Re: [TLS] Diffie-Hellman: value of Z - the shared secret - without leading zero octets
David Benjamin <davidben@chromium.org> Tue, 17 May 2016 20:14 UTC
To: Russ Housley <housley@vigilsec.com>, Maarten Bodewes <maarten.bodewes@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/29CbenX6wL0nHl22s2GrrPF4I1Y>
Cc: IETF TLS <tls@ietf.org>
Reviving this thread, I also think it would be a good idea if 1.3 did not strip zeros from Z. Having this logic is rather dubious w.r.t. treating secret data in constant-time. And as Bill Cox mentioned elsewhere in this thread, this odd behavior has caused interoperability issues in the past.

I don't think we have to be worried about inconsistency with 1.2 as, by the time this happens, we will already know we're speaking 1.3. TLS 1.3 DHE is already a very different beast from TLS 1.2 DHE. At this point, the only thing they meaningfully share is they happen to use the same code points.

David

On Thu, Apr 7, 2016 at 10:37 AM Russ Housley <housley@vigilsec.com> wrote:

> I would prefer to always use the full, known-length byte string for Z. In
> my experience, it is better to know the lengths of byte strings instead of
> stripping leading zeroes. The difference in the speed of the HKDF
> computation by omitting the leading zeros is not significant. Alignment
> with NIST SP 800-56A is nice, but it is not the reason for my preference.
>
> Russ
>
>
> On Mar 28, 2016, at 11:56 AM, Maarten Bodewes <maarten.bodewes@gmail.com> wrote:
>
> > Hi all,
> >
> > I see that the leading zero is stripped off of the value of Z (the
> > shared secret) before it is used as input to HKDF. This seems to be
> > compatible with TLS 1.2. Then again, it is not compatible with e.g.
> > NIST SP 800-56A which uses the value of Z with the same size of the prime in
> > octets. Furthermore, it is also different with regards to handling the
> > coordinate X as used in ECDH.
> >
> > Was this a conscious decision to keep compatibility with TLS? Has the
> > use of the value of Z including zero octets been considered?
> >
> > Regards,
> > Maarten
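The two encodings of Z discussed in this thread, as an added example that is not part of the original messages: it searches a toy group for a shared secret with a leading zero octet and shows that a peer that strips and a peer that pads feed different input to HKDF-Extract. The prime, generator, private key and salt are constructed for illustration and are far too small for real use.

```python
import hashlib
import hmac

# Constructed toy parameters, for illustration only (not a real TLS group).
P = 2**127 - 1                      # Mersenne prime, 16 octets long
G = 3
P_LEN = (P.bit_length() + 7) // 8
A_PRIV = 0x1234567890ABCDEF         # constructed private key for one peer
SALT = bytes(32)                    # HashLen zero octets, the RFC 5869 default salt

def encode_stripped(z: int) -> bytes:
    """TLS 1.2 style: minimal big-endian encoding, leading zero octets dropped."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")

def encode_fixed(z: int) -> bytes:
    """Fixed-length encoding: left-padded with zeros to the size of the prime."""
    return z.to_bytes(P_LEN, "big")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def find_short_z(a: int, limit: int = 100_000):
    """Try peer private keys b until Z = g^(ab) mod p has a leading zero octet."""
    ga = pow(G, a, P)
    for b in range(2, limit):
        z = pow(ga, b, P)
        if z.bit_length() <= 8 * (P_LEN - 1):
            return b, z
    raise RuntimeError("no short Z found within limit")

def peers_agree(z: int) -> bool:
    """True if a stripping peer and a padding peer derive the same PRK from Z."""
    return hmac.compare_digest(
        hkdf_extract(SALT, encode_stripped(z)),
        hkdf_extract(SALT, encode_fixed(z)),
    )

if __name__ == "__main__":
    b, z = find_short_z(A_PRIV)
    # The stripped length depends on the secret value; the fixed length never does.
    print("peer key b =", b)
    print("stripped:", len(encode_stripped(z)), "octets; fixed:", len(encode_fixed(z)))
    print("peers agree on short Z:", peers_agree(z))
    print("peers agree on full-length Z:", peers_agree(P - 1))
```

With this 127-bit prime roughly one shared secret in 128 is short; for a prime whose top octet is full the rate is about one in 256, which is why mixed implementations fail only intermittently.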