Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 25 April 2013 12:49 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D19921F8C08 for <ipsec@ietfa.amsl.com>; Thu, 25 Apr 2013 05:49:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.474
X-Spam-Level:
X-Spam-Status: No, score=-102.474 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X-y0Gcp+ggCs for <ipsec@ietfa.amsl.com>; Thu, 25 Apr 2013 05:49:49 -0700 (PDT)
Received: from mail-ea0-x230.google.com (mail-ea0-x230.google.com [IPv6:2a00:1450:4013:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 04F2A21F8523 for <ipsec@ietf.org>; Thu, 25 Apr 2013 05:49:48 -0700 (PDT)
Received: by mail-ea0-f176.google.com with SMTP id h14so1192462eak.7 for <ipsec@ietf.org>; Thu, 25 Apr 2013 05:49:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=fhPl4umj4pRBvllYJ507D32m2L3yrRpQjN3SYb2Ewtk=; b=Pcf2jEfTYSUBFUdYN/5UfzucgAhh2nDdtBhderxC07QONUKqj1Yxv/dDzN9ph7O1E8 Z13BtdwRlotpQFczyQZcVHeWtQ4UWGs30KPSqdCJG/KjXlUsB0GASI87qE/1qZ1n33SY pIxZx1HrYy2ylB6H40L6SzE6CU4dvDcG9tUvO30eJuRlPpjtVKH3OfQp74dzJQeXbIwi JZUtdWoeS1dq2dy+pI34MZPTaorKbCUHbk8EilzabVuZxLlUh+BR2AJ64PamwuQ4wBQ9 dzGKEUvm1YsSXcV/NOXEkyKJCwJQ1m2B5IPK+8CMogFO2EABtqJ/FE/FsY6IFxtkP/55 3Q4w==
X-Received: by 10.14.194.70 with SMTP id l46mr28160702een.28.1366894187953; Thu, 25 Apr 2013 05:49:47 -0700 (PDT)
Received: from [10.0.0.14] (109-186-115-180.bb.netvision.net.il. [109.186.115.180]) by mx.google.com with ESMTPSA id f9sm10182550eeu.11.2013.04.25.05.49.42 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 05:49:47 -0700 (PDT)
Message-ID: <51792663.3030403@gmail.com>
Date: Thu, 25 Apr 2013 15:49:39 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: Johannes Merkle <johannes.merkle@secunet.com>
References: <20130422184745.13680.44055.idtracker@ietfa.amsl.com> <5176C7B9.50001@secunet.com> <810C31990B57ED40B2062BA10D43FBF51437D8@XMB111CNC.rim.net> <51792504.5010800@secunet.com>
In-Reply-To: <51792504.5010800@secunet.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Dan Brown <dbrown@certicom.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 12:49:50 -0000
I agree. I will implement the change when Sean completes his AD review of the draft. Thanks, Yaron On 2013-04-25 15:43, Johannes Merkle wrote: > >> I disagree that (x,y)=(0,0) should be interpreted as the point-at-infinity. I advise against a separate check for this, and instead to rely on the length-check and the curve equation-check. > > I agree. As no encoding is defined for the point-at-infinity in IKEv2, there can be no check for it. > > Section 2.3 should be changed from > A receiving peer MUST check > that its peer's public value is valid; that is, it is not the point- > at-infinity, and that the x and y parameters from the peer's public > value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod p > > to > > A receiving peer MUST check > that its peer's public value is valid; that is, the x and y parameters > from the peer's public value satisfy the curve equation, that is, > y**2 = x**3 + ax + b mod p > > And a note should be added explaining, why a check for the point-at-infinity, as suggested by other standards, is not > applicable for IKE. > > Johannes > >> >>> -----Original Message----- >>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf >>> Of Johannes Merkle >>> Sent: Tuesday, April 23, 2013 1:41 PM >>> To: ipsec@ietf.org >>> Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt >>> >>> I hope I am not too late as the document write-up has already been sent >>> out. >>> >>> Section 2.3 specifies: >>> A receiving peer MUST check >>> that its peer's public value is valid; that is, it is not the point- >>> at-infinity, and that the x and y parameters from the peer's public >>> value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod >>> p >>> >>> How can a peer check this? I am not aware of any encoding rule for the >>> point-at-infinity in RFC 5903 or RFC 5114. Does >>> the encoding of SEC1 apply, where the point-at-infinity is encoded to >>> 0x00? According to RFC 5903 this would be padded >>> with zeros, so that the decoding algorithm of the receiving peer would >>> obtain x=0 and y=0. These do certainly not >>> fulfill the curve equation as the discriminant -16*(4*a^3 + 27*b^2) >>> must be non-zero. >>> >>> So isn't the requirement to check that the value it is not the point- >>> at-infinity confusing and redundant? >>> >>> Johannes >>> >>> >>>> A New Internet-Draft is available from the on-line Internet-Drafts >>> directories. >>>> This draft is a work item of the IP Security Maintenance and >>> Extensions Working Group of the IETF. >>>> >>>> Title : Additional Diffie-Hellman Tests for IKEv2 >>>> Author(s) : Yaron Sheffer >>>> Scott Fluhrer >>>> Filename : draft-ietf-ipsecme-dh-checks-03.txt >>>> Pages : 11 >>>> Date : 2013-04-22 >>>> >>>> Abstract: >>>> This document adds a small number of mandatory tests required for >>> the >>>> secure operation of IKEv2 with elliptic curve groups. No change >>> is >>>> required to IKE implementations that use modular exponential >>> groups, >>>> other than a few rarely used so-called DSA groups. This document >>>> updates the IKEv2 protocol, RFC 5996. >>>> >>>> >>>> The IETF datatracker status page for this draft is: >>>> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks >>>> >>>> There's also a htmlized version available at: >>>> http://tools.ietf.org/html/draft-ietf-ipsecme-dh-checks-03 >>>> >>>> A diff from the previous version is available at: >>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-dh-checks-03 >>>> >>>> >>>> Internet-Drafts are also available by anonymous FTP at: >>>> ftp://ftp.ietf.org/internet-drafts/ >>>> >>>> _______________________________________________ >>>> IPsec mailing list >>>> IPsec@ietf.org >>>> https://www.ietf.org/mailman/listinfo/ipsec >>>> >>> >> > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Johannes Merkle
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Dan Brown
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Johannes Merkle
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Yaron Sheffer