed coun... |

10 | An improved algorithm for computing discrete logarithms over GF(p) and its cryptographic significance
- POHLIG, HELLMAN
- 1978
Citation Context ...����� integer smaller than . The following attacks delve a bit deeper into computational number theory. 3.2 Generators of Arbitrary Order and the Pohlig-Hellman Algorithm The Pohlig-Hellman algorithm [53] allows one to efficiently compute the discrete log of � � if the prime factorization of � ’s order consists of small primes. Precisely, given that the order of a group has the following prime factori... |

10 | Monte Carlo methods for index computation (mod p) - POLLARD - 1978 |

8 | Limitations of challenge-response entity authentication - Mitchell - 1989 |

4 | Phrack Magazine, 48(7): File 13
- neptune
- 1996
Citation Context ...cause the server is so busy processing bogus requests that he doesn’t have time to reply to legitimate queries. The adversary usually exploits the fact that the servers are limited in terms of memory [20, 23] and/or computational power. The DH protocol is vulnerable to the following kinds of attack: The attacker can carry out a connection (memory) depletion attack (e.g. [20, 23]). Note that it is very imp... |