IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 30 November 2012 21:04 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105C621F89E4 for <ipsec@ietfa.amsl.com>; Fri, 30 Nov 2012 13:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwhtMv2T3AT1 for <ipsec@ietfa.amsl.com>; Fri, 30 Nov 2012 13:04:07 -0800 (PST)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2750321F85A7 for <ipsec@ietf.org>; Fri, 30 Nov 2012 13:04:07 -0800 (PST)
Received: by mail-ee0-f44.google.com with SMTP id b47so624120eek.31 for <ipsec@ietf.org>; Fri, 30 Nov 2012 13:04:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=5yVAvR/hpaSzMjqiEeFrBs1Jbsk++JWvFHCnIq6Gz8g=; b=V3EOA/yJFu3vlq1fLbagskpzRj9BYG47LT/zv4//Jf8QO1zMHtvnoR5Xp/K0j27bU6 PXm0mzvOiDhYW+kx5jxNaAhxu8oayk85nRHcS2fO2ow/fIOBTOOrwp35xyOXiOCVEeHf rqPP1gM+9orQs9mvwuTNUpK4Hs4gF/6se3k3JRHoJeg8iOhOtAzx62wGm31MZYC2e1VQ edZDbjmuimqItKrwjyKgzRFOdYDptnxyqrIzShq6Cdk18z/boyShbuFJswOUqVc2gVua xqY9awiq9O/dx8hzt4/YgmFn/0be1knXkCP4n7SGHfELlFSf1NxA1SlhVbC6LVuNWYde MnFA==
Received: by 10.14.216.193 with SMTP id g41mr8333913eep.37.1354309446301; Fri, 30 Nov 2012 13:04:06 -0800 (PST)
Received: from [10.0.0.3] (bzq-79-183-164-29.red.bezeqint.net. [79.183.164.29]) by mx.google.com with ESMTPS id b2sm12868880eep.9.2012.11.30.13.03.56 (version=SSLv3 cipher=OTHER); Fri, 30 Nov 2012 13:04:05 -0800 (PST)
Message-ID: <50B91F37.1010503@gmail.com>
Date: Fri, 30 Nov 2012 23:03:51 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
References: <50B8A287.9090509@secunet.com> <074557eff2f722f10198aac4fb2f8d9c.squirrel@www.trepanning.net> <A113ACFD9DF8B04F96395BDEACB340421C8E40@xmb-rcd-x04.cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340421C8E40@xmb-rcd-x04.cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Johannes Merkle <johannes.merkle@secunet.com>, Manfred Lochter <manfred.lochter@bsi.bund.de>, Dan Harkins <dharkins@lounge.org>, IPsecme WG <ipsec@ietf.org>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>, "Turner, Sean P." <turners@ieca.com>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2012 21:04:08 -0000

The problem I have with this discussion is, this check (if really 
required) should have been in the base protocol, because the protocol 
has supported EC groups from day one. It doesn't belong in a specific 
curve definition. We could use the errata process to add it. It's not 
ideal, but certainly better than republishing RFC 5996.

Thanks,
	Yaron

On 11/30/2012 08:26 PM, Scott Fluhrer (sfluhrer) wrote:
> There should *absolutely* be a requirement that any point you receive from the peer is actually a point on the curve.
>
> What can happen if you don't?  Well, that depends on the implementation of the point addition/doubling; what happens with the normal implementation is that it acts as if it was a different curve with a different curve order -- this means that someone introducing a bogus value can give us a point with a small order (which can't happen with the normal Brainpool curves, because those curves have prime orders).
>
> In addition, validating the values is cheap; easily worth the gain.
>
>
> Also, given the you validate the peer's value, and forbid public points which are the point-at-infinity, doubling checking that the D-H common value is not the point at infinity appears to be unneeded.  The Brainpool Curves are (again) of prime order; this implies that the D-H common value is the point at infinity only if the peer's public value is the point at infinity (which ought to be forbidden), or our secret value is a multiple of the curve order (in which case, our public value is the point at infinity).
>
>
> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Dan Harkins
> Sent: Friday, November 30, 2012 12:57 PM
> To: Johannes Merkle
> Cc: IPsecme WG; Manfred Lochter; Turner, Sean P.; rfc-ise@rfc-editor.org
> Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
>
>
>    Hi Johannes,
>
> On Fri, November 30, 2012 4:11 am, Johannes Merkle wrote:
>> We have submitted a new revision of the Internet Draft on Using the
>> ECC Brainpool Curves (defined in RFC 5639) for IKEv2 Key Exchange
>> https://datatracker.ietf.org/doc/draft-merkle-ikev2-ke-brainpool/
>>
>> Since there was considerable objection to the point compression method
>> in the WG, we have removed this option altogether and define only the
>> uncompressed KE payload format, which is in full accordance with RFC
>> 5903.
>>
>>
>> Any feedback is welcome.
>
>    I see that there is a requirement that an implementation MUST verify that the D-H common value is not the point-at-infinity. Do you think there should also be a requirement that an implementation MUST verify that the x- and y-coordinates received from a peer satisfy the equation of the negotiated curve (and abort the exchange if not)?
>
>    regards,
>
>    Dan.
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email