IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 01 December 2012 10:32 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FD8A21F85D1 for <ipsec@ietfa.amsl.com>; Sat, 1 Dec 2012 02:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d4WG0ul-EQiM for <ipsec@ietfa.amsl.com>; Sat, 1 Dec 2012 02:32:05 -0800 (PST)
Received: from mail-ea0-f172.google.com (mail-ea0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id F1F8921F855E for <ipsec@ietf.org>; Sat, 1 Dec 2012 02:32:04 -0800 (PST)
Received: by mail-ea0-f172.google.com with SMTP id a1so579687eaa.31 for <ipsec@ietf.org>; Sat, 01 Dec 2012 02:32:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=13GhM+hF8k6sL0xAwQDDCR8EcCe6ffX2DVu+oqo43Ac=; b=FEhutxeNslgsC90Pn+ev8QL8esHPeir//6UoeLVczH5oXpU/LFb+CS+AXKw7TOYNwl 3bX4EZCPupAQPniyX2rSrcHnamid04h3w58myiX6nLy117fL+qmUPsWY5fjNk4cmL0Wg +IPEeBxTIcmzUwAiJfpkp9kEvaYeZRN6gCY/zbtWmsyf0f9xetOmX/0ZAJG5qOoIM2Oz YPLYr5Mbk3x+n/1IxC2nNwV1xtWGjEKTl4EB9ZdbEVAYI3+N0QCbOmrgVYuKOCd10o2o U6bChed1KzdhZC/NV5gmklBgo41VyuXTaaM2TozMlFqHBlnlKVkQI+d/Hybv1AtBX+Fp fdzg==
Received: by 10.14.209.193 with SMTP id s41mr14893156eeo.9.1354357924192; Sat, 01 Dec 2012 02:32:04 -0800 (PST)
Received: from [10.0.0.3] (bzq-79-183-164-29.red.bezeqint.net. [79.183.164.29]) by mx.google.com with ESMTPS id f49sm16446702eep.12.2012.12.01.02.31.51 (version=SSLv3 cipher=OTHER); Sat, 01 Dec 2012 02:32:03 -0800 (PST)
Message-ID: <50B9DC95.80202@gmail.com>
Date: Sat, 01 Dec 2012 12:31:49 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
References: <50B8A287.9090509@secunet.com> <074557eff2f722f10198aac4fb2f8d9c.squirrel@www.trepanning.net> <4613980CFC78314ABFD7F85CC30277210EDCE571@IL-EX10.ad.checkpoint.com> <A113ACFD9DF8B04F96395BDEACB340421C9045@xmb-rcd-x04.cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340421C9045@xmb-rcd-x04.cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Johannes Merkle <johannes.merkle@secunet.com>, Manfred Lochter <manfred.lochter@bsi.bund.de>, Yoav Nir <ynir@checkpoint.com>, Dan Harkins <dharkins@lounge.org>, IPsecme WG <ipsec@ietf.org>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>, "Sean P. Turner" <turners@ieca.com>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Dec 2012 10:32:06 -0000

Actually, I think we have it wrong. There is no reason for a *valid* 
peer to send an incorrect KE. And IKEv2 already protects against a MITM 
doing such a thing. As we all know, the protocol assumes that messages 
#3 and #4 can be observed by an attacker, and protects against 
malicious changes to any of the 4 messages, including the KE value.

In other words, I would say this is a QA-level test that MAY be 
performed by the sender. Not one that MUST be performed by the recipient.

By the way, there are related protocols that need this test for their 
security and do include it: SPSK, and my own RFC 6631 (IKEv2 with PACE). 
See e.g. https://tools.ietf.org/html/rfc6631#section-3.4.

Thanks,
	Yaron


On 12/01/2012 12:00 AM, Scott Fluhrer (sfluhrer) wrote:
> With ECDH, there are two separate EC points that are output by the algorithm:
>
> - There's the public value xG (where x is our secret); this is passed in the KE payload
> - There's the shared secret value xyG (where x is our shared secret, and y is the peer's secret); this is used in the key derivation function.
>
> What RFC5903 says is:
> - The public value xG will be expressed as explicit x, y coordinates.
> - The shared secret value xyG (that is, the value we give to the sk generation function) will be only the x coordinate; the y coordinate will not be used.
>
> Yes, this implies that doing point compression on the shared secret value doesn't make much sense (as point compression discards all but one bit of y -- the format that RFC5903 chooses already discards all the bits of y).  However, the argument about point compression was never about the shared secret value; instead, it was about the repesentation that appeared in the KE payload (that is, the one that is specified to have both the x and y coordinates).
>
> As for Dan's question, it was about whether we should validate the public value we get from the peer, well, the public value does have explicit x and y coordinates, and so it makes sense to check them.
>
>
> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
> Sent: Friday, November 30, 2012 4:39 PM
> To: Johannes Merkle
> Cc: IPsecme WG; Manfred Lochter; Sean P. Turner; Dan Harkins; rfc-ise@rfc-editor.org
> Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
>
> Hi Johannes,
>
> Dan't question made me realise something I hadn't noticed before.
>
> In section 2.3, the draft says:
>     For the encoding of the key exchange payload and the derivation of
>     the shared secret, the methods specified in [RFC5903] are adopted.
>
>     In an ECP key exchange in IKEv2, the Diffie-Hellman public value
>     passed in a KE payload consists of two components, x and y,
>
> However, according to RFC 5903:
>        The Diffie-Hellman shared secret value consists of the x value of
>        the Diffie-Hellman common value.
>
> In fact RFC 5903 replaced 4753 just to say that the encoding consists only of x, not both x and y.
>
> This also relates to Dan't question. If the y value is missing, what is there to verify?
>
> Yoav
>
> On Nov 30, 2012, at 7:57 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>   Hi Johannes,
>>
>> On Fri, November 30, 2012 4:11 am, Johannes Merkle wrote:
>>> We have submitted a new revision of the Internet Draft on Using the
>>> ECC Brainpool Curves (defined in RFC 5639) for IKEv2 Key Exchange
>>> https://datatracker.ietf.org/doc/draft-merkle-ikev2-ke-brainpool/
>>>
>>> Since there was considerable objection to the point compression
>>> method in the WG, we have removed this option altogether and define
>>> only the uncompressed KE payload format, which is in full accordance
>>> with RFC 5903.
>>>
>>>
>>> Any feedback is welcome.
>>
>>   I see that there is a requirement that an implementation MUST verify
>> that the D-H common value is not the point-at-infinity. Do you think
>> there should also be a requirement that an implementation MUST verify
>> that the x- and y-coordinates received from a peer satisfy the
>> equation of the negotiated curve (and abort the exchange if not)?
>>
>>   regards,
>>
>>   Dan.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email