Re: [Curdle] draft-ietf-curdle-pkix and endianess of strings
Russ Housley <housley@vigilsec.com> Wed, 19 December 2018 22:03 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F0A130EAE for <curdle@ietfa.amsl.com>; Wed, 19 Dec 2018 14:03:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dN56jln6svk2 for <curdle@ietfa.amsl.com>; Wed, 19 Dec 2018 14:03:34 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D83A2130EDA for <curdle@ietf.org>; Wed, 19 Dec 2018 14:03:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 8DC0A3002C1 for <curdle@ietf.org>; Wed, 19 Dec 2018 17:03:31 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id hivXwPyXA4DU for <curdle@ietf.org>; Wed, 19 Dec 2018 17:03:29 -0500 (EST)
Received: from [192.168.1.161] (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id EA428300054; Wed, 19 Dec 2018 17:03:28 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAH8yC8kQVKxFP6or+B+qKq=RmE2LCSFRDD0zRFS5EFqf2oUXGg@mail.gmail.com>
Date: Wed, 19 Dec 2018 17:03:30 -0500
Cc: IETF SAAG <saag@ietf.org>, curdle <curdle@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BF16F7A0-0CA3-4F99-B402-C21947A8F9E0@vigilsec.com>
References: <CAH8yC8nHE_MKrv77Zyki+B4vrnB0N2SAp7kqJmcXKALDne9Nsw@mail.gmail.com> <027c01d4970e$cefd4c70$6cf7e550$@augustcellars.com> <CAH8yC8=T+HSDRW1VaYmwUO1un5U5zLSL9vQTucw+t=ZRG9-c9g@mail.gmail.com> <CAH8yC8nLjEez+EX0ex0Lcw4N_dhovuaZzrfALMO-LoQmHCydpg@mail.gmail.com> <028f01d49713$fd6a4540$f83ecfc0$@augustcellars.com> <CAH8yC8mXRYuyj10tiyYRjKWpJAzo2KHErDKcDqNmBoWsCtgVtg@mail.gmail.com> <1545188081299.7191@cs.auckland.ac.nz> <CAH8yC8kQVKxFP6or+B+qKq=RmE2LCSFRDD0zRFS5EFqf2oUXGg@mail.gmail.com>
To: noloader@gmail.com
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/VL6mDZAycS-QEqftsMgfxxl7fRs>
Subject: Re: [Curdle] draft-ietf-curdle-pkix and endianess of strings
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2018 22:03:37 -0000
This discussion probably belongs on the CURDLE WG mail list ...
Note that draft-ietf-curdle-pkix has been published as RFC 8410.
When this object identifier is used:
id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }
the algorithm parameters are absent, so there is no opportunity to define the curve through parameters.
The RFC warns:
Both [RFC7748] and [RFC8032] define the public key value as being a
byte string. It should be noted that the public key is computed
differently for each of these documents; thus, the same private key
will not produce the same public key.
The RFC could have also warned about the big-endian vs. little-endian encoding used in different RFCs related to elliptic curve.
Russ
> On Dec 19, 2018, at 4:13 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>
> On Tue, Dec 18, 2018 at 9:54 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>
>> Jeffrey Walton <noloader@gmail.com> writes:
>>
>>> You might consider adding a note that the byte array is written to the
>>> octet string with the LSB in the first position, and the MSB in the last
>>> position. As far as I know this draft is the only one that reverses the
>>> byte ordering for presentation. It will avoid confusion for future readers
>>> who expect network byte ordering in ASN.1 presentations.
>>
>> This was requested when the RFCs were written (alongside using the standard
>> X9.62 form that everything else uses), but nothing got done. Basically the
>> encoding used for the Bernstein curves is the reverse to the way everything
>> else does it. So you take the standard form used by all other curves, then
>> encode the values backwards. In my code I use a shim layer that reverses
>> the bytes, at which point they can be handled by code that expects them in
>> the standard form.
>
> Yeah, using the little endian presentation brings up some weird use
> cases. Suppose a named curve is not used (i, e., curve25519 parameters
> are specified). The other domain parameters like prime and subgroup
> order are big endian but the keys are little endian.
>
> I'm fairly certain the best course of action is to make this use case
> work as expected:
>
> $ dumpasn1 ed25519.bin
> 0 52: SEQUENCE {
> 2 1: INTEGER 0
> ...
> 33 32: OCTET STRING
> : 6D C5 9D 3F 09 7F B2 3D 44 BA 90 79 12 81 B4 53
> : 25 8D 69 1A 55 AF 5C E4 F1 EE 71 2F DF 91 AE 98
> : }
>
> And then something like this with Botan (or pick your favorite library):
>
> uint8_t sb[32] = {0x6D, 0xC5, ... 0xAE, 0x98};
> BigInt sk(sb, 32);
>
> The extra "byte reverse" needed to make things work as expected is
> non-intuitive and not documented. But maybe I am missing something or
> I don't understand the motivation.
>
> Jeff
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Russ Housley
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… David Benjamin
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Jeffrey Walton
- Re: [Curdle] draft-ietf-curdle-pkix and endianess… Jeffrey Walton