[NobleSir]

For someone whose almost exclusively studied cryptography in cyclic curve groups rather than cyclic integer groups (coming from an algebraic geometry background). Maybe someone can explain to me why the modulus isn't always chosen to be prime for DH? Is there some reason you would ever want to allow composite modulus in DH?

[rocqua]

As far as I know, using a composite modulus is bad. It means that some of the integers (besides the obvious case of 0) no longer exhibit the group properties. That said, it only makes it a bit more difficult to find a generator. I am not sure about the overall security implications.

However, the plan here is too get someone to use your chosen modulus which is weaker. I'd suppose they are banking on no one checking that the modulus actually is prime.

[NobleSir]

I see - I searched for a while and it seems (if I'm reading correctly) that right in the RFC from 1999 it says to use / check prime-ness of the modulus: http://tools.ietf.org/html/rfc2631 so I'm still a bit confused - maybe the point is that it's commonly not done?