Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt

Johannes Merkle <johannes.merkle@secunet.com> Thu, 25 April 2013 12:43 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA0021F9590 for <ipsec@ietfa.amsl.com>; Thu, 25 Apr 2013 05:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3WjEVvZeIy5 for <ipsec@ietfa.amsl.com>; Thu, 25 Apr 2013 05:43:52 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 4E2A221F95E1 for <ipsec@ietf.org>; Thu, 25 Apr 2013 05:43:52 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id E1AC01A0088; Thu, 25 Apr 2013 14:43:50 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id vYv8nd_7rT_x; Thu, 25 Apr 2013 14:43:49 +0200 (CEST)
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id 4C8BD1A0087; Thu, 25 Apr 2013 14:43:49 +0200 (CEST)
Received: from [10.208.1.73] ([10.208.1.73]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Thu, 25 Apr 2013 14:43:49 +0200
Message-ID: <51792504.5010800@secunet.com>
Date: Thu, 25 Apr 2013 14:43:48 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Dan Brown <dbrown@certicom.com>
References: <20130422184745.13680.44055.idtracker@ietfa.amsl.com> <5176C7B9.50001@secunet.com> <810C31990B57ED40B2062BA10D43FBF51437D8@XMB111CNC.rim.net>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF51437D8@XMB111CNC.rim.net>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 25 Apr 2013 12:43:49.0345 (UTC) FILETIME=[88AE9510:01CE41B2]
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 12:43:54 -0000

> I disagree that (x,y)=(0,0) should be interpreted as the point-at-infinity.  I advise against a separate check for this, and instead to rely on the length-check and the curve equation-check.

I agree. As no encoding is defined for the point-at-infinity in IKEv2, there can be no check for it.

Section 2.3 should be changed from
   A receiving peer MUST check
   that its peer's public value is valid; that is, it is not the point-
   at-infinity, and that the x and y parameters from the peer's public
   value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod p

 to

   A receiving peer MUST check
   that its peer's public value is valid; that is, the x and y parameters
   from the peer's public value satisfy the curve equation, that is,
   y**2 = x**3 + ax + b mod p

And a note should be added explaining, why a check for the point-at-infinity, as suggested by other standards, is not
applicable for IKE.

Johannes

> 
>> -----Original Message-----
>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
>> Of Johannes Merkle
>> Sent: Tuesday, April 23, 2013 1:41 PM
>> To: ipsec@ietf.org
>> Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
>>
>> I hope I am not too late as the document write-up has already been sent
>> out.
>>
>> Section 2.3 specifies:
>>    A receiving peer MUST check
>>    that its peer's public value is valid; that is, it is not the point-
>>    at-infinity, and that the x and y parameters from the peer's public
>>    value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod
>> p
>>
>> How can a peer check this? I am not aware of any encoding rule for the
>> point-at-infinity in RFC 5903 or RFC 5114. Does
>> the encoding of SEC1 apply, where the point-at-infinity is encoded to
>> 0x00? According to RFC 5903 this would be padded
>> with zeros, so that the decoding algorithm of the receiving peer would
>> obtain x=0 and y=0. These do certainly not
>> fulfill the curve equation as the discriminant -16*(4*a^3 + 27*b^2)
>> must be non-zero.
>>
>> So isn't the requirement to check that the value it is not the point-
>> at-infinity confusing and redundant?
>>
>> Johannes
>>
>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>>  This draft is a work item of the IP Security Maintenance and
>> Extensions Working Group of the IETF.
>>>
>>> 	Title           : Additional Diffie-Hellman Tests for IKEv2
>>> 	Author(s)       : Yaron Sheffer
>>>                           Scott Fluhrer
>>> 	Filename        : draft-ietf-ipsecme-dh-checks-03.txt
>>> 	Pages           : 11
>>> 	Date            : 2013-04-22
>>>
>>> Abstract:
>>>    This document adds a small number of mandatory tests required for
>> the
>>>    secure operation of IKEv2 with elliptic curve groups.  No change
>> is
>>>    required to IKE implementations that use modular exponential
>> groups,
>>>    other than a few rarely used so-called DSA groups.  This document
>>>    updates the IKEv2 protocol, RFC 5996.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-ipsecme-dh-checks-03
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-dh-checks-03
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>
>