IETF Logo Mail Archive

Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)

Tero Kivinen <kivinen@iki.fi> Mon, 21 December 2009 12:01 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E251528C0E9 for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 04:01:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZjwG+bjrwkl for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 04:01:28 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id B5F3128C0E0 for <ipsec@ietf.org>; Mon, 21 Dec 2009 04:01:27 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nBLC15Jl026894 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Dec 2009 14:01:05 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nBLC14Rt001355; Mon, 21 Dec 2009 14:01:04 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19247.25472.791900.940291@fireball.kivinen.iki.fi>
Date: Mon, 21 Dec 2009 14:01:04 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Scott C Moonen <smoonen@us.ibm.com>
In-Reply-To: <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com>
References: <19243.32427.247190.77844@fireball.kivinen.iki.fi> <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 16 min
X-Total-Time: 21 min
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 12:01:29 -0000

Scott C Moonen writes:
> Tero, what you propose seems the right way to go in principle, but I 
> suspect we are solving a problem that doesn't exist.  Is there any crypto 
> library or device that exposes the y coordinate for use in the ECDH 
> secret?  It seems pretty well established that the x coordinate serves as 
> the ECDH secret.  Moreover, since the y coordinate provides only one more 
> bit of independent information, it's actually misleading to use it.

At least in our crypto library it would be possible to get both of
them out if we wanted. I checked our implementation and currently it
seems to return only x, but that was changed July 2009 after this
dicussion started on the list. Before that the code was modified in
2007 to follow RFC4753, and the original code was written in 2001.

This means that all our implementations we have released between
2007-2009 are using the orignal RFC4753 version, thus nobody will be
interoperable with those.

> I seriously doubt there is any implementation that does not implement the 
> intent of the erratum, if only because there are immense practical 
> barriers to implementing the RFC as written.  Given that, I think the 
> practical result of what you propose will actually be more confusion and a 
> longer period of time before all implementations (as well as all 
> standards/profiles) are able to re-stabilize to the new ECDH landscape. 
> The practical cost of making this change is greater than the practical 
> benefit it buys.

There are as all our QuickSec implementations with versions 4.4 - 5.0
do include the original RFC 4753 code, and only the latest QuickSec
5.1 was modified to include errata.

(I just now noticed this myself).

Note, that none of our customers have complained to us that we are not
compatible with other vendor's product using groups 19-21, so that
either means nobody uses those groups, or some of those other vendors
have also implemented RFC4753 without errata... 

> On the other hand, if there is such an implementation, then we probably do 
> need to do something like what you propose.

As we need to do something on those versions anyway, I rather make
patch that will fix them to follow the new RFC, and also change the
group numbers to match new group numbers for those old versions, as
then customers using those versions will not break their own
interoperability with old versions (it is ok, if they decide to select
some other Diffie-Hellman group as old versions do not support new
numbers, but it is not ok for the implementations to get MAC failures
when trying to use those groups). 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email