IETF Logo Mail Archive

Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 30 November 2012 22:00 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8031221F8589 for <ipsec@ietfa.amsl.com>; Fri, 30 Nov 2012 14:00:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3eH5ih5ACC0 for <ipsec@ietfa.amsl.com>; Fri, 30 Nov 2012 14:00:56 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 5261821F85C3 for <ipsec@ietf.org>; Fri, 30 Nov 2012 14:00:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3593; q=dns/txt; s=iport; t=1354312856; x=1355522456; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=SBqj+B1L0xBTxXvc1e2Vw88fExvxTHl9ywTyhEotcvc=; b=NICtc1Dc5+BkykhQKtBuXj00jSMG9H6m8yVYK9t+e2qS5Pf+uBdY/54o fLRzuUNvh0o5u8KG7R6vnEQAuVSBCcH1TOHe9mdW2NEwKmclyszhRLZmu xRlC0fbTeGZe5FgJ7hCa6Xrwgc1v+Jzzhqx7k4DGrzBVJiPJexx28hvlw s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAG4ruVCtJV2b/2dsb2JhbABEwAIWc4IeAQEBAwEBAQE3NAsMBAIBCA4DBAEBAQoUCQcnCxQJCAIEAQ0FCIgCBgy/UgSMQINgYQOmRIJygWUkGA
X-IronPort-AV: E=McAfee;i="5400,1158,6912"; a="145137851"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-9.cisco.com with ESMTP; 30 Nov 2012 22:00:55 +0000
Received: from xhc-aln-x10.cisco.com (xhc-aln-x10.cisco.com [173.36.12.84]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id qAUM0tHK006846 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 30 Nov 2012 22:00:55 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.203]) by xhc-aln-x10.cisco.com ([173.36.12.84]) with mapi id 14.02.0318.001; Fri, 30 Nov 2012 16:00:55 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>, Johannes Merkle <johannes.merkle@secunet.com>
Thread-Topic: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
Thread-Index: AQHNzvPr3RuFFj57U0u04fPTF6DjPpgDDvyAgAA98gD//55asA==
Date: Fri, 30 Nov 2012 22:00:55 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB340421C9045@xmb-rcd-x04.cisco.com>
References: <50B8A287.9090509@secunet.com> <074557eff2f722f10198aac4fb2f8d9c.squirrel@www.trepanning.net> <4613980CFC78314ABFD7F85CC30277210EDCE571@IL-EX10.ad.checkpoint.com>
In-Reply-To: <4613980CFC78314ABFD7F85CC30277210EDCE571@IL-EX10.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.32.244.86]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IPsecme WG <ipsec@ietf.org>, Manfred Lochter <manfred.lochter@bsi.bund.de>, "Sean P. Turner" <turners@ieca.com>, Dan Harkins <dharkins@lounge.org>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2012 22:00:57 -0000

With ECDH, there are two separate EC points that are output by the algorithm:

- There's the public value xG (where x is our secret); this is passed in the KE payload
- There's the shared secret value xyG (where x is our shared secret, and y is the peer's secret); this is used in the key derivation function.

What RFC5903 says is:
- The public value xG will be expressed as explicit x, y coordinates.
- The shared secret value xyG (that is, the value we give to the sk generation function) will be only the x coordinate; the y coordinate will not be used.

Yes, this implies that doing point compression on the shared secret value doesn't make much sense (as point compression discards all but one bit of y -- the format that RFC5903 chooses already discards all the bits of y).  However, the argument about point compression was never about the shared secret value; instead, it was about the repesentation that appeared in the KE payload (that is, the one that is specified to have both the x and y coordinates).

As for Dan's question, it was about whether we should validate the public value we get from the peer, well, the public value does have explicit x and y coordinates, and so it makes sense to check them.


-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Friday, November 30, 2012 4:39 PM
To: Johannes Merkle
Cc: IPsecme WG; Manfred Lochter; Sean P. Turner; Dan Harkins; rfc-ise@rfc-editor.org
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Hi Johannes,

Dan't question made me realise something I hadn't noticed before. 

In section 2.3, the draft says:
   For the encoding of the key exchange payload and the derivation of
   the shared secret, the methods specified in [RFC5903] are adopted.

   In an ECP key exchange in IKEv2, the Diffie-Hellman public value
   passed in a KE payload consists of two components, x and y,

However, according to RFC 5903:
      The Diffie-Hellman shared secret value consists of the x value of
      the Diffie-Hellman common value.

In fact RFC 5903 replaced 4753 just to say that the encoding consists only of x, not both x and y.

This also relates to Dan't question. If the y value is missing, what is there to verify?

Yoav

On Nov 30, 2012, at 7:57 PM, Dan Harkins <dharkins@lounge.org> wrote:

> 
>  Hi Johannes,
> 
> On Fri, November 30, 2012 4:11 am, Johannes Merkle wrote:
>> We have submitted a new revision of the Internet Draft on Using the 
>> ECC Brainpool Curves (defined in RFC 5639) for IKEv2 Key Exchange 
>> https://datatracker.ietf.org/doc/draft-merkle-ikev2-ke-brainpool/
>> 
>> Since there was considerable objection to the point compression 
>> method in the WG, we have removed this option altogether and define 
>> only the uncompressed KE payload format, which is in full accordance 
>> with RFC 5903.
>> 
>> 
>> Any feedback is welcome.
> 
>  I see that there is a requirement that an implementation MUST verify 
> that the D-H common value is not the point-at-infinity. Do you think 
> there should also be a requirement that an implementation MUST verify 
> that the x- and y-coordinates received from a peer satisfy the 
> equation of the negotiated curve (and abort the exchange if not)?
> 
>  regards,
> 
>  Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email