IETF Logo Mail Archive

Re: [http-auth] I-D Action: draft-ietf-httpauth-mutual-algo-00.txt

Yutaka OIWA <y.oiwa@aist.go.jp> Fri, 18 July 2014 08:09 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A26C1A016A for <http-auth@ietfa.amsl.com>; Fri, 18 Jul 2014 01:09:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.679
X-Spam-Level:
X-Spam-Status: No, score=-3.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTnFFpd1NIBP for <http-auth@ietfa.amsl.com>; Fri, 18 Jul 2014 01:09:56 -0700 (PDT)
Received: from na3sys010aog112.obsmtp.com (na3sys010aog112.obsmtp.com [74.125.245.92]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13B061A011F for <http-auth@ietf.org>; Fri, 18 Jul 2014 01:09:56 -0700 (PDT)
Received: from mail-vc0-f178.google.com ([209.85.220.178]) (using TLSv1) by na3sys010aob112.postini.com ([74.125.244.12]) with SMTP ID DSNKU8jWU27BNsE8YECXm+q+IzTP5SBpWmqO@postini.com; Fri, 18 Jul 2014 01:09:56 PDT
Received: by mail-vc0-f178.google.com with SMTP id la4so6656392vcb.37 for <http-auth@ietf.org>; Fri, 18 Jul 2014 01:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=UXY30sbiE0QwihGnneFOyDH+s99B4Ddx4GSjsJ4mfZw=; b=t8nkyU3cqGLq5LZCg7bZ8lxwCvkDsF4gSruXvR1199LvesGeeD71x6iUNB7KPU78TD K24E7xektYi2RcAr0O5pu97AjAEJp75sfq/UdWhVo+N94n49Jcsf+o8FpW9zx6gFcpSq R9PAffQV4TYMXl0wYLByOlCkt6cw+BZhhIAJo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=UXY30sbiE0QwihGnneFOyDH+s99B4Ddx4GSjsJ4mfZw=; b=lRw11JeUaQlJwKHxkNFoG/szQIevhv4DGl3kCu0GFg50UaAXgFkC8rixiTiOUfnO4o eGTwt3B5WCCGQ+LOi5KnEt9eLsgRD+usvq9ywzWFGHgbBVal5nJ245mw1BErRJ7O9XG9 oUnFlyrxV9whHcGgj4uFUxiVTuSdzW3nA8JvZ5ymteOpNrnDG9tgV4cASdRD7SoAttjY ZO2Dzc9oPKWS47G2vqGip6kEl3KAqSL+LE30+uNdWDEpHf7HS6HUInCHLh//it0zg1Hd 1AkTR2Z+eVOZrJZNI58OpK2gxlPJK+7vwGB0u3SMwi1pOnZOI3FuI2PWQggQ8H9a07On VluA==
X-Gm-Message-State: ALoCoQmNZwB358DicfeeZccRTeBwrZg5VRuhBVRc7UHHcLgj4q2dUC2a0hOLppVEjKbKRHntDQpPVxg9KbyUSrPueUNKww7z6GKB0w3rQELulKFtvZLPi8nSlNcjz0zUKWePAwmxjrHL
X-Received: by 10.52.178.66 with SMTP id cw2mr733532vdc.93.1405670994928; Fri, 18 Jul 2014 01:09:54 -0700 (PDT)
X-Received: by 10.52.178.66 with SMTP id cw2mr733526vdc.93.1405670994861; Fri, 18 Jul 2014 01:09:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.154.198 with HTTP; Fri, 18 Jul 2014 01:09:34 -0700 (PDT)
In-Reply-To: <20140705124400.GA3684@LK-Perkele-VII>
References: <20140704220217.30291.17196.idtracker@ietfa.amsl.com> <20140705124400.GA3684@LK-Perkele-VII>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Fri, 18 Jul 2014 17:09:34 +0900
Message-ID: <CAMeZVwuTkjWzkjuCcFdLEYCE1HhCm_FdO=85=jarTZjdngjfZg@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/Z07T98LMSsc5RJt7g2Gj4TfrnmM
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] I-D Action: draft-ietf-httpauth-mutual-algo-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jul 2014 08:09:58 -0000

Dear Ilari,

Thank you very much for valuable comments.
We'd asked our cryptographer colleagues' assistance
for answering, and please forgive us that we needed
some time to prepare these answers.

BTW,

2014-07-05 21:44 GMT+09:00 Ilari Liusvaara <ilari.liusvaara@elisanet.fi>:
> On Fri, Jul 04, 2014 at 03:02:17PM -0700, internet-drafts@ietf.org wrote:
>>
>>       Filename        : draft-ietf-httpauth-mutual-algo-00.txt
>
> Section 2.3:
>
>>   where S_c1 is a random number within range [1, r-1].  The value of
>>   K_c1 MUST represent a valid curve point, and K_c1' SHALL NOT be 0_E.
>>   The server MUST check this condition upon reception.
>
> How this generalizes to non-cofactor-1 curves (those can be quite a bit
> faster than cofactor-1 ones)?
>
> Looking at the discrete-group algorithm, it generalizes as "valid point
> with large prime dividing order".
>
> So would:
>
> The value of K_c1 MUST represent a valid curve point, and [h]*K_c1'
> SHALL NOT be 0_E. The server MUST check this condition upon reception.
>
> Work?
> (0_E is the identity point, h is the curve cofactor.)
>
>>   where S_s1 is a random number within range [1, r-1].  The value of

It seems to work.  We need to modify some other parts of
documents (e.g. introducing the parameter h).
Original ISO specification also has a consideration for
non-cofactor-1 curves in the exactly same way.
I'd like to incorporate it in the next revision.

>>   K_s1 MUST represent a valid curve point and satisfy [4] * P'(K_s1) <>
>>   0_E. If this condition is not satisfied, the server MUST retry using
>>   another value for S_s1.  The client MUST check this condition upon
>>   reception.
>
> Same here.
>
> Also where does that multiplier 4 in check come from? Attempt at
> supporing h>1 curves (except that some stuff in use has h=8)?
>
> Should it be [h]*P'(K_s1) <> 0_E?

It is copied from the original ISO specification, and
it seems to be corresponding to the DL-case checking
"[t]he value of K_s1 MUST satisfy 1 < K_s1 < q-1",
that is to check K_s1 is not equivalent to either 1 or -1.
For this purpose, it should at least be [2] * P'(K_s1) <> 0_E.
I don't have a strict idea on why this is 4 instead of 2, though.
Does anyone have idea on this?
(Our colleague currently considers this 4 as not related to
 the cofactor setting).

> Section 2.2&2.3:
>
> 2.2 has:
>> The value of K_s1 MUST satisfy 1 < K_s1 < q-1.  If this condition
>> is not held, the server MUST retry using another value for S_s1.
>
> And 2.3:
>> The value of K_s1 MUST represent a valid curve point and satisfy
>> [4] * P'(K_s1) <> 0_E. If this condition is not satisfied, the
>> server MUST retry using another value for S_s1.
>
> If K_c1 has certain relationship (extremely unlikely) with
> J(pi), that will fail over and over again (no S_s1 works).
>
> Values of S_s1 that don't work are AFAICT very rare anyway (making
> failures be dominated by all sorts of calculation errors in K_s1).

I'd like to answer this in a separate mail.

-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

v2.23.0 | Report a Bug | By Email