IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Johannes Merkle <johannes.merkle@secunet.com> Wed, 07 November 2012 11:57 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFEB021F8900 for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 03:57:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cpbfb362t7w8 for <ipsec@ietfa.amsl.com>; Wed, 7 Nov 2012 03:57:18 -0800 (PST)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id D4CB621F88D1 for <ipsec@ietf.org>; Wed, 7 Nov 2012 03:57:17 -0800 (PST)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 29B631A0083; Wed, 7 Nov 2012 12:57:15 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id 8A65E1A007B; Wed, 7 Nov 2012 12:57:06 +0100 (CET)
Received: from [10.208.1.73] ([10.208.1.73]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Wed, 7 Nov 2012 12:57:05 +0100
Message-ID: <509A4C91.4030507@secunet.com>
Date: Wed, 07 Nov 2012 12:57:05 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F507509@xmb-rcd-x04.cisco.com>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B0F507509@xmb-rcd-x04.cisco.com>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 07 Nov 2012 11:57:05.0907 (UTC) FILETIME=[01E42430:01CDBCDF]
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <Manfred.Lochter@bsi.bund.de>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 11:57:18 -0000

Hi David,

> I strongly encourage you to remove the "Compressed" point format.  Doing
> so will minimize the changes between RFC 5903 and make the draft easier to
> support, and improve the overall implementation by making it simpler.
> Also, it is not clear that there is any advantage to the "compressed"
> format.   It saves at most 64 bytes in total for a complete IKEv2 key
> establishment, and since IKEv2 exchanges typically send a lot more data
> than that, it sounds like a false economy to add complexity in order to
> avoid a little bit of data.

I do not think that using point compression is complex. The rule, how to determine the representation of the KE payload
(by bit length) is very simple and common crypto libraries like OpenSSL provide EC point expansion functions, so there
is not much an implementation could do wrong.

On the other hand, there may be environments where every byte savings counts. For instance, when using IPsec for
communications between military radio equipment, bandwidth can be very limited. Another example could be implementation
in embedded environments. For instance, I have talked with major car manufacturers who are really concerned about
bandwidth limitations on their internal bus in the context of secure communication between control units. IKE is an
option for such communications.

Point compression is a quite common technique and supported by relevant ECC standards, i.e. ANSI X9.62/X9.63, IEEE P1363
and SEC, but also by many IETF standards like TLS, CMS, PKIX, SSH. IMHO, IKE should allow this option like TLS does.
Actually for IKE, the bandwidth limitations may be more relevant than for TLS, where point compression is supported as well.

> 
> The paragraph starting "The corresponding twisted curves ..." is a
> distinct and self-contained topic.  I suggest putting it into its own
> section.  
> 
This is a good point, I will do this in the next revision.

> 
> In some places, the draft gives [SEC1] as a normative reference, where
> RFC6090 is also applicable (Sections 4.1 and 6 apply jn Section 2.2 of
> draft-merkle-ikev2-ke-brainpool, for instance).
> 

RFC 6090 does not define a FieldElement-to-OctetString conversion but only Integer-to-OctetString. In order to use a
reference to RFC 6090, I would have to change the text to
+++
... by representing the field element as integer in the interval [0,p-1] and then using the Integer-to-OctetString
conversion method specified in [RFC6090]...
+++
This makes the whole sentence more difficult to comprehend. On the other hand, I do not see any advantage in pointing to
RFC 6090 instead to SEC1.

Johannes

v2.23.0 | Report a Bug | By Email