Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 09 April 2013 13:27 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 092E921F9003 for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 06:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D52zxgYqUurZ for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 06:27:01 -0700 (PDT)
Received: from tuna.sandelman.ca (unknown [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) by ietfa.amsl.com (Postfix) with ESMTP id B625721F8FD6 for <ipsec@ietf.org>; Tue, 9 Apr 2013 06:27:01 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id D91352016F; Tue, 9 Apr 2013 09:36:36 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 40B65A9946; Tue, 9 Apr 2013 09:26:42 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 2A3F3B9396; Tue, 9 Apr 2013 09:26:42 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB3404209060652@xmb-rcd-x04.cisco.com>
References: <9F821C79-A855-4060-A356-ED8E5C50048B@vpnc.org> <5697.1365476466@sandelman.ca> <A113ACFD9DF8B04F96395BDEACB3404209060652@xmb-rcd-x04.cisco.com>
X-Mailer: MH-E 8.3; nmh 1.3-dev; XEmacs 21.4 (patch 22)
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Tue, 09 Apr 2013 09:26:42 -0400
Message-ID: <17925.1365514002@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 13:27:05 -0000

>>>>> "sfluhrer" == sfluhrer  <Scott> writes:
    >> I read draft-ietf-ipsecme-dh-checks-01.
    >> I am not competent to understand if this addresses a real problem.
    >> I understood that (1 < r < p-1) is a test that many implementors did not
    >> do.    I think that most implementations generated r from a PRNG.

    sfluhrer> This last statement makes me suspect that you
    sfluhrer> misunderstood what we were doing. 

    sfluhrer> The tests we suggest in this draft are not run on either
    sfluhrer> the secret exponent nor the public value we generate.
    sfluhrer> Instead, it's run on the value r we receive from the
    sfluhrer> peer's KE payload.  How the peer selects that value isn't
    sfluhrer> our problem (we certainly hope the peer selects it in a
    sfluhrer> way such that a third party can't guess its secret
    sfluhrer> exponent; we can't actually test for that); our problem is
    sfluhrer> deciding whether to accept it or not. 

Yes, I think that I understood that these tests are for what we receive,
and then I must have read something that talked about generation... sec...

Aha.... so:

   o  It MUST check both that the peer's public value is in range (1 < r
      < p-1) and that r**q = 1 mod p (where q is the size of the

...
   o  It MUST NOT reuse DH private values (that is, the DH private value
      for each DH exchange MUST be generated from a fresh output of a

So, in section 2.2 we talk both about what we should do with something
received, and also place a mandate about generating.

Perhaps these things belong in seperate sections.
It seems that from the receiver of g^x's point of view, point two
repeats point one, since the receiver is not in a position to know if
the DH private value was reused.

    >> I have not implemented ECDSA, but the instructions seemed well
    >> formatted, but I don't at this point know what they mean.

    sfluhrer> Actually, we're talking about ECDH here, and not ECDSA.

my typo at 11:30pm.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [