Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt
Eric Rescorla <ekr@rtfm.com> Fri, 05 May 2017 21:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41754126DED for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 14:23:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zewaUO_06L_1 for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 14:23:39 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE661126BF0 for <curdle@ietf.org>; Fri, 5 May 2017 14:23:38 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id k11so8839582ywb.1 for <curdle@ietf.org>; Fri, 05 May 2017 14:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fDdW00WGQOYV/j4bC2ezt2b9nbB09OnDObjtpEC6ShQ=; b=Vr56mAMNXhUo0/bYRSZz5MZKdWdeXJf83LH/mFXuWD4ysV+XZ+3HVzMG9gFa+x9Xju 1pirwmziaRExXw/5nHeY4dcmGFATgs+UVSziBCBI4QRdCL07zdHXjWYbfFvZifDq4TCG V2U8Sbm7gVKxh8avPye4NVHYtFscKFWK786PPakWe7zD0R5CJmuBbtvH87M3bWQuAiJ+ rGTkmcUMrYHgBOyftHtNxVyhtuBfP8IgslhovI0N2TkwiQsHb2GZPBqFfaWH08y2/fVD oIIR5vLlnMouAiRnlrFCqhyatQHWJvqVgzSQXZJ9dc9wkpJIPnTYIR4wU/wFWo3KdtZk pEKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fDdW00WGQOYV/j4bC2ezt2b9nbB09OnDObjtpEC6ShQ=; b=YGGQqgSlzw6dE+WoJ0UtT69PoaYXuz20qZVrR3krNzdmz/LtaI+6xGTYarv8JLIjex Oezm7KvrWXilxeN3tTipxvkU5lXZDCVbxAG+gYENj+mAtkWg27M9B+ekqrMy9Iq6OcsP LJQC/8BJDeNabX87D3gQfYUvuFNsA3B6DQyKvE9V+kCvh+MrnAjzM04J2RE3XObIIDw3 VnC/fmwwJ1VUpifwnkZ+EyUOXVVaAUzh3xv55MxEMEBMl3/O3EqU5B8rcXc7Rb3aK9DO nNzxn/35RSZQNhIiJ9nzxRibY5bl8CFblWNMRHOTsiIBLnWWnqr8lmEyS3bCrYmJX/hx TwiQ==
X-Gm-Message-State: AN3rC/5l0a7UkKpiyPimlNAcOm70s8/jQE0tbDNSdjmiSedhdQ+wPhBD 1jzh/oQAXSabCmP+eb2SlytVFgblYA==
X-Received: by 10.13.245.2 with SMTP id e2mr42431847ywf.270.1494019418206; Fri, 05 May 2017 14:23:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Fri, 5 May 2017 14:22:57 -0700 (PDT)
In-Reply-To: <7050.1494018999@eng-mail01.juniper.net>
References: <CABcZeBMFWE35S0okfF378YMWoWmWuZRZCe4oHsHagN0LF9W0WA@mail.gmail.com> <7050.1494018999@eng-mail01.juniper.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 May 2017 14:22:57 -0700
Message-ID: <CABcZeBNkJhX-CL9rwzwHJhFPpbfS++zTsmtWR63ACKpmiJvFPQ@mail.gmail.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c08763ab61463054ecd8058"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Z6NMHl_G9T2pKq6Pf0-kb5AnTFY>
Subject: Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 21:23:41 -0000
On Fri, May 5, 2017 at 2:16 PM, Mark D. Baushke <mdb@juniper.net> wrote: > Hi Eric, > > Eric Rescorla <ekr@rtfm.com> writes: > > > Document: draft-ietf-curdle-ssh-curves-04.txt > > > > TECHNICAL > > S 2. > > > > The methods are based on Curve25519 and Curve448 scalar > > multiplication, as described in [RFC7748]. Private and public keys > > are generated as described therein. Public keys are defined as > > strings of 32 bytes for Curve25519 and 56 bytes for Curve448. > > Clients and servers MUST fail the key exchange if the length of the > > received public keys are not the expected lengths, or if the derived > > shared secret only consists of zero bits. No further validation is > > required beyond what is discussed in [RFC7748]. > > > > Is any other validation specified? Maybe I'm missing it, but I don't > > see any. > > Hmmm... When I read it, I was under the impression that this was > referencing the concept of batched verification via the referenced via > the [goldilocks] paper http://eprint.iacr.org/2015/625.pdf reference in > RFC 7748. It is possible that my reading is flawed. > > I am willing to consider alterations to the text to make it better if > you have something in particular to propose. Hmm.. Mostly, I'm just trying to figure out what this document is saying, because it just doesn't seem clear. What is it you think people should do? With that said, TLS just specifies: For X25519 and X448, implementations SHOULD use the approach specified in [RFC7748] to calculate the Diffie-Hellman shared secret. Implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in Section 6 of [RFC7748]. If implementers use an alternative implementation of these elliptic curves, they SHOULD perform the additional checks specified in Section 7 of [RFC7748]. -Ekr > S 2.1. IMPORTANT: > > other side’s public key and the local private key scalar. The 32 or > > 56 bytes of X are converted into K by interpreting the bytes as an > > unsigned fixed-length integer encoded in network byte order. This > > conversion follows the normal "mpint" process as described in section > > 5 of [RFC4251]. > > > > It appears you are specifying the opposite encoding from RFC 7748 which > > says: > > > > or GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u, in > > little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... + > > > > First, I want to confirm that this is in fact true and that I'm not > > missing something. Second, if it's not true, this needs to be called out > > in big letters. > > I regret that I did not do anything to implement Curdle448 myself. > > I suspect that only Aris or Simon will be able to be authoritative on > this set of paragraphs. > > > > > > > EDITORIAL > > Curve25519 provide strong security and is efficient on a wide range > > of architectures, and has properties that allows better > > implementation properties compared to traditional elliptic curves. > > Curve448 with SHA-512 is similar, but have not received the same > > > > has not received > > Good catch, I have incorporated this change into my copy of the > document. I will publish an update after more folks have commented on > the points you raised. > > -- Mark >
- [Curdle] AD Review of: draft-ietf-curdle-ssh-curv… Eric Rescorla
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Mark D. Baushke
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Eric Rescorla
- Re: [Curdle] AD Review of: draft-ietf-curdle-ssh-… Mark D. Baushke