IETF Logo Mail Archive

Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)

"Dan Harkins" <dharkins@lounge.org> Fri, 18 December 2009 19:01 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6033D3A69A1; Fri, 18 Dec 2009 11:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fur1yfgmN2eJ; Fri, 18 Dec 2009 11:01:24 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id 9C9763A6890; Fri, 18 Dec 2009 11:01:24 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id C840D102240AE; Fri, 18 Dec 2009 11:01:09 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 18 Dec 2009 11:01:09 -0800 (PST)
Message-ID: <72a888732545c5066f493228c416d286.squirrel@www.trepanning.net>
In-Reply-To: <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com>
References: <19243.32427.247190.77844@fireball.kivinen.iki.fi> <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com>
Date: Fri, 18 Dec 2009 11:01:09 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Scott C Moonen <smoonen@us.ibm.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: ipsec@ietf.org, ipsec-bounces@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 19:01:26 -0000

  Hi Scott,

  I agree. The errata is not technically wrong. That's the way ECDH
is defined in ANSI X9.63, and SEC1, and FIPS 800-56A and that's the
way every crypto library that I'm aware of produces the shared secret.
I don't think this is problem has manifested itself in implementation
non-interoperability, it's just document non-interoperability.

  I think it would be better to just obsolete RFC 4753 and update
RFC 5114 (to not refer to RFC 4753 and have _correct_ test vectors
producing Z = x_Z as the result of the ECDH), and update RFC 4869
to refer to the updated RFC 5114. Then the IANA registry should indicate
that the updated RFC 5114 defines these groups.

  The solution of allocating new numbers still doesn't really solve the
problem because if you receive an KE payload from group 19, 20, or 21
"you can make your guess whether they also implemented errata or not,
and act based on that" and that sounds like a recipe for future
non-interoperability.

  The IANA registry for these groups is used by more than just IKE(v2)
and it would be nice if it was coherent and did not make assumption like
that.

  regards,

  Dan.

On Fri, December 18, 2009 5:37 am, Scott C Moonen wrote:
> Tero, what you propose seems the right way to go in principle, but I
> suspect we are solving a problem that doesn't exist.  Is there any crypto
> library or device that exposes the y coordinate for use in the ECDH
> secret?  It seems pretty well established that the x coordinate serves as
> the ECDH secret.  Moreover, since the y coordinate provides only one more
> bit of independent information, it's actually misleading to use it.
>
> I seriously doubt there is any implementation that does not implement the
> intent of the erratum, if only because there are immense practical
> barriers to implementing the RFC as written.  Given that, I think the
> practical result of what you propose will actually be more confusion and a
> longer period of time before all implementations (as well as all
> standards/profiles) are able to re-stabilize to the new ECDH landscape.
> The practical cost of making this change is greater than the practical
> benefit it buys.
>
> On the other hand, if there is such an implementation, then we probably do
> need to do something like what you propose.
>
>
> Scott Moonen (smoonen@us.ibm.com)
> z/OS Communications Server TCP/IP Development
> http://www.linkedin.com/in/smoonen
>
>
>
> From:
> Tero Kivinen <kivinen@iki.fi>
> To:
> ipsec@ietf.org
> Date:
> 12/18/2009 08:08 AM
> Subject:
> [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114,
> RFC4869, and draft-solinas-rfc4753bis-01)
>
>
>
> I got just request to review modifications to IKEv2 IANA because of
> the draft-solinas-rfc4753bis-01.txt.
>
> We had this discussion a while back on the IPsec list where we noted
> that having errata which makes non-interoperable change to the RFC is
> not really ok, and we requested the authors to submit new document.
>
> Errata:
> http://www.rfc-editor.org/errata_search.php?rfc=4753&rec_status=15&presentation=records
>
>
> Email thread:
> http://www.ietf.org/mail-archive/web/ipsec/current/msg04529.html
>
> At that point Paul summarized things very nicely:
>
>    My view is that the errata is technically wrong and should be
>    withdrawn because it changes something that is disagreed to by test
>    vectors in the document itself. If the authors of RFC 4753 want the
>    format to be just the x coordinate, they should prepare a revision
>    to RFC 4753 that obsoletes it and has correct text and test
>    vectors.
>
> Now when this came to me when IANA asked me to do Expert review to the
> IANA allocations, I noticed that it would be very bad if we reused the
> old numbers 19, 20, 21 as that would mean nobody knows which version
> of the RFC (old RFC without errata, or RFC4753 with errata == new RFC)
> is really used.
>
> As the Diffie-Hellman groups are negotiated and the registry is 16
> bits, we do not need to try to save the numbers, I think it would be
> bad idea to reuse the existing values with different meaning. Because
> of this I answered that the new groups with new meanings would need to
> get new numbers.
>
> When I started investigating problem bit more I found out that RFC5114
> which defines 2 new ECP groups (in addition of repeating the 3 ECP
> groups from RFC4753) says:
> ----------------------------------------------------------------------
> 3.2.  IKE
>
>    Use of MODP Diffie-Hellman groups with IKEv2 is defined in [RFC4306],
>    and the use of MODP groups with IKEv1 is defined in [RFC2409].
>    However, in the case of ECP Diffie-Hellman groups, the format of key
>    exchange payloads and the derivation of a shared secret has thus far
>    been specified on a group-by-group basis.  For the ECP Diffie-Hellman
>    groups defined in this document, the key exchange payload format and
>    shared key derivation procedure specified in [RFC4753] MUST be used
>    (with both IKEv2 and IKEv1).
> ----------------------------------------------------------------------
>
> Now if we obsolete RFC4753, does that mean that this reference will
> also change, so which format is used for these groups 25 and 26 define
> in RFC5114?
>
> Do we need a new numbers for those groups also so it will be clear
> which version they use.
>
> Then there is also the RFC4869 which defines UI suites. That refers
> Diffie-Hellman groups as "256-bit random ECP group [RFC4753]". Which
> format of group those uses. When we now change RFC4753 does that mean
> that old implementations using RFC4869 UI suites using original
> RFC4753 groups is not compatible with newer RFC4869 version or what?
>
> I think the best way forward is to allocate new numbers for all
> RFC4753 derived groups (19, 20, 21, 25, 26) and create new UI suites
> using those new group numbers.
>
> This will create one time update where everybody needs to change their
> code by changing number 19 to n and 20 to n+1 and so on, and at the
> same time verify that the secret they use is only the x-coordinate.
> This change is small and can be done very quickly, but after that we
> do not need to think whether we can interoperate with someone using
> ECP group n, as we know it must be using new secret format.
>
> If someone uses old groups 19, 20, 21, 25, or 26 then you can make
> your guess whether they also implemented errata or not, and act based
> on that. Good thing is that as Diffie-Hellman groups are negotiated in
> IKEv2 it is easy to offer both 19 and new group n if backward
> compatibility with old versions is needed (provided you also know
> whether the group 19 on the other end uses errata or not).
> --
> kivinen@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email