Re: [Curdle] draft-ietf-curdle-pkix and endianess of strings
David Benjamin <davidben@chromium.org> Wed, 19 December 2018 23:03 UTC
Return-Path: <davidben@google.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06089130EF9 for <curdle@ietfa.amsl.com>; Wed, 19 Dec 2018 15:03:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.564
X-Spam-Level:
X-Spam-Status: No, score=-9.564 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWxhbEKWlMER for <curdle@ietfa.amsl.com>; Wed, 19 Dec 2018 15:03:32 -0800 (PST)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 905B5130EAE for <curdle@ietf.org>; Wed, 19 Dec 2018 15:03:32 -0800 (PST)
Received: by mail-qt1-x829.google.com with SMTP id d19so24177926qtq.9 for <curdle@ietf.org>; Wed, 19 Dec 2018 15:03:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8eZINLqrf73JFXvMeUfcKd/iPHXdLO1QMySwRst9Bio=; b=QOKKe6qR7umXmQSeu3wFUpmNWI6UfQcPnVmKNUWgEsljTGJbWiqgKL4DTlUNuTx/sC kviVlh9gVdue57rIrf0LOZ2UgYJDOZNCPron3UyCohTfmzjMIcsbB/99WjmbYwPj5l+M ANgV06fJAG8gSgT41q1uw9CQYm6/rkwIV8IaM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8eZINLqrf73JFXvMeUfcKd/iPHXdLO1QMySwRst9Bio=; b=se5/8F5I/CNfyAVB0LoCDfIQZwKG+C0Cw2FRyOcLFL3n8EpmjI4vWQrpVSFioAgqsO mXlOd+UBJs3oNgm3hQQohaPcPkbWzO7XRmKJSjr6Cv9ubYsOuu5cNyoLi5ORbI6CIMAF bodO2fdQ6+q/sfiwrHTUIVCyt9U+rzxQdKUBnWIgIuXcADEnMqnlQKTAZGnYvOKxGGv3 STEoJOiskW7RbBNGh2i+668ESI2ClfpprtlBHlJqps+5zxYCJ015PXS7CNqBazyMzUgn 7WyKUghKPWSsXHoXaShs3r5Ytu8dPhbJZT5F+vSHlHB5hlWLDPxUflngyiY5+T64lEvA K5SQ==
X-Gm-Message-State: AA+aEWbFWW+aJEUTpuWH1gl+kQBGgNPD/o3IlXvryCyEkaiw6wZGDAfs vQhybVnlX+NjQEuYUUMNIInf6kihlqjgbE1OYdky
X-Google-Smtp-Source: AFSGD/U51zX9/6gBmOQTDuZkwH6c6lgvuHBMG+ZDM+Yw25QXthtjfweYeTkmHo9E2VvmZfJ6VmXLd3UtnhPIEXdtHIo=
X-Received: by 2002:ac8:1873:: with SMTP id n48mr23500695qtk.10.1545260611378; Wed, 19 Dec 2018 15:03:31 -0800 (PST)
MIME-Version: 1.0
References: <CAH8yC8nHE_MKrv77Zyki+B4vrnB0N2SAp7kqJmcXKALDne9Nsw@mail.gmail.com> <027c01d4970e$cefd4c70$6cf7e550$@augustcellars.com> <CAH8yC8=T+HSDRW1VaYmwUO1un5U5zLSL9vQTucw+t=ZRG9-c9g@mail.gmail.com> <CAH8yC8nLjEez+EX0ex0Lcw4N_dhovuaZzrfALMO-LoQmHCydpg@mail.gmail.com> <028f01d49713$fd6a4540$f83ecfc0$@augustcellars.com> <CAH8yC8mXRYuyj10tiyYRjKWpJAzo2KHErDKcDqNmBoWsCtgVtg@mail.gmail.com> <1545188081299.7191@cs.auckland.ac.nz> <CAH8yC8kQVKxFP6or+B+qKq=RmE2LCSFRDD0zRFS5EFqf2oUXGg@mail.gmail.com> <BF16F7A0-0CA3-4F99-B402-C21947A8F9E0@vigilsec.com>
In-Reply-To: <BF16F7A0-0CA3-4F99-B402-C21947A8F9E0@vigilsec.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 19 Dec 2018 17:03:19 -0600
Message-ID: <CAF8qwaC9y16e4yGooXtNfJJ7k5N5=y1rO0-wuP+oo8eQvw7FzQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: noloader@gmail.com, curdle <curdle@ietf.org>, IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d4370a057d680567"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/0uNTINzKDyRUCvuw4J07w7NnTIs>
Subject: Re: [Curdle] draft-ietf-curdle-pkix and endianess of strings
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2018 23:03:36 -0000
(Is the concern that RFC 7748 and RFC 8032 differ in endianness or that the pair of them differ in endianness from X9.42-style EC? I'm assuming it's the latter, because the former is not the case. RFC 7748 and RFC 8032 both specify little-endian. They're different for other reasons.) No objections to clarifying, but RFC 8032 (correctly) specifies Ed25519 and X25519 algorithms as functions on byte strings and RFC 8410 (correctly) defers to that. So probably a better question is whether RFC 8032 is clear enough on the internal serialization. I think the best architecture here is for byte string serialization to be handled by your Ed25519 and X25519 implementations internally, so the ASN.1 layer doesn't need to care. (Endianness is far from the biggest distinction between X9.42-style EC and X25519/Ed25519. They use different curve equation shapes altogether.) As an analogy, if you look at SHA-256's internals, a SHA-256 hash isn't 32 bytes, but eight 32-bit integers. But this is not a useful public interface, so SHA-256 comes with a particular byte encoding of those eight integers. It could have been big-endian, little-endian, or middle-endian and nothing outside of low-level SHA-256 implementations would have known. It is unfortunate that ECDSA got this wrong and saddled us with a mess of different serializations, wasting time and complexity. RFCs 8032 and 8410 happily did not repeat this mistake, and we should keep this up. To that end, the quoted text talks about using curve parameters explicitly rather than a non-named curve. RFC 8410 doesn't specify such a thing. I would have made a lot of noise if it had. :-) Which encoding is this referring to? David On Wed, Dec 19, 2018 at 4:03 PM Russ Housley <housley@vigilsec.com> wrote: > This discussion probably belongs on the CURDLE WG mail list ... > > Note that draft-ietf-curdle-pkix has been published as RFC 8410. > > When this object identifier is used: > > id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } > > the algorithm parameters are absent, so there is no opportunity to define > the curve through parameters. > > The RFC warns: > > Both [RFC7748] and [RFC8032] define the public key value as being a > byte string. It should be noted that the public key is computed > differently for each of these documents; thus, the same private key > will not produce the same public key. > > The RFC could have also warned about the big-endian vs. little-endian > encoding used in different RFCs related to elliptic curve. > > Russ > > > > On Dec 19, 2018, at 4:13 PM, Jeffrey Walton <noloader@gmail.com> wrote: > > > > On Tue, Dec 18, 2018 at 9:54 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> > wrote: > >> > >> Jeffrey Walton <noloader@gmail.com> writes: > >> > >>> You might consider adding a note that the byte array is written to the > >>> octet string with the LSB in the first position, and the MSB in the > last > >>> position. As far as I know this draft is the only one that reverses the > >>> byte ordering for presentation. It will avoid confusion for future > readers > >>> who expect network byte ordering in ASN.1 presentations. > >> > >> This was requested when the RFCs were written (alongside using the > standard > >> X9.62 form that everything else uses), but nothing got done. Basically > the > >> encoding used for the Bernstein curves is the reverse to the way > everything > >> else does it. So you take the standard form used by all other curves, > then > >> encode the values backwards. In my code I use a shim layer that > reverses > >> the bytes, at which point they can be handled by code that expects them > in > >> the standard form. > > > > Yeah, using the little endian presentation brings up some weird use > > cases. Suppose a named curve is not used (i, e., curve25519 parameters > > are specified). The other domain parameters like prime and subgroup > > order are big endian but the keys are little endian. > > > > I'm fairly certain the best course of action is to make this use case > > work as expected: > > > > $ dumpasn1 ed25519.bin > > 0 52: SEQUENCE { > > 2 1: INTEGER 0 > > ... > > 33 32: OCTET STRING > > : 6D C5 9D 3F 09 7F B2 3D 44 BA 90 79 12 81 B4 53 > > : 25 8D 69 1A 55 AF 5C E4 F1 EE 71 2F DF 91 AE 98 > > : } > > > > And then something like this with Botan (or pick your favorite library): > > > > uint8_t sb[32] = {0x6D, 0xC5, ... 0xAE, 0x98}; > > BigInt sk(sb, 32); > > > > The extra "byte reverse" needed to make things work as expected is > > non-intuitive and not documented. But maybe I am missing something or > > I don't understand the motivation. > > > > Jeff > > > > _______________________________________________ > > saag mailing list > > saag@ietf.org > > https://www.ietf.org/mailman/listinfo/saag > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > >
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Russ Housley
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… David Benjamin
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Jeffrey Walton
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Jeffrey Walton