Re: [secdir] Secdir review of draft-herzog-static-ecdh-05

David McGrew <mcgrew@cisco.com> Wed, 09 March 2011 20:31 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45C843A6AB6; Wed, 9 Mar 2011 12:31:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.224
X-Spam-Level:
X-Spam-Status: No, score=-110.224 tagged_above=-999 required=5 tests=[AWL=-0.375, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrkVmgxtW8OA; Wed, 9 Mar 2011 12:31:34 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id B3B123A69FD; Wed, 9 Mar 2011 12:31:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew@cisco.com; l=4951; q=dns/txt; s=iport; t=1299702771; x=1300912371; h=cc:message-id:from:to:in-reply-to: content-transfer-encoding:mime-version:subject:date: references; bh=Jl9Lq1bM/gQeFuo+QhJbh5VGvpxKNOlfmeAY4HJPJsA=; b=jW3O2qMGrRcGDXsO+JN7BEeCVkduCcWhSQkdVSLojtatOAU/+YPX/Yut 5iNwiA537nBZ+Aq2JuqRRBaBFc+XF5FwmwFH+n0obi5pfklmHHt1mdWy8 a+gwXSFyKisydv4FmFNITof3zZtdWAtWkk8uKGmfzATFqe9apRwctsJRI w=;
X-IronPort-AV: E=Sophos;i="4.62,292,1297036800"; d="scan'208";a="413163172"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-1.cisco.com with ESMTP; 09 Mar 2011 20:32:51 +0000
Received: from stealth-10-32-254-214.cisco.com (stealth-10-32-254-214.cisco.com [10.32.254.214]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id p29KWo8G020966; Wed, 9 Mar 2011 20:32:50 GMT
Message-Id: <65D56695-894D-458E-A9C4-6DCF6A38F196@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: "Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.mit.edu>
In-Reply-To: <FFD02A42-A10C-4AE7-A763-5C2D1E1DFADA@ll.mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 9 Mar 2011 12:32:49 -0800
References: <D858A225-D1D1-497D-BA40-A66D3F55AD57@cisco.com> <552BBAA9-712F-49B4-8A5F-C671C3817C05@ll.mit.edu> <AA323705-436C-4B71-8B51-D2CA9E4E140C@cisco.com> <47CF9528-81A1-49D7-8D4B-B1DCC136581E@ll.mit.edu> <3E69AF7B-D325-4FC5-A003-FEBA1997D67E@cisco.com> <FFD02A42-A10C-4AE7-A763-5C2D1E1DFADA@ll.mit.edu>
X-Mailer: Apple Mail (2.936)
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-herzog-static-ecdh@tools.ietf.org" <draft-herzog-static-ecdh@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 20:31:36 -0000

Hi Jonathan,

On Mar 9, 2011, at 10:34 AM, Herzog, Jonathan - 0668 - MITLL wrote:

>
> On Mar 8, 2011, at 12:13 PM, Brian Weis wrote:
>
>>>>>
>>>>>> 2. Reference [SEC1] is heavily referenced in this document, for  
>>>>>> both a definition of ECDH and specific methods for using ECDH.  
>>>>>> But it would be good to also mention RFC 6090, which is the  
>>>>>> best IETF document describing ECDH.
>>>>>
>>>>> I was not previous aware of this RFC-- my bad. I have added it  
>>>>> as an informative reference, but continued to refer to [Sec1] as  
>>>>> the normative reference for the ECDH operation. Or do you think  
>>>>> that RFC 6090 should be the normative reference?
>>>>
>>>> I would suggesting using RFC 6090 for a normative reference to  
>>>> ECDH if you need such a reference. But I don't believe RFC 6090  
>>>> discusses static-static consideration or issues at all, so for  
>>>> that [Sec1] seems to be the appropriate normative reference.
>>>
>>> I'm a little uneasy with using RFC 6090 as a normative reference  
>>> for ECDH, as my impression is that the rest of CMS uses SEC1 as  
>>> the normative reference. (See RFC 5753.) This may be because RFC  
>>> 6090 is so new, but I'm worried that switching to RFC 6090 as the  
>>> normative reference for ECDH will introduce subtle  
>>> incompatibilities.
>>>
>>> Also, RFC 6090 doesn't seem to include the cofactor ECDH operation  
>>> (I think), or the use of the SharedInfo/ukm value.
>>>
>>> Given this, do you mind if I keep SEC1 as normative and use RFC  
>>> 6090 as informative?
>>
>> Sure, that's fine.
>
>
> I've thought a little more about this, and change my proposal to:
>
> * Reference RFC 6090 for ECDH in general, but
> * SEC1 for co-factor ECDH, the public-key validation primitives, and  
> the key-derivation function (KDF).
>
> Unfortunately, none of those algorithms in the second bullet are  
> present in RFC 6090. (Though the security considerations of RFC 6090  
> discuss why one would want to validate public keys, it doesn't  
> describe how to do so.)

That's exactly right.  RFC6090 should be referenced for ECDH, but not  
cofactor-ECDH.

I would like to know: why does the draft reference [SEC1] instead of a  
NIST or IEEE standard?  I would strongly prefer to see explicit  
references to the appropriate NIST algorithms and KDFs in this  
document.  That would make it clear that the specification conformed  
to the NIST crypto guidelines, and that is apparently a goal for the  
document.  It mentions Suite B conformance as a motivator, and Suite B  
references the NIST guidelines.  I think the document describes  
something useful, and that it would be more valuable if it referenced  
the NIST specifications.   Probably the easiest way to do this would  
be to add an additional reference, rather than replace the references  
to [SEC1].

Here is some detail on how RFC6090 EDCH can be used to implement  
static-static ECDH as it is defined by NIST SP 800-56A.  RFC6090  
describes how the ECDH protocol it describes can interoperate with the  
ECSVDP-DH primitive.  NIST SP 800-56 defines static-static ECDH using  
a primitive which it calls the "unified cofactor method", the ECC CDH  
primitive in SP800-56 Section 5.7.1.2 (in conjunction with a NIST- 
defined KDF).   The "unified cofactor method" is equivalent to the  
RFC6090 ECDH when the cofactor h=1.  I'll outline the correspondence.   
The "unified cofactor method" is:

Input:
1. (q, FR, a, b{, SEED}, G, n, h): Domain parameters,
2. dA : One’s own private key, and
3. QB : The other party’s public key.
Process:
1. Compute the point P = hdAQB.
2. If P = O, output an error indicator.
3. Z = xP where xP is the x-coordinate of P.

And here is the table of correspondence between parameters:

SP-800-56A   RFC6090
  q             p
  a             a
  b             b
  G             g
  h             1

h is not used in RFC6090; is is the cofactor associated with the  
elliptic curve generator.  when h=1, ECC CDH is equivalent to ECDH

FR is not used in RFC6090; it is an indication of the field  
representation in ANSI X9.63

SEED is not used in RFC6090; it is an indication of how the ECC  
parameters were created

David

>
>
> Any objections?
>
> Thanks.
> -- 
> Jonathan Herzog							voice:  (781) 981-2356
> Technical Staff							fax:    (781) 981-7687
> Cyber Systems and Technology Group		email:  jherzog@ll.mit.edu
> MIT Lincoln Laboratory               			www:    http://www.ll.mit.edu/CST/
> 244 Wood Street
> Lexington, MA 02420-9185
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir