Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

David Benjamin <davidben@chromium.org> Wed, 20 February 2019 18:29 UTC

References: <6fff39d3-649d-867a-db71-b0faa18185a5@brainhub.org>
In-Reply-To: <6fff39d3-649d-867a-db71-b0faa18185a5@brainhub.org>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 20 Feb 2019 12:29:09 -0600
Message-ID: <CAF8qwaCMhfsndABga55gpauX6=WhknNXija=nUU2xr93wYLaQA@mail.gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/25nMR676KY9iz-EpXpxRHcdIQuM>
Subject: Re: [TLS] Negotiated Finite Field Diffie-Hellman shared secret calculation

(We haven't actually implemented RFC 7919 and have no plans to, so I'm just
going by the document.)

RFC 7919 doesn't say anything, so I think the only reasonable
interpretation is to continue with the legacy option for TLS 1.2 and below.
It's also the only interoperable option given how the document is set up.
RFC 7919 repurposed the existing DHE scheme with no directly visible server
differences, so the client cannot tell if it is talking to a post-7919
server, or a pre-7919 server that happened to use a well-known parameter.
That means 7919 cannot change how DHE works. (This isn't the only
consequence of that decision. See
https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo. DHE
in TLS 1.2 is a mess and RFC 7919 failed to repair it.)

Note all this only applies to TLS 1.2. TLS 1.3 is free to use the more
sound method and does:
https://tools.ietf.org/html/rfc8446#section-7.4.1

On Tue, Feb 19, 2019 at 6:10 PM Andrey Jivsov <crypto@brainhub.org> wrote:

> Greetings.
>
> It's unclear to me how the shared secret g^xy is calculated for groups
> in https://tools.ietf.org/html/rfc7919 .
>
> If you recall, TLS 1.1 uses the method in
> https://tools.ietf.org/html/rfc4346#section-8.1.2 , causing some
> interoperability problems that are hard to fix.
>
> RFC 7919 doesn't specify what to do here.
>
> So, the question is, assuming that ffdhe2048 is negotiated,
>
> - is g^xy padded to 256 bytes (more sound method) or
> - the leading zero bytes of g^xy must be stripped (legacy method, used
> for historic reasons)?
>
> Thank you.
>
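The two encodings the question contrasts, as an added example that is not code from either message in this thread: the TLS 1.2 rule (RFC 5246 section 8.1.2, leading zero bytes of Z stripped) and the TLS 1.3 rule (RFC 8446 section 7.4.1, Z left-padded with zeros to the byte length of p). The ffdhe2048 prime is computed from the formula in RFC 7919 Appendix A.1 rather than pasted as hex. Assumptions that are mine, not the thread's: 256-bit private exponents drawn from a seeded RNG so the search is fast and repeatable, and SHA-256 standing in for the TLS key schedule, which in either version consumes the encoded byte string and so produces different keys whenever the encodings differ.

```python
"""Shared-secret encoding for FFDHE groups: strip leading zeros (TLS 1.2)
versus pad to the size of p (TLS 1.3). Added example, not code from the
thread.  The ffdhe2048 prime is derived from the RFC 7919 A.1 formula."""
import hashlib
import random


def _floor_pow2_times_e(bits):
    """Return floor(2**bits * e) exactly, using the integer series for e.

    128 guard bits; the truncation error summed over all terms is a few
    hundred at most, far below 2**128, so the final floor is exact."""
    guard = 128
    scale = 1 << (bits + guard)
    total, fact, k = 0, 1, 0
    while True:
        term = scale // fact          # 2**(bits+guard) / k!, truncated
        if term == 0:
            break
        total += term
        k += 1
        fact *= k
    return total >> guard


def ffdhe2048_prime():
    """RFC 7919 A.1: p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316} * 2^64 - 1."""
    return (1 << 2048) - (1 << 1984) + ((_floor_pow2_times_e(1918) + 560316) << 64) - 1


P = ffdhe2048_prime()
G = 2
P_LEN = (P.bit_length() + 7) // 8     # 256 bytes for ffdhe2048


def encode_legacy(z):
    """TLS 1.2 (RFC 5246 8.1.2): Z as a big-endian integer with all
    leading zero bytes stripped."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def encode_padded(z, p_len=P_LEN):
    """TLS 1.3 (RFC 8446 7.4.1): Z left-padded with zeros to the size of p."""
    return z.to_bytes(p_len, "big")


def find_short_secret(seed=0, p=P, g=G):
    """Run seeded DH exchanges until Z has a leading zero byte, the case
    where the two encodings diverge.  Returns (trials, z).  256-bit
    exponents are an assumption for speed, not a recommendation."""
    rng = random.Random(seed)
    p_len = (p.bit_length() + 7) // 8
    trials = 0
    while True:
        trials += 1
        a = rng.getrandbits(256) | 1
        b = rng.getrandbits(256) | 1
        z = pow(pow(g, b, p), a, p)
        assert z == pow(pow(g, a, p), b, p)   # both peers agree on the integer
        if len(encode_legacy(z)) < p_len:      # top byte of Z is zero
            return trials, z


def demo(seed=0):
    """Show that the same integer Z yields different key material under the
    two rules (SHA-256 stands in for the TLS PRF/HKDF, an assumption)."""
    trials, z = find_short_secret(seed)
    legacy, padded = encode_legacy(z), encode_padded(z)
    return {
        "trials": trials,
        "legacy_len": len(legacy),
        "padded_len": len(padded),
        "same_integer": int.from_bytes(legacy, "big") == int.from_bytes(padded, "big"),
        "same_key_material": hashlib.sha256(legacy).digest() == hashlib.sha256(padded).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the top 64 bits of every RFC 7919 prime are all ones, Z is effectively uniform in the top byte, so roughly one handshake in 256 produces a Z with a leading zero byte; two TLS 1.2 peers that disagree on the rule derive matching keys most of the time and fail the Finished check intermittently, which is the hard-to-debug interoperability problem the question refers to. The Fermat check in the usage below is what confirms the formula-derived p is the intended prime.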