Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
"David McGrew (mcgrew)" <mcgrew@cisco.com> Wed, 07 November 2012 14:48 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B1521F8BAD for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 06:48:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.499
X-Spam-Level:
X-Spam-Status: No, score=-110.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BIk6H61r2s6 for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 06:48:02 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 7775421F8BA8 for <ipsec@ietf.org>; Wed, 7 Nov 2012 06:48:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6508; q=dns/txt; s=iport; t=1352299682; x=1353509282; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=m5tkJnoaqj+rLnIg1EcZDYpz/YK2bfT95KJRpiJdOWg=; b=heSb9Ly3HsbAXyGH2kp2X1QMB7Y7zvH2PNzg8jZrgqDYkFPfAGuIlO4W czFqcbEIqQQe3xAwGhMXCPNAwjuO3hHTQxXxeCn464IcpAolbcV5Xq9pL AHIlRlcsgPL4zijRxdaZRt3kubOOqYPMCF30dXl+HoPs5jg/1VmPCrLH4 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EALpzmlCtJXHA/2dsb2JhbABEw2qBCIIgAQQSASc/EgEIIhRCJQIEDgUIGodoC5t6oCyMIYVSYQOSSZILgWuCb4FbIB4
X-IronPort-AV: E=Sophos;i="4.80,730,1344211200"; d="scan'208";a="139795287"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-4.cisco.com with ESMTP; 07 Nov 2012 14:48:01 +0000
Received: from xhc-aln-x07.cisco.com (xhc-aln-x07.cisco.com [173.36.12.81]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id qA7Em1Bc031273 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 7 Nov 2012 14:48:01 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.200]) by xhc-aln-x07.cisco.com ([173.36.12.81]) with mapi id 14.02.0318.001; Wed, 7 Nov 2012 08:48:01 -0600
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Thread-Topic: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
Thread-Index: AQHNu1ps1FUub1JjY0W7Zvt4S+0awJfbrn+AgAL9ZID//9vsAA==
Date: Wed, 07 Nov 2012 14:48:00 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B0F507F6B@xmb-rcd-x04.cisco.com>
In-Reply-To: <509A4C91.4030507@secunet.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.228]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19346.005
x-tm-as-result: No--53.536300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1079147A6AC9F245A04835DF915A41F0@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <Manfred.Lochter@bsi.bund.de>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 14:48:04 -0000
Hi Johannes, On 11/7/12 6:57 AM, "Johannes Merkle" <johannes.merkle@secunet.com> wrote: >Hi David, > >> I strongly encourage you to remove the "Compressed" point format. Doing >> so will minimize the changes between RFC 5903 and make the draft easier >>to >> support, and improve the overall implementation by making it simpler. >> Also, it is not clear that there is any advantage to the "compressed" >> format. It saves at most 64 bytes in total for a complete IKEv2 key >> establishment, and since IKEv2 exchanges typically send a lot more data >> than that, it sounds like a false economy to add complexity in order to >> avoid a little bit of data. > >I do not think that using point compression is complex. Sure, it is not a giant amount of complexity, but is any complexity warranted here? If the compressed format is omitted, then the formats for all five of the EC groups registered in Diffie-Hellman Group Transform IDs, and that of the brainpool curves, would be identical, so that an implementation of the brainpool curves could be handled as "same software operating on different group parameters". That is much preferable to having different group logic for different DH Group IDs. >The rule, how to determine the representation of the KE payload >(by bit length) is very simple and common crypto libraries like OpenSSL >provide EC point expansion functions, so there >is not much an implementation could do wrong. Well, there are some steps that could be done wrong: a receiver-side implementation could fail to check and handle lengths correctly, it could fail to compute the y-coordinate from the x-coordinate correctly, either of which could result in an exploitable vulnerability. This might seem like a minor point, but it is clear that crypto protocols should avoid complexity, especially in how they parse data (this brings to mind an interesting recent presentation on this is <http://www.ists.dartmouth.edu/events/abstract-sassaman-patterson.html>). > >On the other hand, there may be environments where every byte savings >counts. For instance, when using IPsec for >communications between military radio equipment, bandwidth can be very >limited. Another example could be implementation >in embedded environments. For instance, I have talked with major car >manufacturers who are really concerned about >bandwidth limitations on their internal bus in the context of secure >communication between control units. IKE is an >option for such communications. I don't think the byte savings of any protocol option can be justified by considering only the number of bytes that it would eliminate from the communications. What matters is the relative savings, that is, the total number of bytes in the communications with and without that option. How many bytes will IKEv2 take, in an embedded context, say, with and without the compressed format? It should be possible to estimate a minimum based on draft-kivinen-ipsecme-ikev2-minimal-01. Looking at the table of payloads in Section 2, it appears that the total bytes exchanged is going to be considerably larger than that saved by the compressed format. > >Point compression is a quite common technique and supported by relevant >ECC standards, i.e. ANSI X9.62/X9.63, IEEE P1363 >and SEC, but also by many IETF standards like TLS, CMS, PKIX, SSH. IMHO, >IKE should allow this option like TLS does. A minor point: the use of ECC in TLS is not part of the standard, but is an informational extension. More importantly, the TLS ECC RFC allows the negotiation of supported point formats; only uncompressed format is a MUST-implement (see Section 5.1.2 of RFC4492). In contrast, draft-merkle-ikev2-ke-brainpool-00 requires all implementations to support compressed format. There is a clear preference in IETF to avoid having a compressed format as a MUST-implement, so I am concerned that keeping it in the draft will be an inhibitor. One way that you could change the draft to make the compressed format optional is to define a different DH Group ID for each of the existing groups and each of the formats, which would double the number of groups. This might be acceptable to the WG if the number of groups could be kept small. >Actually for IKE, the bandwidth limitations may be more relevant than for >TLS, where point compression is supported as well. > >> >> The paragraph starting "The corresponding twisted curves ..." is a >> distinct and self-contained topic. I suggest putting it into its own >> section. >> >This is a good point, I will do this in the next revision. > >> >> In some places, the draft gives [SEC1] as a normative reference, where >> RFC6090 is also applicable (Sections 4.1 and 6 apply jn Section 2.2 of >> draft-merkle-ikev2-ke-brainpool, for instance). >> > >RFC 6090 does not define a FieldElement-to-OctetString conversion but >only Integer-to-OctetString. In order to use a >reference to RFC 6090, I would have to change the text to >+++ >... by representing the field element as integer in the interval [0,p-1] >and then using the Integer-to-OctetString >conversion method specified in [RFC6090]... >+++ >This makes the whole sentence more difficult to comprehend. On the other >hand, I do not see any advantage in pointing to >RFC 6090 instead to SEC1. I didn't mean to suggest eliminating the reference to SEC1, sorry if I was unclear on that. What I was meant to suggest is text like "The compressed format is equivalent to the compact representation of Section 4.2 of RFC6090, using the conversion between integers and octet strings of Section 6 of the same reference." Let me take a step back here and explain some of my motivations. Here is the big picture as I see it: it is good for IKE to embrace ECC, and it is reasonable thing to have some diversity of ECC parameters, to provide a fallback in case of unanticipated future results in cryptanalysis. So I would like to see the brainpool IKE groups be something that IPsec implementers are comfortable with implementing (and I'm making suggestions that I hope will move the draft in that direction). Additionally, if in the future we do end up having additional ECC parameters that get contributed to IKE, it would be a good thing for the WG to have established a precedent favoring a consistency across ECP groups. Thanks and regards, David > >Johannes >
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- [IPsec] I-D on Using the ECC Brainpool Curves for… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Derek Atkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… David McGrew (mcgrew)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- [IPsec] I-D on Using the ECC Brainpool Curves for… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Dan Harkins
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yoav Nir
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Stephen Kent
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Yaron Sheffer
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Tero Kivinen
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Scott Fluhrer (sfluhrer)
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Johannes Merkle
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Stephen Kent
- Re: [IPsec] I-D on Using the ECC Brainpool Curves… Andrey Jivsov