Re: [IPsec] New draft on IKE Diffie-Hellman checks
Hugo Krawczyk <hugo@ee.technion.ac.il> Mon, 10 December 2012 22:56 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE7821F85E6 for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2012 14:56:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.143
X-Spam-Level:
X-Spam-Status: No, score=-2.143 tagged_above=-999 required=5 tests=[AWL=0.833, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 414ZIlJnIV8I for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE8621F8507 for <ipsec@ietf.org>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id fw7so3340368vcb.31 for <ipsec@ietf.org>; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=woLufvmT9IqVmbSrNhceStcWd4hPnTSOsaOJc/NDX9g=; b=vmZMC9Dz/Mbv0GwUnbd37iJXlPAhtSSce/9KefWPvj9zOuSOUAoDORAWGQrTkvn0ua 6KmTz0Qzox9sWRTHa8dPjv6zafOmXdadwpiLXUPC41kAqYAZnn6lrKR4rhVsfb+CEVuH nA8P9I/iWdgGr+hPWzPiodERzpBhFP72Jdol5JfFYqD9RDJdGvWNoo1GEjfKuWtwuOVV IHS+YTIIJMkD06fkpaWG5u9EUUt6Gn9+JXklsNQirFACpb/5XPNTghLDxZCFCLIE38RY uQq1quXGQDOzdSjVCOXEjipxhQWB6SO219zmJFf0rKG8jYgsGBxRUYcMk5FQ2rzCxM3u MVsw==
Received: by 10.58.198.164 with SMTP id jd4mr10279709vec.34.1355180208104; Mon, 10 Dec 2012 14:56:48 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.58.29.50 with HTTP; Mon, 10 Dec 2012 14:56:28 -0800 (PST)
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340421E4BE9@xmb-rcd-x04.cisco.com>
References: <50C62D6A.8010709@gmail.com> <CADi0yUPp4=8BMXf8543rMzc2bYE8XAM6vjSxZa-9cjBUv5zdSA@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340421E4BE9@xmb-rcd-x04.cisco.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 10 Dec 2012 17:56:28 -0500
X-Google-Sender-Auth: ygb_RxvQ0gFL3qG8gHIav-AxhAk
Message-ID: <CADi0yUOKt2SAbWVrSio68e1cD5WQ4HaJaaZcpMQG9G+3nXDXBA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Content-Type: multipart/alternative; boundary="e89a8f642ee0e9242f04d0877ad0"
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] New draft on IKE Diffie-Hellman checks
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 22:56:49 -0000
If the recommendation is to be compatible with the unnecessary checks of 56A in this case then say that. As written now, one would assume that there is a security benefit to it. (That's how we carry legacy misconceptions from standard to standard.) Hugo On Mon, Dec 10, 2012 at 4:53 PM, Scott Fluhrer (sfluhrer) < sfluhrer@cisco.com> wrote: > ** ** > > ** ** > > *From:* ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] *On Behalf > Of *Hugo Krawczyk > *Sent:* Monday, December 10, 2012 2:50 PM > *To:* Yaron Sheffer > *Cc:* IPsecme WG > *Subject:* Re: [IPsec] New draft on IKE Diffie-Hellman checks**** > > ** ** > > The tests in sections 2.1 and 2.3 are cheap and can serve as sanity checks > for an implementation as stated in the draft, even if DH is not reused. > > On the other hand, the test in 2.2 is expensive, equivalent to a group > exponentiation, and therefore should not be recommended without DH re-use > (in which case the test is an expensive waste). > > Actually, the right recommendation (or MUST) for 2.2 groups is NOT to > reuse DH values. > Indeed, the reason to reuse DH is to save an exponentiation but if you do > so you pay with an extra exponentiation for the membership test. Moreover, > while the exponentiation you are saving can be performed offline (before > the run of the IKE session), the group membership test is online, so either > way it makes no sense to reuse the DH exponents.**** > > I cannot disagree with anything you say. However, the real reason the 2.2 > groups (22, 23, 24) exist is the other MODP groups do not conform to NIST > SP 800-56A (see section 5.5.1.1). And, SP 800-56A also mandates the checks > we recommend (section 5.6.2.4).**** > > That is, if you are implementing (say) group 24 specifically for > conformance reasons, you’re going to do that test anyways (yes, it may be > an expensive waste for cryptographical reasons, however, it isn’t for > conformance reasons). In that scenario, DH reuse does make sense (because > not doing DH reuse doesn’t let you eliminate the test).**** > > I would agree that maybe we need to extend the draft to discuss these > noncryptographical issues.**** > > ** ** > > > By the way, if you forbid re-use, you need to actually mandate fresh > exponents with each session (otherwise, an implementation maybe tempted to > avoid re-use by using g^x, g^{x+1}, g^{x+2}, etc.) > > Hugo**** > > On Mon, Dec 10, 2012 at 1:43 PM, Yaron Sheffer <yaronf.ietf@gmail.com> > wrote:**** > > Hi, > > following the recent discussion on the mailing list, Scott Fluhrer and > myself just published a draft that updates RFC 5996 by adding the required > recipient-side tests for ECDH. Please see > http://www.ietf.org/internet-drafts/draft-sheffer-ipsecme-dh-checks-00.txt > . > > We have not addressed the issues raised by Dan and Tero regarding > inconsistencies between various RFCs that define ECDH groups for IKE. I > personally deem these issues to be out of scope of the current document. > > Comments are very welcome. > > Thanks, > Yaron > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec**** > > ** ** >
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Scott Fluhrer (sfluhrer)
- [IPsec] New draft on IKE Diffie-Hellman checks Yaron Sheffer
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Hugo Krawczyk
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Scott Fluhrer (sfluhrer)
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Harkins
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Yaron Sheffer
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Hugo Krawczyk
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Harkins
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Harkins
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Brown
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Harkins
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Brown
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Johannes Merkle
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Scott Fluhrer (sfluhrer)
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Hilarie Orman
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Dan Harkins
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Tero Kivinen
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Johannes Merkle
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Yaron Sheffer
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Tero Kivinen
- Re: [IPsec] New draft on IKE Diffie-Hellman checks Tero Kivinen