Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
Dan Brown <dbrown@certicom.com> Tue, 23 April 2013 18:34 UTC
Return-Path: <prvs=38251c59b3=dbrown@certicom.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A96F21F9623 for <ipsec@ietfa.amsl.com>; Tue, 23 Apr 2013 11:34:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level:
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIT4YZgCDc1e for <ipsec@ietfa.amsl.com>; Tue, 23 Apr 2013 11:34:44 -0700 (PDT)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) by ietfa.amsl.com (Postfix) with ESMTP id 69E6321F9621 for <ipsec@ietf.org>; Tue, 23 Apr 2013 11:34:44 -0700 (PDT)
X-AuditID: 0a41282f-b7f326d000005ad9-1d-5176d438e2d3
Received: from XCT107CNC.rim.net (xct107cnc.rim.net [10.65.161.207]) by mhs060cnc.rim.net (SBG) with SMTP id D7.0F.23257.834D6715; Tue, 23 Apr 2013 13:34:32 -0500 (CDT)
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.2.328.9; Tue, 23 Apr 2013 14:34:32 -0400
Received: from XMB111CNC.rim.net ([fe80::fcd6:cc6c:9e0b:25bc]) by XCT116CNC.rim.net ([::1]) with mapi id 14.02.0328.009; Tue, 23 Apr 2013 14:34:31 -0400
From: Dan Brown <dbrown@certicom.com>
To: 'Johannes Merkle' <johannes.merkle@secunet.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
Thread-Index: AQHOP4oAIiS+sFdG0kqWmTRP6ozCHpjkV3mA///GaUA=
Date: Tue, 23 Apr 2013 18:34:31 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF51437D8@XMB111CNC.rim.net>
References: <20130422184745.13680.44055.idtracker@ietfa.amsl.com> <5176C7B9.50001@secunet.com>
In-Reply-To: <5176C7B9.50001@secunet.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrHKsWRmVeSWpSXmKPExsXC5bjwvK7FlbJAg+MblSz2b3nBZrFsxixG ByaPJUt+Mnlsal3CGsAU1cBok5RYUhacmZ6nb2eTmJeXX5JYkqqQklqcbKvkk5qemKMQUJRZ lphcqeCSWZyck5iZm1qkpJCZYqtkoqRQkJOYnJqbmldiq5RYUJCal6Jkx6WAAWyAyjLzFFLz kvNTMvPSbZU8g/11LSxMLXUNlex0Ezp5MlY1zmYpWKtUcXXeRaYGxnbpLkZODgkBE4kVBzcw QthiEhfurWfrYuTiEBJYxShx48Z3VghnJaPE4WPTWECqhATmMEo8avYDsdkEVCXuHz3HDGKL CERI/Jm7FWySsICLxOsLXYwQcVeJdwca2CFsK4lZL96B1bMA9a78uAoszivgJvF8zkwmiPkJ EsfOngCLcwpoSkw+M5UNxGYUkJXYffY6WA2zgLjErSfzmSCuFpBYsuc8M4QtKvHy8T9WCFtR 4sXkcywQ9XoSN6ZOYYOwtSWWLXzNDLFXUOLkzCdQfylIXLm+j2UCo/gsJCtmIWmfhaR9FpL2 BYwsqxgFczOKDcwMkvOS9Yoyc/XyUks2MYITiIb+Dsa37y0OMQpwMCrx8J7aXxYoxJpYVlyZ e4hRgoNZSYTXejZQiDclsbIqtSg/vqg0J7X4EKMrMIQmMktxJ+cDk1teSbyxgQFujpI474Ve oCEC6cB0lZ2aWpBaBDOHiYMTZA+XlEgxMOmkFiWWlmTEg1JjfDEwOUo1MCqntH2aFR15kE1r SvmmvF8bKtv75Ww8370I8191Oujx+jevtNcunDf1xelK9Wc7e0Ne2Im+yGH1vey7mfOYROud tYs/bN25tvzlp3Xc3ptPHF+3iG31zeJz+27xLy9fMe9siNs/AVbGJbt7D3YHs7xawM1wop2t c9V97eJTvAn/bnsdvaKq5+WoxFKckWioxVxUnAgAjLzUWmEDAAA=
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2013 18:34:46 -0000
Johannes, Good catch. This probably requires a clarification. I would suggest that the existing formats (x,y) of the correct length imply a point in the finite plane, and in particular not the point at infinity. In other words, whatever length-checking that peers currently use probably suffices to check for this condition of not being the point-at-infinity. I disagree that (x,y)=(0,0) should be interpreted as the point-at-infinity. I advise against a separate check for this, and instead to rely on the length-check and the curve equation-check. Elliptic curves exist, e.g. y^2 = x^3 + x, for which (0,0) is a point on the curve, but the point (0,0) would have order two, so would normally be considered invalid (excluded by a cofactor check etc.). In the SEC1 format that you mention, which is similar to the IEEE and ANSI format, the 00 encoding occupies the initial octet position. This first octet acts like a tag, and takes a non-zero value when the point is on the finite plane. It seems that IKE does not use this tag octet. Best regards, Dan > -----Original Message----- > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf > Of Johannes Merkle > Sent: Tuesday, April 23, 2013 1:41 PM > To: ipsec@ietf.org > Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-03.txt > > I hope I am not too late as the document write-up has already been sent > out. > > Section 2.3 specifies: > A receiving peer MUST check > that its peer's public value is valid; that is, it is not the point- > at-infinity, and that the x and y parameters from the peer's public > value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod > p > > How can a peer check this? I am not aware of any encoding rule for the > point-at-infinity in RFC 5903 or RFC 5114. Does > the encoding of SEC1 apply, where the point-at-infinity is encoded to > 0x00? According to RFC 5903 this would be padded > with zeros, so that the decoding algorithm of the receiving peer would > obtain x=0 and y=0. These do certainly not > fulfill the curve equation as the discriminant -16*(4*a^3 + 27*b^2) > must be non-zero. > > So isn't the requirement to check that the value it is not the point- > at-infinity confusing and redundant? > > Johannes > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the IP Security Maintenance and > Extensions Working Group of the IETF. > > > > Title : Additional Diffie-Hellman Tests for IKEv2 > > Author(s) : Yaron Sheffer > > Scott Fluhrer > > Filename : draft-ietf-ipsecme-dh-checks-03.txt > > Pages : 11 > > Date : 2013-04-22 > > > > Abstract: > > This document adds a small number of mandatory tests required for > the > > secure operation of IKEv2 with elliptic curve groups. No change > is > > required to IKE implementations that use modular exponential > groups, > > other than a few rarely used so-called DSA groups. This document > > updates the IKEv2 protocol, RFC 5996. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks > > > > There's also a htmlized version available at: > > http://tools.ietf.org/html/draft-ietf-ipsecme-dh-checks-03 > > > > A diff from the previous version is available at: > > http://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-dh-checks-03 > > > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > > > > -- > > Mit freundlichen Grüßen, > Dr. Johannes Merkle > Principal Beratung, Elektronische Identitäten > Public Sector > secunet Security Networks AG > Mergenthaler Allee 77 > 65760 Eschborn > Germany > Telefon +49 201 54 54-3091 > Telefax +49 201 54 54-1325 > Mobil +49 175 2224439 > johannes.merkle@secunet.com > www.secunet.com > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec --------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- [IPsec] I-D Action: draft-ietf-ipsecme-dh-checks-… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Johannes Merkle
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Dan Brown
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Johannes Merkle
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-dh-che… Yaron Sheffer