[IPsec] [Errata Rejected] RFC8031 (6339)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 28 July 2023 17:54 UTC
To: christian.tschudin@unibas.ch, ynir.ietf@gmail.com, simon@josefsson.org
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: paul.wouters@aiven.io, iesg@ietf.org, ipsec@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20230728175424.9F5F3AEA0@rfcpa.amsl.com>
Date: Fri, 28 Jul 2023 10:54:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IpfHrBaAxTlMR0iKTY_xSA-sEFk>
Subject: [IPsec] [Errata Rejected] RFC8031 (6339)
The following errata report has been rejected for RFC8031,
"Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6339

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Christian Tschudin <christian.tschudin@unibas.ch>
Date Reported: 2020-11-17
Rejected by: Paul Wouters (IESG)

Section: Appendix A

Original Text
-------------
   The public keys are generated from this using the formula in
   Section 2:

   pub_i = X25519(d_i, G) =
       48 d5 dd d4 06 12 57 ba 16 6f a3 f9 bb db 74 f1
       a4 e8 1c 08 93 84 fa 77 f7 90 70 9f 0d fb c7 66

   pub_r = X25519(d_r, G) =
       0b e7 c1 f5 aa d8 7d 7e 44 86 62 67 32 98 a4 43
       47 8b 85 97 45 17 9e af 56 4c 79 c0 ef 6e ee 25

   And this is the value of the Key Exchange Data field in the Key
   Exchange payload described in Section 3.1.

   The shared value is calculated as in Section 2:

   SHARED_SECRET = X25519(d_i, pub_r) = X25519(d_r, pub_i) =
       c7 49 50 60 7a 12 32 7f-32 04 d9 4b 68 25 bf b0
       68 b7 f8 31 9a 9e 37 08-ed 3d 43 ce 81 30 c9 50

Corrected Text
--------------
   The public keys are generated from this using the formula in
   Section 2:

   pub_i = X25519(d_i, G) =
       a7 07 b3 bc 0f 37 56 fc 0a cf 33 55 85 c5 f7 7b
       9f 29 ff a4 24 70 14 af 84 70 5b eb 50 46 26 29

   pub_r = X25519(d_r, G) =
       0e 57 7e 11 5d 6c 08 59 b8 51 36 d2 1b 1c fd 74
       67 9f 91 14 61 1d 79 c6 81 ba d0 8a 7e 1f 0a 04

   And this is the value of the Key Exchange Data field in the Key
   Exchange payload described in Section 3.1.

   The shared value is calculated as in Section 2:

   SHARED_SECRET = X25519(d_i, pub_r) = X25519(d_r, pub_i) =
       d6 8d 8c ea fd 2c d3 ce 25 34 43 33 c8 9e 35 54
       9e 0f c6 1a 98 87 39 34 b1 8a 18 70 f0 3a 17 0c

Notes
-----
The test vector values given both for the public keys and for the shared
secret are wrong. It turns out that they were derived from the unchanged
random input, instead of d_X.

An explanation could be that a first text version did not include the
fixing of the random bits and that after inserting the respective
paragraph (introducing fixed_X and d_X), it was forgotten to update pub_X
and SHARED_SECRET.

Paul Wouters: endian issue mentioned in notes split into separate errata

--VERIFIER NOTES--
Paul Wouters (AD): As per Tobias Brunner:

The original test vector works for us (verified with multiple X25519
implementations).

I think most of the confusion comes from the different formatting of the
values when compared to the test vectors in RFC 7749 (in particular
d_i/r). In the latter, the values are given as long hex strings. It
states:

   "The inputs are generally given as 64 or 112 hexadecimal digits that
   need to be decoded as 32 or 56 binary bytes before processing."

So these values are byte strings, i.e. each two hex digits simply
represent a byte. For the random_i/r, pub_i/r and SHARED_SECRET values in
RFC 8031 this has been made a bit clearer by separating the individual
bytes.

But then there are the d_i and d_r values. These are given as long hex
strings, however, unlike those in RFC 7749, they are not byte strings but
actually the numbers in base 16 after decoding the binary values
fixed_i/r as little-endian. Note that RFC 7749 also gives the decoded
numeric values of some of the inputs, but does so in base 10 thus avoiding
this confusion.

So in RFC 8031 it would have been clearer if these values were either
prefixed with 0x:

   d_i = 0x549D5F4A460900E6D9F63F53586AD1DD8CEAF925739B78B676B4558630B41F70
   d_r = 0x4856A039B8F178E9A1550722DCEF01559ECDBA30E0D0ADDD600D295352645408

or also given in base 10:

   d_i = 38272331938479145686941743521879072306324697418955568337792079861743202082672
   d_r = 32719579781175365148694953981896303820370069993938279311538545124444601603080

--------------------------------------
RFC8031 (draft-ietf-ipsecme-safecurves-05)
--------------------------------------
Title               : Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement
Publication Date    : December 2016
Author(s)           : Y. Nir, S. Josefsson
Category            : PROPOSED STANDARD
Source              : IP Security Maintenance and Extensions
Area                : Security
Stream              : IETF
Verifying Party     : IESG
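The verifier note turns on one detail: d_i and d_r in RFC 8031 Appendix A are base-16 numbers (the little-endian decoding of the clamped fixed_i/fixed_r), not byte strings in the order written. The script below is an added worked example, not part of the erratum, the verifier's note or the RFC; it implements X25519 straight from the RFC 7748 Montgomery ladder (so it needs no library), checks the ladder against the RFC 7748 section 6.1 key pair, and then reproduces the Appendix A pub_i, pub_r and SHARED_SECRET quoted in the "Original Text" above from d_i/d_r under the number reading, while showing that the byte-string reading does not reproduce them. The function and constant names are this example's own. The ladder uses a data-dependent swap and Python big integers, so it is not constant time and is only for verifying published vectors, never for production key agreement.

```python
"""Check the RFC 8031 Appendix A X25519 vectors under both readings of d_i/d_r.

Added example; not code from the RFC, the erratum or the verifier note.
X25519 is implemented from the RFC 7748 ladder for self-containment. It is
NOT constant time (branch on secret bit, Python big ints): test vectors only.
"""

P = 2**255 - 19                         # field prime of Curve25519
A24 = 121665                            # (A - 2) / 4 with A = 486662
BASE_POINT = (9).to_bytes(32, "little")  # u = 9, the generator G of RFC 7748


def decode_scalar(k: bytes) -> int:
    """RFC 7748 decodeScalar25519: clamp the 32 bytes, read little-endian."""
    k = bytearray(k[:32])
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 decodeUCoordinate: mask the top bit, read little-endian."""
    u = bytearray(u[:32])
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(k, u) per RFC 7748 section 5 (255-bit Montgomery ladder)."""
    kk = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:                          # conditional swap (not constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def scalar_from_rfc8031_hex(d_hex: str) -> bytes:
    """Number reading (the one the verifier note describes): d_X is a base-16
    integer, so re-encode it as 32 little-endian bytes before X25519."""
    return int(d_hex, 16).to_bytes(32, "little")


def scalar_as_byte_string(d_hex: str) -> bytes:
    """Byte-string reading (the RFC 7748 convention): hex pairs in written order."""
    return bytes.fromhex(d_hex)


# Values quoted from RFC 8031 Appendix A as given in the erratum's Original Text.
D_I_HEX = "549D5F4A460900E6D9F63F53586AD1DD8CEAF925739B78B676B4558630B41F70"
D_R_HEX = "4856A039B8F178E9A1550722DCEF01559ECDBA30E0D0ADDD600D295352645408"
PUB_I = bytes.fromhex("48d5ddd4061257ba166fa3f9bbdb74f1a4e81c089384fa77f790709f0dfbc766")
PUB_R = bytes.fromhex("0be7c1f5aad87d7e448662673298a443478b859745179eaf564c79c0ef6eee25")
SHARED = bytes.fromhex("c74950607a12327f3204d94b6825bfb068b7f8319a9e3708ed3d43ce8130c950")


def check_rfc7748_vector() -> bool:
    """Self-test of the ladder: Alice's key pair from RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    k_a = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    return x25519(a, BASE_POINT) == k_a


def check_rfc8031_vectors() -> dict:
    """Report which reading of d_i/d_r reproduces the published Appendix A values."""
    d_i = scalar_from_rfc8031_hex(D_I_HEX)
    d_r = scalar_from_rfc8031_hex(D_R_HEX)
    number_ok = (x25519(d_i, BASE_POINT) == PUB_I
                 and x25519(d_r, BASE_POINT) == PUB_R
                 and x25519(d_i, PUB_R) == SHARED
                 and x25519(d_r, PUB_I) == SHARED)
    return {
        "number_reading_matches": number_ok,
        # A clamped little-endian scalar re-encodes to itself under decode_scalar.
        "d_i_already_clamped": decode_scalar(d_i) == int(D_I_HEX, 16),
        "byte_string_reading_matches":
            x25519(scalar_as_byte_string(D_I_HEX), BASE_POINT) == PUB_I,
    }


if __name__ == "__main__":
    print("RFC 7748 ladder self-test:", check_rfc7748_vector())
    print(check_rfc8031_vectors())
```

Running it shows the number reading reproducing all four published values and the byte-string reading failing on pub_i, which is the verifier's point: the vectors are correct, and only the notation for d_i/d_r invites misreading. The `d_i_already_clamped` check is the quick sanity test a reader can do by eye: under the number reading the low byte 0x70 has its three low bits clear and the high byte 0x54 has bit 255 clear and bit 254 set, exactly the RFC 7748 clamping pattern.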