Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
Scott C Moonen <smoonen@us.ibm.com> Fri, 18 December 2009 13:38 UTC
Return-Path: <smoonen@us.ibm.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AF3833A68B1; Fri, 18 Dec 2009 05:38:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.874
X-Spam-Level:
X-Spam-Status: No, score=-3.874 tagged_above=-999 required=5 tests=[AWL=-1.276, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3u5OzjSs8Gk; Fri, 18 Dec 2009 05:38:06 -0800 (PST)
Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by core3.amsl.com (Postfix) with ESMTP id DCA293A6783; Fri, 18 Dec 2009 05:38:05 -0800 (PST)
Received: from d03relay04.boulder.ibm.com (d03relay04.boulder.ibm.com [9.17.195.106]) by e37.co.us.ibm.com (8.14.3/8.13.1) with ESMTP id nBIDaQgp005478; Fri, 18 Dec 2009 06:36:26 -0700
Received: from d03av06.boulder.ibm.com (d03av06.boulder.ibm.com [9.17.195.245]) by d03relay04.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nBIDbQnA153652; Fri, 18 Dec 2009 06:37:27 -0700
Received: from d03av06.boulder.ibm.com (loopback [127.0.0.1]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nBIDdIg9007920; Fri, 18 Dec 2009 06:39:19 -0700
Received: from d03nm118.boulder.ibm.com (d03nm118.boulder.ibm.com [9.17.195.144]) by d03av06.boulder.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nBIDdIRR007916; Fri, 18 Dec 2009 06:39:18 -0700
In-Reply-To: <19243.32427.247190.77844@fireball.kivinen.iki.fi>
References: <19243.32427.247190.77844@fireball.kivinen.iki.fi>
To: Tero Kivinen <kivinen@iki.fi>
MIME-Version: 1.0
X-KeepSent: 1FD3CDFB:F4E96F12-85257690:004924DB; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.0.2 HF623 January 16, 2009
From: Scott C Moonen <smoonen@us.ibm.com>
X-MIMETrack: S/MIME Sign by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 12/18/2009 08:36:52 AM, Serialize by Notes Client on Scott C Moonen/Raleigh/IBM(Release 8.0.2 HF623|January 16, 2009) at 12/18/2009 08:36:52 AM, Serialize complete at 12/18/2009 08:36:52 AM, S/MIME Sign failed at 12/18/2009 08:36:52 AM: The cryptographic key was not found, Serialize by Router on D03NM118/03/M/IBM(Release 8.5.1HF41 | October 22, 2009) at 12/18/2009 06:37:25, Serialize complete at 12/18/2009 06:37:25
Message-ID: <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com>
Date: Fri, 18 Dec 2009 08:37:25 -0500
Content-Type: multipart/alternative; boundary="=_alternative 004AC97E85257690_="
Cc: ipsec@ietf.org, ipsec-bounces@ietf.org
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 13:38:07 -0000
Tero, what you propose seems the right way to go in principle, but I suspect we are solving a problem that doesn't exist. Is there any crypto library or device that exposes the y coordinate for use in the ECDH secret? It seems pretty well established that the x coordinate serves as the ECDH secret. Moreover, since the y coordinate provides only one more bit of independent information, it's actually misleading to use it. I seriously doubt there is any implementation that does not implement the intent of the erratum, if only because there are immense practical barriers to implementing the RFC as written. Given that, I think the practical result of what you propose will actually be more confusion and a longer period of time before all implementations (as well as all standards/profiles) are able to re-stabilize to the new ECDH landscape. The practical cost of making this change is greater than the practical benefit it buys. On the other hand, if there is such an implementation, then we probably do need to do something like what you propose. Scott Moonen (smoonen@us.ibm.com) z/OS Communications Server TCP/IP Development http://www.linkedin.com/in/smoonen From: Tero Kivinen <kivinen@iki.fi> To: ipsec@ietf.org Date: 12/18/2009 08:08 AM Subject: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01) I got just request to review modifications to IKEv2 IANA because of the draft-solinas-rfc4753bis-01.txt. We had this discussion a while back on the IPsec list where we noted that having errata which makes non-interoperable change to the RFC is not really ok, and we requested the authors to submit new document. Errata: http://www.rfc-editor.org/errata_search.php?rfc=4753&rec_status=15&presentation=records Email thread: http://www.ietf.org/mail-archive/web/ipsec/current/msg04529.html At that point Paul summarized things very nicely: My view is that the errata is technically wrong and should be withdrawn because it changes something that is disagreed to by test vectors in the document itself. If the authors of RFC 4753 want the format to be just the x coordinate, they should prepare a revision to RFC 4753 that obsoletes it and has correct text and test vectors. Now when this came to me when IANA asked me to do Expert review to the IANA allocations, I noticed that it would be very bad if we reused the old numbers 19, 20, 21 as that would mean nobody knows which version of the RFC (old RFC without errata, or RFC4753 with errata == new RFC) is really used. As the Diffie-Hellman groups are negotiated and the registry is 16 bits, we do not need to try to save the numbers, I think it would be bad idea to reuse the existing values with different meaning. Because of this I answered that the new groups with new meanings would need to get new numbers. When I started investigating problem bit more I found out that RFC5114 which defines 2 new ECP groups (in addition of repeating the 3 ECP groups from RFC4753) says: ---------------------------------------------------------------------- 3.2. IKE Use of MODP Diffie-Hellman groups with IKEv2 is defined in [RFC4306], and the use of MODP groups with IKEv1 is defined in [RFC2409]. However, in the case of ECP Diffie-Hellman groups, the format of key exchange payloads and the derivation of a shared secret has thus far been specified on a group-by-group basis. For the ECP Diffie-Hellman groups defined in this document, the key exchange payload format and shared key derivation procedure specified in [RFC4753] MUST be used (with both IKEv2 and IKEv1). ---------------------------------------------------------------------- Now if we obsolete RFC4753, does that mean that this reference will also change, so which format is used for these groups 25 and 26 define in RFC5114? Do we need a new numbers for those groups also so it will be clear which version they use. Then there is also the RFC4869 which defines UI suites. That refers Diffie-Hellman groups as "256-bit random ECP group [RFC4753]". Which format of group those uses. When we now change RFC4753 does that mean that old implementations using RFC4869 UI suites using original RFC4753 groups is not compatible with newer RFC4869 version or what? I think the best way forward is to allocate new numbers for all RFC4753 derived groups (19, 20, 21, 25, 26) and create new UI suites using those new group numbers. This will create one time update where everybody needs to change their code by changing number 19 to n and 20 to n+1 and so on, and at the same time verify that the secret they use is only the x-coordinate. This change is small and can be done very quickly, but after that we do not need to think whether we can interoperate with someone using ECP group n, as we know it must be using new secret format. If someone uses old groups 19, 20, 21, 25, or 26 then you can make your guess whether they also implemented errata or not, and act based on that. Good thing is that as Diffie-Hellman groups are negotiated in IKEv2 it is easy to offer both 19 and new group n if backward compatibility with old versions is needed (provided you also know whether the group 19 on the other end uses errata or not). -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Yaron Sheffer
- [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess … Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Scott C Moonen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Paul Hoffman
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Yoav Nir
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Yaron Sheffer
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Black_David
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Bill Sommerfeld
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Black_David
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Yoav Nir
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Jerome A. Solinas
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Dan Harkins
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Tero Kivinen
- Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve m… Jerome A. Solinas