Re: [TLS] Pre-master secret formatting for master secret calculation with DH in TLS 1.x
Andrey Jivsov <openpgp@brainhub.org> Mon, 11 February 2013 17:26 UTC
Return-Path: <openpgp@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF0D21F86F5 for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 09:26:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.437
X-Spam-Level:
X-Spam-Status: No, score=-0.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOsp3nWPis3m for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 09:26:41 -0800 (PST)
Received: from qmta12.emeryville.ca.mail.comcast.net (qmta12.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:44:76:96:27:227]) by ietfa.amsl.com (Postfix) with ESMTP id 0615221F8681 for <tls@ietf.org>; Mon, 11 Feb 2013 09:26:40 -0800 (PST)
Received: from omta23.emeryville.ca.mail.comcast.net ([76.96.30.90]) by qmta12.emeryville.ca.mail.comcast.net with comcast id z1kN1k00A1wfjNsAC5SgKR; Mon, 11 Feb 2013 17:26:40 +0000
Received: from [127.0.0.1] ([69.181.162.123]) by omta23.emeryville.ca.mail.comcast.net with comcast id z5Sf1k00C2g33ZR8j5Sg54; Mon, 11 Feb 2013 17:26:40 +0000
Message-ID: <5119296B.80702@brainhub.org>
Date: Mon, 11 Feb 2013 09:24:59 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120911 Thunderbird/15.0.1
MIME-Version: 1.0
To: tls@ietf.org
References: <20130208192355.359111A52E@ld9781.wdf.sap.corp>
In-Reply-To: <20130208192355.359111A52E@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1360603600; bh=uh1Spodz9Bhi6TlnOQ6Q7/mWnV7iIcm62sV857Eci7A=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=kVeCSgv34Hw44tmwUftpGvyRlq7aKwpF7ape3JtFGOU7sJfHhPSNxovPqsRb+u/r9 pd+uQYAVHqVA8ghlPivqdBoFGH0UFTZTIxu0hLkHHzKSAyYmOkkIBLdxABJ9S0Bjdn cOkESWLagmKxD2HTzr3d/4KMYLNBFk8NWkitzN5LE/TpTRr/0XFOs5LqT/Ydt1H3vb 2FBPCQpC1ueBzivUGI+Uctb8Okc7RHcdFVx/55s+sGQGXPl9gOijJLUqxuxzbnZZlE KTw581CdWOs0Ng37fnv2ulqU/C6j6mjx8oZ/PGtCfaBXthLFEpYzytWCasn2d/HJuE la3CXqIUDKTnw==
Subject: Re: [TLS] Pre-master secret formatting for master secret calculation with DH in TLS 1.x
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 17:26:41 -0000
Thank you, Martin. I will assume that the TLS >= 1.1 style it the right way to encode the shared secret of the DH exchange. This seems like an odd way to represent a finite field element with implicit length. Unlike strings, here we know the maximum size. On 02/08/2013 11:23 AM, Martin Rex wrote: > It appears to have been retroactively clarified as being (2) > from your choices: > > TLSv1.1 http://tools.ietf.org/html/rfc4346#section-8.1.2 > TLSv1.2 http://tools.ietf.org/html/rfc5246#section-8.1.2 > > Leading bytes of Z that > contain all zero bits are stripped before it is used as the > pre_master_secret. > > -Martin > > Andrey Jivsov wrote: >> I ran into an interoperability problem between our TLS implementation >> and another very popular one. >> >> The question is what exactly is the formatting for the RFC2246 sec. >> 8.1.2 "Diffie-Hellman" shared secret 'Z' ? >> >> The problem arises when the most significant byte of the Z is zero. >> Let's say that the field prime's size is 256. There are two possibilities: >> >> 1. export the Z in the big endian format, padding it to 256 (first byte >> in the buffer is zero) >> 2. export the Z in the big endian format, placing the result in a 255 >> byte buffer. >> >> I would say that this should be #1, because it is the natural >> representation of the Z. If there is a language specifying the canonical >> encoding for the Z, I would appreciate the reference. >> >> ( Apparently, this problem doesn't clearly manifest itself in real >> deployments because ~ the 1/256 failure rate is masked by >> re-negotiations at the higher protocol level. ) >> >> Thank you. >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Pre-master secret formatting for master sec… Andrey Jivsov
- Re: [TLS] Pre-master secret formatting for master… Jack Lloyd
- Re: [TLS] Pre-master secret formatting for master… Martin Rex
- Re: [TLS] Pre-master secret formatting for master… Andrey Jivsov